Deployments created by gateways don't have an ownerReference #8209

@vanchaxy

Repro steps:

  1. Install the gateway helm chart v1.6.3 (oci://docker.io/envoyproxy/gateway-helm) and apply quickstart.yaml (steps from quickstart).
  2. Observe that the created Service has ownerReferences, but the Deployment doesn't.

Service:

kubectl get svc -n envoy-gateway envoy-envoy-gateway-eg-f8b463ac -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2026-02-08T05:05:56Z"
  labels:
    app.kubernetes.io/component: proxy
    app.kubernetes.io/managed-by: envoy-gateway
    app.kubernetes.io/name: envoy
    gateway.envoyproxy.io/owning-gateway-name: eg
    gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
  name: envoy-envoy-gateway-eg-f8b463ac
  namespace: envoy-gateway
  ownerReferences:
  - apiVersion: gateway.networking.k8s.io/v1
    kind: GatewayClass
    name: eg
    uid: da4c0909-1dc3-4371-9c7f-0bf9edeab871
  resourceVersion: "250213778"
  uid: a7bd156d-caeb-4364-ac91-d850a7c3e566
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 10.97.90.71
  clusterIPs:
  - 10.97.90.71
  externalTrafficPolicy: Local
  healthCheckNodePort: 32475
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http-80
    nodePort: 32247
    port: 80
    protocol: TCP
    targetPort: 10080
  selector:
    app.kubernetes.io/component: proxy
    app.kubernetes.io/managed-by: envoy-gateway
    app.kubernetes.io/name: envoy
    gateway.envoyproxy.io/owning-gateway-name: eg
    gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
  sessionAffinity: None
  type: LoadBalancer
status:
  conditions:
  - lastTransitionTime: "2026-02-08T05:05:57Z"
    message: ""
    reason: satisfied
    status: "True"
    type: cilium.io/IPAMRequestSatisfied
  loadBalancer:
    ingress:
    - ip: 192.168.50.239
      ipMode: VIP

Deployment:

kubectl describe deployment -n envoy-gateway envoy-envoy-gateway-eg-f8b463ac
Name:                   envoy-envoy-gateway-eg-f8b463ac
Namespace:              envoy-gateway
CreationTimestamp:      Sun, 08 Feb 2026 06:05:56 +0100
Labels:                 app.kubernetes.io/component=proxy
                        app.kubernetes.io/managed-by=envoy-gateway
                        app.kubernetes.io/name=envoy
                        gateway.envoyproxy.io/owning-gateway-name=eg
                        gateway.envoyproxy.io/owning-gateway-namespace=envoy-gateway
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app.kubernetes.io/component=proxy,app.kubernetes.io/managed-by=envoy-gateway,app.kubernetes.io/name=envoy,gateway.envoyproxy.io/owning-gateway-name=eg,gateway.envoyproxy.io/owning-gateway-namespace=envoy-gateway
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:           app.kubernetes.io/component=proxy
                    app.kubernetes.io/managed-by=envoy-gateway
                    app.kubernetes.io/name=envoy
                    gateway.envoyproxy.io/owning-gateway-name=eg
                    gateway.envoyproxy.io/owning-gateway-namespace=envoy-gateway
  Annotations:      prometheus.io/path: /stats/prometheus
                    prometheus.io/port: 19001
                    prometheus.io/scrape: true
  Service Account:  envoy-envoy-gateway-eg-f8b463ac
  Containers:
   envoy:
    Image:           docker.io/envoyproxy/envoy:distroless-v1.36.4
    Ports:           19001/TCP (metrics), 19003/TCP (readiness)
    Host Ports:      0/TCP (metrics), 0/TCP (readiness)
    SeccompProfile:  RuntimeDefault
    Command:
      envoy
    Args:
      --service-cluster
      envoy-gateway/eg
      --service-node
      $(ENVOY_POD_NAME)
      --config-yaml
      admin:
        access_log:
        - name: envoy.access_loggers.file
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
            path: /dev/null
        address:
          socket_address:
            address: 127.0.0.1
            port_value: 19000
      cluster_manager:
        local_cluster_name: envoy-gateway/eg
      node:
        locality:
          zone: $(ENVOY_SERVICE_ZONE)
      layered_runtime:
        layers:
        - name: global_config
          static_layer:
            envoy.restart_features.use_eds_cache_for_ads: true
            re2.max_program_size.error_level: 4294967295
            re2.max_program_size.warn_level: 1000
      dynamic_resources:
        ads_config:
          api_type: DELTA_GRPC
          transport_api_version: V3
          grpc_services:
          - envoy_grpc:
              cluster_name: xds_cluster
          set_node_on_first_message_only: true
        lds_config:
          ads: {}
          resource_api_version: V3
        cds_config:
          ads: {}
          resource_api_version: V3
      static_resources:
        listeners:
        - name: envoy-gateway-proxy-stats-0.0.0.0-19001
          address:
            socket_address:
              address: '0.0.0.0'
              port_value: 19001
              protocol: TCP
          bypass_overload_manager: true
          filter_chains:
          - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: eg-stats-http
                normalize_path: true
                route_config:
                  name: local_route
                  virtual_hosts:
                  - name: prometheus_stats
                    domains:
                    - "*"
                    routes:
                    - match:
                        path: /stats/prometheus
                        headers:
                        - name: ":method"
                          string_match:
                            exact: GET
                      route:
                        cluster: prometheus_stats
                http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
        clusters:
        - name: prometheus_stats
          connect_timeout: 0.250s
          type: STATIC
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: prometheus_stats
            endpoints:
            - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: 127.0.0.1
                      port_value: 19000
        - connect_timeout: 10s
          eds_cluster_config:
            eds_config:
              ads: {}
              resource_api_version: 'V3'
            service_name: envoy-gateway/eg
          load_balancing_policy:
            policies:
            - typed_extension_config:
                name: 'envoy.load_balancing_policies.least_request'
                typed_config:
                  '@type': 'type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest'
                  locality_lb_config:
                    zone_aware_lb_config:
                      min_cluster_size: '1'
          name: envoy-gateway/eg
          type: EDS
        - connect_timeout: 10s
          load_assignment:
            cluster_name: xds_cluster
            endpoints:
            - load_balancing_weight: 1
              lb_endpoints:
              - load_balancing_weight: 1
                endpoint:
                  address:
                    socket_address:
                      address: envoy-gateway.envoy-gateway.svc.cluster.local.
                      port_value: 18000
          typed_extension_protocol_options:
            envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
              "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
              explicit_http_config:
                http2_protocol_options:
                  connection_keepalive:
                    interval: 30s
                    timeout: 5s
          name: xds_cluster
          type: STRICT_DNS
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              common_tls_context:
                tls_params:
                  tls_maximum_protocol_version: TLSv1_3
                tls_certificate_sds_secret_configs:
                - name: xds_certificate
                  sds_config:
                    path_config_source:
                      path: /sds/xds-certificate.json
                    resource_api_version: V3
                validation_context_sds_secret_config:
                  name: xds_trusted_ca
                  sds_config:
                    path_config_source:
                      path: /sds/xds-trusted-ca.json
                    resource_api_version: V3
      overload_manager:
        refresh_interval: 0.25s
        resource_monitors:
        - name: "envoy.resource_monitors.global_downstream_max_connections"
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
            max_active_downstream_connections: 50000

      --log-level
      warn
      --cpuset-threads
      --drain-strategy
      immediate
      --component-log-level
      misc:error
      --drain-time-s
      60
    Requests:
      cpu:      100m
      memory:   512Mi
    Liveness:   http-get http://:19003/ready delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:  http-get http://:19003/ready delay=0s timeout=1s period=5s #success=1 #failure=1
    Startup:    http-get http://:19003/ready delay=0s timeout=1s period=10s #success=1 #failure=30
    Environment:
      ENVOY_POD_NAMESPACE:   (v1:metadata.namespace)
      ENVOY_POD_NAME:        (v1:metadata.name)
      ENVOY_SERVICE_ZONE:    (v1:metadata.annotations['topology.kubernetes.io/zone'])
    Mounts:
      /certs from certs (ro)
      /sds from sds (rw)
   shutdown-manager:
    Image:           docker.io/envoyproxy/gateway:v1.6.3
    Port:            <none>
    Host Port:       <none>
    SeccompProfile:  RuntimeDefault
    Command:
      envoy-gateway
    Args:
      envoy
      shutdown-manager
    Requests:
      cpu:      10m
      memory:   32Mi
    Liveness:   http-get http://:19002/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:  http-get http://:19002/healthz delay=0s timeout=1s period=10s #success=1 #failure=3
    Startup:    http-get http://:19002/healthz delay=0s timeout=1s period=10s #success=1 #failure=30
    Environment:
      ENVOY_POD_NAMESPACE:   (v1:metadata.namespace)
      ENVOY_POD_NAME:        (v1:metadata.name)
      ENVOY_SERVICE_ZONE:    (v1:metadata.annotations['topology.kubernetes.io/zone'])
    Mounts:                 <none>
  Volumes:
   certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  envoy
    Optional:    false
   sds:
    Type:          ConfigMap (a volume populated by a ConfigMap)
    Name:          envoy-envoy-gateway-eg-f8b463ac
    Optional:      false
  Node-Selectors:  <none>
  Tolerations:     <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  <none>
NewReplicaSet:   envoy-envoy-gateway-eg-f8b463ac-66b569cf96 (1/1 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  89s   deployment-controller  Scaled up replica set envoy-envoy-gateway-eg-f8b463ac-66b569cf96 from 0 to 1
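
A check for the condition this report describes, as an added example that is not part of the original issue or of the Envoy Gateway project: it reads the JSON that `kubectl get ... -o json` produces and lists objects labelled `app.kubernetes.io/managed-by: envoy-gateway` that carry no `ownerReferences`. The sample objects are constructed and trimmed to the fields the check reads; the helper `make_obj`, the `unrelated-config` object and the optional file argument are assumptions.

```python
import json
import sys

# Label the issue shows on objects created by the gateway controller.
MANAGED_KEY, MANAGED_VAL = "app.kubernetes.io/managed-by", "envoy-gateway"

def missing_owner_refs(kube_json):
    """Return sorted (kind, namespace, name) of managed objects lacking ownerReferences."""
    # `kubectl get <kinds> -o json` yields a List; a single named object has no "items".
    items = kube_json["items"] if "items" in kube_json else [kube_json]
    missing = []
    for obj in items:
        meta = obj.get("metadata") or {}
        labels = meta.get("labels") or {}
        if labels.get(MANAGED_KEY) != MANAGED_VAL:
            continue  # not created by the controller, out of scope
        # An absent key, null and an empty list all mean "no owner recorded".
        if not meta.get("ownerReferences"):
            missing.append((obj.get("kind", "?"), meta.get("namespace", ""), meta.get("name", "")))
    return sorted(missing)

def make_obj(kind, name, managed=True, owners=None):
    """Build a trimmed object with only the fields the check reads (constructed data)."""
    meta = {"name": name, "namespace": "envoy-gateway"}
    if managed:
        meta["labels"] = {MANAGED_KEY: MANAGED_VAL}
    if owners is not None:
        meta["ownerReferences"] = owners
    return {"kind": kind, "metadata": meta}

# Constructed sample mirroring the report: the Service has an owner, the Deployment does not.
GATEWAY_CLASS = {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "GatewayClass", "name": "eg"}
SAMPLE = {"kind": "List", "items": [
    make_obj("Service", "envoy-envoy-gateway-eg-f8b463ac", owners=[GATEWAY_CLASS]),
    make_obj("Deployment", "envoy-envoy-gateway-eg-f8b463ac"),
    make_obj("ConfigMap", "unrelated-config", managed=False),  # hypothetical unmanaged object
]}

if __name__ == "__main__":
    # Optional argument: a file saved from `kubectl get <kinds> -n <namespace> -o json`.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    for kind, ns, name in missing_owner_refs(data):
        print(f"{kind} {ns}/{name}: no ownerReferences")
```

Run without arguments it reports the constructed Deployment; given a saved `kubectl get ... -o json` file it reports on the real objects in that output.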
