OpenShift Container Platform 4.17 release notes

Updating Go-based Operator projects

Updating Ansible-based Operator projects

Updating helm-based Operator projects

Updating Hybrid helm-based Operator projects

Updating Java-based Operator projects

Not Available

Technology Preview

General Availability

Deprecated

Removed

Previously, attempting to configure RAID on specific hardware models by using Redfish might have resulted in the following error: The attribute StorageControllers/Name is missing from the resource. With this update, the validation logic no longer requires the Name field, because the field is not mandated by the Redfish standard. (OCPBUGS-38465)

Previously, the management interface for the iDRAC9 Redfish management interface in the Redfish Bare Metal Operator (BMO) module was incorrectly set to iPXE. This caused the error Could not find the following interface in the ironic.hardware.interfaces.management entrypoint: ipxe and the deployment failed on Dell Remote Access Controller (iDRAC)-based servers. With this release, the issue is resolved. (OCPBUGS-37261)

Previously, builds could not set the GIT_LFS_SKIP_SMUDGE environment variable and use its value when cloning the source code. This caused builds to fail for some Git repositories with LFS files. With this release, the build is able to set this environment variable and use it during the git clone step of the build, which resolves the issue. (OCPBUGS-33215)

Previously, if the developer or cluster admin used lowercase environment variable names for proxy information, these environment variables were carried into the build output container image. At runtime, the proxy settings were active and had to be unset. With this release, lowercase versions of the _PROXY environment variables are prevented from leaking into built container images. Now, buildDefaults are only kept during the build and settings created for the build process only are removed before pushing the image in the registry. (OCPBUGS-12699)

Previously, a machine controller failed to save the VMware vSphere task ID of an instance template clone operation. This caused the machine to go into the Provisioning state and to power off. With this release, the VMware vSphere machine controller can detect and recover from this state. (OCPBUGS-1735)

Previously, the machine-api Operator reacted when it deleted a server that was in an ERROR state. This happened because the server did not pass a port list. With this release, deleting a machine stuck in an ERROR state does not cause an Operator reaction. (OCPBUGS-33806)

Previously, you could not configure capacity reservation on a Microsoft Azure Workload Identity cluster because of missing permissions. With this release, the Microsoft.Compute/capacityReservationGroups/deploy/action permission is added as a default credential request in the <infra-name>-openshift-machine-api-azure-cloud-credentials custom role, so that you can now configure capacity reservation as expected. (OCPBUGS-37154)

Previously, an optional internal function of the cluster autoscaler caused repeated log entries when it was not implemented. The issue is resolved in this release. (OCPBUGS-33592)

Previously, a node associated with a restarting machine briefly having a status of Ready=Unknown triggered the UnavailableReplicas condition in the Control Plane Machine Set Operator. This condition caused the Operator to enter the Available=False state and trigger alerts because that state indicates a nonfunctional component that requires immediate administrator intervention. This alert should not have been triggered for the brief and expected unavailabilty during a restart. With this release, a grace period for node unreadiness is added to avoid triggering unnecessary alerts. (OCPBUGS-20061)

Previously, when an OpenShift Container Platform cluster was installed with no capabilities and later enabled the Build capability, the related Build cluster configuration custom resource definition (CRD) was not created. With this release, the Build cluster configuration CRD and its default instance are created. This allows the Build capability to be fully configured and customized. (OCPBUGS-34395)

Previously, role bindings related to the Image Registry, Build, and DeploymentConfig capabilities were created in every namespace, even if the capabilities were disabled. With this release, role bindings is only created if the capability is enabled on the cluster. (OCPBUGS-34077)

Previously, secrets in the cluster were fetched in a single call. When there was a large number of secrets, the API timed out. With this release, the Cloud Credential Operator fetches secrets in batches limited to 100 secrets. This change prevents timeouts when there is a large number of secrets in the cluster. (OCPBUGS-41233)

Previously, the Cloud Credential Operator reported an error when the awsSTSIAMRoleARN role was not present on a cluster that used manual mode with AWS Security Token Service. With this release, the Cloud Credential Operator no longer reports this as an error. (OCPBUGS-33566)

Previously, when checking whether passthrough permissions are sufficient, the Cloud Credential Operator sometimes received a response from the Google Cloud Platform (GCP) API that a permission is invalid for a project. This response caused the Operator to become degraded and installation to fail. With this release, the Operator is updated to handle this error gracefully. (OCPBUGS-36140)

Previously, a rarely occurring race condition between Go routines caused the Cluster Version Operator (CVO) to panic after the CVO started. With this release, the Go routines synchronization is improved and the issue is resolved. (OCPBUGS-32678)

Previously, on some browsers, some icons in the samples catalog were stretched, making it hard to read. With this update, the icons were resized correctly, and now the icons are no longer stretched and easier to read. (OCPBUGS-34516)

Previously, s2i build strategy was not explicitly mentioned in the func.yml. Therefore you could not create OpenShift Serverless functions with the repository. Additionally, error messages were not available if s2i is not mentioned or if func.yml. As a result, identifying the reason of failures was not apparent. With this update, if the s2i build strategy is not mentioned, users can still create a function. If it is not s2i, users cannot create a function. The error messages are now different for both the cases. (OCPBUGS-33733)

Previously, when using a Quick Start guided tour in the OpenShift Container Platform web console, it took multiple clicks of the Next button to skip to the next step if the check your work dialog was ignored. With this update, it only takes one click, regardless of the state of the check your work box. (OCPBUGS-25929)

Previously, DTK incorrectly included the same values for KERNEL_VERSION and RT_KERNEL_VERSION that exist in the /etc/driver-toolkit-release.json configuration file. With this update, the RT_KERNEL_VERSION is displayed correctly. (OCPBUGS-33699)

Previous versions of the etcd Operator checked the health of etcd members in serial with an all-member timeout that matched the single-member timeout. As a result, one slow member check could consume the entire timeout and cause later member checks to fail, regardless of the health of that later member. In this release, the etcd Operator checks the health of members in parallel, so the health and speed of one member’s check does not affect the other members' checks. (OCPBUGS-36301)

Previously, the health checks for the etcd Operator were not ordered. As a consequence, the health check sometimes failed even though all etcd members were healthy. The health-check failure triggered a scale-down event that caused the Operator to prematurely remove a healthy member. With this release, the health checks in the Operator are ordered. As a result, the health checks correctly reflect the health of etcd members and an incorrect scale-down event does not occur. (OCPBUGS-36462)

Previously, when a hosted cluster proxy was configured and it used an identity provider (IDP) that had an HTTP or HTTPS endpoint, the hostname of the IDP was unresolved before sending it through the proxy. Consequently, hostnames that could only be resolved by the data plane failed to resolve for IDPs. With this update, a DNS lookup is performed before sending IPD traffic through the konnectivity tunnel. As a result, IDPs with hostnames that can only be resolved by the data plane can be verified by the Control Plane Operator. (OCPBUGS-41371)

Previously, when the hosted cluster controllerAvailabilityPolicy was set to SingleReplica, podAntiAffinity on networking components blocked the availability of the components. With this release, the issue is resolved. (OCPBUGS-39313)

Previously, the AdditionalTrustedCA that was specified in the hosted cluster image configuration was not reconciled into the openshift-config namespace, as expected by the image-registry-operator, and the component did not become available. With this release, the issue is resolved. (OCPBUGS-39225)

Previously, Red Hat HyperShift periodic conformance jobs failed because of changes to the core operating system. These failed jobs caused the OpenShift API deployment to fail. With this release, an update recursively copies individual trusted certificate authority (CA) certificates instead of copying a single file, so that the periodic conformance jobs succeed and the OpenShift API runs as expected. (OCPBUGS-38941)

Previously, the Konnectivity proxy agent in a hosted cluster always sent all TCP traffic through an HTTP/S proxy. It also ignored host names in the NO_PROXY configuration because it only received resolved IP addresses in its traffic. As a consequence, traffic that was not meant to be proxied, such as LDAP traffic, was proxied regardless of configuration. With this release, proxying is completed at the source (control plane) and the Konnectivity agent proxying configuration is removed. As a result, traffic that is not meant to be proxied, such as LDAP traffic, is not proxied anymore. The NO_PROXY configuration that includes host names is honored. (OCPBUGS-38637)

Previously, the azure-disk-csi-driver-controller image was not getting appropriate override values when using registryOverride. This was intentional so as to avoid propagating the values to the azure-disk-csi-driver data plane images. With this update, the issue is resolved by adding a separate image override value. As a result, the azure-disk-csi-driver-controller can be used with registryOverride and no longer affects azure-disk-csi-driver data plane images. (OCPBUGS-38183)

Previously, the AWS cloud controller manager within a hosted control plane that was running on a proxied management cluster would not use the proxy for cloud API communication. With this release, the issue is fixed. (OCPBUGS-37832)

Previously, proxying for Operators that run in the control plane of a hosted cluster was performed through proxy settings on the Konnectivity agent pod that runs in the data plane. It was not possible to distinguish if proxying was needed based on application protocol.

Previously, proxying for IDP communication occurred in the Konnectivity agent. By the time traffic reached Konnectivity, its protocol and hostname were no longer available. As a consequence, proxying was not done correctly for the OAUTH server pod. It did not distinguish between protocols that require proxying (http/s) and protocols that do not (ldap://). In addition, it did not honor the no_proxy variable that is configured in the HostedCluster.spec.configuration.proxy spec.

Previously, the HostedClusterConfig Operator (HCCO) did not delete the ImageDigestMirrorSet CR (IDMS) after you removed the ImageContentSources field from the HostedCluster object. As a consequence, the IDMS persisted in the HostedCluster object when it should not. With this release, the HCCO manages the deletion of IDMS resources from the HostedCluster object. (OCPBUGS-34820)

Previously, deploying a hostedCluster in a disconnected environment required setting the hypershift.openshift.io/control-plane-operator-image annotation. With this update, the annotation is no longer needed. Additionally, the metadata inspector works as expected during the hosted Operator reconciliation, and OverrideImages is populated as expected. (OCPBUGS-34734)

Previously, hosted clusters on AWS leveraged their VPC’s primary CIDR range to generate security group rules on the data plane. As a consequence, if you installed a hosted cluster into an AWS VPC with multiple CIDR ranges, the generated security group rules could be insufficient. With this update, security group rules are generated based on the provided machine CIDR range to resolve this issue. (OCPBUGS-34274)

Previously, the OpenShift Cluster Manager container did not have the right TLS certificates. As a consequence, you could not use image streams in disconnected deployments. With this release, the TLS certificates are added as projected volumes to resolve this issue. (OCPBUGS-31446)

Previously, the internal image registry would not correctly authenticate users on clusters configured with external OpenID Connect (OIDC) users. Consequently, this made it impossible for users to push or pull images to and from the internal image registry. With this update, the internal image registry starts by using the SelfSubjectReview API, dropping use of the openshift specific user API, which is not available on clusters configured with external OIDC users. As a result, it is now possible to successfully authenticate with the internal image registry again. (OCPBUGS-35335)

Previously, the image registry was unable to run due to a permissions error in the certificate directory. This issue has been resolved. (OCPBUGS-38885)

Previously, when enabling virtualHostedStyle with regionEndpoint set in image registry Operator config, the image registry would ignore the virtual hosted style config and would fail to start. This update fixes the issue by using a new upstream distribution configuration, which is force path style, in favor of the downstream only version, which is virtual hosted style. (OCPBUGS-32710)

Previously, when OpenShift Container Platform was deployed on Azure clusters with Workload ID, storage accounts created for the cluster and the image registry had Storage Account Key Access enabled by default, which could pose security risks to the deployment.

Previously, extracting the IP address from the Cluster API Machine object only returned a single address. On VMware vSphere, the returned address would always be an IPv6 address and this caused issues with the must-gather implementation if the address was non-routable. With this release, the Cluster API Machine object returns all IP addresses, including IPv4, so that the must-gather issue no longer occurs on VMware vSphere. (OCPBUGS-37427)

Previously, when installing a cluster on IBM Cloud® into an existing VPC, the installation program retrieved an unsupported VPC region. Attempting to install into a supported VPC region that follows the unsupported VPC region alphabetically caused the installation program to crash. With this release, the installation program is updated to ignore any VPC regions that are not fully available during resource lookups. (OCPBUGS-14963)

Previously, the installation program attempted to download the OVA on VMware vSphere whether the template field was defined or not. With this update, the issue is resolved. The installation program verifies if the template field is defined. If the template field is not defined, the OVA is downloaded. If the template field is defined, the OVA is not downloaded. (OCPBUGS-39240)

Previously, enabling custom feature gates sometimes caused installation on an AWS cluster to fail if the feature gate ClusterAPIInstallAWS=true was not enabled. With this release, the ClusterAPIInstallAWS=true feature gate is not required. (OCPBUGS-34708)

Previously, some processes could be left running if the installation program exited due to infrastructure provisioning failures. With this update, all installation-related processes are terminated when the installation program terminates. (OCPBUGS-36378)

Previously, the installation program required permission to create and delete IAM roles when installing a cluster on AWS even when an existing IAM role was provided. With this update, the installation program only requires these permissions when it is creating IAM roles. (OCPBUGS-36390)

Previously, long cluster names were trimmed without warning the user. With this update, the installation program warns the user when trimming long cluster names. (OCPBUGS-33840)

Previously, the openshift-install CLI sometimes failed to connect to the bootstrap node when collecting bootstrap gather logs. The installation program reported an error message such as The bootstrap machine did not execute the release-image.service systemd unit. With this release and after the bootstrap gather logs issue occurs, the installation program now reports Invalid log bundle or the bootstrap machine could not be reached and bootstrap logs were not collected, which is a more accurate error message. (OCPBUGS-34953)

Previously, when installing a cluster on AWS, subnets that the installation program created were incorrectly tagged with the kubernetes.io/cluster/<clusterID>: shared tag. With this update, these subnets are correctly tagged with the kubernetes.io/cluster/<clusterID>: owned tag. (OCPBUGS-36904)

Previously, the local etcd data store that is saved during installation was not deleted if the installation failed, consuming extra space on the installation host. With this update, the data store is deleted if infrastructure provisioning failures prevent a successful installation. (OCPBUGS-36284)

Previously, when a folder was undefined and the data center was located in a data center folder, an wrong folder structure was created starting from the root of the vCenter server. By using the Govmomi DatacenterFolders.VmFolder, it used the a wrong path. With this release, the folder structure uses the data center inventory path and joins it with the virtual machine (VM) and cluster ID value, and the issue is resolved. (OCPBUGS-38616)

Previously, when templates are defined for each failure domain, the installation program required an external connection to download the OVA in VMware vSphere. With this release, the issue is resolved. (OCPBUGS-39239)

Previously, installing a cluster with a Dynamic Host Configuration Protocol (DHCP) network on Nutanix caused a failure. With this release, this issue is resolved. (OCPBUGS-38934)

Previously, due to an EFI Secure Boot failure in the SCOS, when the FCOS pivoted to the SCOS the virtual machine (VM) failed to boot. With this release, the Secure Boot is disabled only when the Secure Boot is enabled in the coreos.ovf configuration file, and the issue is resolved. (OCPBUGS-37736)

Previously, if you specified an unsupported architecture in the install-config.yaml file the installation program would fail with a connection refused message. With this update, the installation program correctly validates the cluster architecture parameter, leading to successful installations. (OCPBUGS-38841)

Previously, a rare condition om VMware vSphere Cluster API machines caused the vCenter session management to time out unexpectedly. With this release, the Keep Alive support is disabled in the current and later versions of CAPV, and the issue is resolved. (OCPBUGS-38677)

Previously, the installation program on Amazon Web Services (AWS) used multiple IPv4 public IP addresses that Amazon has started charging for. With this release, support is provided for bring your own (BYO) public IPv4 pools in OpenShift Container Platform so that users have control of IP addresses that are used by their services. Where the BYO public IPv4 pools feature is enabled, two new permissions, ec2:DescribePublicIpv4Pools and ec2:DisassociateAddress, are required, and the issue is resolved. (OCPBUGS-35504)

Previously, when users provided public subnets while using existing subnets and creating a private cluster, the installation program occasionally exposed on the public internet the load balancers that were created in public subnets. This invalidated the reason for a private cluster. With this release, the issue is resolved by displaying a warning during a private installation that providing public subnets might break the private clusters and, to prevent this, users must fix their inputs. (OCPBUGS-38963)

Previously, during installation the oc adm node-image create command used the kube-system/cluster-config-v1 resource to determine the platform type. With this release, the installation program uses the infrastructure resource, which provides more accurate information about the platform type. (OCPBUGS-39092)

Previously, the oc adm node-image create command failed when run against a cluster in a restricted environment with a proxy because the command ignored the cluster-wide proxy setting. With this release, when the command is run it checks the cluster proxy resource settings, where available, to ensure the command is run successfully and the issue is resolved. (OCPBUGS-39090)

Previously, when installing a cluster with the Agent-based installer, the assisted-installer process could timeout when attempting to add control plane nodes to the cluster. With this update, the assisted-installer process loads fresh data from the assisted-service process, preventing the timeout. (OCPBUGS-36779)

Previously, when the VMware vSphere vCenter cluster contained an ESXi host that did not have a standard port group defined and the installation program tried to select that host to import the OVA, the import failed and the error Invalid Configuration for device 0 was reported. With this release, the installation program verifies whether a standard port group for an ESXi host is defined and, if not, continues until it locates an ESXi host with a defined standard port group, or reports an error message if it fails to locate one, resolving the issue. (OCPBUGS-38560)

Previously, extracting the IP address from the Cluster API Machine object only returned a single IP address. On VMware vSphere, the returned address would always be an IPv6 address and this caused issues with the must-gather implementation if the address was non-routable. With this release, the Cluster API Machine object returns all IP addresses, including IPv4, so that the must-gather issue no longer occurs on VMware vSphere. (OCPBUGS-37607)

Previously, when installing a cluster on AWS, Elastic Kubernetes Service (EKS) messages could appear in the installation logs even when EKS was meant to be disabled. With this update, EKS log messages have been disabled. (OCPBUGS-35752)

Previously, unexpected output would appear in the terminal when creating an installer-provisioned infrastructure cluster. With this release, the issue has been resolved and the unexpected output no longer shows. (OCPBUGS-35547)

Previously, when installing a cluster on AWS after deleting a cluster with the ./openshift-install destroy cluster command, the installation would fail with an error stating that there might already be a running cluster. With this update, all leftover artifacts are removed when the cluster is destroyed, resulting in successful installations afterwards. (OCPBUGS-35542)

Previously, when installing a cluster on AWS, load balancer ingress rules were continuously revoked and re-authorized, causing unnecessary API calls and delays in cluster provisioning. With this update, load balancer ingress rules are no longer revoked during installation, reducing API traffic and installation delays. (OCPBUGS-35440)

Previously, when setting platform.openstack.controlPlanePort.network without a fixedIPs value, the installation program would output a misleading error message about the network missing subnets. With this release, the installation program validates that the install-config field controlPlanePort has a valid subnet filter set because it is a required value. (OCPBUGS-37104)

Previously, adding IPv6 support for user-provisioned installation platforms caused an issue with naming Red Hat OpenStack Platform (RHOSP) resources, especially when you run two user-provisioned installation clusters on the same Red Hat OpenStack Platform (RHOSP) platform. This happened because the two clusters share the same names for network, subnets, and router resources. With this release, all the resources names for a cluster remain unique for that cluster so no interfere occurs. (OCPBUGS-33973)

Previously, when installing a cluster on IBM Power® Virtual Server with installer-provisioned infrastructure, the installation could fail due to load balancer timeouts. With this update, the installation program waits for the load balancer to be available instead of timing out. (OCPBUGS-34869)

Previously, when using the Assisted Installer, using a password that contained the colon character (:) resulted in a failed installation. With this update, pull secrets containing a colon in the password do not cause the Assisted Installer to fail. (OCPBUGS-31727)

Previously, solid state drives (SSD) that used SATA hardware were identified as removable. The Assisted Installer for OpenShift Container Platform reported that no eligible disks were found and the installation stopped. With this release, removable disks are eligible for installation. (OCPBUGS-33404)

Previously, when installing a cluster on bare metal using installer provisioned infrastructure, the installation could time out if the network to the bootstrap virtual machine is slow. With this update, the timeout duration has been increased to cover a wider range of network performance scenarios. (OCPBUGS-41500)

Previously, when installing a cluster on IBM Power® Virtual Server, the installation program did not list the e980 system type in the madrid region. With this update, the installation program correctly lists this region. (OCPBUGS-38439)

Previously, after installing a single-node OpenShift cluster, the monitoring system could produce an alert that applied to clusters with multiple nodes. With this update, single-node OpenShift clusters only produce monitoring alerts that apply to single-node OpenShift clusters. (OCPBUGS-35833)

Previously, when installing a cluster on IBM Power® Virtual Server, the installation could fail due to a DHCP server network collision. With this update, the installation program selects a random number to generate the DHCP network to avoid collision. (OCPBUGS-33912)

Previously, the installation program used the Neutron API endpoint to tag security groups. This API does not support special characters, so some Red Hat OpenStack Platform (RHOSP) clusters failed to install on RHOSP. With this release, the installation program uses an alternative endpoint to tag security groups so that the issue no longer persists. (OCPBUGS-36913)

Previously, setting an invalid Universally Unique Identifier (UUID) for the additionalNetworkIDs parameter of a machine pool in your install-config configuration file could result in the installation program exiting from installing the cluster. With this release, the installation program checks the validity of the additionalNetworkIDs parameter before the program continuing with installing the cluster so that this issue no longer persists. (OCPBUGS-35420)

Previously, for IBM Power® Virtual Server installer-provisioned infrastructure clusters, if no network name existed for a Dynamic Host Configuration Protocol (DHCP), the destroy code would skip deleting the DHCP resource. With this release, a test now checks if a DHCP is in an ERROR state, so that the DHCP resource is deleted. (OCPBUGS-35039)

Previously, in some Hypershift hosted clusters, the IO archive contained the hostname even with network obfuscation enabled. This issue has been resolved, and IO archives no longer contain hostnames when they are obfuscated. (OCPBUGS-33082)

Previously, in a cluster that runs OpenShift Container Platform 4.16 with the Telco RAN DU reference configuration, long duration cyclictest or timerlat tests could fail with maximum latencies detected above 20 us. This issue occured because the psi kernel command line argument was being set to 1 by default when cgroup v2 is enabled. With this release, the issue is fixed by setting psi=0 in the kernel arguments when enabling cgroup v2. The cyclictest latency issue reported in OCPBUGS-34022 is now also fixed. (OCPBUGS-37271)

Previously, if a cluster admin creates a new MachineOSConfig object that references a legacy pull secret, the canonicalized version of this secret that gets created is not updated whenever the original pull secret changes. With this release, the issue is resolved. (OCPBUGS-34079)

Previously, the /etc/mco/internal-registry-pull-secret.json secret was being managed by the Machine Config Operator (MCO). Due to a recent change, this secret rotates on an hourly basis. Whenever the MCO detected a change to this secret, it rolled the secret out to each node in the cluster, which resulted in disruptions. With this fix, a different internal mechanism processes changes to the internal registry pull secret to avoid rolling out repeated MachineConfig updates. (OCPBUGS-33913)

Previously, if you created more than one MachineOSConfig object that required a canonicalized secret, only the first object would build. With this fix, the build controller handles multiple MachineOSBuilds that use the same canonicalized secret. (OCPBUGS-33671)

Previously, if machine config pools (MCP) had a higher maxUnavailable value than the cluster’s number of unavailable nodes, cordoned nodes were able to be erroneously selected as an update candidate. This fix adds a node readiness check in the node controller so that cordoned nodes are queued for an update. (OCPBUGS-33397)

Previously, nodes could be drained twice if the node was queued multiple times in the drain controller. This behaviour might have been due to increased activity on the node object by on-cluster layering functionality. With this fix, a node queued for drain only drains once. (OCPBUGS-33134)

Previously, a potential panic was seen in Machine Config Controller and Machine Build Controller objects if a de-reference accidentally deleted MachineOSConfig/MachineOSBuild to read the build status. The panic is controlled with additional error conditions to warn for allowed MachineOSConfig deletions. (OCPBUGS-33129)

Previously, after upgrading from OpenShift Container Platform 4.1 or 4.2 to version 4.15, some machines could get stuck during provisioning and never became available. This was because the machine-config-daemon-firstboot service was failing due to an incompatible machine-config-daemon binary on those nodes. With this release, the correct machine-config-daemon binary is copied to nodes before booting. (OCPBUGS-28974)

Previously, if you attempted to configure on-cluster Red Hat Enterprise Linux CoreOS (RHCOS) image layering on a non-RHCOS node, the node became degraded. With this fix, in this situation, an error message is produced in the node logs, but the node is not degraded. (OCPBUGS-19537)

Previously, the Cluster overview page included a View all steps in documentation link that resulted in a 404 error for Red Hat OpenShift Service on AWS and Red Hat OpenShift Dedicated clusters. With this update, the link does not appear for Red Hat OpenShift Service on AWS and Red Hat OpenShift Dedicated clusters. (OCPBUGS-37054)

Previously, a warning was not provided when you were on a Google Cloud Platform (GCP) cluster that supports GCP Workload Identity and that the Operator supports it. With this release, logic was added to support GCP Workload Identity and Federated Identity Operator installs, so now you are alerted when you are on a GCP cluster. (OCPBUGS-38591)

Previously, the version number text in the Updates graph on the Cluster Settings page appeared as black text on a dark background when using Firefox in dark mode. With this update, the text appears as white text. (OCPBUGS-38427)

Previously, dynamic plugins using PatternFly 4 referenced variables that are not available in OpenShift Container Platform 4.15 and later. This was causing contrast issues for Red Hat Advanced Cluster Management (RHACM) in dark mode. With this update, older chart styles are now available to support PatternFly 4 charts used by dynamic plugins. (OCPBUGS-36816)

Previously, when the Display Admission Webhook warning implementation presented issues with some incorrect code. With this update, the unnecessary warning message has been removed. (OCPBUGS-35940)

Previously, the global sync lock that applied to all HTTP servers spawned goroutines with a sync lock that is specific to each of the refresh tokens. With this release, the global refresh sync lock on a cluster with an external OIDC environment was replaced with a sync that refreshes for each token. As a result, refresh token performance is improved by 30% to 50%. (OCPBUGS-35080)

Previously, a warning was not displayed for the minAvailable warning in PodDisruptionBudget create and edit form. With this update, code logic for displaying the minAvailable warning was added, and the minAvailable warning is displayed if violated. (OCPBUGS-34937)

Previously, the OperandDetails page displayed information for the first CRD that matched by name. After this fix, the OperandDetails page displays information for the CRD that matches by name and the version of the operand. (OCPBUGS-34901)

Previously, one inactive or idle browser tab caused session expiration for all other tabs. With this change, activity in any tab will prevent session expiration even if there is one inactive or idle browser tab. (OCPBUGS-34387)

Previously, text areas were not resizable. With this update, you are now able to resize text areas. (OCPBUGS-34200)

Previously, the Debug container link was not displayed for pods with a Completed status. With this change, the link now appears. (OCPBUGS-33631)

Previously, the OpenShift Container Platform web console did not show filesystem metrics on the Nodes list page due to incorrect Prometheus query. With this update, filesystem metrics are correctly displayed. (OCPBUGS-33136)

Previously, pseudolocalization was not working due to a configuration issue. After this fix, pseudolocalization works again. (OCPBUGS-30218)

Previously, console pods would crash loop if the --user-auth flag was set to disabled. With this update, the console backend properly handles this value. (OCPBUGS-29510)

Previously, utilization cards displayed a limit that incorrectly implied a relationship between capacity and limits. With this update, the position of limit was changed and the wording updated. (OCPBUGS-23332)

Previously, in some edge cases, the wrong resource could be fetched when using websockets to watch a namespaced resource without providing a namespace. With this update, a validation to the resource watch logic was added to prevent the websocket request and log an error under this condition. (OCPBUGS-19855)

Previously, perspective switching was not properly handled. With this update, perspectives that are passed with URL search parameters or plugin route page extensions now correctly switch the perspective and retain the correct URL path. (OCPBUGS-19048)

Previously, the SR-IOV Network Operator was listing the SriovNetworkNodePolicies resources in random order. This caused the sriov-device-plugin pod to enter a continuous restart loop. With this release, the SR-IOV Network Operator lists policies in a deterministic order so that the sriov-device-plugin pod does not enter a continuous restart loop. (OCPBUGS-36243)

Previously, an interface created inside a new pod would remain inactive and the Gratuitous Address Resolution Protocol (GARP) notification would be generated. The notification did not reach the cluster and this prevented ARP tables of other pods inside the cluster from updating the MAC address of the new pod. This situation caused cluster traffic to stall until ARP table entries expired. With this release, a GARP notification is now sent after the interface inside a pod is active so that the GARP notification reaches the cluster. As a result, surrounding pods can identify the new pod earlier than they could with the previous behavior. (OCPBUGS-30549)

Previously, enabling FIPS for a cluster caused SR-IOV device plugin pods to fail. With this release, SR-IOV device plugin pods have FIPS enabled so that when you enable FIPS for the cluster, the pods do not fail. (OCPBUGS-41131)

Previously, a race condition was generated after rebooting an OpenShift Container Platform node that used a performance profile with a small number of reserved CPUs. This occurred because Single Root I/O Virtualization (SR-IOV) virtual functions (VFs) shared the same MAC address and any pods that used the VFs would experience communication issues. With this release, an update to the SR-IOV Network Operator config daemon ensures that the Operator checks that no duplicate MAC addresses do not exist on VFs. (OCPBUGS-33137)

Previously, if you deleted the sriovOperatorConfig custom resource (CR), you could not create a new sriovOperatorConfig CR. With this release, the Single Root I/O Virtualization (SR-IOV) Network Operator removes validating webhooks when you delete the sriovOperatorConfig CR, so that you can create a new sriovOperatorConfig CR. (OCPBUGS-37567)

Previously, when you switched your cluster to use a different load balancer, the Ingress Operator did not remove the values from the classicLoadBalancer and networkLoadBalancer parameters in the IngressController custom resource (CR) status. This situation caused the status of the CR to report wrong information from the classicLoadBalancer and networkLoadBalancer parameters. With this release, after you switch your cluster to use a different load balancer, the Ingress Operator removes values from these parameters so that the CR reports a more accurate and less confusing message status. (OCPBUGS-38646)

Previously, no multicast packets reached their intended target nodes when a multicast sender and a multicast receiver existed on the same node. This happened because of an OVN-Kubernetes RPM package update. With this release, this regression is fixed in the OVN-Kubernetes RPM package, so that the issue no longer persists. (OCPBUGS-34778)

Previously, when you created a LoadBalancer service for the Ingress Operator, a log message was generated that stated the change was not effective. This log message should only trigger for a change to an Infra custom resource. With this release, this log message is no longer generated when you create a LoadBalancer service for the Ingress Operator. (OCPBUGS-34413)

Previously, the DNSNameResolver controller sent DNS requests to CoreDNS pods for DNS names that had IP addresses with expired time-to-live (TTL) values. This caused a continuous generation of DNS requests and memory leak issues for those pods. With this release, the DNSNameResolver controller waits until it receives the updated list of IP addresses and TTL values for a DNS name before sending any more requests to the DNS name. As a result, the controller no longer generates erroneous requests and sends them to pods. CoreDNS pods can now respond to DNS requests in a timely manner and update the DNSNameResolver objects with the latest IP addresses and TTLs. (OCPBUGS-33750)

Previously, when you used the must-gather tool, a Multus Container Network Interface (CNI) log file, multus.log, was stored in a node’s file system. This situation caused the tool to generate unnecessary debug pods in a node. With this release, the Multus CNI no longer creates a multus.log file, and instead uses a CNI plugin pattern to inspect any logs for Multus DaemonSet pods in the openshift-multus namespace. (OCPBUGS-33959)

Previously, an alert for OVNKubernetesNorthdInactive would not fire in circumstances where it should fire. With this release, the issue is fixed so that the alert for OVNKubernetesNorthdInactive fires as expected. (OCPBUGS-33758)

Previously, for all pods where the default route has been customized, a missing route for the Kubernetes-OVN masquerade address caused each pod to be unable to connect to itself through a service for which it acts as a backend. With this release, the missing route for Kubernetes-OVN masquerade address is added to pods so that the issue no longer occurs. (OCPBUGS-36865)

Previously, the iptables-alerter pod did not handle errors from the crictl command-line interface, which could cause the pod to incorrectly log events from host-network pods or cause pod restarts. With this release, the errors are handled correctly so that these issues no longer persist. (OCPBUGS-37713)

Previously, if you created a hosted cluster by using a proxy for the purposes of making the cluster reach a control plane from a compute node, the compute node would be unavailable to the cluster. With this release, the proxy settings are updated for the node so that the node can use a proxy to successfully communicate with the control plane. (OCPBUGS-37786)

Previously, when a cluster failed to install on an on-premise platform with a configured load balancer, the LoadBalancer service’s LoadBalancerReady condition received the SyncLoadBalancerFailed status. The status generated the following message:

The kube-controller-manager logs might contain more details.

The cloud-controller-manager logs may contain more details.

Previously, you could not control log levels for the internal component that selects IP addresses for cluster nodes. With this release, you can now enable debug log levels so that you can either increase or decrease log levels on-demand. To adjust log levels, you must create a config map manifest file with a configuration similar to the following:

apiVersion: v1
data:
  enable-nodeip-debug: "true"
kind: ConfigMap
metadata:
  name: logging
  namespace: openshift-vsphere-infra
# ...

Previously, the Ingress Operator could not successfully update the canary route because the Operator did not have permission to update spec.host or spec.subdomain fields on an existing route. With this release, the required permission is added to the cluster role for the Operator’s service account and the Ingress Operator can update the canary route. (OCPBUGS-36465)

Previously, administrator privileges were required to run some networking containers, such as Keepalived, on supported on-premise platforms. With this release, these containers no longer require administrator privileges to run them on supported on-premise platforms. (OCPBUGS-36175)

Previously, if your NodeNetworkConfigurationPolicy (NNCP) custom resource (CR) is set to use the default spanning tree protocol (STP) implementation, the CR configuration file would show stp.enabled: true, but the OpenShift Container Platform web console cleared the STP checkbox. With this release, the web console only clears the STEP checkbox after you define stp.enabled: false in the NNCP CR YAML file. (OCPBUGS-36238)

Previously, the Ingress Controller status was incorrectly displayed as Degraded=False because of a migration time issue with the CanaryRepetitiveFailures condition. With this release, the Ingress Controller status is correctly marked as Degraded=True for the appropriate length of time that the CanaryRepetitiveFailures condition exists. (OCPBUGS-39220)

Previously, the Container Runtime Config controller did not detect whether a mirror configuration was in use before adding the scope from a ClusterImagePolicy CR to the /etc/containers/registries.d/sigstore-registries.yaml file. As a consequence, image verification failed with a Not looking for sigstore attachments message. With this fix, images are pulled from the mirror registry as expected. (OCPBUGS-36344)

Previously, a group ID was not added to the /etc/group directory within a container when the spec.securityContext.runAsGroup attribute was set in the pod specification. With this release, this issue is fixed. (OCPBUGS-39478)

Previously, because of a critical regression on RHEL 9.4 kernels earlier than 5.14.0-427.26.1.el9_4, the mglru feature had memory management disabled. In this release, the regression issue is fixed so that the mglru feature is now enabled in OpenShift Container Platform 4.17. (OCPBUGS-35436)

Previously, due to an internal bug, the Node Tuning Operator incorrectly computed CPU masks for interrupt and network-handling CPU affinity if a machine had more than 256 CPUs. This prevented proper CPU isolation on those machines and resulted in systemd unit failures. With this release, the Node Tuning Operator computes the masks correctly. (OCPBUGS-39164)

Previously, the Open vSwitch (OVS) pinning procedure set the CPU affinity of the main thread, but other CPU threads did not pick up this affinity if they had already been created. As a consequence, some OVS threads did not run on the correct CPU set, which might interfere with the performance of pods with a Quality of Service (QoS) class of Guaranteed. With this update, the OVS pinning procedure updates the affinity of all the OVS threads, ensuring that all OVS threads run on the correct CPU set. (OCPBUGS-35347)

Previously, when you log on under the Administrator perspective on the OpenShift Container Platform web console and use the Observe → Alerting function, an S is not a function displayed on alert metrics graph. This issue happened because of a missing function validation check. With this release, the function validation check is added so the alert metric chart displays collected metrics. (OCPBUGS-37291)

Previously, when using oc-mirror plugin v2 with the --delete flag to remove Operator catalogs from mirror registries, the process failed with the following error:

2024/08/02 12:18:03 [ERROR]: [OperatorImageCollector] pinging container registry localhost:55000: Get "https://localhost:55000/v2/": http: server gave HTTP response to HTTPS client.

Previously, when using the oc-mirror plugin v2 in mirror-to-disk mode, catalog images and contents were stored in subfolders under working-dir, based on the image digest. During the disk-to-mirror process in fully disconnected environments, the plugin tried to resolve the catalog image tag through the source registry, which was unavailable, leading to such errors:

[ERROR] : [OperatorImageCollector] pinging container registry registry.redhat.io: Get "http://registry.redhat.io/v2/": dial tcp 23.217.255.152:80: i/o timeout

Previously, when using oc-mirror plugin v2 in mirror-to-disk mode in disconnected environments, the plugin was unable to access api.openshift.com to download graph.tar.gz, resulting in mirroring failures. With this update, the plugin now searches the local cache for the graph image in disconnected environments where the UPDATE_URL_OVERRIDE environment variable is set. If the graph image is missing, the plugin skips it without failing. (OCPBUGS-38469)

Previously, oc-mirror plugin v2 failed to mirror Operator catalogs from disk-to-mirror in fully disconnected environments. This issue also affected catalogs that specified a targetCatalog in the ImageSetConfiguration file. With this update, the plugin can now successfully mirror catalogs in fully disconnected environments, and the targetCatalog functionality works as expected. (OCPBUGS-34521)

Previously, with the oc-mirror plugin v2, there was no validation for the -v2 vs --v2 flags for the oc-mirror command. As a result, users who mistakenly used -v2, which sets the log level to 2, instead of --v2, which switches to oc-mirror plugin v2, received unclear error messages. With this update, flag validation is provided. If the -v2 flag is used while the ImageSetConfig is using the v2alpha1 API and --v2 is not specified, an error message is displayed. The following message is now enabled that provides a clear guidance to the user:

[ERROR]: Detected a v2 `ImageSetConfiguration`, please use `--v2` instead of `-v2`.

Previously, oc-mirror plugin v2 did not automatically perform retries when it encountered errors on registries, such as timeouts, expired authentication tokens, HTTP 500 errors, and so on. With this update, retries for these errors are implemented, and users can configure retry behavior with the following flags:

Previously, when using the oc-mirror plugin v2 with the --rebuild-catalogs flag, the catalog cache was regenerated locally, which caused failures either due to compatibility issues with the opm binary and the platform or due to cache integrity problems on the cluster. With this update, the --rebuild-catalogs flag defaults to true, so catalogs are rebuilt without regenerating the internal cache. Additionally, the image command has been modified to generate the cache during pod startup, which may delay pod initialization. (OCPBUGS-37667)

Previously, the oc-mirror plugin v2 did not use the system proxy configuration to recover signatures for releases when running behind a proxy with system proxy settings. With this release, the system proxy settings are now applied during the signature recovery process. (OCPBUGS-37055)

Previously, oc-mirror plugin v2 would stop the mirroring process when it encountered Operators using bundle versions that were not compliant with semantic versioning, which also prevented the creation of cluster resources like IDMS, ITMS, and CatalogSource objects. With this fix, the plugin now skips these problematic images instead of halting the process. If an image uses incorrect semantic versioning, a warning message is displayed in the console with the relevant image details. (OCPBUGS-33081)

Previously, oc-mirror plugin v2 did not generate ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) files when mirroring failed due to network issues or invalid Operator catalogs. With this update, the oc-mirror continues mirroring other images when Operator or additional images fail, and stops only when release images fail. Cluster resources are generated based on successfully mirrored images, and all errors are collected in a log file for review. (OCPBUGS-34020)

Previously, OpenShift Container Platform release images were not visible in certain registries, such as Red Hat Quay. This prevented users from installing OpenShift Container Platform due to the missing release images. With this update, release images are always tagged to ensure they appear in registries like Red Hat Quay, enabling proper installation. (OCPBUGS-36410)

Previously, the oc adm must-gather command took a long time to gather CPU-related performance data in large clusters. With this release, the data is gathered in parallel instead of sequentially, which shortens the data collection time. (OCPBUGS-34360)

Previously, the oc set env command incorrectly changed the API version of Route and DeploymentConfig objects, for example, apps.openshift.io/v1 became v1. This caused the command to exit with unable to recognize no matches for kind errors. With this release, the error is fixed so that the os set env command keeps the correct API version in Route and DeploymentConfig objects. (OCPBUGS-32108)

Previously, when a must-gather operation failed for any reason and the user manually deleted the leftover namespace, a cluster role binding created by the must-gather command would remain in the cluster. With this release, when the temporary must-gather namespace is deleted, the associated cluster role binding is automatically deleted with it. (OCPBUGS-31848)

Previously, when using the --v2 flag with the oc-mirror plugin v2, if no images were mirrored and some were skipped, empty imds.yaml and itms.yaml files were generated. With this release, the custom resource generation is only triggered when at least one image is successfully mirrored, preventing the creation of empty files. (OCPBUGS-33775)

Previously, clusters with many custom resources (CRs) experienced timeouts from the API server and stranded updates where the only workaround was to uninstall and then reinstall the stranded Operators. This occurred because OLM evaluated potential updates by using a dynamic client lister. With this fix, OLM uses a paging lister for custom resource definitions (CRDs) to avoid timeouts and stranded updates. (OCPBUGS-41549)

Previously, catalog source pods could not recover from a cluster node failure when the registryPoll parameter was unset. With this fix, OLM updates its logic for checking for dead pods. As a result, catalog source pods now recover from node failures as expected. (OCPBUGS-39574)

Previously, if you tried to install a previously-deleted Operator after an OpenShift Container Platform update, the installation might fail. This occurred because OLM could not find previously created bundle unpack jobs. With this fix, OLM correctly installs previously installed Operators. (OCPBUGS-32439)

Previously, when a new version of a custom resource definition (CRD) specified a new conversion strategy, this conversion strategy was expected to successfully convert resources. However, OLM cannot run the new conversion strategies for CRD validation without actually performing the update operation. With this release, OLM generates a warning message during the update process when CRD validations fail with the existing conversion strategy, and the new conversion strategy is specified in the new version of the CRD. (OCPBUGS-31522)

Previously, if the spec.grpcPodConfig.securityContextConfig field in CatalogSource objects was unset within namespaces with a PodSecurityAdmission (PSA) level value of restricted, the catalog pod would not pass PSA validation. With this release, the OLM Catalog Operator now configures the catalog pod with the securityContexts necessary to pass PSA validation. (OCPBUGS-29729)

Previously, the catalogd-controller-manager pod might not have been deployed to a node despite being in the scheduling queue, and the OLM Operator would fail to install. With this fix, CPU requests are reduced for the related resources, and the issue no longer occurs. (OCPBUGS-29705)

Previously, the Catalog Operator sometimes attempted to connect to deleted catalog sources that were stored in the cache. With this fix, the Catalog Operator queries a client to list the catalog sources on a cluster. (OCPBUGS-8659)

Previously, LUKS encryption on a system using 512 emulation disks caused provisioning to fail at the ignition-ostree-growfs step because of an sfdisk alignment issue. With this release, the ignition-ostree-growfs script detects this situation and fixes the alignment automatically. As a result, the system no longer fails during provisioning. (OCPBUGS-35410)

Previously, a bug in the growpart utility caused a LUKS device to lock. This caused the system to boot into an emergency mode. With this release, the call to the growpart utility is removed and the system successfully boots without issue. (OCPBUGS-33124)

Previously, if a new deployment was done at the OSTree level on the host, which is identical to the current deployment on a different stateroot, OSTree identified them as equal. This behavior prevented the bootloader from updating when the set-default command was invoked, because OSTree did not recognize the two stateroots as a differentiating factor for deployments. With this release, OSTree’s logic is modified to consider the stateroots. As a result, OSTree properly sets the default deployment to a new deployment that has different stateroots. (OCPBUGS-30276)

Previously, the Secrets Store Container Storage Interface (CSI) Driver on hosted control planes clusters failed to mount secrets because of an issue when using the hosted control planes command-line interface, hcp, to create OpenID Connect (OIDC) infrastructure on Amazon Web Services. With this release, the issue has been fixed so that the driver can now mount volumes. (OCPBUGS-18711)

Not Available

Technology Preview

General Availability

Deprecated

Removed