$ oc get proxy cluster -oyaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2019-07-18T17:19:22Z"
  generation: 1
  name: cluster
  resourceVersion: "273"
  selfLink: /apis/config.openshift.io/v1/proxies/cluster
  uid: 2f77651a-a980-11e9-8db5-fa163e9073cb
spec:
  httpProxy: http://10.42.15.4:3128
  httpsProxy: http://10.42.15.4:3128

$ oc get clusteroperator authentication
NAME             VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication             Unknown     Unknown       True       24m

$ oc get event | grep OperatorStatusChanged | tail -n1
22m   Normal   OperatorStatusChanged   deployment/authentication-operator   Status for clusteroperator/authentication changed: Degraded changed from False to True ("RouteHealthDegraded: failed to GET route: dial tcp 10.42.10.202:443: connect: no route to host")

The pod does not have a route to the external network (where the router LB is) and thus can not do the route health check.

https://github.com/openshift/cluster-authentication-operator/blob/988eeefffa2e117076b12ba53bd0a4454d200a21/pkg/operator2/operator.go#L530-L531
After talking to Clayton, I think we are just going to make it a requirement that the router wildcard DNS entry resolve to an address reachable from behind the proxy.