diff --git a/Makefile b/Makefile
index cbafde83..adf1ee65 100644
--- a/Makefile
+++ b/Makefile
@@ -561,10 +561,8 @@ uninstall-k8s: check-kubectl check-kustomize check-envsubst ## Uninstall from Ku
 install-openshift-infrastructure:
 ifeq ($(strip $(INFRASTRUCTURE_OVERRIDE)),true)
 @echo "INFRASTRUCTURE_OVERRIDE is set to true, deploying infrastructure components"
- @echo "Installing CRDs"
- kustomize build deploy/components/crds | kubectl apply --server-side --force-conflicts -f -
- @echo "Installing the Istio Control Plane"
- kustomize build deploy/components/istio-control-plane | kubectl apply -f -
+ @echo "Installing OpenShift Infrastructure"
+ kustomize build deploy/environments/dev/openshift-infra | kubectl apply --server-side --force-conflicts -f -
 else
 $(error "Error: The environment variable INFRASTRUCTURE_OVERRIDE must be set to true in order to run this target.")
 endif
@@ -583,11 +581,12 @@ endif
 .PHONY: uninstall-openshift-infrastructure
 uninstall-openshift-infrastructure:
 ifeq ($(strip $(INFRASTRUCTURE_OVERRIDE)),true)
- @echo "INFRASTRUCTURE_OVERRIDE is set to true, removing infrastructure components"
- @echo "Uninstalling the Istio Control Plane"
- kustomize build deploy/components/istio-control-plane | kubectl delete -f - || true
- @echo "Uninstalling CRDs"
- kustomize build deploy/components/crds | kubectl delete -f - || true
+ @echo "INFRASTRUCTURE_OVERRIDE is set to true, removing infrastructure components (this is extremely destructive)"
+ @echo "This is extremely destructive. We'll provide a few seconds before starting to give you a chance to cancel."
+ sleep 3
+ @echo "Uninstalling OpenShift Infrastructure Components"
+ @echo "Installing OpenShift Infrastructure"
+ kustomize build deploy/environments/dev/openshift-infra | kubectl delete -f - || true
 else
 $(error "Error: The environment variable INFRASTRUCTURE_OVERRIDE must be set to true in order to run this target.")
 endif
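Review bot: `--server-side --force-conflicts` on the new `kustomize build deploy/environments/dev/openshift-infra` line now covers everything in that kustomization, where the removed lines forced conflicts only for the CRDs and applied the Istio control plane with a plain `kubectl apply -f -`. Forcing conflicts takes field ownership from whichever other manager set those fields, so on a cluster where Istio or the RBAC objects are already managed elsewhere this target overwrites them without a conflict error. The same apply also creates the cluster-wide RBAC from the new `rbac.yaml`, which the echo does not mention; consider `@echo "Installing OpenShift Infrastructure (CRDs, Istio control plane, cluster-wide RBAC)"`, and keep `--force-conflicts` for the CRD component only if the override was not intended for the rest.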
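Review bot: The added `@echo "Installing OpenShift Infrastructure"` sits directly before the `kubectl delete` in the uninstall target, so the last message an operator sees before a cluster-wide delete says the opposite of what is happening; drop that line. The `sleep 3` is the only guard, and the "extremely destructive" warning is printed twice without saying what is removed: the build includes the CRDs, and deleting a CRD removes every custom resource of that kind across the cluster. `|| true` also reports success when the delete fails partway, so a failed teardown looks the same as a clean one; if the aim is to tolerate already-absent objects, `kubectl delete --ignore-not-found -f -` does that without hiding other errors.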
@@ -786,6 +785,9 @@ print-namespace: ## Print the current namespace print-project-name: ## Print the current project name @echo "$(PROJECT_NAME)" +.PHONY: install-hooks +install-hooks: ## Install git hooks + git config core.hooksPath hooks # # Development Environments #
@@ -818,7 +820,3 @@ environment.dev.kind.update: image-build
 @echo "INFO: Restarting the Endpoint Picker Deployment"
 kubectl --context kind-$(KIND_CLUSTER_NAME) -n default rollout restart deployment endpoint-picker
 kubectl --context kind-$(KIND_CLUSTER_NAME) -n default rollout status deployment endpoint-picker
-
-.PHONY: install-hooks
-install-hooks: ## Install git hooks
- git config core.hooksPath hooks
diff --git a/deploy/environments/dev/openshift-infra/kustomization.yaml b/deploy/environments/dev/openshift-infra/kustomization.yaml
new file mode 100644
index 00000000..e3a63a5d
--- /dev/null
+++ b/deploy/environments/dev/openshift-infra/kustomization.yaml
@@ -0,0 +1,19 @@
+# ------------------------------------------------------------------------------
+# OpenShift Environment - Infrastructure
+#
+# This provides the infrastructure-level requirements that individual
+# development environments (see `deploy/environments/dev/openshift`) will need
+# (e.g. CRDs, Operators, RBAC, etc).
+#
+# **WARNING**: Needs to be run once, and regularly updated on an OpenShift
+# cluster by an administrator prior to deploying individual environments on
+# that cluster with `deploy/environments/dev/openshift`.
+#
+# ------------------------------------------------------------------------------
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../components/crds/
+- ../../../components/istio-control-plane/
+- rbac.yaml
diff --git a/deploy/environments/dev/openshift-infra/rbac.yaml b/deploy/environments/dev/openshift-infra/rbac.yaml
new file mode 100644
index 00000000..4998bccd
--- /dev/null
+++ b/deploy/environments/dev/openshift-infra/rbac.yaml
@@ -0,0 +1,66 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gateway-management
+rules:
+ # ---------------------------------------------------------------------------
+ # Gateway API
+ # ---------------------------------------------------------------------------
+ - apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gateways
+ - httproutes
+ - grpcroutes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ # ---------------------------------------------------------------------------
+ # Gateway API Inference Extension (GIE)
+ # ---------------------------------------------------------------------------
+ - apiGroups:
+ - inference.networking.x-k8s.io
+ resources:
+ - inferencepools
+ - inferencemodels
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ # ---------------------------------------------------------------------------
+ # Istio
+ # ---------------------------------------------------------------------------
+ - apiGroups:
+ - networking.istio.io
+ resources:
+ - destinationrules
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: authenticated-gateway-management
+subjects:
+ - kind: Group
+ name: system:authenticated
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: gateway-management
+ apiGroup: rbac.authorization.k8s.io
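Review bot: The `ClusterRoleBinding` at the end of the file grants `gateway-management` to `system:authenticated`, which is every authenticated identity on the cluster, service accounts included, and a ClusterRoleBinding applies in all namespaces. Any workload token could then create, patch or delete `gateways`, `httproutes`, `grpcroutes`, `inferencepools`, `inferencemodels` and `destinationrules` belonging to other teams, which is enough to reroute or break their traffic. Bind the role to the group that actually uses the dev environments, e.g. `name: <developer-group-placeholder>` under `subjects`, or keep the ClusterRole and grant it per namespace with a `RoleBinding` created alongside each dev environment. If the broad grant is deliberate for a shared dev cluster, say so in a comment above the binding so it is not copied to other clusters.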