Bug
Resolution: Done
Normal
OCPSTRAT-416 - Gateway API using Istio for Cluster Ingress (Dev Preview)
Sprint 58 - week 2 and 3
In the template that is used by the deployment controller, explicit UID/GIDs are set, which doesn't work on OCP because of the Pod Security Policies.
Reproduction steps from skondkar1@redhat.com's original comment:
1) Installed 2.3 latest build using IIB's
2) Verified that smcp in 'istio-system' namespace is created successfully with below setting in smcp:

runtime:
  components:
    pilot:
      container:
        env:
          PILOT_ENABLE_GATEWAY_API: "true"
          PILOT_ENABLE_GATEWAY_API_STATUS: "true"
          PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER: "true"

3) Installed the Gateway API CRDs:

kubectl get crd gateways.gateway.networking.k8s.io || { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.4.0" | kubectl apply -f -; }

4) Deployed the test application:

kubectl apply -f samples/httpbin/httpbin.yaml

5) Created istio-ingress namespace:

kubectl create namespace istio-ingress

6) Created smmr in 'istio-system' namespace and added member as 'istio-ingress'
7) Created Gateway and HTTPRoute resources in 'istio-ingress' namespace

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: gateway
  namespace: istio-ingress
spec:
  gatewayClassName: istio
  listeners:
  - name: default
    hostname: "*.example.com"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  parentRefs:
  - name: gateway
    namespace: istio-ingress
  hostnames: ["httpbin.example.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /get
    filters:
    - type: RequestHeaderModifier
      requestHeaderModifier:
        add:
        - name: my-added-header
          value: added-value
    backendRefs:
    - name: httpbin
      port: 8000
EOF

8) Result:
Gateway is created successfully
HTTPRoute is created successfully

Note: The only issue I see is - the gateway pod is not created. The istio-ingress namespace -> 'Deployments' shows 'gateway' deployment with '0 of 1 pods' as shown in the screenshot.
The istio-ingress namespace -> 'Deployments' -> gateway deployment -> ReplicaSet details -> Events shows below:

Generated from replicaset-controller, 30 times in the last 1 hour:
Error creating: pods "gateway-689ddc9c9-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 1337: must be in the ranges: [1000770000, 1000779999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
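The event above is an admission failure from OpenShift's Security Context Constraints: the "restricted" SCC only admits an explicit runAsUser that lies inside the UID block allocated to the namespace, and the deployment controller's template pins UID 1337. The following pre-flight check reproduces that rule offline so a template can be validated before it is applied. It is an added example, not code from this issue, from Istio/OSSM or from OpenShift. It assumes that OpenShift stores each namespace's UID block in the annotation openshift.io/sa.scc.uid-range as "<start>/<size>" and that the restricted SCC's MustRunAsRange strategy accepts an omitted runAsUser (OpenShift fills in the block's first UID) but rejects an explicit one outside the block; the namespace and pod specs in the block are constructed sample input, with the range and the UID 1337 taken from the event message. Only the runAsUser rule is modelled; real SCC admission also validates groups, SELinux, capabilities and volume types.

```python
"""Pre-flight check: would a pod template's explicit runAsUser be admitted by
the UID-range rule of OpenShift's "restricted" SCC in a given namespace?

Added example, not code from the issue, Istio/OSSM or OpenShift. Assumes the
namespace annotation openshift.io/sa.scc.uid-range holds "<start>/<size>"
and that only the runAsUser rule of the SCC needs modelling here.
"""
from typing import Dict, List, Tuple

RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Turn "<start>/<size>" into an inclusive (low, high) pair.
    "1000770000/10000" covers 1000770000..1000779999, the window quoted
    in the replicaset-controller event."""
    start_s, size_s = annotation.strip().split("/", 1)
    start, size = int(start_s), int(size_s)
    if start < 0 or size <= 0:
        raise ValueError(f"malformed uid-range annotation: {annotation!r}")
    return start, start + size - 1


def namespace_uid_range(namespace: Dict) -> Tuple[int, int]:
    """Read the SCC UID block allocated to a namespace object."""
    annotations = namespace.get("metadata", {}).get("annotations", {})
    if RANGE_ANNOTATION not in annotations:
        raise KeyError(f"namespace has no {RANGE_ANNOTATION} annotation")
    return parse_uid_range(annotations[RANGE_ANNOTATION])


def explicit_run_as_users(pod_spec: Dict) -> List[Tuple[str, int]]:
    """Every runAsUser the template sets explicitly, as (field path, uid).
    Pod-level, init and regular containers are all subject to SCC checks."""
    found: List[Tuple[str, int]] = []
    pod_uid = (pod_spec.get("securityContext") or {}).get("runAsUser")
    if pod_uid is not None:
        found.append(("spec.securityContext.runAsUser", int(pod_uid)))
    for field in ("initContainers", "containers"):
        for idx, container in enumerate(pod_spec.get(field) or []):
            uid = (container.get("securityContext") or {}).get("runAsUser")
            if uid is not None:
                path = f"spec.{field}[{idx}].securityContext.runAsUser"
                found.append((path, int(uid)))
    return found


def check_restricted_scc(namespace: Dict, pod_spec: Dict) -> List[str]:
    """Return the UID-range violations the restricted SCC would report
    (empty list means the UID check passes). An omitted runAsUser is fine:
    OpenShift assigns the first UID of the namespace block itself."""
    low, high = namespace_uid_range(namespace)
    return [
        f"{path}: Invalid value: {uid}: must be in the ranges: [{low}, {high}]"
        for path, uid in explicit_run_as_users(pod_spec)
        if not low <= uid <= high
    ]


# Constructed sample input: the istio-ingress namespace with the UID block
# quoted in the event message, and two versions of a gateway pod template.
ISTIO_INGRESS_NAMESPACE = {
    "apiVersion": "v1",
    "kind": "Namespace",
    "metadata": {
        "name": "istio-ingress",
        "annotations": {RANGE_ANNOTATION: "1000770000/10000"},
    },
}

# As in the report: the template pins UID 1337 (image name is a placeholder).
PINNED_UID_POD_SPEC = {
    "containers": [
        {
            "name": "istio-proxy",
            "image": "PLACEHOLDER-proxy-image",
            "securityContext": {"runAsUser": 1337, "runAsNonRoot": True},
        }
    ]
}

# Remediated template: runAsUser left unset so the SCC assigns one from the
# namespace block; everything else unchanged.
UNPINNED_POD_SPEC = {
    "containers": [
        {
            "name": "istio-proxy",
            "image": "PLACEHOLDER-proxy-image",
            "securityContext": {"runAsNonRoot": True},
        }
    ]
}


if __name__ == "__main__":
    for label, spec in (("pinned", PINNED_UID_POD_SPEC), ("unpinned", UNPINNED_POD_SPEC)):
        problems = check_restricted_scc(ISTIO_INGRESS_NAMESPACE, spec)
        print(f"{label}: {'OK' if not problems else 'REJECTED'}")
        for line in problems:
            print("  " + line)
```

Running the block reports the pinned template as rejected with the same "Invalid value: 1337: must be in the ranges: [1000770000, 1000779999]" wording the event shows, and the unpinned template as admitted. The design point is the one the fix needs: a template intended to run under the restricted SCC should not hard-code a UID at all, because the admissible range is allocated per namespace and differs on every cluster.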