OpenShift Container Platform 4.18 release notes

Scaffolding tools for Hybrid Helm-based Operator projects

Scaffolding tools for Java-based Operator projects

Updating Go-based Operator projects

Updating Ansible-based Operator projects

Updating Helm-based Operator projects

Not Available

Technology Preview

General Availability

Deprecated

Removed

Previously, API validation did not prevent an authorized client from decreasing the current revision of a static pod operand, such as kube-apiserver, or prevent the operand from progressing concurrently on two nodes. With this release, requests that attempt to do either are now rejected. (OCPBUGS-48502)

Previously, the oauth-server would crash when configuring an oath identity provider (IDP) with a callback path that contained spaces. With this release, the issue is resolved.(OCPBUGS-44099)

Previously, the Bare Metal Operator (BMO) created the HostFirmwareComponents custom resource for all Bare Metal hosts (BMH), including ones based on the intelligent platform management interface (IPMI), which did not support it. With this release, HostFirmwareComponents custom resources are only created for BMH that support it. (OCPBUGS-49699)

Previously, in bare-metal configurations where the provisioning network is disabled but the bootstrapProvisioningIP field is set, the bare-metal provisioning components might fail to start. These failures occur when the provisioning process reconfigures the external network interface on the bootstrap VM during the process of pulling container images. With this release, dependencies were added to ensure that interface reconfiguration only occurs when the network is idle, preventing conflicts with other processes. As a result, the bare-metal provisioning components now start reliably, even when the bootstrapProvisioningIP field is set and the provisioning network is disabled. (OCPBUGS-36869)

Previously, Ironic inspection failed if special or invalid characters existed in the serial number of a block device. This occurred because the lsblk command failed to escape the characters. With this release, the command now escapes the characters so this issue no longer persists. (OCPBUGS-36492)

Previously, a check for unexpected IP addresses on the provisioning interface during metal3 pod startup was triggered. This issue occurred because of the presence of an IP addresses supplied by DHCP from a previous version of the pod that existed on another node. With this release, a pod startup check now looks only for IP addresses that exist outside the provisioning network subnet, so that a metal3 pod starts immediately, even when if the node has moved to a different node. (OCPBUGS-38507)

Previously, enabling a provisioning network by editing the cluster-wide Provisioning resource was only possible on installer-provisioned infrastructure clusters with platform type baremetal. On bare metal, single-node OpenShift, and user-provisioned infrastructure clusters, editing this resource resulted in a validation error. With this release, the excessive validation check has been removed, and enabling a provisioning network is now possible on bare-metal clusters with platform type none. As with installer-provisioned infrastructure clusters, users are responsible for making sure that all networking requirements are met for this operation. (OCPBUGS-43371)

Previously, the availability set fault domain count was hardcoded to 2. This value works in most regions in Microsoft Azure because the fault domain counts are typically at least 2, but failed in the centraluseuap and eastusstg regions. With this release, the availability set fault domain count in a region is set dynamically. (OCPBUGS-48659)

Previously, an updated zone API error message from Google Cloud Platform (GCP) with increased granularity caused the machine controller to mistakenly mark the machine as valid with a temporary cloud error instead of recognizing it as an invalid machine configuration error. This prevented the invalid machine from transitioning to a failed state. With this update, the machine controller handles the new error messages correctly, and machines with an invalid zone or project ID now transition properly to a failed state. (OCPBUGS-47790)

Previously, the certificate signing request (CSR) approver included certificates from other systems within its calculations for whether it was overwhelmed and should stop approving certificates. In larger clusters, with other subsystems using CSRs, the CSR approver counted unrelated unapproved CSRs towards its total and prevented further approvals. With this release, the CSR approver only includes CSRs that it can approve, by using the signerName property as a filter. As a result, the CSR approver only prevents new approvals when there are a large number of unapproved CSRs for the relevant signerName values. (OCPBUGS-46425)

Previously, some cluster autoscaler metrics were not initialized, and therefore were not available. With this release, these metrics are initialized and available. (OCPBUGS-46416)

Previously, if an informer watch stream missed an event because of a temporary disconnection, the informer might return a special signal type after it reconnected to the network, especially when the informer recognizes that an EndpointSlice object was deleted during the temporary disconnection. The returned signal type indicated that the state of the event has stalled and that the object was deleted. The returned signal type was not accurate and might have caused confusion for a OpenShift Container Platform user. With this release, the Cloud Controller Manager (CCM) handles unexpected signal types so that OpenShift Container Platform users do not receive confusing information from returned types. (OCPBUGS-45972)

Previously, when the AWS DHCP option set was configured to use a custom domain name that contains a trailing period (.), OpenShift Container Platform installation failed. With this release, the logic that extracts the hostname of EC2 instances and turns them into Kubelet node names is updated to trim trailing periods so that the resulting Kubernetes object name is valid. Trailing periods in the DHCP option set no longer cause installation to fail. (OCPBUGS-45889)

Previously, installation of an AWS cluster failed in certain environments on existing subnets when the publicIp parameter for the MachineSet object was explicity set to false. With this release, a configuration value set for publicIp no longer causes issues when the installation program provisions machines for your AWS cluster in certain environment. (OCPBUGS-45130)

Previously, enabling a provisioning network by editing the cluster-wide Provisioning resource was only possible on clusters with platform type baremetal, such as ones created by the IPI installer. On baremetal SNO and UPI clusters that would result in a validation error. The excessive validation has been removed, and enabling a provisioning network is now possible on baremetal clusters with platform type none. As with IPI, users are responsible for making sure that all networking requirements are met for this operation. (OCPBUGS-43371)

Previously, the installation program populated the network.devices, template, and workspace fields in the spec.template.spec.providerSpec.value section of the VMware vSphere control plane machine set custom resource (CR). These fields should be set in the vSphere failure domain, and the installation program populating them caused unintended behaviors. Updating these fields did not trigger an update to the control plane machines, and these fields were cleared when the control plane machine set was deleted. With this release, the installation program is updated to no longer populate values that are included in the failure domain configuration. If these values are not defined in a failure domain configuration, for instance on a cluster that is updated to OpenShift Container Platform 4.18 from an earlier version, the values defined by the installation program are used. (OCPBUGS-42660)

Previously, the cluster autoscaler would occasionally leave a node with a PreferNoSchedule taint during deletion. With this release, the maximum bulk deletion limit is disabled so that nodes with this taint no longer remain after deletion. (OCPBUGS-42132)

Previously, the Cloud Controller Manager (CCM) liveness probe used on IBM Cloud cluster installations could not use loopback and this caused the probe to continuously restart. With this release, the probe can use loopback so that this issue not longer occurs. (OCPBUGS-41936)

Previously, the approval mechanism for certificate signing requests (CSRs) failed because the node name and internal DNS entry for a CSR did not match in terms of character case differences. With this release, an update to the approval mechanism for CSRs skips case-sensitive checks so that a CSR with a matching node name and internal DNS entry does not fail the check because of character case differences. (OCPBUGS-36871)

Previously, the cloud node manager had permission to update any node object when it needed to update only the node on which it was running. With this release, restrictions have been put in place to prevent the node manager from one node updating the node object of another node.(OCPBUGS-22190)

Previously, the aws-sdk-go-v2 software development kit (SDK) failed to authenticate an AssumeRoleWithWebIdentity API operation on an Amazon Web Services (AWS) Security Token Service (STS) cluster. With this release, pod-identity-webhook now includes a default region so that this issue no longer persists. (OCPBUGS-45937)

Previously, secrets in the cluster were fetched in a single call. When there were a large number of secrets, this caused the API to time out. With this release, the Cloud Credential Operator fetches secrets in batches limited to 100 secrets. This change prevents timeouts when there are large number of secrets in the cluster. (OCPBUGS-39531)

Previously, if you specified the forceSelinuxRelabel field in a ClusterResourceOverride custom resource (CR), and then modified it afterwards, the change would not be reflected in the clusterresourceoverride-configuration config map, which is used to apply the SELinux re-labeling workaround feature. With this update, the Cluster Resource Override Operator can track the change to the forceSelinuxRelabel feature in order to reconcile the config map object. As a result, the config map object is correctly updated when you change the ClusterResourceOverride CR field. (OCPBUGS-48692)

Previously, a custom security context constraint (scc) impacted any pod that was generated by the Cluster Version Operator from receiving a cluster version upgrade. With this release, OpenShift Container Platform now sets a default scc to each pod, so that any custom scc created does not impact a pod. (OCPBUGS-46410)

Previously, the Cluster Version Operator (CVO) did not filter internal errors that were propogated to the ClusterVersion Failing condition message. As a result, errors that did not negatively impact the update were shown in the ClusterVersion Failing condition message. With this release, the errors that are propogated to the ClusterVersion Failing condition message are filtered. (OCPBUGS-15200)

Previously, if a PipelineRun was using a resolver, rerunning that PipelineRun resulted in an error. With this fix, a user can rerun PipelineRun if it is using resolver. (OCPBUGS-45228)

Previously, on the if you edited a deployment config in Form view, the ImagePullSecrets values were duplicated. With this update, editing the form does not add duplicate entries. (OCPBUGS-45227)

Previously, when you searched on the OperatorHub or another catalog, you would experience periods of latency between each key press. With this update, the input on the catalog search bars are debounced. (OCPBUGS-43799)

Previously, no option existed to close the Getting started resources section in the Administrator perspective. With this change, user can close the Getting started resources section. (OCPBUGS-38860)

Previously, when cronjobs were created, the creation of pods happens too quickly, causing the component that fetches new pods off the cronjob to fail. With this update, a 3 second delay was added before starting to fetch the pods of the cronjob. (OCPBUGS-37584)

Previously, resources created when a new user is created were not removed automatically when the user was deleted. This caused clutter on the cluster with configuration maps, roles, and role-bindings. With this update, ownerRefs was added to the resources, so they are cleared once the user is deleted and the cluster no longer clutters with users. (OCPBUGS-37560)

Previously, when importing a Git repository using the serverless import strategy, the environment variables from the func.yaml were not automatically loaded into the form. With this update, the environment variables are now loaded upon import. (OCPBUGS-34764)

Previously, users would erroneously see an option to import a repository using the pipeline build strategy when the devfile import strategy was selected; however, this was not possible. With this update, the pipeline strategy has been removed when the devfile import strategy is selected. (OCPBUGS-32526)

Previously, when using a custom template, you could not enter multi-line parameters, such as private keys. With this release, you can switch between single-line and multi-line modes so you can fill out template fields with multi-line inputs. (OCPBUGS-23080)

Previously, you could not install a cluster on AWS in the ap-southeast-5 region or other regions because the OpenShift Container Platform internal registry did not support these regions. With this release, the internal registry is updated to include the following regions so that this issue no longer occurs:

Previously, when the Image Registry Operator was configured with networkAccess: Internal in Microsoft Azure, it would not be possible to successfully set managementState to Removed in the Operator configuration. This occurred because of an authorization error when the Operator tried to delete the storage container. With this update, the Image Registry Operator continues with the deletion of the storage account, which automatically deletes the storage container, resulting in a successful change into the Removed state. (OCPBUGS-42732)

Previously, when configuring the image registry to use an Microsoft Azure storage account located in a resource group other than the cluster’s resource group, the Image Registry Operator would become degraded due to a validation error. This update changes the Image Registry Operator to allow for authentication by only storage account key without validating for other authentication requirements. (OCPBUGS-42514)

Previously, installation with the OpenShift installer used the cluster API. Virtual networks created by the cluster API use a different tag template. Consequently, setting .spec.storage.azure.networkAccess.type: Internal in the Image Registry Operator’s config.yaml file resulted in the Image Registry Operator unable to discover the virtual network. With this update, the Image Registry Operator searches for both new and old tag templates, resolving the issue. (OCPBUGS-42196)

Previously, the image registry would, in some cases, panic when attempting to purge failed uploads from s3-compatible storage providers. This was caused by the image registry’s s3 driver mishandling empty directory paths. With this update, the image registry properly handles empty directory paths, fixing the panic. (OCPBUGS-39108)

Previously, installing a cluster with a Dynamic Host Configuration Protocol (DHCP) network on Nutanix caused a failure. With this release, this issue is resolved. (OCPBUGS-38118)

Previously, installing an AWS cluster in either the Commercial Cloud Services (C2S) region or the Secret Commercial Cloud Services (SC2S) region failed because the installation program added unsupported security groups to the load balancer. With this release, the installation program no longer adds unsupported security groups to the load balancer for a cluster that needs to be installed in either the C2S region or SC2S region. (OCPBUGS-33311)

Previously, when installing a Google Cloud Platform (GCP) cluster where instances required that IP forwarding was not set, the installation failed. With this release, IP forwarding is disabled for all GCP machines and the issue is resolved. (OCPBUGS-49842)

Previously, when installing a cluster on AWS in existing subnets, for bring your own virtual private cloud (BYO VPC) in edge zones, the installation program did not tag the subnet edge resource with kubernetes.io/cluster/<InfraID>:shared. With this release, all subnets that are used in the install-config.yaml file contain the required tags. (OCPBUGS-49792)

Previously, a cluster that was created on Amazon Web Services (AWS) could fail to deprovision the cluster without the permissions to release the EIP address, ec2:ReleaseAddress. This issue occurred when the cluster was created with the minimum permissions in an existing virtual private cloud (VPC), including an unmanaged VPC or bring your own (BYO) VPC, and BYO Public IPv4 Pool address. With this release, the ec2:ReleaseAddress permission is exported to the Identity and Access Management (IAM) policy generated during installation. (OCPBUGS-49735)

Previously, when installing a cluster on Nutanix, the installation program could fail with a timeout while uploading images to Prism Central. This occurred in some slower Prism Central environments when the Prism API attempted to load the Red Hat Enterprise Linux CoreOS (RHCOS) image. The Prism API call timeout value was 5 minutes. With this release, the Prism API call timeout value is a configurable parameter platform.nutanix.prismAPICallTimeout in the install-config.yaml file and the default timeout value is 10 minutes. (OCPBUGS-49148)

Previously, the oc adm node-image monitor command failed because of a temporary API server disconnection and then displayed an error or End of File message. With this release, the installation program ignores a temporary API server disconnection and the monitor command tries to connect to the API server again. (OCPBUGS-48714)

Previously, when you deleted backend service resources on Google Cloud Platform (GCP), some resources to be deleted were not found. For example, the associated forwarding rules, health checks, and firewall rules were not deleted. With this release, the installation program tries to find the backend service by name first, then searches for forwarding rules, health checks, and firewall rules before it determines if those results match a backend service. The algorithm for associating resources is reversed and the appropriate resources are deleted. There are no leaked backend service resources and the issue is resolved. When you delete a private cluster, the forwarding rules, backend services, health checks, and firewall rules created by the Ingress Operator are not deleted. (OCPBUGS-48611)

Previously, OpenShift Container Platform was not compliant with PCI-DSS/BAFIN regulations. With this release, the cross-tenant object replication in Microsoft Azure is unavailable. Consequently, the chance of unauthorized data access is reduced and the strict adherence to data governance policies is ensured. (OCPBUGS-48118)

Previously, when you installed OpenShift Container Platform on Amazon Web Services (AWS) and specified an edge machine pool without an instance type, in some instances it caused the edge node to fail. With this release, if you specify an edge machine pool without an instance type you must use the permission ec2:DescribeInstanceTypeOfferings. The permission derives the correct instance type available, based on the AWS Local Zones or Wavelength Zones locations used. (OCPBUGS-47502)

Previously, when the API server disconnected temporarily, the command oc adm node-image monitor reported an end of file (EOF) error. With this release, when the API server disconnects temporarily, the monitor command does not fail. (OCPBUGS-46391)

Previously, when you specified the HostedZoneRole permission in the install-config.yaml file while creating a shared Virtual Private Cloud (VPC), you also had to specify the sts:AssumeRole permission. Otherwise, it caused an error. With this release, if you specify the HostedZoneRole permission the installation program validates that the sts:AssumeRole permission is present. (OCPBUGS-46046)

Previously, when the publicIpv4Pool configuration parameter was used during installation the permissions ec2:AllocateAddress and ec2:AssociateAddress were not validated. As a consequence, permission failures could occur during installation. With this release, the required permissions are validated before the cluster is installed and the issue is resolved. (OCPBUGS-45711)

Previously, during a disconnected installation, when the imageContentSources parameter was configured for more than one mirror for a source, the command to create the agent ISO image could fail, depending on the sequence of the mirror configuration. With this release, multiple mirrors are handled correctly when the agent ISO is created and the issue is resolved. (OCPBUGS-45630)

Previously, when installing a cluster using the Cluster API on installer-provisioned infrastructure, the user provided a machineNetwork parameter. With this release, the installation program uses a random machineNetwork parameter. (OCPBUGS-45485)

Previously, during an installation on Amazon Web Services (AWS), the installation program used the wrong load balancer when searching for the hostedZone ID, which caused an error. With the release, the correct load balancer is used and the issue is resolved. (OCPBUGS-45301)

Previously, endpoint overrides in IBM Power Virtual Server were not conditional. As a consequence, endpoint overrides were created incorrectly and caused failures in Virtual Private Environments (VPE). With this release, endpoint overrides are conditional only for disconnected installations. (OCPBUGS-44922)

Previously, during a shared Virtual Private Cloud (VPC) installation, the installation program added the records to a private DNS zone created by the installation program instead of adding the records to the cluster’s private DNS zone. As a consequence, the installation failed. With this release, the installation program searches for an existing private DNS zone and, if found, pairs that zone with the network that is supplied by the install-config.yaml file and the issue is resolved. (OCPBUGS-44641) (OCPBUGS-44641)

Previously, the oc adm drain --delete-local-data command was not supported in the 4.18 oc CLI tool. With this release, the command has been updated to oc adm drain --delete-emptydir-data. (OCPBUGS-44318)

Previously, US East (wdc04), US South (dal13), Sydney (syd05), and Toronto (tor01) regions were not supported for IBM Power Virtual Server. With this release, these regions, which include PowerEdgeRouter (PER) capabilities, are supported for IBM Power Virtual Server. (OCPBUGS-44312)

Previously, during a Google Cloud Platform (GCP) installation, when the installation program was creating filters with large numbers of returned data, for example for subnets, it exceeded the quota for the maximum number times that a resource can be filtered in a specific period. With this release, all relevant filtering is moved to the client so that the filter quotas are not exceeded and the issue is resolved. (OCPBUGS-44193)

Previously, during an Amazon Web Services (AWS) installation, the installation program validated all the tags in the install-config.yaml file only when you set propogateTags to true. With this release, the installation program validates all the tags in the install-config.yaml file. (OCPBUGS-44171)

Previously, if the RendezvousIP value matched a substring in the next-hop-address field of a compute node configuration, it reported a validation error. The RendezvousIP value must match a control plane host address only. With this release, a substring comparison for RendezvousIP value is used against a control plane host address only, so that the error no longer exists. (OCPBUGS-44167)

Previously, when you deleted a cluster in IBM Power Virtual Server, the Transit Gateway connections were cleaned up. With this release, if the tgName parameter is set, Red Hat OpenStack Platform (RHOSP) does not clean up the Transit Gateway connection when you delete a cluster. (OCPBUGS-44162)

Previously, when installing a cluster on an IBM platform and adding an existing VPC to the cluster, the Cluster API Provider IBM Cloud would not add ports 443, 5000, and 6443 to the security group of the VPC. This situation prevented the VPC from being added to the cluster. With this release, a fix ensures that the Cluster API Provider IBM Cloud adds the ports to the security group of the VPC so that the VPC gets added to your cluster. (OCPBUGS-44068)

Previously, the Cluster API Provider IBM Cloud module was very verbose. With this release, the verbosity of the module is reduced, and this will affect the output of the .openshift_install.log file. (OCPBUGS-44022)

Previously, when you deployed a cluster on a IBM Power Virtual Server zone, the load balancers were slow to create. As a consequence, the cluster failed. With this release, the Cluster API Provider IBM Cloud no longer has to wait until all load balancers are ready and the issue is resolved. (OCPBUGS-43923)

Previously, for the Agent-based Installer, all host validation status logs referred to the name of the first registered host. As a consequence, when a host validation failed, it was not possible to determine the problem host. With this release, the correct host is identified in each log message and now the host validation logs correctly show the host to which they correspond, and the issue is resolved. (OCPBUGS-43768)

Previously, when you used the oc adm node-image create command to generate the image while running the Agent-based Installer and the step fails, the accompanying error message did not show the container log. The oc adm node-image create command uses a container to generate the image. When the image generation step fails, the basic error message does not show the underlying issue that caused the image generation failure. With this release, to help troubleshooting, the oc adm node-image create command now shows the container log, so the underlying issue is displayed. (OCPBUGS-43757)

Previously, the Agent-based Installer failed to parse the cloud_controller_manager parameter in the install-config.yaml configuration file. This resulted in the Assisted Service API failing because it received an empty string, and this in turn caused the installation of the cluster to fail on Oracle® Cloud Infrastructure (OCI). With this release, an update to the parsing logic ensures that the Agent-based Installer correctly interprets the cloud_controller_manager parameter so that the Assisted Service API receives the correct string value. As a result, the Agent-based Installer can now installer a cluster on OCI. (OCPBUGS-43674)

Previously, an update to Azure SDK for Go removed the SendCertificateChain option and this changed the behavior of sending certificates. As a consequence, the full certificate chain was not sent. With this release, the option to send a full certification chain is available and the issue is resolved. (OCPBUGS-43567)

Previously, when installing a cluster on Google Cloud Platform (GCP) using the Cluster API implementation, the installation program did not distinguish between internal and external load balancers while creating firewall rules. As a consequence, the firewall rule for internal load balancers was open to all IP address sources, that is, 0.0.0.0/0. With this release, the Cluster API Provider GCP is updated to restrict firewall rules to the machine CIDR when using an internal load balancer. The firewall rule for internal load balancers is correctly limited to machine networks, that is, nodes in the cluster and the issue is resolved. (OCPBUGS-43520)

Previously, when installing a cluster on IBM Power Virtual Server, the required security group rules were not created. With this release, the missing security group rules for installation are identified and created and the issue is resolved. (OCPBUGS-43518)

Previously, when you tried to add a compute node with the oc adm node-image command by using an instance that was previously created with Red Hat OpenStack Platform (RHOSP), the operation failed. With this release, the issue is resolved by correctly setting the user-managed networking configuration. (OCPBUGS-43513)

Previously, when destroying a cluster on Google Cloud Platform (GCP), a forwarding rule incorrectly blocked the installation program. As a consequence, the destroy process failed to complete. With this release, the issue is resolved by the installation program setting its state correctly and marking all destroyed resources as deleted. (OCPBUGS-42789)

Previously, when configuring the Agent-Based Installer installation in a disconnected environment with more than one mirror for the same source, the installation might fail. This occurred because one of the mirrors was not checked. With this release, all mirrors are used when multiple mirrors are defined for the same source and the issue is resolved. (OCPBUGS-42705)

Previously, you could not change the AdditionalTrustBundlePolicy parameter in the install-config.yaml file for the Agent-based Installer. The parameter was always set to ProxyOnly. With this release, you can set AdditionalTrustBundlePolicy to other values, for example, Always. By default, the parameter is set to ProxyOnly. (OCPBUGS-42670)

Previously, when you installed a cluster and tried to add a compute node with the oc adm node-image command, it failed because the date, time, or both might have been inaccurate. With this release, the issue is resolved by applying the same Network Time Protocol (NTP) configuration in the target cluster MachineConfig chrony resource to the node ephemeral live environment (OCPBUGS-42544)

Previously, during installation the name of the artifact that the oc adm node-image create command generated did not include <arch> in its file name. As a consequence, the file name was inconsistent with other generated ISOs. With this release, a patch fixes the name of the artifact that is generated by the oc adm node-image create command by also including the referenced architecture as part of the file name and the issue is resolved. (OCPBUGS-42528)

Previously, the Agent-based Installer set the assisted-service object to a debug logging mode. Unintentionally, the pprof module in the assisted-service object, which uses port 6060, was then turned on. As a consequence, there was a port conflict and the Cloud Credential Operator (CCO) did not run. When requested by the VMware vSphere Cloud Controller Manager (CCM), vSphere secrets were not generated, the RHOSP CCM failed to initialize the nodes, and the cluster installation was blocked. With this release, the pprof module in the assisted-service object does not run when invoked by the Agent-based Installer. As a result, the CCO runs correctly and cluster installations on vSphere that use the Agent-based Installer succeed. (OCPBUGS-42525)

Previously, when a compute node was trying to join a cluster the rendezvous node rebooted before the process completed. As the compute node could not communicate as expected with the rendezvous node, the installation was not successful. With this release, a patch is applied that fixes the racing condition that caused the rendezvous node to reboot prematurely and the issue is resolved. (OCPBUGS-41811)

Previously, when using the Assisted Installer, selecting a multi-architecture image for s390x CPU architecture on Red Hat Hybrid Cloud Console could cause the installation to fail. The installation program reported an error that the new cluster was not created because the skip MCO reboot was not compatible with s390x CPU architecture. With this release, the issue is resolved. (OCPBUGS-41716)

Previously, a coding issue caused the Ansible script on RHOSP user-provisioned infrastructure installation to fail during the provisioning of compact clusters. This occurred when IPv6 was enabled for a three-node cluster. With this release, the issue is resolved and you can provision compact three-node clusters. (OCPBUGS-41538)

Previously, a coding issue caused the Ansible script on RHOSP user-provisioned installation infrastructure to fail during the provisioning of compact clusters. This occurred when IPv6 was enabled for a three-node cluster. With this release, the issue is resolved and you can provision compact three-node clusters on RHOSP for user-provisioned installation infrastructure. (OCPBUGS-39402)

Previously, the order of an Ansible Playbook was modified to run before the metadata.json file was created, which caused issues with older versions of Ansible. With this release, the playbook is more tolerant of missing files to accommodate older versions of Ansible and the issue is resolved. (OCPBUGS-39285)

Previously, when you installed a cluster there were issues using a compute node because the date, time, or both might have been inaccurate. With this release, a patch is applied to the live ISO time synchronization. The patch configures the /etc/chrony.conf file with the list of the additional Network Time Protocol (NTP) servers that the user provides in the agent-config.yaml file, so that you can use a compute node without experiencing a cluster installation issue. (OCPBUGS-39231)

Previously, when installing a cluster on bare metal using installer-provisioned infrastructure, the installation could time out if the network to the bootstrap virtual machine is slow. With this update, the timeout duration has been increased to cover a wider range of network performance scenarios. (OCPBUGS-39081)

Previously, the oc adm node-image create command failed when run against a cluster in a restricted environment with a proxy because the command ignored the cluster-wide proxy setting. With this release, when the command is run it includes the cluster proxy resource settings, if available, to ensure the command is run successfully and the issue is resolved. (OCPBUGS-38990)

Previously, when installing a cluster on Google Cloud Platform (GCP) into a shared Virtual Private Cloud (VPC) with a bring your own (BYO) hosted zone, the installation could fail due to an error creating the private managed zone. With this release, a fix ensures that where there is a preexisting private managed zone the installation program skips creating a new one and the issue is resolved. (OCPBUGS-38966)

Previously, an installer-provisioned installation on VMware vSphere to run OpenShift Container Platform 4.16 in a disconnected environment failed when the template could not be downloaded. With this release, the template is downloaded correctly and the issue is resolved. (OCPBUGS-38918)

Previously, during installation the oc adm node-image create command used the kube-system/cluster-config-v1 resource to determine the platform type. With this release, the installation program uses the infrastructure resource, which provides more accurate information about the platform type. (OCPBUGS-38802)

Previously, a rare condition on VMware vSphere Cluster API machines caused the vCenter session management to time out unexpectedly. With this release, the Keep Alive support is disabled in the current and later versions of Cluster API Provider vSphere, and the issue is resolved. (OCPBUGS-38657)

Previously, when a folder was undefined and the data center was located in a data center folder, a wrong folder structure was created starting from the root of the vCenter server. By using the Govmomi DatacenterFolders.VmFolder, it used the wrong path. With this release, the folder structure uses the data center inventory path and joins it with the virtual machine (VM) and cluster ID value, and the issue is resolved. (OCPBUGS-38599)

Previously, the installation program on Google Cloud Platform (GCP) filtered addresses to find and delete internal addresses only. The addition of Cluster API Provider Google Cloud Platform (GCP) provisioned resources included changes to address resources. With this release, Cluster API Provider GCP creates external addresses and these must be included in a cluster cleanup operation. (OCPBUGS-38571)

Previously, if you specified an unsupported architecture in the install-config.yaml file the installation program would fail with a connection refused message. With this update, the installation program correctly validates that the specified cluster architecture is compatible with OpenShift Container Platform, leading to successful installations. (OCPBUGS-38479)

Previously, when you used the Agent-based Installer to install a cluster, assisted-installer-controller timed out or exited the installation process depending on whether assisted-service was unavailable on the rendezvous host. This situation caused the cluster installation to fail during CSR approval checks. With this release, an update to assisted-installer-controller ensures that the controller does not timeout or exit if assisted-service is unavailable. The CSR approval check now works as expected. (OCPBUGS-38466)

Previously, installing a cluster with a Dynamic Host Configuration Protocol (DHCP) network on Nutanix caused a failure. With this release, this issue is resolved. (OCPBUGS-388118)

Previously, when the VMware vSphere vCenter cluster contained an ESXi host that did not have a standard port group defined and the installation program tried to select that host to import the OVA, the import failed and the error Invalid Configuration for device 0 was reported. With this release, the installation program verifies whether a standard port group for an ESXi host is defined and, if not, continues until it locates an ESXi host with a defined standard port group, or reports an error message if it fails to locate one, resolving the issue. (OCPBUGS-37945)

Previously, due to an EFI Secure Boot failure in the SCOS, when the FCOS pivoted to the SCOS the virtual machine (VM) failed to boot. With this release, the Secure Boot is disabled only when the Secure Boot is enabled in the `coreos.ovf ` configuration file, and the issue is resolved (OCPBUGS-37736)

Previously, when deprecated and supported fields were used with the installation program on VMware vSphere a validation error message was reported. With this release, warning messages are added specifying that using deprecated and supported fields are not recommended with the installation program on VMware vSphere. (OCPBUGS-37628)

Previously, if you tried to install a second cluster using existing Azure Virtual Networks (VNet) on Microsoft Azure, the installation failed. Where the front end IP address of the API server load balancer was not specified, the Cluster API fixed the address to 10.0.0.100. As this IP address was already taken by the first cluster, this resulted in the second load balancer failing to install. With this release, a dynamic IP address checks whether the default IP address is available. If it is unavailable, the dynamic IP selects the next available address and you can install the second cluster successfully with a different load balancer IP. (OCPBUGS-37442)

Previously, the installation program attempted to download the OVA on VMware vSphere whether the template field was defined or not. With this update, the issue is resolved. The installation program verifies if the template field is defined. If the template field is not defined, the OVA is downloaded. If the template field is defined, the OVA is not downloaded. (OCPBUGS-36494)

Previously, when installing a cluster on IBM Cloud the installation program checked the first group of subnets, that is 50, only when searching for subnet details by name. With this release, pagination support is provided to search all subnets. (OCPBUGS-36236)

Previously, when installing Cluster API Provider Google Cloud Platform (GCP) into a shared Virtual Private Cloud (VPC) without the required permission compute.firewalls.create the installation failed because no firewall rules were created. With this release, a fix ensures that a rule to create the firewall is skipped during installation and the issue is resolved. (OCPBUGS-35262)

Previously, for the Agent-Based installer, the networking layout defined through nmstate might result in a configuration error if all hosts do not have an entry in the interfaces section that matches an entry in the networkConfig section. However, if the entry in the networkConfig section uses a physical interface name then the entry in the interfaces section is not required.

Previously, the container tools module was enabled by default on the RHEL node. With this release, the container-tools module is disabled to install the correct package between conflicting repositories. (OCPBUGS-34844)

Previously, during entitled builds on a Red Hat OpenShift Container Platform cluster running on IBM Z hardware, repositories were not enabled. This issue has been resolved. You can now enable repositories during entitled builds on a Red Hat OpenShift Container Platform cluster running on IBM Z hardware. (OCPBUGS-32233)

Previously, Red Hat Enterprise Linux (RHEL) CoreOS templates that were shipped by the Machine Config Operator (MCO) caused node scaling to fail on Red Hat OpenStack Platform (RHOSP). This issue happened because of an issue with systemd and the presence of a legacy boot image from older versions of OpenShift Container Platform. With this release, a patch fixes the issue with systemd and removes the legacy boot image, so that node scaling can continue as expected. (OCPBUGS-42324)

Previously, if you enabled on-cluster layering for your cluster and you attempted to configure kernel arguments in the machine configuration, machine config pools (MCPs) and nodes entered a degraded state. This happened because of a configuration mismatch. With this release, a check for kernel arguments for a cluster with OCL-enabled ensures that the arguments are configured and applied to nodes in the cluster. This update prevents any mismatch that previously occurred between the machine configuration and the node configuration. (OCPBUGS-34647)

Previously, clicking the "Don’t show again" link in the Lightspeed modal dialog did not correctly navigate to the general User Preference tab when one of the other User Preference tabs was displayed. After this update, clicking the "Don’t show again" link correctly navigates to the general User Preference tab. (OCPBUGS-48106)

Previously, multiple external link icons might show in the primary action button of the OperatorHub modal. With this update, only a single external link icon appears. (OCPBUGS-47742)

Previously, the web console was disabled when the authorization type was set to None in the cluster authentication configuration. With this update, the web console no longer disables when the authorization type was set to None. (OCPBUGS-46068)

Previously, the MachineConfig Details tab displayed an error when one or more spec.config.storage.file did not include optional data. With this update, the error no longer occurs and the Details tab renders as expected. (OCPBUGS-44049)

Previously, an extra name property was passed into resource list page extensions used to list related Operands on the CSV details page. As a result, the Operand list was filtered by the cluster service version (CSV) name and often returned an empty list. With this update, Operands are listed as expected. (OCPBUGS-42796)

Previously, the Sample tab did not show when creating a new ConfigMap with one or more ConfigMap ConsoleYAMLSamples present on the cluster. After this update, the Sample tab shows with one or more ConfigMap ConsoleYAMLSamples present. (OCPBUGS-41492)

Previously, the Events page resource type filter incorrectly reported the number of resources when three or more resources were selected. With this update, the filter always reports the correct number of resources. (OCPBUGS-38701)

Previously, the version number text in the updates graph on the Cluster Settings page appeared as black text on a dark background while viewing the page using Firefox in dark mode. With this update, the text appears as white text. (OCPBUGS-37988)

Previously, Alerting pages did not show resource information in their empty state. With this update, resource information is available on the Alerting pages. (OCPBUGS-36921)

Previously, the Operator Lifecycle Manager (OLM) CSV annotation contained unexpected JSON, which was successfully parsed, but then threw a runtime error when attempting to use the resulting value. With this update, JSON values from OLM annotations are validated before use, errors are logged, and the console does not fail when unexpected JSON is received in an annotation. (OCPBUGS-35744)

Previously, silenced alerts were visible on the Overview page of the OpenShift Container Platform web console. This occurred because the alerts did not include any external labels. With this release, silenced alerts include the external labels so they are filtered out and are not viewable. (OCPBUGS-31367)

Previously, if the SMTP smarthost or from fields under the emailConfigs object were not specified at the global or receiver level in the AlertmanagerConfig custom resource (CR), Alertmanager would crash because these fields are required. With this release, the Prometheus Operator fails reconciliation if these fields are not specified. Therefore, the Prometheus Operator no longer pushes invalid configurations to Alertmanager, preventing it from crashing. (OCPBUGS-48050)

Previously, the Cluster Monitoring Operator (CMO) did not mark configurations in cluster-monitoring-config and user-workload-monitoring-config config maps as invalid for unknown (for example, no longer supported) or duplicated fields. With this release, stricter validation is added that helps identify such errors. (OCPBUGS-42671)

Previously, it was not possible for a user to query the user workload monitoring Thanos API endpoint with POST requests. With this update, a cluster admin can bind a new pod-metrics-reader cluster role with a role binding or cluster role binding to allow POST queries for a user or service account. (OCPBUGS-41158)

Previously, an invalid config map configuration for core platform monitoring, user workload monitoring, or both caused Cluster Monitoring Operator (CMO) to report an InvalidConfiguration error. With this release, if only the user workload monitoring configuration is invalid, CMO reports UserWorkloadInvalidConfiguration, making it clear where the issue is located. (OCPBUGS-33863)

Previously, telemeter-client containers showed a TelemeterClientFailures Warnings message in multiple clusters. With this release, a runbook is added for the TelemeterClientFailures alert to explain the cause of the alert triggering and the alert provides resolution steps. (OCPBUGS-33285)

Previously, AlertmanagerConfig objects with invalid child routes generated invalid Alertmanager configuration leading to Alertmanager disruption. With this release, Prometheus Operator rejects such AlertmanagerConfig objects, and users receive a warning about the invalid child routes in logs. (OCPBUGS-30122)

Previously, the config-reloader for Prometheus for user-defined projects would fail if unset environment variables were used in the ServiceMonitor configuration, which resulted in Prometheus pods failing. With this release, the reloader no longer fails when an unset environment variable is encountered. Instead, unset environment variables are left as they are, while set environment variables are expanded as usual. Any expansion errors, suppressed or otherwise, can be tracked through the reloader_config_environment_variable_expansion_errors variable. (OCPBUGS-23252)

Previously, enabling encapsulated security payload (ESP) offload hardware when using IPSec on Open vSwitch attached interfaces would break connectivity in your cluster. To resolve this issue, OpenShift Container Platform by default disables ESP offload hardware on Open vSwitch attached interfaces. This fixes the issue. (OCPBUGS-42987)

Previously, if you deleted the default sriovOperatorConfig custom resource (CR), you could not recreate the default sriovOperatorConfig CR, because the ValidatingWebhookConfiguration was not initially deleted. With this release, the Single Root I/O Virtualization (SR-IOV) Network Operator removes validating webhooks when you delete the sriovOperatorConfig CR, so that you can create a new sriovOperatorConfig CR. (OCPBUGS-41897)

Previously, if you set custom annotations in a custom resource (CR), the SR-IOV Operator would override all the default annotations in the SriovNetwork CR. With this release, when you define custom annotations in a CR, the SR-IOV Operator does not override the default annotations. (OCPBUGS-41352)

Previously, bonds that were configured in active-backup mode would have IPsec Encapsulating Security Payload (ESP) offload active even if underlying links did not support ESP offload. This caused IPsec associations to fail. With this release, ESP offload is disabled for bonds so that IPsec associations pass. (OCPBUGS-39438)

Previously, the Machine Config Operator (MCO)'s vSphere resolve-prepender script used systemd directives that were incompatible with old bootimage versions used in OpenShift Container Platform 4. With this release, nodes can scale using newer bootimage versions 4.18 4.13 and above, through manual intervention, or by upgrading to a release that includes this fix. (OCPBUGS-38012)

Previously, the Ingress Controller status incorrectly displayed as Degraded=False because of a migration time issue with the CanaryRepetitiveFailures condition. With this release, the Ingress Controller status is correctly marked as Degraded=True for the appropriate length of time that the CanaryRepetitiveFailures condition exists. (OCPBUGS-37491)

Previously, when a pod was running on a node on which egress IPv6 is assigned, the pod was not able to communicate with the Kubernetes service in a dual stack cluster. This resulted in the traffic with the IP family, that the egressIP is not applicable to, being dropped. With this release, only the source network address translation (SNAT) for the IP family that the egress IPs applied to is deleted, eliminating the risk of traffic being dropped. (OCPBUGS-37193)

Previously, the Single-Root I/O Virtualization (SR-IOV) Operator did not expire the acquired lease during the Operator’s shutdown operation. This impacted a new instance of the Operator, because the new instance had to wait for the lease to expire before the new instance was operational. With this release, an update to the Operator shutdown logic ensures that the Operator expires the lease when the Operator is shutting down. (OCPBUGS-23795)

Previously, for an Ingress resource with an IngressWithoutClassName alert, the Ingress Controller did not delete the alert along with deletion of the resource. The alert continued to show on the OpenShift Container Platform web console. With this release, the Ingress Controller resets the openshift_ingress_to_route_controller_ingress_without_class_name metric to 0 before the controller deletes the Ingress resource, so that the alert is deleted and no longer shows on the web console. (OCPBUGS-13181)

Previously, when either the clusterNetwork or serviceNetwork IP address pools overlapped with the default transit_switch_subnet 100.88.0.0/16 IP address and the custom value of transit_switch_subnet did not take effect, ovnkube-node pods crashed after the live migration operation. With this release, the custom value of transit_switch_subnet can be passed to ovnkube node pods, so that this issue no longer persists. (OCPBUGS-43740)

Previously, a change in OVN-Kubernetes that standardized the appProtocol value h2c to kubernetes.io/h2c was not recognized by OpenShift router. Consequently, specifying appProtocol: kubernetes.io/h2c on a service did not cause OpenShift router to use clear-text HTTP/2 to connect to the service endpoints. With this release, OpenShift router was changed to handle appProtocol: kubernetes.io/h2c the same way as it handles appProtocol: h2c resolving the issue. (OCPBUGS-42972)

Previously, instructions that guided the user after changing the LoadBalancer parameter from External to Internal were missing for IBM Power Virtual Server, Alibaba Cloud, and Red Hat OpenStack Platform (RHOSP). This caused the Ingress Controller to be put in a permanent Progressing state. With this release the message The IngressController scope was changed from Internal to External is followed by To effectuate this change, you must delete the service resolving the permanent Progressing state. (OCPBUGS-39151)

Previously, there was no event logged when an error occurred from failed conversion from ingress to route conversion. With this update, this error appear in the event logs. (OCPBUGS-29354)

Previously, an ovnkube-node pod on a node that uses cgroup v1 was failing because it could not find the kubelet cgroup path. With this release, an ovnkube-node pod no longer fails if the node uses cgroup v1. However, the OVN-Kubernetes network plugin outputs an UDNKubeletProbesNotSupported event notification. If you enable cgroup v2 for each node, OVN-Kubernetes no longer outputs the event notification.(OCPBUGS-50513)

Previously, when you finished the live migration for a kubevirt virtual machine (VM) that uses the Layer 2 topology, an old node still transmits IPv4 egress traffic to the virtual machine. With this release, the OVN-Kubernetes plugin updates the gateway MAC address for a kubevirt virtual machine (VM) during the live migration process so that this issue no longer occurs. (OCPBUGS-49857)

Previously, the DNS-based egress firewall incorrectly prevented creation of a firewall rule that contained a DNS name in uppercase characters. With this release, an fix to the egress firewall no longer prevents creation of a firewall rule that contains a DNS name in uppercase characters. (OCPBUGS-49589)

Previously, when you attempted to use the Cluster Network Operator (CNO) to upgrade a cluster with existing localnet networks, ovnkube-control-plane pods failed to run. This happened because the ovnkube-cluster-manager container could not process an OVN-Kubernetes localnet topology network that did not have subnets defined. With this release, a fix ensures that the ovnkube-cluster-manager container can process an OVN-Kubernetes localnet topology network that does not have subnets defined. (OCPBUGS-44195)

Previously, the SR-IOV Network Operator could not retrieve metadata when cloud-native network (CNF) workers were deployed with a configuration drive on Red Hat OpenStack Platform (RHOSP). A configuration drive is often unmounted after a boot operation on immutable systems, so now the Operator dynamically mounts a configuration drive when required. The Operator can now retrieve the metadata and then unmount the configuration drive. This means that you no longer need to manually mount and unmount the configuration drive. (OCPBUGS-41829)

Previously, when you switched your cluster to use a different load balancer, the Ingress Operator did not remove the values from the classicLoadBalancer and networkLoadBalancer parameters in the IngressController custom resource (CR) status. This situation caused the status of the CR to report wrong information from the classicLoadBalancer and networkLoadBalancer parameters. With this release, after you switch your cluster to use a different load balancer, the Ingress Operator removes values from these parameters so that the CR reports a more accurate and less confusing message status. (OCPBUGS-38217)

Previously, a duplicate feature gate, ExternalRouteCertificate, was added to the FeatureGate CR. With this release, ExternalRouteCertificate is removed because a OpenShift Container Platform cluster does not use this feature gate. (OCPBUGS-36479)

Previously, after a user created a route, the user needed both create and update permissions on the routes/custom-host sub-resource to edit the .spec.tls.externalCertificate field of a route. With this release, this permission requirement has been fixed, so that a user only needs the create permission to edit the .spec.tls.externalCertificate field of a route. The update permission is now marked as an optional permission. (OCPBUGS-34373)