For Gateway API support to work in a multitenant mesh, all Gateway API CRDs need to be present. As starting with 2.3.1, OSSM supports both v1alpha2 and v1beta1 resources, that means that both versions need to be present. This can be achieved by installing the CRDs with the following command (note the extra experimental in the URL):

kubectl get crd gateways.gateway.networking.k8s.io ||   { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v0.5.1" | kubectl apply -f -; }

The CRDs need to be present because we disable the CRD scan in multitenant deployments, which means that Istio has no way of knowing which CRDs are present in the cluster and just creates Informers for all of them, in turn leading to errors when watches fail.

A possible fix could be to remove the disabling of the CRD scan and instead rewriting it so that it doesn't need cluster-wide permissions, by using the kubernetes API Discovery instead of List()ing the CustomResourceDefinitions.