OpenShift Container Platform 4.2 release notes

Blocked registries were not set in registries.conf used by Buildah. Therefore, Buildah could push an image to a registry blocked by the cluster image policy. With this bug fix, the registries.conf file generated for builds now includes blocked registries. Builds now respect the blocked registries setting for image pull and push. (BZ#1730722)

When shell variables were referenced in build configurations that used the source-to-image build strategy, logic that attempted to produce a Dockerfile, which could be used to perform the source-to-image build, would incorrectly attempt to evaluate those variables. As a result, some shell variables would be erroneously evaluated as empty values, leading to build errors, and other variables would trigger error messages from failed attempts to evaluate them. Shell variables referenced in build configurations are now properly escaped, so that they are evaluated at the expected time. These errors should no longer be observed. (BZ#1712245)

Due to a logic bug, attempts to push an image to a registry after it was built would fail if the build’s BuildConfig specified an output of type DockerImage, but the name that was specified for that output image did not include a tag component. The attempt to push a built image would fail. The builder now adds the "latest" tag to a name if one is not specified. An image built using a BuildConfig specifying an output of type DockerImage, with a name that does not include a tag component, will now be pushed using the "latest" tag. (BZ#1746499)

Previously, there was a memory limit on the Pod. As a result, the Credential Operator could crash on clusters with large numbers of projects/namespaces. With this bug fix, the memory limit is removed, the Operator no longer crashes, and memory is handled by the cluster itself. (BZ#1711402)

The cloud-credential ClusterOperator did not define related resources, causing Operator logs to not be present in tarballs generated by the oc adm must-gather command. This bug fix updates the Operator to add related resources, and as a result logs are now included. (BZ#1717631)

rshared propogation might cause the /sys filesystem to recursively mount on top of itself, causing container fails to start with "no space left on device" errors. This bug fix prevents that there are recursive /sys mounts on top of each other, and as a result containers run correctly with the rshared: true option set. (BZ#1711200)

When the Dockerfile builder handled COPY instructions that used the --from flag to specify content be copied from an image rather than either builder context or a previous stage, the image’s name could be logged as though it had been specified in a FROM instruction. The name would be listed multiple times if multiple COPY instructions specified it as the argument to a --from flag. This bug fix ensures the builder no longer attempts to trigger the pulling of images that are referred to in this way at the start of the build process. As a result, images that are referenced in COPY instructions using the --from flag are no longer pulled until their contents are required, and the build log no longer logs a FROM instruction that specifies the name of such an image. (BZ#1684427)

Logic which handled COPY and ADD instructions in cases where the build context directory included a .dockerignore file would not correctly handle some symbolic links and subdirectories. An affected build would fail while attempting to process a COPY or ADD instruction that triggered the bug. This bug fix extends the logic which handles this case, and as a result these errors should no longer occur. (BZ#1707941)

Long running jenkins agent or slave Pods can experience the defect process phenomenon that has previously been observed with the jenkins master. Several defect processes show up in process listings until the Pod is terminated. This bug fix employs dumb-init with the OpenShift Jenkins master image to clean up these defect processes, which occur during jenkins job processing. As a result, process listings within agent or slave Pods, and on the hosts those Pods reside, no longer include the defunct processes. (BZ#1705123)

Changes to OAuth support in 4.2 allow for different certificate configurations between the Jenkins service account certificate and the certificate used by the router for the OAuth server. As a result, you could not log into the Jenkins console. With this bug fix, the OpenShift Container Platform Jenkins login plug-in was updated to attempt TLS connections with the default certificates available to the JVM in addition to the certificates mounted into the Pod. You can now log into the jenkins console. (BZ#1709575)

The OpenShift Container Platform Jenkins Sync plug-in confused ImageStreams and ConfigMaps with the same name when processing them for Jenkins Kubernetes plug-in PodTemplates, causing an event for one type to be able to delete the Pod template created from another type. With this bug fix, the OpenShift Container Platform Jenkins Sync plug-in was modified to keep track of which API object type created the Pod template of a given name. Now, Jenkins Kubernetes plug-in PodTemplates created by the OpenShift Container Platform Sync plug-in’s mapping from ConfigMaps and ImageStreams are not inadvertently deleted when two types with the same name exist in the cluster. (BZ#1711340)

Quick, successive, deletes of the Samples Operator configuration object could lead to the last delete hanging and the Operator stuck in it’s ImageChangesInProgress condition stuck in True, which resulted in the clusteroperator object for the Samples Operator being stuck in Progressing==True, causing indeterminate state for cluster samples. This bug fix introduced corrections to the coordination between the delete finalizer and Samples upsert. Quick, successive deletes of the Samples Operator configuration object now work as expected. (BZ#1735711)

Previously, the pruner was getting all images in a single request, which caused the request to take too long. This bug fix introduced the use of the pager to get all of the images. Now the pruner can get all of the images without timing out. (BZ#1702757)

Previously the importer could only import up to three signatures, but registry.redhat.io often has more than three signatures. This caused signatures to not be imported. This bug fix increased the limit of the importer so signatures can now be imported. (BZ#1722568)

Previously the CRD did not have OpenAPI schema, which meant oc explain did not work for the config.imageregistry resource. This bug fix enabled the generation of the OpenAPI schema, so oc explain can now provide information about the config.imageregistry.operator.openshift.io resource. (BZ#1705752)

The Image Registry Operator did not register the openshift-image-registry namespace as a related object. In some situations, no data from the image registry or Image Registry Operator would be collected from must-gather. This bug fix ensures the openshift-image-registry namespace is always included in the Image Registry Operator’s related objects. As a result, basic information from the openshift-image-registry namespace including Pods, deployments, and services is always collected by must-gather. (BZ#1748436)

Previously the CVO, the Image Registry Operator, and the service-ca injection controller simultaneously watched and updated the CA bundle used by the image registry. This caused the CA bundle used to establish trust between the internal registry and the rest of OpenShift to be constantly removed and recreated. With this bug fix, the CVO no longer manages the CA bundle. The Image Registry Operator ensures that the ConfigMap to hold the CA bundle is created, but does not manage its content. Now the ConfigMap holding the CA bundle for the internal registry is only updated as needed by the service-ca injection controller. (BZ#1734564)

TLS keys were not added to registry routes. This is because TLS keys were stored in Secret.StringData and the Operator was unable to see the real data in the secret. Now, Secret.Data is used instead and the Operator can see the values. (BZ#1719965)

The drain process would take up to 600 seconds to evict the image-registry Pod. This was because the image registry was running from sh and signals were not propagated to the image registry, and unable to receive SIGTERM. Now, the registry process uses exec and the registry is the pid 1 process and able to receive SIGTERM. Drain now evicts successfully. (BZ#1729979)

must-gather did not collect PVCs and events in the openshift-image-registry namespace. Now, PVCs are collected as part of the must-gather process. (BZ#1737558)

Default minimal installations of Red Hat Enterprise Linux would install and enable firewalld.service. The firewall service would block ports that prevented oc rsh/exec/logs from working as expected. Now, firewalld.service is disabled if it is installed to conform to testing standards. (BZ#1740439)

Workers were not created when the default path for images was changed from the default settings. Now, the installer creates and uses it’s own storage pool. (BZ#1707479)

It was possible to shorten certificate rotation by creating a ConfigMap. This behavior is not supported. Now, if you create this ConfigMap, Upgradable is set to False on the kubeapiserver-operator, which means that you can no longer update your cluster. (BZ#1722550)

The dynamic seeding function of Elasticsearch was inefficient, and clusters with a large number of projects made too many calls. This issue was compounded by a lack of caching. Because of the inefficient seeding and lack of caching, calls to Elasticsearch were timing out before a response was returned. This bug fix added API call caching and ACL seeding. These improvements reduce the opportunity for page timeouts. (BZ#1705589)

The Logging Operator relied on the type of information stream to set the log type, so logs sent to stdout were tagged as INFO and logs sent to stderr were tagged as ERROR. This method does not always correctly convey the information type. Now, the log level is no longer set based on the information stream. Instead, it is set to unknown if the correct log level cannot be determined. (BZ#1726639)

During Cluster Logging instance deletion, resources under Cluster Logging were deleted independently. Therefore, there could be a short time period when the Fluentd or Rsyslog DaemonSet was still running but its log collector service account was removed. This made the logs processed in this time miss Kubernetes information, including the namespace name. With this bug fix, the service accounts now wait to be deleted until all descendant resources are deleted. There is now no chance for the collector DaemonSets to run without the log collector service account. (BZ#1715370)

Previously, console Operator logs for events would print some duplicate messages. A version update for a dependency repository has resolved this issue and messages are no longer being duplicated in console Operator logs. (BZ#1687666)

Users were not able to copy the whole webhook URL since the secret value was obfuscated. A link was added so that users are now able to copy the entire webhook URL with the secret value included. (BZ#1665010)

The Machine and Machine Set details pages in the web console did not contain an Events tab. An Events tab is now added and is now available from the Machine and Machine Set details pages. (BZ#1693180)

Previously, users could not view a node’s status from its details page in the web console. A status field has been added and users can now view a node’s status from its details page. (BZ#1706868)

Previously, you would occasionally see a blank popup in the web console if you attempted to create an Operator resource immediately after installing an Operator through the OperatorHub. With this bug fix, a clear message is now shown if you attempt to create a resource before it is available. (BZ#1710079)

Previously the Deployment Config Details page in the web console would say that the status was Active before the first revision had rolled out. With this bug fix, the status now says Updating before a rollout has occurred, and Up to date when the rollout is complete. (BZ#1714897)

Previously, the metrics charts for nodes in the web console could incorrectly total usage for more than one node in some circumstances. With this bug fix, the node page charts now correctly display the usage only for that node. (BZ#1720119)

Previously, the ca.crt value for OpenID identity providers was not set properly when created through the web console. The problem has been fixed, and the ca.crt is now correctly set. BZ#1727282)

Previously, users would see an error in the web console when navigating to the ClusterResourceQuota instances from the CRD list. The problem has been fixed, and you can now successfully list ClusterResourceQuota instances from the CRD page. (BZ#1742952)

Previously, the web console did not show when a node was unscheduleable in the node list. This was inconsistent with the CLI. The console now shows when a node is unscheduleable from the node list and node details pages. (BZ#1748405)

Previously, the web console would show config map and secret keys with all caps styling in the resource details pages. This is a problem as key names are often file names and case sensitive. The OpenShift Container Platform 4.2 web console now shows config map and secret keys in their proper case. (BZ#1752572)

Egress IP addressess did not work correctly in namespaces with restrictive NetworkPolicies. As a result, Pods that accepted traffic from specific sources would not be able to send egress traffic through egress IPs, because the response from the external server would be mistakenly rejected by their NetworkPolicies. With this bug fix, replies from egress traffic are now correctly recognized as replies rather than as new connections. Egress IPs and NetworkPolicy work together. (BZ#1700431)

If a Pod using an external IP address to contact an external host received an external IP address not responding condition, the egress IP monitoring code mistakenly determined that the host was not responding. As a result, highly-available egress IPs could get switched to a different node to another. The monitoring code was fixed to distinguish between a egress node not responding and a final destination not responding conditions. Highly available egress IPs are not be switched between nodes unnecessarily. (BZ#1717639)

By default, the etcd namespace was created without specifying a net id. As a result, API server components could not connect to etcd. The code was fixed to specify netid=1 for the etcd namespace. (BZ#1719653)

The algorithm used when merging additional IP addresses added to a node was incorrect. As a result, when adding an additional IP address to a node, the list of addresses was out of order, resulting in the node being unable to communicate to the API server. The merge algorithm for addresses was changed to not reorder the addresses. Adding secondary IP addresses to a node no longer changes the ordering and the node is able to continue communication with the API server. (BZ#1696628)

Because of a problem with the kubeConfig controller, changes to the kubelet Config are reverted if the cluster is upgraded to a version that uses a different OS release. The code was fixed to specify the correct controller in the source. Customizations to the kubeletConfig will be retained. (BZ#1718726)

The wrong validation for node selector labels was causing empty values for keys on labels to not be accepted. This update fixes the node selector label validation mechanism so that an empty value for a key on label is a valid node selector. (BZ#*1683819)

The oc get command was not returning the proper information when it received an empty result list. This update improves the information that is returned when oc get receives an empty list. (BZ#1708280)

Marketplace Cluster Operator was reporting degraded when restarting or upgrading the Marketplace Operator. Therefore, the OpenShift Container Platform upgrade tests were failing. With this bug fix, the upgrade tests are passing again because OpenShift Container Platform is no longer reporting degraded when the Operator is stopped. (BZ#1706867)

A bug during upgrade was causing Marketplace Operator to degrade and exit. The ClusterOperator status did not give an accurate description of the health of the Marketplace Operator.

The CatalogSourceConfig (csc) and OperatorSource (opsrc) Custom Resource Definitions (CRDs) owned by Marketplace did not include a description. Therefore, oc explain csc and oc explain opsrc would return empty descriptions. With this bug fix, OpenAPI CRD definitions are now added so that oc explain csc and oc explain opsrc now work. (BZ#1723835)

The Marketplace Operator was overwriting the Pod deployment spec of registry deployments associated with OperatorSources. Therefore, users were unable to add NodeSelectors. With this bug fix, required fields are only replaced in the deployment spec on OperatorSource updates, allowing users to add NodeSelectors to the Operator registry Pod associated with OperatorSources. By default, no NodeSelector is present. Users can now add NodeSelectors to the Pod spec in the registry Pod deployments. For example, with the community-operators OperatorSource, you would edit the community-operators deployment in the openshift-marketplace namespace. (BZ#1696726)

The Marketplace Operator was scaling the registry deployment down and then scaling it back up to force updates. This could cause the Pod to crash-loop if there was an issue in the registry Pod. This bug fix uses annotation to force the update, rather than scaling the registry deployment up and down so that the deployment will not become unavailable. Note that this alone will not fix the bug. A fix is required to the end-to-end test that does not fail it on crash-looping Pods in the openshift-marketplace namespace. (BZ#1700100)

The must-gather tool requires a field, RelatedObjects, in the ClusterOperator Custom Resource to be populated with ObjectReferences of the resources associated with the Operator. Because this field was missing for Marketplace, the must-gather tool was not able to gather enough information about the Marketplace Operator. This update now populates the RelatedObjects field with the Operator’s namespace and the OperatorSource, CatalogSourceConfig, and CatalogSource resources. This enables the must-gather tool to gather enough information about the Marketplace Operator. (BZ#1717439)

Setting the OpenShift Controller Manager Operator to Unmanaged or Removed is unsupported, so it would cause the conditions on the corresponding ClusterOperator object to go to an Unknown status. With this bug fix, the OpenShift Controller Manager Operator now ignores the unsupported Unmanaged and Removed settings for management state. A message now explains this in the ClusterOperator status conditions. (BZ#1719188)

Previously, SSH connections were hanging when the ClientAliveInterval within the sshd configuration was not set to 180 as required by Microsoft Azure. This bug fix now defaults the sshd config to 180 so that SSH no longer hangs within Azure. (BZ#1701050)

Previously, the Automation Broker always created a network policy to give a transient namespace access to the target namespace. As a consequence, the target namespace locked down to the newly created policy and namespaces could communicate with each other. This fix causes the Automation Broker to check if there are network policies in place for the target namespace, and if there are none, to not create a new network policy. This fix allows the Automation Broker to perform Ansible Playbook Bundle actions actions without affecting the existing services running in the target namespace. (BZ#1643303)

Previously, the OpenShift Ansible Service Broker Operator did not pass metrics to Prometheus unless the correct permissions were manually applied. With this update, the Operator now automatically installs with the required permissions. (BZ#1692281)

Previously, the custom resource definition for the Samples Operator configuration object (configs.samples.operator.openshift.io) did not have openAPIV3Schema validation defined. Therefore,oc explain was unable to provide useful information about the object. With this fix, openAPIV3Schema validation was added, and now oc explain works on the object. (BZ#1705753)

Previously, the Samples Operator was using a direct OpenShift Container Platform go client to make GET calls in order to maintain controller/informer based watches for secrets, imagestreams, and templates. This resulted in unnecessary API calls being made against the OpenShift Container Platform API server. This fix leverages the informer/listener API and reduces activity against the OpenShift Container Platform API server. (BZ#1707834)

Previously, the Samples Operator was not creating a cluster role that aggregated into the cluster-reader role. As a consequence, users with the cluster-reader role could not read the config object for the samples Operator. With this update, the manifest of the samples operator was updated to include a cluster role for read-only access to its config object, and this role aggregated into the cluster-reader role. Now, users with the cluster-reader role can read, list, and watch the config object for the samples Operator. (BZ#1717124)

If you have Service Mesh installed, upgrade Service Mesh before upgrading OpenShift Container Platform. For a workaround, see Updating OpenShift Service Mesh from version 1.0.1 to 1.0.2.

Cluster-scoped resources are not yet handled by the application migration tool, including resources such as Cluster Role Bindings and Security Context Constraints. If applications you are migrating depend on these kind of cluster-scoped resources on the source cluster, manually ensure they are recreated on the destination cluster. Coverage will be expanded in a future release to handle these resources.

4.2.0 Dynamic Host Configuration Protocol (DHCP) does not currently work with any of the Multus CNI plug-ins. (BZ#1754686)

Cluster Loader fails when called without configuration. (BZ#1761925)

The Cluster Network Operator does not a remove NetworkAttachmentDefinition that the Operator created previously, when the additional network is removed from the additionalNetworks collection. (BZ#1755586)

The Prometheus Operator deploys StatefulSet and creates a memory limit that is too small on the rules-configmap-reloader container. (BZ#1735691)

DHCP mode fails when configuring it in Multus CNI IPAM. (BZ#1754682)

Schema change in ClusterResourceQuota from version 4.1 to 4.2 results in breakage. (BZ#1755125)

Disaster recovery is broken for various deployments, including bare metal and vSphere. (BZ#1718436)

Removing simpleMacvlanConfig from the Cluster Network Operator does not delete the old network-attachment-definition. You must delete the resources manually. (BZ#1755586)

The SRIVO Operator Pod crashes when NAD is manually created. (BZ#1755188)

No proxy is set for kube-controller-manager. (BZ#1753467)

git clone operations that go through an HTTPS proxy will fail. Non-TLS (HTTP) proxies can be used successfully. (BZ#1750650)

Builds that use image references that correlate to an image mirror, which is the case in a disconnected environment, will fail to pull or push those image references if the mirror requires authentication. (BZ#1745192)

Image stream import does not use mirrors. This is often used in disconnected environments. (BZ#1741391)

OpenShift Container Platform 4.2 will not work on Red Hat OpenStack Platform 15 until this Red Hat OpenStack Platform 15 bug is resolved. (BZ#1751942)

If builds use a build secret, it is strongly recommended that layers are squashed using imageOptimizationPolicy: SkipLayers. Otherwise, secrets might leak in source and docker strategy builds.

AllowVolumeExpansion, and other StorageClass attributes, are not updated when upgrading OpenShift Container Platform. It is recommended to delete the default StorageClass and allow the ClusterStorageOperator to recreate this with the correct attributes after the upgrade is completed. (BZ#1751641)

Non-serverless workloads show resources for serverless workloads in the Topology resources panel. (BZ#1760810)

Pod status is depicted inconsistently in the Topology view, Resources side panel, and the Deployment Config Details page. (BZ#1760827)

When an application is created using the Add page options, the deployed image ignores the selected target port and always uses the first entry. (BZ#1760836)

Certain features like the name of the application and the build status are not rendered in the Topology view on the Edge browser. (BZ#1760858)

Determination of active Pods when a rollout fails can be incorrect in the Topology view. (BZ#1760828)

If a cluster-wide egress proxy is configured and then later unset, Pods for applications that have been previously deployed by OLM-managed Operators can enter a CrashLoopBackOff state. This is caused by the deployed Operator still being configured to rely on the proxy.

$ oc get deployments --all-namespaces \
    -l olm.owner,olm.owner!=packageserver (1)

There is an issue with the Machine Config Operator (MCO) supporting Day 2 proxy support, which describes when an existing non-proxied cluster is reconfigured to use a proxy. The MCO should apply newly configured proxy CA certificates in a ConfigMap to the RHCOS trust bundle; this is not working. As a workaround, you must manually add the proxy CA certificate to your trust bundle and then update the trust bundle:

$ cp /opt/registry/certs/<my_root_ca>.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust extract
$ oc adm drain <node>
$ systemctl reboot