This is a cache of https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html. It is a snapshot of the page at 2024-11-25T06:02:07.577+0000.
OpenShift Container Platform 4.17 release notes | Release notes | OpenShift Container Platform 4.17

Red Hat OpenShift Container Platform provides developers and IT organizations with a hybrid cloud application platform for deploying both new and existing applications on secure, scalable resources with minimal configuration and management. OpenShift Container Platform supports a wide selection of programming languages and frameworks, such as Java, JavaScript, Python, Ruby, and PHP.

Built on Red Hat Enterprise Linux (RHEL) and Kubernetes, OpenShift Container Platform provides a more secure and scalable multitenant operating system for today’s enterprise-class applications, while delivering integrated application runtimes and libraries. OpenShift Container Platform enables organizations to meet security, privacy, compliance, and governance requirements.

About this release

OpenShift Container Platform (RHSA-2024:3718) is now available. This release uses Kubernetes 1.30 with CRI-O runtime. New features, changes, and known issues that pertain to OpenShift Container Platform 4.17 are included in this topic.

OpenShift Container Platform 4.17 clusters are available at https://console.redhat.com/openshift. With the Red Hat OpenShift Cluster Manager application for OpenShift Container Platform, you can deploy OpenShift Container Platform clusters to either on-premises or cloud environments.

OpenShift Container Platform 4.17 is supported on Red Hat Enterprise Linux (RHEL) 8.8-8.10, and on Red Hat Enterprise Linux CoreOS (RHCOS) 9.4.

You must use RHCOS machines for the control plane, and you can use either RHCOS or RHEL for compute machines. RHEL machines are deprecated in OpenShift Container Platform 4.16 and will be removed in a future release.

The support lifecycle for odd-numbered releases, such as OpenShift Container Platform 4.17, on all supported architectures, including x86_64, 64-bit ARM (aarch64), IBM Power® (ppc64le), and IBM Z® (s390x) architectures is 18 months. For more information about support for all versions, see the Red Hat OpenShift Container Platform Life Cycle Policy.

Commencing with the OpenShift Container Platform 4.14 release, Red Hat is simplifying the administration and management of Red Hat shipped cluster Operators with the introduction of three new life cycle classifications: Platform Aligned, Platform Agnostic, and Rolling Stream. These life cycle classifications provide additional ease and transparency for cluster administrators to understand the life cycle policies of each Operator and form cluster maintenance and upgrade plans with predictable support boundaries. For more information, see OpenShift Operator Life Cycles.

OpenShift Container Platform is designed for FIPS. When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.

For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status for the individual versions of RHEL cryptographic libraries that have been submitted for validation, see Compliance Activities and Government Standards.

OpenShift Container Platform layered and dependent component support and compatibility

The scope of support for layered and dependent components of OpenShift Container Platform changes independently of the OpenShift Container Platform version. To determine the current support status and compatibility for an add-on, refer to its release notes. For more information, see the Red Hat OpenShift Container Platform Life Cycle Policy.

New features and enhancements

This release adds improvements related to the following components and concepts:

Cluster Resource Override Admission Operator

Moving the Cluster Resource Override Operator

By default, the installation process creates a Cluster Resource Override Operator pod on a worker node and two Cluster Resource Override pods on control plane nodes. You can move these pods to other nodes, such as an infrastructure node, as needed. For more information, see Moving the Cluster Resource Override Operator pods.

Cluster Resource Override Operator pod is owned by a deployment object

The Cluster Resource Override Operator pod is now owned by a deployment object. Previously, the Operator was owned by a daemon set object. Using a deployment for the Operator addresses a number of issues, including additional security, and adds the ability to run the pods on worker nodes.

Extensions (OLM v1)

Operator Lifecycle Manager (OLM) v1 documentation moved to new Extensions guide (Technology Preview)

The documentation for OLM v1, which has been in Technology Preview starting in OpenShift Container Platform 4.14, is now moved and reworked as a separate guide called Extensions. Previously, OLM v1 documentation was a subsection of the existing Operators guide, which otherwise documents the existing OLM feature set.

The updated location and guide name reflect a more focused documentation experience and aim to differentiate between OLM v1 and existing OLM.

OLM v1 Technology Preview features

This Technology Preview phase of OLM v1 introduces the following features:

Custom resource definition (CRD) upgrade safety

When you update a CRD that is provided by a cluster extension, OLM v1 now runs a CRD upgrade safety preflight check to ensure backwards compatibility with previous versions of that CRD. The CRD update must pass the validation checks before the change is allowed to progress on a cluster.

Single object ownership for cluster extensions

In OLM v1, a Kubernetes object can only be owned by a single ClusterExtension object at a time. This ensures that objects within an OpenShift Container Platform cluster are managed consistently and prevents conflicts between multiple cluster extensions attempting to control the same object.

For more information, see Object ownership for cluster extensions.

Enhanced security

OLM v1 now requires a dedicated service account for installing, updating, and managing cluster extensions. Additionally, catalogd uses HTTPS encryption to secure catalog server responses.

Improved status conditions

In this release, OLM v1 includes improved status conditions and error messaging via the ClusterExtension API.

OLM v1 supported extensions and known issue

Currently, Operator Lifecycle Manager (OLM) v1 supports installing cluster extensions that meet all of the following criteria:

  • The extension must use the registry+v1 bundle format introduced in existing OLM.

  • The extension must support installation via the AllNamespaces install mode.

  • The extension must not use webhooks.

  • The extension must not declare dependencies by using any of the following file-based catalog properties:

    • olm.gvk.required

    • olm.package.required

    • olm.constraint

OLM v1 checks that the extension you want to install meets these constraints. If the extension that you want to install does not meet these constraints, an error message is printed in the cluster extension’s conditions.
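The criteria above map onto fields you can inspect in a bundle before attempting an install. The following pre-check is an added example, not Red Hat or OLM code; the function name `olm_v1_blockers` and the sample bundle data are hypothetical, and it assumes you have already loaded the bundle's annotations, its ClusterServiceVersion, and its file-based catalog properties into Python dictionaries.

```python
# Annotation in a bundle's metadata/annotations.yaml that names the bundle format.
MEDIATYPE_ANNOTATION = "operators.operatorframework.io.bundle.mediatype.v1"

# File-based catalog property types that OLM v1 does not accept (from the list above).
UNSUPPORTED_DEPENDENCY_PROPERTIES = (
    "olm.gvk.required",
    "olm.package.required",
    "olm.constraint",
)


def olm_v1_blockers(annotations, csv, properties):
    """Return a list of reasons why OLM v1 would reject this extension.

    annotations: dict of bundle annotations
    csv:         the bundle's ClusterServiceVersion as a dict
    properties:  list of {"type": ..., "value": ...} catalog properties
    """
    problems = []

    mediatype = annotations.get(MEDIATYPE_ANNOTATION)
    if mediatype != "registry+v1":
        problems.append(f"bundle format is {mediatype!r}, not 'registry+v1'")

    spec = csv.get("spec", {})
    modes = {m.get("type"): m.get("supported") for m in spec.get("installModes", [])}
    if modes.get("AllNamespaces") is not True:
        problems.append("AllNamespaces install mode is not supported")

    webhooks = spec.get("webhookdefinitions") or []
    if webhooks:
        problems.append(f"defines {len(webhooks)} webhook(s)")

    for prop in properties:
        if prop.get("type") in UNSUPPORTED_DEPENDENCY_PROPERTIES:
            problems.append(f"declares dependency property {prop['type']}")

    return problems


# Constructed sample data for illustration only.
SAMPLE_ANNOTATIONS = {MEDIATYPE_ANNOTATION: "registry+v1"}
SAMPLE_CSV = {
    "spec": {
        "installModes": [
            {"type": "OwnNamespace", "supported": True},
            {"type": "AllNamespaces", "supported": False},
        ],
        "webhookdefinitions": [{"type": "ValidatingAdmissionWebhook"}],
    }
}
SAMPLE_PROPERTIES = [
    {"type": "olm.package", "value": {"packageName": "example-operator", "version": "1.0.0"}},
    {"type": "olm.package.required", "value": {"packageName": "other-operator", "versionRange": ">=1.0.0"}},
]

if __name__ == "__main__":
    for reason in olm_v1_blockers(SAMPLE_ANNOTATIONS, SAMPLE_CSV, SAMPLE_PROPERTIES):
        print("blocked:", reason)
```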

Operator Lifecycle Manager (OLM) v1 does not support the OperatorConditions API introduced in existing OLM.

If an extension relies on only the OperatorConditions API to manage updates, the extension might not install correctly. Most extensions that rely on this API fail at start time, but some might fail during reconciliation.

As a workaround, you can pin your extension to a specific version. When you want to update your extension, consult the extension’s documentation to find out when it is safe to pin the extension to a new version.

Currently, Operator Lifecycle Manager (OLM) v1 cannot authenticate private registries, such as the Red Hat-provided Operator catalogs. This is a known issue. As a result, the OLM v1 procedures that rely on having the Red Hat Operators catalog installed do not work. (OCPBUGS-36364)

Edge computing

Managing host firmware settings with GitOps ZTP

You can now configure host firmware settings for managed clusters that you deploy with GitOps ZTP. You save host profile YAML files alongside SiteConfig custom resources (CRs) that you use to deploy the managed clusters. GitOps ZTP uses the host profiles to configure firmware settings in the managed cluster hosts during deployment. On the hub cluster, you can use FirmwareSchema CRs to discover the managed cluster host firmware schema, and HostFirmwareSettings CRs to retrieve the managed cluster firmware settings.

Image-based upgrade enhancements

With this release, the image-based upgrade introduces the following enhancements:

  • Simplifies the upgrade process for a large group of managed clusters by adding the ImageBasedGroupUpgrade API on the hub

  • Labels the managed clusters for action completion when using the ImageBasedGroupUpgrade API

  • Improves seed cluster validation before the seed image generation

  • Automatically cleans up the container storage disk if usage reaches a certain threshold on the managed clusters

  • Adds comprehensive event history in the new status.history field of the ImageBasedUpgrade CR

For more information about the ImageBasedGroupUpgrade API, see Managing the image-based upgrade at scale using the ImageBasedGroupUpgrade CR on the hub.

Disk encryption with TPM and PCR protection (Technology Preview)

With this release, you can enable disk encryption with Trusted Platform Module (TPM) and Platform Configuration Registers (PCRs) protection. You can use the diskEncryption field in the SiteConfig custom resource (CR) to configure the disk encryption. Configuring the SiteConfig CR enables disk encryption at the time of cluster installation.

IPsec encryption for multi-node clusters using GitOps ZTP and SiteConfig resources

You can now enable IPsec encryption in managed multi-node clusters that you deploy with GitOps ZTP and Red Hat Advanced Cluster Management (RHACM). You can encrypt traffic between the managed cluster and IPsec endpoints external to the managed cluster. All network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in Transport mode.

Image-based installation for single-node OpenShift clusters

Image-based installations streamline the installation and deployment process for single-node OpenShift clusters by significantly reducing installation and deployment times.

Using an image-based workflow, you can preinstall instances of single-node OpenShift on target hosts. These preinstalled hosts can be rapidly reconfigured and deployed at the far edge of the network, including in disconnected environments, with minimal intervention.

IBM Z and IBM LinuxONE

With this release, IBM Z® and IBM® LinuxONE are now compatible with OpenShift Container Platform 4.17. You can perform the installation with z/VM, LPAR, or Red Hat Enterprise Linux (RHEL) Kernel-based Virtual Machine (KVM). For installation instructions, see Preparing to install on IBM Z and IBM LinuxONE.

Compute nodes must run Red Hat Enterprise Linux CoreOS (RHCOS).

IBM Z and IBM LinuxONE notable enhancements

The IBM Z® and IBM® LinuxONE release on OpenShift Container Platform 4.17 adds improvements and new capabilities to OpenShift Container Platform components and concepts.

This release introduces support for the following features on IBM Z® and IBM® LinuxONE:

  • CPU manager

  • Non-volatile memory express (NVMe) support for LPAR

  • Tuning etcd latency tolerances

IBM Power

IBM Power® is now compatible with OpenShift Container Platform 4.17. For installation instructions, see the following documentation:

Compute nodes must run Red Hat Enterprise Linux CoreOS (RHCOS).

IBM Power notable enhancements

The IBM Power® release on OpenShift Container Platform 4.17 adds improvements and new capabilities to OpenShift Container Platform components.

This release introduces support for the following features on IBM Power:

  • Tuning etcd latency tolerances

  • Installer Provisioned Infrastructure for IBM PowerVS - move to CAPI

IBM Power, IBM Z, and IBM LinuxONE support matrix

Starting in OpenShift Container Platform 4.14, Extended Update Support (EUS) is extended to the IBM Power® and the IBM Z® platform. For more information, see the OpenShift EUS Overview.

Table 1. OpenShift Container Platform features
| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
|---|---|---|
| Alternate authentication providers | Supported | Supported |
| Agent-based Installer | Supported | Supported |
| Assisted Installer | Supported | Supported |
| Automatic Device Discovery with Local Storage Operator | Unsupported | Supported |
| Automatic repair of damaged machines with machine health checking | Unsupported | Unsupported |
| Cloud controller manager for IBM Cloud® | Supported | Unsupported |
| Controlling overcommit and managing container density on nodes | Unsupported | Unsupported |
| CPU manager | Supported | Supported |
| Cron jobs | Supported | Supported |
| Descheduler | Supported | Supported |
| Egress IP | Supported | Supported |
| Encrypting data stored in etcd | Supported | Supported |
| FIPS cryptography | Supported | Supported |
| Helm | Supported | Supported |
| Horizontal pod autoscaling | Supported | Supported |
| Hosted control planes | Supported | Supported |
| IBM Secure Execution | Unsupported | Supported |
| Installer-provisioned Infrastructure Enablement for IBM Power® Virtual Server | Supported | Unsupported |
| Installing on a single node | Supported | Supported |
| IPv6 | Supported | Supported |
| Monitoring for user-defined projects | Supported | Supported |
| Multi-architecture compute nodes | Supported | Supported |
| Multi-architecture control plane | Supported | Supported |
| Multipathing | Supported | Supported |
| Network-Bound Disk Encryption - External Tang Server | Supported | Supported |
| Non-volatile memory express drives (NVMe) | Supported | Unsupported |
| nx-gzip for Power10 (Hardware Acceleration) | Supported | Unsupported |
| oc-mirror plugin | Supported | Supported |
| OpenShift CLI (oc) plugins | Supported | Supported |
| Operator API | Supported | Supported |
| OpenShift Virtualization | Unsupported | Unsupported |
| OVN-Kubernetes, including IPsec encryption | Supported | Supported |
| PodDisruptionBudget | Supported | Supported |
| Precision Time Protocol (PTP) hardware | Unsupported | Unsupported |
| Red Hat OpenShift Local | Unsupported | Unsupported |
| Scheduler profiles | Supported | Supported |
| Secure Boot | Unsupported | Supported |
| Stream Control Transmission Protocol (SCTP) | Supported | Supported |
| Support for multiple network interfaces | Supported | Supported |
| The openshift-install utility to support various SMT levels on IBM Power® (Hardware Acceleration) | Supported | Supported |
| Three-node cluster support | Supported | Supported |
| Topology Manager | Supported | Unsupported |
| z/VM Emulated FBA devices on SCSI disks | Unsupported | Supported |
| 4K FCP block device | Supported | Supported |

Table 2. Persistent storage options
| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
|---|---|---|
| Persistent storage using iSCSI | Supported [1] | Supported [1],[2] |
| Persistent storage using local volumes (LSO) | Supported [1] | Supported [1],[2] |
| Persistent storage using hostPath | Supported [1] | Supported [1],[2] |
| Persistent storage using Fibre Channel | Supported [1] | Supported [1],[2] |
| Persistent storage using Raw Block | Supported [1] | Supported [1],[2] |
| Persistent storage using EDEV/FBA | Supported [1] | Supported [1],[2] |

  1. Persistent shared storage must be provisioned by using either Red Hat OpenShift Data Foundation or other supported storage protocols.

  2. Persistent non-shared storage must be provisioned by using local storage, such as iSCSI, FC, or by using LSO with DASD, FCP, or EDEV/FBA.

Table 3. Operators
| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
|---|---|---|
| cert-manager Operator for Red Hat OpenShift | Supported | Supported |
| Cluster Logging Operator | Supported | Supported |
| Cluster Resource Override Operator | Supported | Supported |
| Compliance Operator | Supported | Supported |
| Cost Management Metrics Operator | Supported | Supported |
| File Integrity Operator | Supported | Supported |
| HyperShift Operator | Technology Preview | Technology Preview |
| IBM Power® Virtual Server Block CSI Driver Operator | Supported | Unsupported |
| Ingress Node Firewall Operator | Supported | Supported |
| Local Storage Operator | Supported | Supported |
| MetalLB Operator | Supported | Supported |
| Network Observability Operator | Supported | Supported |
| NFD Operator | Supported | Supported |
| NMState Operator | Supported | Supported |
| OpenShift Elasticsearch Operator | Supported | Supported |
| Vertical Pod Autoscaler Operator | Supported | Supported |

Table 4. Multus CNI plugins
| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
|---|---|---|
| Bridge | Supported | Supported |
| Host-device | Supported | Supported |
| IPAM | Supported | Supported |
| IPVLAN | Supported | Supported |

Table 5. CSI Volumes
| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
|---|---|---|
| Cloning | Supported | Supported |
| Expansion | Supported | Supported |
| Snapshot | Supported | Supported |

Insights Operator

The Insights Operator now collects more OpenShift Container Platform container log data from namespaces prefixed with either the openshift- or kube- prefix and generates recommendations much faster. Enhancements have also been made to give you more flexibility in how the data to be collected gets defined for your service.

Rapid Recommendations

This release introduces a new feature called Rapid Recommendations, which provides a more dynamic and version-independent mechanism for remotely configuring the rules that determine which data the Insights Operator collects.

Rapid Recommendations builds on the existing conditional data gathering mechanism. The Insights Operator connects to a secure remote endpoint service running on console.redhat.com to retrieve definitions that contain the rules for determining which container log messages are filtered and collected by Red Hat.

The conditional data-gathering definitions, also referred to as rules, get configured through an attribute named conditionalGathererEndpoint in the pod.yml configuration file.

conditionalGathererEndpoint: https://console.redhat.com/api/gathering/v2/%s/gathering_rules

Previously, the rules for determining the data that the Insights Operator collects were hard-coded and tied to the corresponding OpenShift Container Platform version.

The preconfigured endpoint URL now provides a placeholder (%s) for defining a target version of OpenShift Container Platform.

More data collected and recommendations added

The Insights Operator now gathers more data to detect the following scenarios, which other applications can use to generate remedial recommendations to proactively manage your OpenShift Container Platform deployments:

  • Detects pods and namespaces that use the deprecated OpenShift SDN CNI plugin and generates a recommendation for the possible actions you should take depending on the data collected from your deployment.

  • Collects custom resource definitions (CRD) from RHOSP.

  • Collects the haproxy_exporter_server_threshold metric to detect the problem and remediation reported in OCPBUGS-36687.

  • Collects data to detect custom Prometheus Alertmanager instances that are not in the openshift-monitoring namespace because they could potentially impact the management of corresponding resources.

  • Detects the upcoming expiry of the default Ingress Controller expiration certificate, which other applications and services can use to generate recommendations to renew the certificate before the expiry date.

    • Before this update, the Insights Operator gathered information about all Ingress Controller certificates, including their NotBefore and NotAfter dates. This data is now compiled into a JSON file located at aggregated/ingress_controllers_certs.json for easier monitoring of certificate validity across the cluster. (OCPBUGS-35727)

Installation and update

User-defined labels and tags for GCP

With this update, user-defined labels and tags for Google Cloud Platform (GCP) are Generally Available.

Installing a cluster on Nutanix with compute machines using GPUs

With this update, you can install a cluster on Nutanix with compute machines that use GPUs for processing. You attach a GPU to compute nodes with the compute.platform.nutanix.gpus parameters in the install-config.yaml file.

Installing a cluster on Nutanix with compute nodes using multiple disks

With this update, you can install a cluster on Nutanix with compute machines that have multiple disks attached to them. You attach multiple disks to compute nodes with the compute.platform.nutanix.dataDisks parameters in the install-config.yaml file.

Installing a cluster on Azure in the Central Spain region

You can now install an OpenShift Container Platform cluster on Azure in the Central Spain region, spaincentral.

For more information, see Supported Azure regions.

Installing a cluster with the support for configuring multi-architecture compute machines

With this release, you can install an Amazon Web Services (AWS) cluster and Google Cloud Platform (GCP) cluster with the support for configuring multi-architecture compute machines. While installing the cluster, you can specify different CPU architectures for the control plane and compute machines in the following ways:

  • 64-bit x86 compute machines and 64-bit ARM control plane machines

  • 64-bit ARM compute machines and 64-bit x86 control plane machines

An OpenShift Container Platform cluster with multi-architecture compute machines supports compute machines with different architectures. For more information, see the following documentation:

Installing a cluster on Nutanix with Flow Virtual Networking

In OpenShift Container Platform 4.17, you can install a cluster on Nutanix with Flow Virtual Networking enabled. Flow Virtual Networking is a software-defined networking solution for Nutanix AHV clusters that provides multi-tenant isolation, self-service provisioning, and IP address preservation using VPCs, subnets, and other virtual components that are separate from the physical network. To perform this installation, enable Flow Virtual Networking in your Nutanix AHV environment before installing.

For more information, see Flow Virtual Networking overview.

Cluster API replaces Terraform for Microsoft Azure installations

In OpenShift Container Platform 4.17, the installation program uses Cluster API instead of Terraform to provision cluster infrastructure during installations on Azure.

With the replacement of Terraform, the following permissions are required if you use a service principal with limited privileges:

  • Microsoft.Network/loadBalancers/inboundNatRules/read

  • Microsoft.Network/loadBalancers/inboundNatRules/write

  • Microsoft.Network/loadBalancers/inboundNatRules/join/action

  • Microsoft.Network/loadBalancers/inboundNatRules/delete

  • Microsoft.Network/routeTables/read

  • Microsoft.Network/routeTables/write

  • Microsoft.Network/routeTables/join/action

For more information on required permissions, see Required Azure permissions for installer-provisioned infrastructure.
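Before upgrading an installer workflow that relies on a limited-privilege service principal, you can check its custom roles against the seven permissions listed above. The following check is an added example, not part of the OpenShift installer; the function names and the sample role are hypothetical, and it assumes role definitions exported as JSON with a `permissions` list of `actions` and `notActions`, the shape printed by `az role definition list`.

```python
import re

# Permissions the release note lists as required for a limited-privilege
# service principal once Cluster API replaces Terraform on Azure.
REQUIRED_ACTIONS = [
    "Microsoft.Network/loadBalancers/inboundNatRules/read",
    "Microsoft.Network/loadBalancers/inboundNatRules/write",
    "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
    "Microsoft.Network/loadBalancers/inboundNatRules/delete",
    "Microsoft.Network/routeTables/read",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/routeTables/join/action",
]


def pattern_matches(pattern, action):
    """Azure action strings are case-insensitive; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def block_grants(block, action):
    """One permissions block grants an action if an 'actions' entry matches
    it and no 'notActions' entry subtracts it again."""
    allowed = any(pattern_matches(p, action) for p in block.get("actions", []))
    removed = any(pattern_matches(p, action) for p in block.get("notActions", []))
    return allowed and not removed


def missing_actions(role_definitions, required=REQUIRED_ACTIONS):
    """Return the required actions that none of the assigned roles grant.

    Role assignments are additive: notActions only narrows the role it
    appears in, it does not deny an action that another role grants.
    """
    blocks = [b for role in role_definitions for b in role.get("permissions", [])]
    return [a for a in required if not any(block_grants(b, a) for b in blocks)]


# Constructed sample: a custom role that looks broad because of the wildcard,
# but carves out one required action and never grants routeTables/join/action.
SAMPLE_ROLES = [
    {
        "roleName": "example-ocp-installer",
        "permissions": [
            {
                "actions": [
                    "Microsoft.Network/loadBalancers/*",
                    "Microsoft.Network/routeTables/read",
                    "Microsoft.Network/routeTables/write",
                ],
                "notActions": [
                    "Microsoft.Network/loadBalancers/inboundNatRules/delete",
                ],
            }
        ],
    }
]

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_ROLES):
        print("missing:", action)
```

Pass every role assigned to the service principal in one call, because a permission that one role omits can be supplied by another.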

Installing a cluster on Google Cloud Platform by using an existing service account

With this update, you can install a cluster on GCP by using an existing service account, allowing you to minimize the permissions that you grant to the service account the installation program uses. You can specify this service account in the compute.platform.gcp.serviceAccount and controlPlane.platform.gcp.serviceAccount parameters in the install-config.yaml file. For more information, see Available installation configuration parameters for GCP.

Installing a cluster on AWS by using an existing IAM profile

With this release, you can install OpenShift Container Platform on Amazon Web Services (AWS) by using an existing identity and access management (IAM) instance profile. For more information, see Optional AWS configuration parameters.

Installing a cluster on GCP using the N4 machine series

With this release, you can deploy a cluster on GCP using the N4 machine series for compute or control plane machines. The supported disk type of N4 machine series is hyperdisk-balanced. For more information, see Installation configuration parameters for GCP.

Cluster API replaces Terraform for Google Cloud Platform (GCP) installations

With this release, the installation program uses Cluster API instead of Terraform to provision cluster infrastructure during installations on GCP.

Three-node cluster support for RHOSP

Deploying a three-node cluster on installer-provisioned infrastructure is now supported on Red Hat OpenStack Platform (RHOSP).

Deploying Red Hat OpenStack Platform (RHOSP) with root volume and etcd on local disk (Generally Available)

You can now move etcd from a root volume (Cinder) to a dedicated ephemeral local disk as a Day 2 deployment with this generally available feature.

Announcement of the deprecation of extending compute nodes into AWS Outposts for clusters deployed on AWS Public Cloud

With this release, extending compute nodes into AWS Outposts for clusters deployed on AWS Public Cloud is deprecated. The ability to deploy compute nodes into AWS Outposts after installation, as an extension of an existing OpenShift Container Platform cluster operating in a public AWS region, will be removed with the release of OpenShift Container Platform version 4.20.

Operator lifecycle

New guide location and release notes section for Operator Lifecycle Manager (OLM) v1 (Technology Preview)

For release notes about OLM v1 in OpenShift Container Platform 4.17 and later, including its new guide location starting this release, see the new features and enhancements section for Extensions (OLM v1).

This "Operator lifecycle" section will continue to document new features and enhancements for existing OLM in future releases.

Web console warnings for deprecated Operators

When deprecated packages, channels, or versions are defined for Operators in a catalog, the OpenShift Container Platform web console now displays warning badges for the affected elements of the Operator, including any custom deprecation messages, on both the pre- and post-installation pages of the OperatorHub.

For more information on the deprecation schema for Operator catalogs, see Operator Framework packaging format → Schemas → olm.deprecations schema.

Operator development

Token authentication for Operators on cloud providers: GCP Workload Identity

With this release, Operators managed by Operator Lifecycle Manager (OLM) can support token authentication when running on Google Cloud Platform (GCP) clusters configured for GCP Workload Identity. Updates to the Cloud Credential Operator (CCO) enable semi-automated provisioning of certain short-term credentials, provided that the Operator author has enabled their Operator to support GCP Workload Identity.

OpenShift CLI (oc)

oc-mirror to include the HyperShift KubeVirt CoreOS container

With this release, oc-mirror now includes the Red Hat Enterprise Linux CoreOS (RHCOS) image for the HyperShift KubeVirt provider when mirroring the OpenShift Container Platform release payload.

The kubeVirtContainer flag, which is set to false by default, must be set to true in the imageSetConfig.yaml file to extract the KubeVirt Container RHCOS. This ensures support for disconnected environments by including the required image for KubeVirt virtual machines acting as nodes for hosted clusters.

Machine Config Operator

Control plane TLS security profiles supported by the MCO

The Machine Config Operator (MCO) and Machine Config Server now use the TLS security profile that is configured for the control plane components. For more information, see Configuring the TLS security profile for the control plane.

Updated boot images for AWS now supported (Technology Preview)

Updated boot images are now supported as a Technology Preview feature for Amazon Web Services (AWS) clusters. This feature allows you to configure your cluster to update the node boot image whenever you update your cluster. By default, the boot image in your cluster is not updated along with your cluster. For more information, see Updated boot images.

Updated boot images for GCP clusters promoted to GA

The updated boot images feature has been promoted to GA for Google Cloud Platform (GCP) clusters. For more information, see Updated boot images.

Node disruption policies promoted to GA

The node disruption policies feature has been promoted to GA. A node disruption policy allows you to define a set of Ignition config object changes that would require little or no disruption to your workloads. For more information, see Using node disruption policies to minimize disruption from machine config changes.

Machine management

Supporting AWS Placement Group Partition Number

This release introduces the placementGroupPartition field for OpenShift Container Platform MachineSet on Amazon Web Services (AWS). With this feature, you can specify a partition number within an existing placement group, enabling precise instance allocation and improved fault tolerance. For example, see Assigning machines to placement groups for Elastic Fabric Adapter instances by using machine sets.

Configuring Capacity Reservation by using machine sets

OpenShift Container Platform release 4.17 introduces support for on-demand Capacity Reservation with Capacity Reservation groups on Microsoft Azure clusters. For more information, see Configuring Capacity Reservation by using machine sets for compute or control plane machine sets.

Monitoring

The in-cluster monitoring stack for this release includes the following new and modified features.

Updates to monitoring stack components and dependencies

This release includes the following version updates for in-cluster monitoring stack components and dependencies:

  • Alertmanager to 0.27.0

  • Prometheus Operator to 0.75.2

  • Prometheus to 2.53.1

  • kube-state-metrics to 2.13.0

  • node-exporter to 1.8.2

  • Thanos to 0.35.1

Changes to alerting rules

Red Hat does not guarantee backward compatibility for recording rules or alerting rules.

  • Added the PrometheusKubernetesListWatchFailures alert to warn users about Prometheus and Kubernetes API failures, such as unreachable API and permissions issues, which can lead to silent service discovery failures.

Updated Prometheus to tolerate jitters at scrape time for user-defined projects

With this update, the Prometheus configuration for monitoring for user-defined projects now tolerates jitters at scrape time. This update optimizes data compression for monitoring deployments that show sub-optimal chunk compression for data storage, which reduces the disk space used by the time series database in these deployments.

Network Observability Operator

The Network Observability Operator releases updates independently from the OpenShift Container Platform minor version release stream. Updates are available through a single, Rolling Stream which is supported on all currently supported versions of OpenShift Container Platform 4. Information regarding new features, enhancements, and bug fixes for the Network Observability Operator is found in the Network Observability release notes.

Nodes

New CRIO command behavior

Beginning in OpenShift Container Platform 4.17, when a node is rebooted, the crio wipe command checks that the CRI-O binary exited cleanly. Those images that did not exit cleanly are targeted as corrupted and removed. This behavior prevents CRI-O from failing to start due to half-pulled images or other unsynced files. In OpenShift Container Platform 4.15 and 4.16, the crio wipe command removed all images when a node was rebooted. The crio wipe command’s new behavior increases efficiency while still reducing the risk of image corruption when a node is rebooted.

New flags added for must-gather command

OpenShift Container Platform release 4.17 adds two new flags for use with the oc adm must-gather command to limit the timespan of the information gathered. Only one of the following flags can be used at a time. Plugins are encouraged but not required to support these flags.

  • --since: Only return logs newer than a relative duration, such as 5s, 2m, or 3h. Defaults to all logs.

  • --since-time: Only return logs after a specific date, expressed in the RFC3339 format. Defaults to all logs.

For a full list of flags to use with the oc adm must-gather command, see Must-gather flags.

Linux user namespaces now supported for pods (Technology Preview)

OpenShift Container Platform release 4.17 adds support for deploying pods and containers into Linux user namespaces. Running pods and containers in individual user namespaces can mitigate several vulnerabilities that a compromised container can pose to other pods and the node itself. For more information, see Running pods in Linux user namespaces.

CRI-O metrics port now uses TLS

OpenShift Container Platform monitoring now uses a TLS-backed endpoint to fetch CRI-O container runtime metrics. These certificates are managed by the system and not the user. OpenShift Container Platform monitoring queries have been updated to the new port. For information on the certificates used by monitoring, see Monitoring and OpenShift Logging Operator component certificates.

Adding compute nodes to on-premise clusters

With this release, you can add compute nodes by using the OpenShift CLI (oc) to generate an ISO image, which can then be used to boot one or more nodes in your target cluster. This process can be used regardless of how you installed your cluster.

Networking

Dual-NIC Intel E810 Logan Beach as PTP grandmaster clock

You can now configure linuxptp services as a grandmaster clock (T-GM) for dual Intel E810 Logan Beach network interface controllers (NICs). You can configure the linuxptp services as a T-GM for the following dual E810 NICs:

  • Intel E810-XXVDA4T Westport Channel NICs

  • Intel E810-CQDA2T Logan Beach NICs

The host system clock is synchronized from the NIC that is connected to the Global Navigation Satellite Systems (GNSS) time source. The second NIC is synced to the 1PPS timing output provided by the NIC that is connected to GNSS. For more information, see Configuring linuxptp services as a grandmaster clock for dual E810 NICs.

Masquerade subnet change for new clusters

For OpenShift Container Platform 4.17 and later versions, clusters use 169.254.0.0/17 for IPv4 and fd69::/112 for IPv6 as the default masquerade subnet. These ranges should be avoided by users. For upgraded clusters, there is no change to the default masquerade subnet.
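A pre-installation check for the two default masquerade subnets named above, as an added example that is not part of the release notes or of any Red Hat tooling. The plan names and address ranges in `SAMPLE_PLAN` are constructed for illustration.

```python
import ipaddress

# Default masquerade subnets for new OpenShift Container Platform 4.17 clusters,
# as stated in the release note above.
MASQUERADE_SUBNETS = (
    ipaddress.ip_network("169.254.0.0/17"),
    ipaddress.ip_network("fd69::/112"),
)


def find_masquerade_conflicts(planned_ranges):
    """Return (name, normalized_cidr, masquerade_subnet) for every planned
    range that overlaps a default masquerade subnet.

    planned_ranges maps a label to a CIDR string. Host bits are tolerated
    (strict=False), so an interface address such as 169.254.100.5/24 is
    checked as the network it belongs to.
    """
    conflicts = []
    for name, cidr in planned_ranges.items():
        network = ipaddress.ip_network(cidr, strict=False)
        for masquerade in MASQUERADE_SUBNETS:
            # Only compare networks of the same IP version.
            if network.version != masquerade.version:
                continue
            if network.overlaps(masquerade):
                conflicts.append((name, str(network), str(masquerade)))
    return conflicts


# Constructed sample plan; names and ranges are illustrative only.
SAMPLE_PLAN = {
    "clusterNetwork": "10.128.0.0/14",
    "serviceNetwork": "172.30.0.0/16",
    "machineNetwork": "192.168.10.0/24",
    "bmc-link-local": "169.254.100.5/24",      # inside 169.254.0.0/17
    "storage-link-local": "169.254.200.0/24",  # upper half of the /16, outside the /17
    "lab-ipv6": "fd69::/64",                   # supernet of fd69::/112
    "lab-ipv6-b": "fd69:0:0:1::/64",           # neighbouring /64, no overlap
}

if __name__ == "__main__":
    for name, cidr, masquerade in find_masquerade_conflicts(SAMPLE_PLAN):
        print(f"{name}: {cidr} overlaps masquerade subnet {masquerade}")
```

The check reports supernets as well as subnets of the masquerade ranges, because either kind of overlap makes addresses ambiguous on the node.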

Enabling the SR-IOV network metrics exporter

With this release, you can query the Single Root I/O Virtualization (SR-IOV) virtual function (VF) metrics by using the OpenShift Container Platform web console to monitor the networking activity of the SR-IOV pods. When you query the SR-IOV VF metrics by using the web console, the SR-IOV network metrics exporter fetches and returns the VF network statistics along with the name and namespace of the pod that the VF is attached to.

Microsoft Azure for the Kubernetes NMState Operator

Red Hat support exists for using the Kubernetes NMState Operator on Microsoft Azure but in a limited capacity. Support is limited to configuring DNS servers on your system as a postinstallation task.

For more information, see About the Kubernetes NMState Operator.

View metrics collected by the Kubernetes NMState Operator

The Kubernetes NMState Operator, kubernetes-nmstate-operator, can collect metrics from the kubernetes_nmstate_features_applied component and expose them as ready-to-use metrics. You can view these metrics by using the Administrator and Developer perspectives.

For more information, see About the Kubernetes NMState Operator.

New PTP fast events REST API version 2 available

A new PTP fast events O-RAN Release 3 compliant REST API version 2 is available. Now, you can develop PTP event consumer applications that receive host hardware PTP events directly from the PTP Operator-managed pod.

The PTP events REST API v1 and PTP events consumer application sidecar are deprecated.

In O-RAN O-Cloud Notification API Specification for Event Consumers 3.0, the resource is defined as a hierarchical path for the subsystem that produces the notifications. The PTP events REST API v2 does not have a global subscription for all lower hierarchy resources contained in the resource path. You subscribe consumer applications to the various available event types separately.

Automatic leap seconds handling for PTP grandmaster clocks

The PTP Operator now automatically updates the leap second file by using Global Positioning System (GPS) announcements.

Leap second information is stored in an automatically generated ConfigMap resource named leap-configmap in the openshift-ptp namespace.

NIC partitioning for SR-IOV devices (Generally Available)

With this update, the ability to enable NIC partitioning for Single Root I/O Virtualization (SR-IOV) devices at install time is Generally Available.

For more information, see NIC partitioning for SR-IOV devices.

Host network settings for SR-IOV VFs (Generally Available)

With this update, the ability to update host network settings for Single Root I/O Virtualization (SR-IOV) network virtual functions in an existing cluster is Generally Available.

User-defined network segmentation (Technology Preview)

With OpenShift Container Platform 4.17, users can create multiple networks and declare them as primary or secondary networks for their workloads through the technology preview of the UserDefinedNetwork (UDN) custom resource definition (CRD). With UDN, users can isolate namespaces without configuring and managing complex network policies.

For more information, see Understanding user-defined networks.

CoreDNS update to version 1.11.3

OpenShift Container Platform 4.17 now includes CoreDNS version 1.11.3.

eBPF manager Operator (Tech Preview)

The eBPF manager Operator, available as a Technology Preview, allows you to securely deploy and manage eBPF programs. It facilitates the secure loading, unloading, modifying, and monitoring of eBPF programs in OpenShift Container Platform clusters. For more information about deploying the bpfman Operator, see About the eBPF Manager Operator.

eBPF program support for Ingress Node Firewall Operator (Technology Preview)

Secure management of eBPF programs for the Ingress Node Firewall Operator is available as a Technology Preview. Use of this feature requires installation of the eBPF manager Operator, also available as a Technology Preview. For more information, see Ingress Node Firewall Operator integration.

Changes to MetalLB

With this update, MetalLB uses FRR-K8s as the default backend. Previously, this was an optional feature available in Technology Preview. For more information, see Configuring the integration of MetalLB and FRR-K8s.

MetalLB also includes a new field for the Border Gateway Protocol (BGP) peer custom resource, connectTime. You can use this field to specify how long BGP waits between connection attempts to a neighbor. For more information, see About the BGP peer custom resource.

Exposing MTU for vfio-pci SR-IOV devices

With this release, the maximum transmission unit (MTU) on a virtual function that uses the vfio-pci driver is available in the network-status pod annotation and inside the container.

MetalLB metrics naming update

With this release, the naming convention for MetalLB BGP and BFD metrics was updated:

  • The naming for BGP metrics was updated from metallb_bgp_<metric_name> to frrk8s_bgp_<metric_name>.

  • The naming for BFD metrics was updated from metallb_bfd_<metric_name> to frrk8s_bfd_<metric_name>.

To view all the metrics in the new format, see MetalLB metrics for BGP and BFD.
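Alerting rules and dashboards that still query the old metric names return no data after the rename. The following added example, which is not part of the release notes, scans rule text for `metallb_bgp_` and `metallb_bfd_` metric names and rewrites them to the `frrk8s_` prefix. The rule file content, the `job` label value and the function names are constructed for illustration; matches inside double-quoted strings are reported for manual review instead of being rewritten.

```python
import re

# metallb_bgp_<metric_name> -> frrk8s_bgp_<metric_name>, and the same for bfd.
# The lookbehind keeps names that merely end in "metallb_bgp_..." from matching.
_OLD_NAME = re.compile(r"(?<![A-Za-z0-9_:])metallb_(bgp|bfd)_([A-Za-z0-9_:]+)")
# Double-quoted string literal (label values, annotation text).
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')


def _rename(text, renamed):
    """Rewrite old metric names in text and record each (old, new) pair."""
    def replace(match):
        new = f"frrk8s_{match.group(1)}_{match.group(2)}"
        renamed.append((match.group(0), new))
        return new
    return _OLD_NAME.sub(replace, text)


def migrate_line(line):
    """Return (new_line, renamed_pairs, names_found_inside_strings)."""
    renamed, in_strings = [], []
    parts, pos = [], 0
    for quoted in _QUOTED.finditer(line):
        parts.append(_rename(line[pos:quoted.start()], renamed))
        # Leave string literals untouched, but report what they contain.
        in_strings.extend(m.group(0) for m in _OLD_NAME.finditer(quoted.group(0)))
        parts.append(quoted.group(0))
        pos = quoted.end()
    parts.append(_rename(line[pos:], renamed))
    return "".join(parts), renamed, in_strings


def migrate_rules(text):
    """Return (migrated_text, report). Each report entry is
    (line_number, old_name, new_name); new_name is None when the old name
    sits inside a string literal and was left for manual review."""
    new_lines, report = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        new_line, renamed, in_strings = migrate_line(line)
        new_lines.append(new_line)
        report.extend((number, old, new) for old, new in renamed)
        report.extend((number, old, None) for old in in_strings)
    return "\n".join(new_lines), report


# Constructed sample rule file.
SAMPLE_RULES = """\
groups:
- name: metallb
  rules:
  - alert: BGPSessionDown
    expr: metallb_bgp_session_up{job="metallb_bgp_exporter"} == 0
  - alert: BFDSessionDown
    expr: sum by (peer) (metallb_bfd_session_up) < 1
  - alert: PoolExhausted
    expr: metallb_allocator_addresses_in_use_total > 250
"""

if __name__ == "__main__":
    migrated, report = migrate_rules(SAMPLE_RULES)
    for number, old, new in report:
        print(f"line {number}: {old} -> {new or 'in string, review manually'}")
    print(migrated)
```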

Registry

New chunkSizeMiB configuration parameter for S3 registry storage

A new, optional configuration parameter, chunkSizeMiB, is now available for deployments using S3 API-compatible backend storage. When configured, it determines the size of the multipart upload chunks for the S3 API. The default value is 10 MiB, with a minimum of 5 MiB.

Red Hat Enterprise Linux CoreOS (RHCOS)

RHCOS uses RHEL 9.4

RHCOS uses Red Hat Enterprise Linux (RHEL) 9.4 packages in OpenShift Container Platform 4.17. These packages ensure that your OpenShift Container Platform instance receives the latest fixes, features, enhancements, hardware support, and driver updates.

Support for the DNF package manager

With this release, you can now use DNF to install additional packages to your customized Red Hat Enterprise Linux CoreOS (RHCOS) builds. For more information, see Red Hat Enterprise Linux CoreOS (RHCOS) image layering.

Storage

AWS EFS CSI storage usage metrics is generally available

Amazon Web Services (AWS) Elastic File Service (EFS) usage metrics allow you to monitor how much space is used by EFS volumes. This feature is generally available.

Turning on these metrics can lead to performance degradation because the CSI driver walks through the whole volume. Therefore, this option is disabled by default. Administrators must explicitly enable this feature.

For more information, see AWS EFS storage CSI usage metrics.

Preventing unauthorized volume mode conversion is generally available

Previously, there was no validation of whether the mode of an original volume (filesystem or raw block), whose snapshot was taken, matches the mode of a newly created volume. This presented a security gap that could allow malicious users to potentially exploit an as-yet-unknown vulnerability in the host operating system.

Nevertheless, some users have a legitimate need to perform such conversions. This feature allows cluster administrators to provide these rights (ability to perform update or patch operations on VolumeSnapshotContents objects) only to trusted users or applications, such as backup vendors.

To convert a volume mode, an authorized user needs to change snapshot.storage.kubernetes.io/allow-volume-mode-change: "true" for VolumeSnapshotContent of the snapshot source.

This feature is supported as generally available.
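Because the control rests on who can update or patch VolumeSnapshotContent objects, an RBAC review is the natural check. The following added example, which is not part of the release notes or of any Red Hat tooling, lists the subjects that hold that right and the snapshot contents that already carry the annotation. It assumes objects shaped like the JSON returned by the Kubernetes API for ClusterRole, ClusterRoleBinding and VolumeSnapshotContent; VolumeSnapshotContent is cluster-scoped, so only ClusterRoles bound through ClusterRoleBindings are considered. All role, subject and object names are constructed.

```python
SNAPSHOT_API_GROUP = "snapshot.storage.k8s.io"
CONTENT_RESOURCE = "volumesnapshotcontents"
WRITE_VERBS = ("update", "patch")
# Annotation named in the release note above.
MODE_CHANGE_ANNOTATION = "snapshot.storage.kubernetes.io/allow-volume-mode-change"


def _covers(values, wanted):
    """RBAC list semantics: an entry of "*" matches any value."""
    return "*" in values or wanted in values


def rule_grants_mode_change(rule):
    """True if one RBAC rule allows update or patch on VolumeSnapshotContent."""
    return (
        _covers(rule.get("apiGroups", []), SNAPSHOT_API_GROUP)
        and _covers(rule.get("resources", []), CONTENT_RESOURCE)
        and any(_covers(rule.get("verbs", []), verb) for verb in WRITE_VERBS)
    )


def subjects_able_to_change_mode(cluster_roles, cluster_role_bindings):
    """Return sorted (kind, namespace, name, role) tuples for every subject
    bound to a ClusterRole that can update or patch VolumeSnapshotContent."""
    granting = {
        role["metadata"]["name"]
        for role in cluster_roles
        if any(rule_grants_mode_change(rule) for rule in role.get("rules") or [])
    }
    found = set()
    for binding in cluster_role_bindings:
        role_name = binding["roleRef"]["name"]
        if role_name not in granting:
            continue
        for subject in binding.get("subjects") or []:
            found.add((subject["kind"], subject.get("namespace", ""),
                       subject["name"], role_name))
    return sorted(found)


def contents_allowing_mode_change(snapshot_contents):
    """Names of VolumeSnapshotContent objects whose annotation is "true"."""
    return sorted(
        item["metadata"]["name"]
        for item in snapshot_contents
        if (item["metadata"].get("annotations") or {}).get(MODE_CHANGE_ANNOTATION) == "true"
    )


# --- Constructed sample data (hypothetical names) ---
def _role(name, resources, verbs, groups=(SNAPSHOT_API_GROUP,)):
    return {"metadata": {"name": name},
            "rules": [{"apiGroups": list(groups), "resources": list(resources),
                       "verbs": list(verbs)}]}


def _binding(role, kind, name, namespace=None):
    subject = {"kind": kind, "name": name}
    if namespace:
        subject["namespace"] = namespace
    return {"roleRef": {"kind": "ClusterRole", "name": role}, "subjects": [subject]}


SAMPLE_ROLES = [
    _role("backup-vendor-snapshots", ["volumesnapshotcontents"], ["get", "list", "update", "patch"]),
    _role("snapshot-viewer", ["volumesnapshotcontents"], ["get", "list", "watch"]),
    _role("platform-wildcard", ["*"], ["*"], groups=("*",)),
    # The status subresource does not cover the object's annotations.
    _role("snapshot-status-writer", ["volumesnapshotcontents/status"], ["update", "patch"]),
]
SAMPLE_BINDINGS = [
    _binding("backup-vendor-snapshots", "ServiceAccount", "backup-agent", "backup"),
    _binding("snapshot-viewer", "Group", "developers"),
    _binding("platform-wildcard", "User", "ops-admin"),
    _binding("snapshot-status-writer", "ServiceAccount", "status-sync", "storage"),
]
SAMPLE_CONTENTS = [
    {"metadata": {"name": "snapcontent-a", "annotations": {MODE_CHANGE_ANNOTATION: "true"}}},
    {"metadata": {"name": "snapcontent-b"}},
    {"metadata": {"name": "snapcontent-c", "annotations": {MODE_CHANGE_ANNOTATION: "false"}}},
]

if __name__ == "__main__":
    for entry in subjects_able_to_change_mode(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print("can change volume mode:", entry)
    print("annotated contents:", contents_allowing_mode_change(SAMPLE_CONTENTS))
```

Wildcard roles are reported on purpose: a subject with `*` on all resources holds the conversion right even though no rule names the snapshot API group.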

Automatic deletion of resources for GCP Filestore is generally available

In earlier versions of OpenShift Container Platform, when destroying a cluster, Google Compute Platform (GCP) Filestore Storage did not delete all of the cloud resources belonging to that cluster. This required manually deleting all of the persistent volume claims (PVCs) that used the Filestore storage class before destroying the cluster.

With OpenShift Container Platform 4.17, when destroying a cluster the OpenShift Container Platform installer should generally delete all of the cloud resources that belong to that cluster, and therefore manual deletion of PVCs should not be required. However, due to the special nature of the Google Compute Platform (GCP) Filestore resources, the automated cleanup process might not remove all of the resources in some rare cases. This feature is supported as generally available.

For more information, see Destroying clusters and GCP Filestore.

Azure File CSI supports snapshots (Technology Preview)

OpenShift Container Platform 4.17 introduces volume snapshot support for the Microsoft Azure File Container Storage Interface (CSI) Driver Operator. This capability is supported as a Technology Preview feature.

Multiple vCenter support for vSphere CSI (Technology Preview)

OpenShift Container Platform v4.17 introduces the ability to deploy OpenShift Container Platform across multiple vSphere clusters (vCenters). This feature is supported with Technology Preview status.

Multiple vCenters can only be configured during installation. The maximum number of supported vCenter clusters is three.

Disabling and enabling storage on vSphere (Technology Preview)

Cluster administrators might want to disable the VMware vSphere Container Storage Interface (CSI) Driver as a Day 2 operation, so the vSphere CSI Driver does not interface with your vSphere setup. This feature is supported at the Technology Preview level.

For more information, see Disabling and enabling storage on vSphere.

RWX/RWO SELinux Mount (Developer Preview)

Pods might take a very long time to start when the volume contains a large number of files. To avoid SELinux labeling issues while keeping SELinux confinement, you can enable the ReadWriteMany/ReadWriteOnce (RWX/RWO) SELinux Mount feature. Be advised that the RWX/RWO SELinux Mount feature is a Developer Preview feature. It is not supported by Red Hat, and you should not enable this feature set on production clusters or clusters that you plan to maintain over time.

RWX/RWO SELinux Mount is a Developer Preview feature only. Developer Preview features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

For more information about the RWX/RWO SELinux Mount feature, including how to enable it, see the RWX/RWO SELinux Mount feature Knowledge Centered Service article.

Migrating CNS volumes between datastores with cns-migration (Developer Preview)

In OpenShift Container Platform 4.17, if you are running out of space in your current datastore, or want to move to a more performant datastore, you can migrate volumes between datastores. Be advised that this feature is a Developer Preview feature. It is not supported by Red Hat.

Migrating CNS Volumes Between Datastores is a Developer Preview feature only. Developer Preview features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

For more information about cns-migration, see Moving CNS volumes between datastores.

Google Secret Manager is now available for the Secrets Store CSI Driver Operator (Technology Preview)

You can now use the Secrets Store CSI Driver Operator to mount secrets from Google Secret Manager to a Container Storage Interface (CSI) volume in OpenShift Container Platform. The Secrets Store CSI Driver Operator is available as a Technology Preview feature.

For the full list of available secrets store providers, see Secrets store providers.

For information about using the Secrets Store CSI Driver Operator to mount secrets from Google Secret Manager, see Mounting secrets from Google Secret Manager.

Scalability and performance

Kernel Module Management Operator

In this release, the firmware search path has been updated to copy the contents of the specified path into the path specified in worker.setFirmwareClassPath (default: /var/lib/firmware). For more information, see Example Module CR.

Node scaling for etcd

In this release, if your cluster is installed on a bare metal platform, you can scale a cluster control plane up to 5 nodes as a postinstallation task. The etcd Operator scales accordingly to account for the additional control plane nodes. For more information, see Node scaling for etcd.

Security

Automatic rotation of signer certificates

With this release, all etcd certificates originate from a new namespace: openshift-etcd. When a new signer certificate is close to its expiration date, the following actions occur:

  1. An automatic rotation of the signer certificate activates.

  2. The certificate bundle updates.

  3. All certificates regenerate with the new signers.

Manual rotation of signer certificates is still supported by deleting the specific secret and waiting for the status pod rollout to complete.

Sigstore signature image verification

With this release, Technology Preview clusters use Sigstore signatures to verify images that were retrieved using a pull spec that references the quay.io/openshift-release-dev/ocp-release repository.

Currently, if you are mirroring images, you must also mirror quay.io/openshift-release-dev/ocp-release:<release_image_digest_with_dash>.sig Sigstore signatures in order for the image verification to succeed.
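The signature reference that has to be mirrored can be derived from the release pull spec. The following added example, which is not part of the release notes or of any Red Hat tooling, builds that reference and reports which signatures a mirror is still missing. It assumes that `<release_image_digest_with_dash>` means the digest with its colon replaced by a dash (`sha256:<hex>` becomes `sha256-<hex>`) and that the mirror keeps the same tag; the digests and tag list are constructed.

```python
import re

# Release repository named in the release note above.
RELEASE_REPO = "quay.io/openshift-release-dev/ocp-release"
_DIGEST = re.compile(r"sha256:([0-9a-f]{64})")


def signature_tag(digest):
    """Map 'sha256:<hex>' to the tag '<digest_with_dash>.sig'.

    Assumption: the dash form replaces the ':' of the digest with '-'.
    """
    match = _DIGEST.fullmatch(digest)
    if not match:
        raise ValueError(f"not a sha256 image digest: {digest!r}")
    return f"sha256-{match.group(1)}.sig"


def split_release_pull_spec(pull_spec):
    """Split 'repo@sha256:<hex>' and insist on the release repository."""
    repo, separator, digest = pull_spec.partition("@")
    if not separator:
        raise ValueError(f"pull spec is not pinned by digest: {pull_spec!r}")
    if repo != RELEASE_REPO:
        raise ValueError(f"not a release image pull spec: {pull_spec!r}")
    return repo, digest


def signature_source(pull_spec):
    """Upstream signature reference that must be mirrored with the image."""
    repo, digest = split_release_pull_spec(pull_spec)
    return f"{repo}:{signature_tag(digest)}"


def missing_signatures(pull_specs, mirrored_tags):
    """Return the upstream signature references whose tag is absent from the
    tag list of the mirror repository (assumed to keep the same tag)."""
    present = set(mirrored_tags)
    missing = []
    for spec in pull_specs:
        _, digest = split_release_pull_spec(spec)
        if signature_tag(digest) not in present:
            missing.append(signature_source(spec))
    return missing


# Constructed digests and mirror tag list, for illustration only.
DIGEST_A = "sha256:" + "1a" * 32
DIGEST_B = "sha256:" + "2b" * 32
SAMPLE_PULL_SPECS = [f"{RELEASE_REPO}@{DIGEST_A}", f"{RELEASE_REPO}@{DIGEST_B}"]
SAMPLE_MIRRORED_TAGS = ["constructed-release-tag", "sha256-" + "1a" * 32 + ".sig"]

if __name__ == "__main__":
    for reference in missing_signatures(SAMPLE_PULL_SPECS, SAMPLE_MIRRORED_TAGS):
        print("signature not mirrored yet:", reference)
```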

Web console

OpenShift Lightspeed Operator is available in the web console

Starting with OpenShift Container Platform 4.16, OpenShift Lightspeed Operator is available for use in the web console. With this release, a hover button was added to help you discover OpenShift Lightspeed. Once you click the hover button, the chat window appears with instructions on how to enable and install OpenShift Lightspeed on the cluster. You can hide the OpenShift Lightspeed button when changing the default user preferences.

Administrator perspective

This release introduces the following updates to the Administrator perspective of the web console:

  • Deprecated Operators are displayed in the OperatorHub before and after installation along with a warning notification that the Operator is deprecated.

  • You can check the content of the configuration files for MachineConfig objects without having to manually retrieve their contents.

  • An alert was added to the Operator details page and the Operator installation page if your cluster is on Google Cloud Platform (GCP) with Workload Identity Foundation (WIF).

  • A page for ShipWright BuildStrategy was added to the Shipwright page with a ClusterBuildStrategy and BuildStrategy tab.

Customize the Create project modal using dynamic plugins

With this release, a new extension point was added, so dynamic plugin creators can pass a component that renders in place of the default Create Project modal.

For more information on OpenShift Container Platform Console dynamic plugin SDK extensions, see Dynamic plugin extension types.

External OpenID Connect (OIDC) token issuer is now functional in the web console

With this update, the web console works as expected when the internal oauth-server and oauth-apiserver resources are removed and replaced with an external OpenID Connect (OIDC) issuer.

Developer Perspective

This release introduces the following updates to the Developer perspective of the web console:

  • When you use one of the add flows to create a new deployment, the Import from Git or Container images automatically opens them in the sidebar.

  • You can easily select the desired Git Type without having to use the list if OpenShift Container Platform is unable to identify its type.

  • Import from Git supports GitEA, an open-source alternative to GitHub.

  • A warning notification displays on the Topology page if the PodDisruptionBudget limit is reached.

  • When importing applications through the Import from Git flows you can use Shipwright Build strategies such as S2I, buildpack, and buildah strategy for building the image.

Notable technical changes

OpenShift Container Platform 4.17 introduces the following notable technical changes:

Operator SDK 1.36.1

OpenShift Container Platform 4.17 supports Operator SDK 1.36.1. See Installing the Operator SDK CLI to install or update to this latest version.

Operator SDK 1.36.1 now supports Kubernetes 1.29 and uses a Red Hat Enterprise Linux (RHEL) 9 base image.

If you have Operator projects that were previously created or maintained with Operator SDK 1.31.0, update your projects to keep compatibility with Operator SDK 1.36.1.

Deprecated and removed features

Some features available in previous releases have been deprecated or removed.

Deprecated functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed within OpenShift Container Platform 4.17, refer to the table below. Additional details for more functionality that has been deprecated and removed are listed after the table.

In the following tables, features are marked with the following statuses:

  • Not Available

  • Technology Preview

  • General Availability

  • Deprecated

  • Removed

Bare metal monitoring deprecated and removed features

Table 6. Bare Metal Event Relay Operator tracker
Feature | 4.15 | 4.16 | 4.17
Bare Metal Event Relay Operator | Deprecated | Deprecated | Removed

Images deprecated and removed features

Table 7. Cluster Samples Operator deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
Cluster Samples Operator | General Availability | Deprecated | Deprecated

Installation deprecated and removed features

Table 8. Installation deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
--cloud parameter for oc adm release extract | Deprecated | Deprecated | Deprecated
CoreDNS wildcard queries for the cluster.local domain | Deprecated | Deprecated | Deprecated
compute.platform.openstack.rootVolume.type for RHOSP | Deprecated | Deprecated | Deprecated
controlPlane.platform.openstack.rootVolume.type for RHOSP | Deprecated | Deprecated | Deprecated
ingressVIP and apiVIP settings in the install-config.yaml file for installer-provisioned infrastructure clusters | Deprecated | Deprecated | Deprecated
Package-based RHEL compute machines | General Availability | Deprecated | Deprecated
platform.aws.preserveBootstrapIgnition parameter for Amazon Web Services (AWS) | General Availability | Deprecated | Deprecated
Terraform infrastructure provider for Amazon Web Services (AWS), VMware vSphere and Nutanix | General Availability | Removed | Removed
Installing a cluster on Alibaba Cloud with installer-provisioned infrastructure | Technology Preview | Removed | Removed
Installing a cluster on AWS with compute nodes in AWS Outposts | Deprecated | Deprecated | Deprecated

Operator lifecycle and development deprecated and removed features

Table 9. Operator lifecycle and development deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
Operator SDK | General Availability | Deprecated | Deprecated
Scaffolding tools for Ansible-based Operator projects | General Availability | Deprecated | Deprecated
Scaffolding tools for Helm-based Operator projects | General Availability | Deprecated | Deprecated
Scaffolding tools for Go-based Operator projects | General Availability | Deprecated | Deprecated
Scaffolding tools for Hybrid Helm-based Operator projects | Technology Preview | Deprecated | Deprecated
Scaffolding tools for Java-based Operator projects | Technology Preview | Deprecated | Deprecated
Platform Operators | Technology Preview | Removed | Removed
Plain bundles | Technology Preview | Removed | Removed
SQLite database format for Operator catalogs | Deprecated | Deprecated | Deprecated

Machine management deprecated and removed features

Table 10. Machine management deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
Managing machine with Machine API for Alibaba Cloud | Technology Preview | Removed | Removed
Cloud controller manager for Alibaba Cloud | Technology Preview | Removed | Removed

Monitoring deprecated and removed features

Table 11. Monitoring deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
dedicatedServiceMonitors setting that enables dedicated service monitors for core platform monitoring | Deprecated | Removed | Removed
prometheus-adapter component that queries resource metrics from Prometheus and exposes them in the metrics API | Deprecated | Removed | Removed

Networking deprecated and removed features

Table 12. Networking deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
OpenShift SDN network plugin | Deprecated | Deprecated | Removed
iptables | Deprecated | Deprecated | Deprecated
Limited live migration to OVN-Kubernetes from OpenShift SDN | Not Available | General Availability | Removed
PTP events REST API v1 and PTP events consumer application sidecar | General Availability | General Availability | Deprecated

Storage deprecated and removed features

Table 13. Storage deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
AliCloud Disk CSI Driver Operator | General Availability | Removed | Removed

Node deprecated and removed features

Table 14. Node deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
ImageContentSourcePolicy (ICSP) objects | Deprecated | Deprecated | Deprecated
Kubernetes topology label failure-domain.beta.kubernetes.io/zone | Deprecated | Deprecated | Deprecated
Kubernetes topology label failure-domain.beta.kubernetes.io/region | Deprecated | Deprecated | Deprecated
cgroup v1 | General Availability | Deprecated | Deprecated

Web console deprecated and removed features

Table 15. Web console deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
Patternfly 4 | Deprecated | Deprecated | Deprecated
React Router 5 | Deprecated | Deprecated | Deprecated

Workloads deprecated and removed features

Table 16. Workloads deprecated and removed tracker
Feature | 4.15 | 4.16 | 4.17
DeploymentConfig objects | Deprecated | Deprecated | Deprecated

Deprecated features

The preserveBootstrapIgnition parameter for AWS

The preserveBootstrapIgnition parameter for AWS in the install-config.yaml file has been deprecated. You can use the bestEffortDeleteIgnition parameter instead. (OCPBUGS-33661)

kube-apiserver no longer gets a valid cloud configuration object

In OpenShift Container Platform 4.17, kube-apiserver no longer gets a valid cloud configuration object. As a result, the PersistentVolumeLabel admission plugin rejects in-tree Google Compute Engine (GCE) persistent disk persistent volumes (PD PVs) that do not have the correct topology. (OCPBUGS-34544)

Patternfly 4 and React Router 5

In OpenShift Container Platform 4.16, Patternfly 4 and React Router 5 were deprecated. The deprecated status remains the same for OpenShift Container Platform 4.17. All plugins should migrate to Patternfly 5 and React Router 6 as soon as possible. (OCPBUGS-34538)

Removed features

Bare Metal Event Relay Operator (BMER)

BMER was deprecated in OpenShift Container Platform version 4.15 and 4.16. With this release, BMER is no longer supported and the related BMER content is removed from the documentation.

OpenShift SDN network plugin (Removed)

OpenShift SDN network plugin was deprecated in 4.15 and 4.16. With this release, the SDN network plugin is no longer supported and the content has been removed from the documentation.

Removal of RukPak (Technology Preview)

RukPak was introduced as a Technology Preview feature in OpenShift Container Platform 4.12. Starting in OpenShift Container Platform 4.14, it was used as a component in the Technology Preview of Operator Lifecycle Manager (OLM) v1.

Starting in OpenShift Container Platform 4.17, RukPak is now removed and relevant functionality relied upon by OLM v1 has been moved to other components.

Bug fixes

Bare Metal Hardware Provisioning

  • Previously, attempting to configure RAID on specific hardware models by using Redfish might have resulted in the following error: The attribute StorageControllers/Name is missing from the resource. With this update, the validation logic no longer requires the Name field, because the field is not mandated by the Redfish standard. (OCPBUGS-38465)

  • Previously, the management interface for the iDRAC9 Redfish management interface in the Redfish Bare Metal Operator (BMO) module was incorrectly set to iPXE. This caused the error Could not find the following interface in the ironic.hardware.interfaces.management entrypoint: ipxe and the deployment failed on Dell Remote Access Controller (iDRAC)-based servers. With this release, the issue is resolved. (OCPBUGS-37261)

Builds

  • Previously, builds could not set the GIT_LFS_SKIP_SMUDGE environment variable and use its value when cloning the source code. This caused builds to fail for some Git repositories with LFS files. With this release, the build is able to set this environment variable and use it during the git clone step of the build, which resolves the issue. (OCPBUGS-33215)

  • Previously, if the developer or cluster admin used lowercase environment variable names for proxy information, these environment variables were carried into the build output container image. At runtime, the proxy settings were active and had to be unset. With this release, lowercase versions of the _PROXY environment variables are prevented from leaking into built container images. Now, buildDefaults are only kept during the build and settings created for the build process only are removed before pushing the image in the registry. (OCPBUGS-12699)

Cloud Compute

  • Previously, a machine controller failed to save the VMware vSphere task ID of an instance template clone operation. This caused the machine to go into the Provisioning state and to power off. With this release, the VMware vSphere machine controller can detect and recover from this state. (OCPBUGS-1735)

  • Previously, the machine-api Operator reacted when it deleted a server that was in an ERROR state. This happened because the server did not pass a port list. With this release, deleting a machine stuck in an ERROR state does not cause an Operator reaction. (OCPBUGS-33806)

  • Previously, you could not configure capacity reservation on a Microsoft Azure Workload Identity cluster because of missing permissions. With this release, the Microsoft.Compute/capacityReservationGroups/deploy/action permission is added as a default credential request in the <infra-name>-openshift-machine-api-azure-cloud-credentials custom role, so that you can now configure capacity reservation as expected. (OCPBUGS-37154)

  • Previously, an optional internal function of the cluster autoscaler caused repeated log entries when it was not implemented. The issue is resolved in this release. (OCPBUGS-33592)

  • Previously, a node associated with a restarting machine briefly having a status of Ready=Unknown triggered the UnavailableReplicas condition in the Control Plane Machine Set Operator. This condition caused the Operator to enter the Available=False state and trigger alerts because that state indicates a nonfunctional component that requires immediate administrator intervention. This alert should not have been triggered for the brief and expected unavailability during a restart. With this release, a grace period for node unreadiness is added to avoid triggering unnecessary alerts. (OCPBUGS-20061)

  • Previously, when an OpenShift Container Platform cluster was installed with no capabilities and later enabled the Build capability, the related Build cluster configuration custom resource definition (CRD) was not created. With this release, the Build cluster configuration CRD and its default instance are created. This allows the Build capability to be fully configured and customized. (OCPBUGS-34395)

  • Previously, role bindings related to the Image Registry, Build, and DeploymentConfig capabilities were created in every namespace, even if the capabilities were disabled. With this release, role bindings are only created if the capability is enabled on the cluster. (OCPBUGS-34077)

Cloud Credential Operator

  • Previously, secrets in the cluster were fetched in a single call. When there was a large number of secrets, the API timed out. With this release, the Cloud Credential Operator fetches secrets in batches limited to 100 secrets. This change prevents timeouts when there is a large number of secrets in the cluster. (OCPBUGS-41233)

  • Previously, the Cloud Credential Operator reported an error when the awsSTSIAMRoleARN role was not present on a cluster that used manual mode with AWS Security Token Service. With this release, the Cloud Credential Operator no longer reports this as an error. (OCPBUGS-33566)

  • Previously, when checking whether passthrough permissions are sufficient, the Cloud Credential Operator sometimes received a response from the Google Cloud Platform (GCP) API that a permission is invalid for a project. This response caused the Operator to become degraded and installation to fail. With this release, the Operator is updated to handle this error gracefully. (OCPBUGS-36140)

Cluster Version Operator

  • Previously, a rarely occurring race condition between goroutines caused the Cluster Version Operator (CVO) to panic after the CVO started. With this release, goroutine synchronization is improved and the issue is resolved. (OCPBUGS-32678)

Developer Console

  • Previously, on some browsers, some icons in the samples catalog were stretched, making them hard to read. With this update, the icons are resized correctly so that they are no longer stretched and are easier to read. (OCPBUGS-34516)

  • Previously, the s2i build strategy was not explicitly mentioned in the func.yml file. Therefore, you could not create OpenShift Serverless functions with the repository. Additionally, error messages were not available if s2i is not mentioned or if func.yml. As a result, the reason for failures was not apparent. With this update, if the s2i build strategy is not mentioned, users can still create a function. If it is not s2i, users cannot create a function. The error messages are now different for the two cases. (OCPBUGS-33733)

  • Previously, when using a Quick Start guided tour in the OpenShift Container Platform web console, it took multiple clicks of the Next button to skip to the next step if the check your work dialog was ignored. With this update, it only takes one click, regardless of the state of the check your work box. (OCPBUGS-25929)

Driver ToolKit (DTK)

  • Previously, DTK incorrectly included the same values for KERNEL_VERSION and RT_KERNEL_VERSION that exist in the /etc/driver-toolkit-release.json configuration file. With this update, the RT_KERNEL_VERSION is displayed correctly. (OCPBUGS-33699)

etcd Cluster Operator

  • Previous versions of the etcd Operator checked the health of etcd members in serial with an all-member timeout that matched the single-member timeout. As a result, one slow member check could consume the entire timeout and cause later member checks to fail, regardless of the health of that later member. In this release, the etcd Operator checks the health of members in parallel, so the health and speed of one member’s check does not affect the other members' checks. (OCPBUGS-36301)

  • Previously, the health checks for the etcd Operator were not ordered. As a consequence, the health check sometimes failed even though all etcd members were healthy. The health-check failure triggered a scale-down event that caused the Operator to prematurely remove a healthy member. With this release, the health checks in the Operator are ordered. As a result, the health checks correctly reflect the health of etcd members and an incorrect scale-down event does not occur. (OCPBUGS-36462)
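The difference between the two health-check strategies described in OCPBUGS-36301, as an added example that is not the etcd Operator's code. The member type, the simulated delays, and the choice to give each parallel check its own timeout are assumptions made for the illustration.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"sync"
	"time"
)

// probeTimeout is the single-member timeout (value chosen for this demo).
const probeTimeout = 100 * time.Millisecond

// member is a hypothetical stand-in for an etcd member; delay simulates how
// long its health endpoint takes to answer.
type member struct {
	name  string
	delay time.Duration
}

// sampleMembers returns constructed data: one slow member between two fast ones.
func sampleMembers() []member {
	return []member{
		{"etcd-0", time.Millisecond},
		{"etcd-1", time.Second}, // slow: exceeds probeTimeout
		{"etcd-2", time.Millisecond},
	}
}

// checkMember simulates one health probe that honours context cancellation.
func checkMember(ctx context.Context, m member) error {
	if err := ctx.Err(); err != nil {
		return err // the time budget was already spent before this probe started
	}
	select {
	case <-time.After(m.delay):
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// checkSerial reproduces the old behaviour: members are probed one after
// another under a single deadline equal to the single-member timeout.
func checkSerial(members []member, timeout time.Duration) map[string]error {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	results := make(map[string]error, len(members))
	for _, m := range members {
		results[m.name] = checkMember(ctx, m)
	}
	return results
}

// checkParallel probes all members concurrently, each under its own deadline,
// so a slow member cannot consume the time budget of the others.
func checkParallel(members []member, timeout time.Duration) map[string]error {
	var (
		mu sync.Mutex
		wg sync.WaitGroup
	)
	results := make(map[string]error, len(members))
	for _, m := range members {
		wg.Add(1)
		go func(m member) {
			defer wg.Done()
			ctx, cancel := context.WithTimeout(context.Background(), timeout)
			defer cancel()
			err := checkMember(ctx, m)
			mu.Lock()
			results[m.name] = err
			mu.Unlock()
		}(m)
	}
	wg.Wait()
	return results
}

// unhealthy returns the names of members whose probe failed, sorted so the
// result does not depend on map iteration or goroutine completion order.
func unhealthy(results map[string]error) []string {
	var names []string
	for name, err := range results {
		if err != nil {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	members := sampleMembers()
	fmt.Println("serial, shared timeout:      ", unhealthy(checkSerial(members, probeTimeout)))
	fmt.Println("parallel, per-member timeout:", unhealthy(checkParallel(members, probeTimeout)))
}
```

In the serial run the healthy member etcd-2 is reported as failed only because etcd-1 used up the shared deadline, which is the false negative that could feed a scale-down decision.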

Hosted control planes

To view bug fixes for hosted control planes on OpenShift Container Platform 4.17, see Bug fixes.

Image Registry

  • Previously, the internal image registry would not correctly authenticate users on clusters configured with external OpenID Connect (OIDC) users. Consequently, this made it impossible for users to push or pull images to and from the internal image registry. With this update, the internal image registry starts by using the SelfSubjectReview API, dropping use of the OpenShift-specific user API, which is not available on clusters configured with external OIDC users. As a result, it is now possible to successfully authenticate with the internal image registry again. (OCPBUGS-35335)

  • Previously, the image registry was unable to run due to a permissions error in the certificate directory. This issue has been resolved. (OCPBUGS-38885)

  • Previously, when enabling virtualHostedStyle with regionEndpoint set in image registry Operator config, the image registry would ignore the virtual hosted style config and would fail to start. This update fixes the issue by using a new upstream distribution configuration, which is force path style, in favor of the downstream only version, which is virtual hosted style. (OCPBUGS-32710)

  • Previously, when OpenShift Container Platform was deployed on Azure clusters with Workload ID, storage accounts created for the cluster and the image registry had Storage Account Key Access enabled by default, which could pose security risks to the deployment.

    With this update, shared access keys are disabled by default on new installations that use Workload ID, enhancing security by preventing the use of shared access keys.

    Shared access keys should only be disabled if the cluster is configured to use Workload ID. Disabling shared access keys on a cluster not configured with Microsoft Entra Workload ID can cause the Image Registry Operator to become degraded.

    For existing storage accounts created before this update, shared access keys are not automatically disabled. Administrators must manually disable shared access key support on these storage accounts to prevent the use of shared keys. For more information about disabling shared access keys, see Prevent Shared Key authorization for an Azure Storage account.
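An audit for storage accounts that predate this change, as an added example that is not part of the release notes or of any Red Hat tooling. It assumes the JSON shape of `az storage account list -o json` trimmed to three fields; the account and resource group names are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sampleAccounts is constructed input shaped like `az storage account list -o json`,
// reduced to the fields this audit reads. All names are placeholders.
const sampleAccounts = `[
  {"name": "imageregistryexample1", "resourceGroup": "example-rg", "allowSharedKeyAccess": null},
  {"name": "clusterexample2",       "resourceGroup": "example-rg", "allowSharedKeyAccess": true},
  {"name": "clusterexample3",       "resourceGroup": "example-rg", "allowSharedKeyAccess": false},
  {"name": "legacyexample4",        "resourceGroup": "example-rg"}
]`

// storageAccount keeps allowSharedKeyAccess as a pointer so that "unset"
// (null or absent) can be told apart from an explicit false.
type storageAccount struct {
	Name                 string `json:"name"`
	ResourceGroup        string `json:"resourceGroup"`
	AllowSharedKeyAccess *bool  `json:"allowSharedKeyAccess"`
}

// permitsSharedKey reports whether the account accepts Shared Key requests.
// Azure treats an unset property the same as true, so only an explicit false
// counts as disabled.
func permitsSharedKey(a storageAccount) bool {
	return a.AllowSharedKeyAccess == nil || *a.AllowSharedKeyAccess
}

// findSharedKeyAccounts parses the account list and returns, sorted by name,
// the accounts that still permit Shared Key authorization.
func findSharedKeyAccounts(raw []byte) ([]storageAccount, error) {
	var accounts []storageAccount
	if err := json.Unmarshal(raw, &accounts); err != nil {
		return nil, fmt.Errorf("parsing account list: %w", err)
	}
	var flagged []storageAccount
	for _, a := range accounts {
		if permitsSharedKey(a) {
			flagged = append(flagged, a)
		}
	}
	sort.Slice(flagged, func(i, j int) bool { return flagged[i].Name < flagged[j].Name })
	return flagged, nil
}

// remediation returns the Azure CLI command that disables Shared Key access.
// Run it only for clusters that use Workload ID, as the note above states.
func remediation(a storageAccount) string {
	return fmt.Sprintf(
		"az storage account update --name %s --resource-group %s --allow-shared-key-access false",
		a.Name, a.ResourceGroup)
}

func main() {
	flagged, err := findSharedKeyAccounts([]byte(sampleAccounts))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range flagged {
		fmt.Printf("%s still permits Shared Key\n  fix: %s\n", a.Name, remediation(a))
	}
}
```

Accounts whose property is null or missing are flagged as well, because an unset value leaves Shared Key authorization enabled.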

Installer

  • Previously, extracting the IP address from the Cluster API Machine object only returned a single address. On VMware vSphere, the returned address would always be an IPv6 address and this caused issues with the must-gather implementation if the address was non-routable. With this release, the Cluster API Machine object returns all IP addresses, including IPv4, so that the must-gather issue no longer occurs on VMware vSphere. (OCPBUGS-37427)

  • Previously, when installing a cluster on IBM Cloud® into an existing VPC, the installation program retrieved an unsupported VPC region. Attempting to install into a supported VPC region that follows the unsupported VPC region alphabetically caused the installation program to crash. With this release, the installation program is updated to ignore any VPC regions that are not fully available during resource lookups. (OCPBUGS-14963)

  • Previously, the installation program attempted to download the OVA on VMware vSphere whether the template field was defined or not. With this update, the issue is resolved. The installation program verifies if the template field is defined. If the template field is not defined, the OVA is downloaded. If the template field is defined, the OVA is not downloaded. (OCPBUGS-39240)

  • Previously, enabling custom feature gates sometimes caused installation on an AWS cluster to fail if the feature gate ClusterAPIInstallAWS=true was not enabled. With this release, the ClusterAPIInstallAWS=true feature gate is not required. (OCPBUGS-34708)

  • Previously, some processes could be left running if the installation program exited due to infrastructure provisioning failures. With this update, all installation-related processes are terminated when the installation program terminates. (OCPBUGS-36378)

  • Previously, the installation program required permission to create and delete IAM roles when installing a cluster on AWS even when an existing IAM role was provided. With this update, the installation program only requires these permissions when it is creating IAM roles. (OCPBUGS-36390)

  • Previously, long cluster names were trimmed without warning the user. With this update, the installation program warns the user when trimming long cluster names. (OCPBUGS-33840)

  • Previously, the openshift-install CLI sometimes failed to connect to the bootstrap node when collecting bootstrap gather logs. The installation program reported an error message such as The bootstrap machine did not execute the release-image.service systemd unit. With this release and after the bootstrap gather logs issue occurs, the installation program now reports Invalid log bundle or the bootstrap machine could not be reached and bootstrap logs were not collected, which is a more accurate error message. (OCPBUGS-34953)

  • Previously, when installing a cluster on AWS, subnets that the installation program created were incorrectly tagged with the kubernetes.io/cluster/<clusterID>: shared tag. With this update, these subnets are correctly tagged with the kubernetes.io/cluster/<clusterID>: owned tag. (OCPBUGS-36904)

  • Previously, the local etcd data store that is saved during installation was not deleted if the installation failed, consuming extra space on the installation host. With this update, the data store is deleted if infrastructure provisioning failures prevent a successful installation. (OCPBUGS-36284)

  • Previously, when a folder was undefined and the data center was located in a data center folder, a wrong folder structure was created starting from the root of the vCenter server. By using the Govmomi DatacenterFolders.VmFolder, it used a wrong path. With this release, the folder structure uses the data center inventory path and joins it with the virtual machine (VM) and cluster ID value, and the issue is resolved. (OCPBUGS-38616)

  • Previously, when templates are defined for each failure domain, the installation program required an external connection to download the OVA in VMware vSphere. With this release, the issue is resolved. (OCPBUGS-39239)

  • Previously, installing a cluster with a Dynamic Host Configuration Protocol (DHCP) network on Nutanix caused a failure. With this release, this issue is resolved. (OCPBUGS-38934)

  • Previously, due to an EFI Secure Boot failure in the SCOS, when the FCOS pivoted to the SCOS the virtual machine (VM) failed to boot. With this release, the Secure Boot is disabled only when the Secure Boot is enabled in the coreos.ovf configuration file, and the issue is resolved. (OCPBUGS-37736)

  • Previously, if you specified an unsupported architecture in the install-config.yaml file the installation program would fail with a connection refused message. With this update, the installation program correctly validates the cluster architecture parameter, leading to successful installations. (OCPBUGS-38841)

  • Previously, a rare condition on VMware vSphere Cluster API machines caused the vCenter session management to time out unexpectedly. With this release, the Keep Alive support is disabled in the current and later versions of CAPV, and the issue is resolved. (OCPBUGS-38677)

  • Previously, the installation program on Amazon Web Services (AWS) used multiple IPv4 public IP addresses that Amazon has started charging for. With this release, support is provided for bring your own (BYO) public IPv4 pools in OpenShift Container Platform so that users have control of IP addresses that are used by their services. Where the BYO public IPv4 pools feature is enabled, two new permissions, ec2:DescribePublicIpv4Pools and ec2:DisassociateAddress, are required, and the issue is resolved. (OCPBUGS-35504)

  • Previously, when users provided public subnets while using existing subnets and creating a private cluster, the installation program occasionally exposed on the public internet the load balancers that were created in public subnets. This invalidated the reason for a private cluster. With this release, the issue is resolved by displaying a warning during a private installation that providing public subnets might break the private clusters and, to prevent this, users must fix their inputs. (OCPBUGS-38963)

  • Previously, during installation the oc adm node-image create command used the kube-system/cluster-config-v1 resource to determine the platform type. With this release, the installation program uses the infrastructure resource, which provides more accurate information about the platform type. (OCPBUGS-39092)

  • Previously, the oc adm node-image create command failed when run against a cluster in a restricted environment with a proxy because the command ignored the cluster-wide proxy setting. With this release, when the command is run it checks the cluster proxy resource settings, where available, to ensure the command is run successfully and the issue is resolved. (OCPBUGS-39090)

  • Previously, when installing a cluster with the Agent-based installer, the assisted-installer process could time out when attempting to add control plane nodes to the cluster. With this update, the assisted-installer process loads fresh data from the assisted-service process, preventing the timeout. (OCPBUGS-36779)

  • Previously, when the VMware vSphere vCenter cluster contained an ESXi host that did not have a standard port group defined and the installation program tried to select that host to import the OVA, the import failed and the error Invalid Configuration for device 0 was reported. With this release, the installation program verifies whether a standard port group for an ESXi host is defined and, if not, continues until it locates an ESXi host with a defined standard port group, or reports an error message if it fails to locate one, resolving the issue. (OCPBUGS-38560)

  • Previously, extracting the IP address from the Cluster API Machine object only returned a single IP address. On VMware vSphere, the returned address would always be an IPv6 address and this caused issues with the must-gather implementation if the address was non-routable. With this release, the Cluster API Machine object returns all IP addresses, including IPv4, so that the must-gather issue no longer occurs on VMware vSphere. (OCPBUGS-37607)

  • Previously, when installing a cluster on AWS, Elastic Kubernetes Service (EKS) messages could appear in the installation logs even when EKS was meant to be disabled. With this update, EKS log messages have been disabled. (OCPBUGS-35752)

  • Previously, unexpected output would appear in the terminal when creating an installer-provisioned infrastructure cluster. With this release, the issue has been resolved and the unexpected output no longer shows. (OCPBUGS-35547)

  • Previously, when installing a cluster on AWS after deleting a cluster with the ./openshift-install destroy cluster command, the installation would fail with an error stating that there might already be a running cluster. With this update, all leftover artifacts are removed when the cluster is destroyed, resulting in successful installations afterwards. (OCPBUGS-35542)

  • Previously, when installing a cluster on AWS, load balancer ingress rules were continuously revoked and re-authorized, causing unnecessary API calls and delays in cluster provisioning. With this update, load balancer ingress rules are no longer revoked during installation, reducing API traffic and installation delays. (OCPBUGS-35440)

  • Previously, when setting platform.openstack.controlPlanePort.network without a fixedIPs value, the installation program would output a misleading error message about the network missing subnets. With this release, the installation program validates that the install-config field controlPlanePort has a valid subnet filter set because it is a required value. (OCPBUGS-37104)

  • Previously, adding IPv6 support for user-provisioned installation platforms caused an issue with naming Red Hat OpenStack Platform (RHOSP) resources, especially when you run two user-provisioned installation clusters on the same Red Hat OpenStack Platform (RHOSP) platform. This happened because the two clusters share the same names for network, subnets, and router resources. With this release, all the resource names for a cluster remain unique for that cluster so that no interference occurs. (OCPBUGS-33973)

  • Previously, when installing a cluster on IBM Power® Virtual Server with installer-provisioned infrastructure, the installation could fail due to load balancer timeouts. With this update, the installation program waits for the load balancer to be available instead of timing out. (OCPBUGS-34869)

  • Previously, when using the Assisted Installer, using a password that contained the colon character (:) resulted in a failed installation. With this update, pull secrets containing a colon in the password do not cause the Assisted Installer to fail. (OCPBUGS-31727)

  • Previously, solid state drives (SSD) that used SATA hardware were identified as removable. The Assisted Installer for OpenShift Container Platform reported that no eligible disks were found and the installation stopped. With this release, removable disks are eligible for installation. (OCPBUGS-33404)

  • Previously, when installing a cluster on bare metal using installer provisioned infrastructure, the installation could time out if the network to the bootstrap virtual machine is slow. With this update, the timeout duration has been increased to cover a wider range of network performance scenarios. (OCPBUGS-41500)

  • Previously, when installing a cluster on IBM Power® Virtual Server, the installation program did not list the e980 system type in the madrid region. With this update, the installation program correctly lists this region. (OCPBUGS-38439)

  • Previously, after installing a single-node OpenShift cluster, the monitoring system could produce an alert that applied to clusters with multiple nodes. With this update, single-node OpenShift clusters only produce monitoring alerts that apply to single-node OpenShift clusters. (OCPBUGS-35833)

  • Previously, when installing a cluster on IBM Power® Virtual Server, the installation could fail due to a DHCP server network collision. With this update, the installation program selects a random number to generate the DHCP network to avoid collision. (OCPBUGS-33912)

  • Previously, the installation program used the Neutron API endpoint to tag security groups. This API does not support special characters, so some Red Hat OpenStack Platform (RHOSP) clusters failed to install on RHOSP. With this release, the installation program uses an alternative endpoint to tag security groups so that the issue no longer persists. (OCPBUGS-36913)

  • Previously, setting an invalid Universally Unique Identifier (UUID) for the additionalNetworkIDs parameter of a machine pool in your install-config configuration file could result in the installation program exiting from installing the cluster. With this release, the installation program checks the validity of the additionalNetworkIDs parameter before continuing with installing the cluster so that this issue no longer persists. (OCPBUGS-35420)

  • Previously, for IBM Power® Virtual Server installer-provisioned infrastructure clusters, if no network name existed for a Dynamic Host Configuration Protocol (DHCP), the destroy code would skip deleting the DHCP resource. With this release, a test now checks if a DHCP is in an ERROR state, so that the DHCP resource is deleted. (OCPBUGS-35039)

Insights Operator

  • Previously, in some Hypershift hosted clusters, the IO archive contained the hostname even with network obfuscation enabled. This issue has been resolved, and IO archives no longer contain hostnames when they are obfuscated. (OCPBUGS-33082)

Machine Config Operator

  • Previously, in a cluster that runs OpenShift Container Platform 4.16 with the Telco RAN DU reference configuration, long duration cyclictest or timerlat tests could fail with maximum latencies detected above 20 us. This issue occurred because the psi kernel command line argument was being set to 1 by default when cgroup v2 is enabled. With this release, the issue is fixed by setting psi=0 in the kernel arguments when enabling cgroup v2. The cyclictest latency issue reported in OCPBUGS-34022 is now also fixed. (OCPBUGS-37271)

  • Previously, if a cluster admin creates a new MachineOSConfig object that references a legacy pull secret, the canonicalized version of this secret that gets created is not updated whenever the original pull secret changes. With this release, the issue is resolved. (OCPBUGS-34079)

  • Previously, the /etc/mco/internal-registry-pull-secret.json secret was being managed by the Machine Config Operator (MCO). Due to a recent change, this secret rotates on an hourly basis. Whenever the MCO detected a change to this secret, it rolled the secret out to each node in the cluster, which resulted in disruptions. With this fix, a different internal mechanism processes changes to the internal registry pull secret to avoid rolling out repeated MachineConfig updates. (OCPBUGS-33913)

  • Previously, if you created more than one MachineOSConfig object that required a canonicalized secret, only the first object would build. With this fix, the build controller handles multiple MachineOSBuilds that use the same canonicalized secret. (OCPBUGS-33671)

  • Previously, if machine config pools (MCP) had a higher maxUnavailable value than the cluster’s number of unavailable nodes, cordoned nodes were able to be erroneously selected as an update candidate. This fix adds a node readiness check in the node controller so that cordoned nodes are queued for an update. (OCPBUGS-33397)

  • Previously, nodes could be drained twice if the node was queued multiple times in the drain controller. This behaviour might have been due to increased activity on the node object by on-cluster layering functionality. With this fix, a node queued for drain only drains once. (OCPBUGS-33134)

  • Previously, a potential panic was seen in Machine Config Controller and Machine Build Controller objects if a de-reference accidentally deleted MachineOSConfig/MachineOSBuild to read the build status. The panic is controlled with additional error conditions to warn for allowed MachineOSConfig deletions. (OCPBUGS-33129)

  • Previously, after upgrading from OpenShift Container Platform 4.1 or 4.2 to version 4.15, some machines could get stuck during provisioning and never became available. This was because the machine-config-daemon-firstboot service was failing due to an incompatible machine-config-daemon binary on those nodes. With this release, the correct machine-config-daemon binary is copied to nodes before booting. (OCPBUGS-28974)

  • Previously, if you attempted to configure on-cluster Red Hat Enterprise Linux CoreOS (RHCOS) image layering on a non-RHCOS node, the node became degraded. With this fix, in this situation, an error message is produced in the node logs, but the node is not degraded. (OCPBUGS-19537)

Management Console

  • Previously, the Cluster overview page included a View all steps in documentation link that resulted in a 404 error for Red Hat OpenShift Service on AWS and Red Hat OpenShift Dedicated clusters. With this update, the link does not appear for Red Hat OpenShift Service on AWS and Red Hat OpenShift Dedicated clusters. (OCPBUGS-37054)

  • Previously, a warning was not provided when you were on a Google Cloud Platform (GCP) cluster that supports GCP Workload Identity and the Operator supports it. With this release, logic was added to support GCP Workload Identity and Federated Identity Operator installs, so now you are alerted when you are on a GCP cluster. (OCPBUGS-38591)

  • Previously, the version number text in the Updates graph on the Cluster Settings page appeared as black text on a dark background when using Firefox in dark mode. With this update, the text appears as white text. (OCPBUGS-38427)

  • Previously, dynamic plugins using PatternFly 4 referenced variables that are not available in OpenShift Container Platform 4.15 and later. This was causing contrast issues for Red Hat Advanced Cluster Management (RHACM) in dark mode. With this update, older chart styles are now available to support PatternFly 4 charts used by dynamic plugins. (OCPBUGS-36816)

  • Previously, the Display Admission Webhook warning implementation presented issues with some incorrect code. With this update, the unnecessary warning message has been removed. (OCPBUGS-35940)

  • Previously, the global sync lock that applied to all HTTP servers spawned goroutines with a sync lock that is specific to each of the refresh tokens. With this release, the global refresh sync lock on a cluster with an external OIDC environment was replaced with a sync that refreshes for each token. As a result, refresh token performance is improved by 30% to 50%. (OCPBUGS-35080)

  • Previously, the minAvailable warning was not displayed in the PodDisruptionBudget create and edit form. With this update, code logic for displaying the minAvailable warning was added, and the minAvailable warning is displayed if violated. (OCPBUGS-34937)

  • Previously, the OperandDetails page displayed information for the first CRD that matched by name. After this fix, the OperandDetails page displays information for the CRD that matches by name and the version of the operand. (OCPBUGS-34901)

  • Previously, one inactive or idle browser tab caused session expiration for all other tabs. With this change, activity in any tab will prevent session expiration even if there is one inactive or idle browser tab. (OCPBUGS-34387)

  • Previously, text areas were not resizable. With this update, you are now able to resize text areas. (OCPBUGS-34200)

  • Previously, the Debug container link was not displayed for pods with a Completed status. With this change, the link now appears. (OCPBUGS-33631)

  • Previously, the OpenShift Container Platform web console did not show filesystem metrics on the Nodes list page due to an incorrect Prometheus query. With this update, filesystem metrics are correctly displayed. (OCPBUGS-33136)

  • Previously, pseudolocalization was not working due to a configuration issue. After this fix, pseudolocalization works again. (OCPBUGS-30218)

  • Previously, console pods would crash loop if the --user-auth flag was set to disabled. With this update, the console backend properly handles this value. (OCPBUGS-29510)

  • Previously, utilization cards displayed a limit that incorrectly implied a relationship between capacity and limits. With this update, the position of limit was changed and the wording updated. (OCPBUGS-23332)

  • Previously, in some edge cases, the wrong resource could be fetched when using websockets to watch a namespaced resource without providing a namespace. With this update, a validation to the resource watch logic was added to prevent the websocket request and log an error under this condition. (OCPBUGS-19855)

  • Previously, perspective switching was not properly handled. With this update, perspectives that are passed with URL search parameters or plugin route page extensions now correctly switch the perspective and retain the correct URL path. (OCPBUGS-19048)

Networking

  • Previously, the SR-IOV Network Operator was listing the SriovNetworkNodePolicies resources in random order. This caused the sriov-device-plugin pod to enter a continuous restart loop. With this release, the SR-IOV Network Operator lists policies in a deterministic order so that the sriov-device-plugin pod does not enter a continuous restart loop. (OCPBUGS-36243)

  • Previously, an interface created inside a new pod would remain inactive and the Gratuitous Address Resolution Protocol (GARP) notification would be generated. The notification did not reach the cluster and this prevented ARP tables of other pods inside the cluster from updating the MAC address of the new pod. This situation caused cluster traffic to stall until ARP table entries expired. With this release, a GARP notification is now sent after the interface inside a pod is active so that the GARP notification reaches the cluster. As a result, surrounding pods can identify the new pod earlier than they could with the previous behavior. (OCPBUGS-30549)

  • Previously, enabling fips for a cluster caused SR-IOV device plugin pods to fail. With this release, SR-IOV device plugin pods have fips enabled so that when you enable fips for the cluster, the pods do not fail. (OCPBUGS-41131)

  • Previously, a race condition was generated after rebooting an OpenShift Container Platform node that used a performance profile with a small number of reserved CPUs. This occurred because Single Root I/O Virtualization (SR-IOV) virtual functions (VFs) shared the same MAC address and any pods that used the VFs would experience communication issues. With this release, an update to the SR-IOV Network Operator config daemon ensures that the Operator checks that no duplicate MAC addresses exist on VFs. (OCPBUGS-33137)

  • Previously, if you deleted the sriovOperatorConfig custom resource (CR), you could not create a new sriovOperatorConfig CR. With this release, the Single Root I/O Virtualization (SR-IOV) Network Operator removes validating webhooks when you delete the sriovOperatorConfig CR, so that you can create a new sriovOperatorConfig CR. (OCPBUGS-37567)

  • Previously, when you switched your cluster to use a different load balancer, the Ingress Operator did not remove the values from the classicLoadBalancer and networkLoadBalancer parameters in the IngressController custom resource (CR) status. This situation caused the status of the CR to report wrong information from the classicLoadBalancer and networkLoadBalancer parameters. With this release, after you switch your cluster to use a different load balancer, the Ingress Operator removes values from these parameters so that the CR reports a more accurate and less confusing message status. (OCPBUGS-38646)

  • Previously, no multicast packets reached their intended target nodes when a multicast sender and a multicast receiver existed on the same node. This happened because of an OVN-Kubernetes RPM package update. With this release, this regression is fixed in the OVN-Kubernetes RPM package, so that the issue no longer persists. (OCPBUGS-34778)

  • Previously, when you created a LoadBalancer service for the Ingress Operator, a log message was generated that stated the change was not effective. This log message should only trigger for a change to an Infra custom resource. With this release, this log message is no longer generated when you create a LoadBalancer service for the Ingress Operator. (OCPBUGS-34413)

  • Previously, the DNSNameResolver controller sent DNS requests to CoreDNS pods for DNS names that had IP addresses with expired time-to-live (TTL) values. This caused a continuous generation of DNS requests and memory leak issues for those pods. With this release, the DNSNameResolver controller waits until it receives the updated list of IP addresses and TTL values for a DNS name before sending any more requests to the DNS name. As a result, the controller no longer generates erroneous requests and sends them to pods. CoreDNS pods can now respond to DNS requests in a timely manner and update the DNSNameResolver objects with the latest IP addresses and TTLs. (OCPBUGS-33750)

  • Previously, when you used the must-gather tool, a Multus Container Network Interface (CNI) log file, multus.log, was stored in a node’s file system. This situation caused the tool to generate unnecessary debug pods in a node. With this release, the Multus CNI no longer creates a multus.log file, and instead uses a CNI plugin pattern to inspect any logs for Multus DaemonSet pods in the openshift-multus namespace. (OCPBUGS-33959)

  • Previously, an alert for OVNKubernetesNorthdInactive would not fire in circumstances where it should fire. With this release, the issue is fixed so that the alert for OVNKubernetesNorthdInactive fires as expected. (OCPBUGS-33758)

  • Previously, for all pods where the default route has been customized, a missing route for the Kubernetes-OVN masquerade address caused each pod to be unable to connect to itself through a service for which it acts as a backend. With this release, the missing route for Kubernetes-OVN masquerade address is added to pods so that the issue no longer occurs. (OCPBUGS-36865)

  • Previously, the iptables-alerter pod did not handle errors from the crictl command-line interface, which could cause the pod to incorrectly log events from host-network pods or cause pod restarts. With this release, the errors are handled correctly so that these issues no longer persist. (OCPBUGS-37713)

  • Previously, if you created a hosted cluster by using a proxy for the purposes of making the cluster reach a control plane from a compute node, the compute node would be unavailable to the cluster. With this release, the proxy settings are updated for the node so that the node can use a proxy to successfully communicate with the control plane. (OCPBUGS-37786)

  • Previously, when a cluster failed to install on an on-premise platform with a configured load balancer, the LoadBalancer service’s LoadBalancerReady condition received the SyncLoadBalancerFailed status. The status generated the following message:

    The kube-controller-manager logs might contain more details.

    This message is wrong because the logs are stored in the cloud-controller-manager namespace of a project. With this release, the SyncLoadBalancerFailed status now communicates the correct message:

    The cloud-controller-manager logs may contain more details.

  • Previously, you could not control log levels for the internal component that selects IP addresses for cluster nodes. With this release, you can now enable debug log levels so that you can either increase or decrease log levels on demand. To adjust log levels, you must create a config map manifest file with a configuration similar to the following:

    apiVersion: v1
    data:
      enable-nodeip-debug: "true"
    kind: ConfigMap
    metadata:
      name: logging
      namespace: openshift-vsphere-infra
    # ...

  • Previously, the Ingress Operator could not successfully update the canary route because the Operator did not have permission to update spec.host or spec.subdomain fields on an existing route. With this release, the required permission is added to the cluster role for the Operator’s service account and the Ingress Operator can update the canary route. (OCPBUGS-36465)

  • Previously, administrator privileges were required to run some networking containers, such as Keepalived, on supported on-premise platforms. With this release, these containers no longer require administrator privileges to run them on supported on-premise platforms. (OCPBUGS-36175)

  • Previously, if your NodeNetworkConfigurationPolicy (NNCP) custom resource (CR) was set to use the default spanning tree protocol (STP) implementation, the CR configuration file would show stp.enabled: true, but the OpenShift Container Platform web console cleared the STP checkbox. With this release, the web console only clears the STP checkbox after you define stp.enabled: false in the NNCP CR YAML file. (OCPBUGS-36238)

  • Previously, the Ingress Controller status was incorrectly displayed as Degraded=False because of a migration time issue with the CanaryRepetitiveFailures condition. With this release, the Ingress Controller status is correctly marked as Degraded=True for the appropriate length of time that the CanaryRepetitiveFailures condition exists. (OCPBUGS-39220)

Node

  • Previously, the Container Runtime Config controller did not detect whether a mirror configuration was in use before adding the scope from a ClusterImagePolicy CR to the /etc/containers/registries.d/sigstore-registries.yaml file. As a consequence, image verification failed with a Not looking for sigstore attachments message. With this fix, images are pulled from the mirror registry as expected. (OCPBUGS-36344)

  • Previously, a group ID was not added to the /etc/group file within a container when the spec.securityContext.runAsGroup attribute was set in the pod specification. With this release, this issue is fixed. (OCPBUGS-39478)

  • Previously, because of a critical regression on RHEL 9.4 kernels earlier than 5.14.0-427.26.1.el9_4, the mglru feature had memory management disabled. In this release, the regression issue is fixed so that the mglru feature is now enabled in OpenShift Container Platform 4.17. (OCPBUGS-35436)

Node Tuning Operator (NTO)

  • Previously, due to an internal bug, the Node Tuning Operator incorrectly computed CPU masks for interrupt and network-handling CPU affinity if a machine had more than 256 CPUs. This prevented proper CPU isolation on those machines and resulted in systemd unit failures. With this release, the Node Tuning Operator computes the masks correctly. (OCPBUGS-39164)

  • Previously, the Open vSwitch (OVS) pinning procedure set the CPU affinity of the main thread, but other CPU threads did not pick up this affinity if they had already been created. As a consequence, some OVS threads did not run on the correct CPU set, which might interfere with the performance of pods with a Quality of Service (QoS) class of Guaranteed. With this update, the OVS pinning procedure updates the affinity of all the OVS threads, ensuring that all OVS threads run on the correct CPU set. (OCPBUGS-35347)

Observability

  • Previously, when you logged on under the Administrator perspective on the OpenShift Container Platform web console and used the Observe → Alerting function, an "S is not a function" error displayed on the alert metrics graph. This issue happened because of a missing function validation check. With this release, the function validation check is added so the alert metric chart displays collected metrics. (OCPBUGS-37291)

OpenShift CLI (oc)

  • Previously, when using oc-mirror plugin v2 with the --delete flag to remove Operator catalogs from mirror registries, the process failed with the following error:

    2024/08/02 12:18:03 [ERROR]: [OperatorImageCollector] pinging container registry localhost:55000: Get "https://localhost:55000/v2/": http: server gave HTTP response to HTTPS client.

    This occurred because oc-mirror plugin v2 was querying the local cache using HTTPS instead of HTTP. With this update, the HTTP client is now properly configured before the query, resolving the issue. (OCPBUGS-41503)

  • Previously, when using the oc-mirror plugin v2 in mirror-to-disk mode, catalog images and contents were stored in subfolders under working-dir, based on the image digest. During the disk-to-mirror process in fully disconnected environments, the plugin tried to resolve the catalog image tag through the source registry, which was unavailable, leading to errors such as the following:

    [ERROR] : [OperatorImageCollector] pinging container registry registry.redhat.io: Get "http://registry.redhat.io/v2/": dial tcp 23.217.255.152:80: i/o timeout

    With this update, the plugin checks the local cache during the disk-to-mirror process to determine the digest, avoiding the need to query the registry. (OCPBUGS-36214)

  • Previously, when using oc-mirror plugin v2 in mirror-to-disk mode in disconnected environments, the plugin was unable to access api.openshift.com to download graph.tar.gz, resulting in mirroring failures. With this update, the plugin now searches the local cache for the graph image in disconnected environments where the UPDATE_URL_OVERRIDE environment variable is set. If the graph image is missing, the plugin skips it without failing. (OCPBUGS-38469)

  • Previously, oc-mirror plugin v2 failed to mirror Operator catalogs from disk-to-mirror in fully disconnected environments. This issue also affected catalogs that specified a targetCatalog in the ImageSetConfiguration file. With this update, the plugin can now successfully mirror catalogs in fully disconnected environments, and the targetCatalog functionality works as expected. (OCPBUGS-34521)

  • Previously, with the oc-mirror plugin v2, there was no validation for the -v2 vs --v2 flags for the oc-mirror command. As a result, users who mistakenly used -v2, which sets the log level to 2, instead of --v2, which switches to oc-mirror plugin v2, received unclear error messages. With this update, flag validation is provided. If the -v2 flag is used while the ImageSetConfig is using the v2alpha1 API and --v2 is not specified, an error message is displayed. The following message now provides clear guidance to the user:

    [ERROR]: Detected a v2 `ImageSetConfiguration`, please use `--v2` instead of `-v2`.

  • Previously, oc-mirror plugin v2 did not automatically perform retries when it encountered errors on registries, such as timeouts, expired authentication tokens, HTTP 500 errors, and so on. With this update, retries for these errors are implemented, and users can configure retry behavior with the following flags:

    • --retry-times: Specifies the number of retry attempts. Default is 2.

    • --retry-delay: Sets the delay between retries. Default is 1 second.

    • --image-timeout: Defines the timeout period for mirroring an image. Default is 10 minutes.

    • --max-parallel-downloads: Controls the maximum number of layers to pull simultaneously during a single copy operation. Default is 6.

  • Previously, when using the oc-mirror plugin v2 with the --rebuild-catalogs flag, the catalog cache was regenerated locally, which caused failures either due to compatibility issues with the opm binary and the platform or due to cache integrity problems on the cluster. With this update, the --rebuild-catalogs flag defaults to true, so catalogs are rebuilt without regenerating the internal cache. Additionally, the image command has been modified to generate the cache during pod startup, which may delay pod initialization. (OCPBUGS-37667)

  • Previously, the oc-mirror plugin v2 did not use the system proxy configuration to recover signatures for releases when running behind a proxy with system proxy settings. With this release, the system proxy settings are now applied during the signature recovery process. (OCPBUGS-37055)

  • Previously, oc-mirror plugin v2 would stop the mirroring process when it encountered Operators using bundle versions that were not compliant with semantic versioning, which also prevented the creation of cluster resources like IDMS, ITMS, and CatalogSource objects. With this fix, the plugin now skips these problematic images instead of halting the process. If an image uses incorrect semantic versioning, a warning message is displayed in the console with the relevant image details. (OCPBUGS-33081)

  • Previously, oc-mirror plugin v2 did not generate ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) files when mirroring failed due to network issues or invalid Operator catalogs. With this update, the oc-mirror continues mirroring other images when Operator or additional images fail, and stops only when release images fail. Cluster resources are generated based on successfully mirrored images, and all errors are collected in a log file for review. (OCPBUGS-34020)

  • Previously, OpenShift Container Platform release images were not visible in certain registries, such as Red Hat Quay. This prevented users from installing OpenShift Container Platform due to the missing release images. With this update, release images are always tagged to ensure they appear in registries like Red Hat Quay, enabling proper installation. (OCPBUGS-36410)

  • Previously, the oc adm must-gather command took a long time to gather CPU-related performance data in large clusters. With this release, the data is gathered in parallel instead of sequentially, which shortens the data collection time. (OCPBUGS-34360)

  • Previously, the oc set env command incorrectly changed the API version of Route and DeploymentConfig objects, for example, apps.openshift.io/v1 became v1. This caused the command to exit with unable to recognize no matches for kind errors. With this release, the error is fixed so that the oc set env command keeps the correct API version in Route and DeploymentConfig objects. (OCPBUGS-32108)

  • Previously, when a must-gather operation failed for any reason and the user manually deleted the leftover namespace, a cluster role binding created by the must-gather command would remain in the cluster. With this release, when the temporary must-gather namespace is deleted, the associated cluster role binding is automatically deleted with it. (OCPBUGS-31848)

  • Previously, when using the --v2 flag with the oc-mirror plugin v2, if no images were mirrored and some were skipped, empty imds.yaml and itms.yaml files were generated. With this release, the custom resource generation is only triggered when at least one image is successfully mirrored, preventing the creation of empty files. (OCPBUGS-33775)

Operator Lifecycle Manager (OLM)

  • Previously, clusters with many custom resources (CRs) experienced timeouts from the API server and stranded updates where the only workaround was to uninstall and then reinstall the stranded Operators. This occurred because OLM evaluated potential updates by using a dynamic client lister. With this fix, OLM uses a paging lister for custom resource definitions (CRDs) to avoid timeouts and stranded updates. (OCPBUGS-41549)

  • Previously, catalog source pods could not recover from a cluster node failure when the registryPoll parameter was unset. With this fix, OLM updates its logic for checking for dead pods. As a result, catalog source pods now recover from node failures as expected. (OCPBUGS-39574)

  • Previously, if you tried to install a previously-deleted Operator after an OpenShift Container Platform update, the installation might fail. This occurred because OLM could not find previously created bundle unpack jobs. With this fix, OLM correctly installs previously installed Operators. (OCPBUGS-32439)

  • Previously, when a new version of a custom resource definition (CRD) specified a new conversion strategy, this conversion strategy was expected to successfully convert resources. However, OLM cannot run the new conversion strategies for CRD validation without actually performing the update operation. With this release, OLM generates a warning message during the update process when CRD validations fail with the existing conversion strategy, and the new conversion strategy is specified in the new version of the CRD. (OCPBUGS-31522)

  • Previously, if the spec.grpcPodConfig.securityContextConfig field in CatalogSource objects was unset within namespaces with a PodSecurityAdmission (PSA) level value of restricted, the catalog pod would not pass PSA validation. With this release, the OLM Catalog Operator now configures the catalog pod with the securityContexts necessary to pass PSA validation. (OCPBUGS-29729)

  • Previously, the catalogd-controller-manager pod might not have been deployed to a node despite being in the scheduling queue, and the OLM Operator would fail to install. With this fix, CPU requests are reduced for the related resources, and the issue no longer occurs. (OCPBUGS-29705)

  • Previously, the Catalog Operator sometimes attempted to connect to deleted catalog sources that were stored in the cache. With this fix, the Catalog Operator queries a client to list the catalog sources on a cluster. (OCPBUGS-8659)

Red Hat Enterprise Linux CoreOS (RHCOS)

  • Previously, LUKS encryption on a system using 512 emulation disks caused provisioning to fail at the ignition-ostree-growfs step because of an sfdisk alignment issue. With this release, the ignition-ostree-growfs script detects this situation and fixes the alignment automatically. As a result, the system no longer fails during provisioning. (OCPBUGS-35410)

  • Previously, a bug in the growpart utility caused a LUKS device to lock. This caused the system to boot into an emergency mode. With this release, the call to the growpart utility is removed and the system successfully boots without issue. (OCPBUGS-33124)

  • Previously, if a new deployment was done at the OSTree level on the host, which is identical to the current deployment on a different stateroot, OSTree identified them as equal. This behavior prevented the bootloader from updating when the set-default command was invoked, because OSTree did not recognize the two stateroots as a differentiating factor for deployments. With this release, OSTree’s logic is modified to consider the stateroots. As a result, OSTree properly sets the default deployment to a new deployment that has different stateroots. (OCPBUGS-30276)

Storage

  • Previously, the Secrets Store Container Storage Interface (CSI) Driver on hosted control planes clusters failed to mount secrets because of an issue when using the hosted control planes command-line interface, hcp, to create OpenID Connect (OIDC) infrastructure on Amazon Web Services. With this release, the issue has been fixed so that the driver can now mount volumes. (OCPBUGS-18711)

Technology Preview features status

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use. Note the following scope of support on the Red Hat Customer Portal for these features:

In the following tables, features are marked with the following statuses:

  • Not Available

  • Technology Preview

  • General Availability

  • Deprecated

  • Removed

Networking Technology Preview features

Table 17. Networking Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Ingress Node Firewall Operator | General Availability | General Availability | General Availability
eBPF manager Operator | N/A | N/A | Technology Preview
Advertise by using L2 mode the MetalLB service from a subset of nodes, using a specific pool of IP addresses | Technology Preview | Technology Preview | Technology Preview
Multi-network policies for SR-IOV networks | General Availability | General Availability | General Availability
Updating the interface-specific safe sysctls list | Technology Preview | Technology Preview | Technology Preview
Egress service custom resource | Technology Preview | Technology Preview | Technology Preview
VRF specification in BGPPeer custom resource | Technology Preview | Technology Preview | Technology Preview
VRF specification in NodeNetworkConfigurationPolicy custom resource | Technology Preview | Technology Preview | Technology Preview
Admin Network Policy (AdminNetworkPolicy) | Technology Preview | General Availability | General Availability
IPsec external traffic (north-south) | General Availability | General Availability | General Availability
Host network settings for SR-IOV VFs | Technology Preview | Technology Preview | General Availability
Integration of MetalLB and FRR-K8s | Not Available | Technology Preview | General Availability
Dual-NIC Intel E810 PTP boundary clock with highly available system clock | Not Available | General Availability | General Availability
Intel E810 Westport Channel NIC as PTP grandmaster clock | Technology Preview | General Availability | General Availability
Dual-NIC Intel E810 Westport Channel as PTP grandmaster clock | Technology Preview | General Availability | General Availability
Automatic leap seconds handling for PTP grandmaster clocks | Not Available | Not Available | General Availability
PTP events REST API v2 | Not Available | Not Available | General Availability
Configure the br-ex bridge needed by OVN-Kubernetes using NMState | Not Available | Technology Preview | Technology Preview
Overlapping IP configuration for multi-tenant networks with Whereabouts | Not Available | General Availability | General Availability
User defined network segmentation | Not Available | Not Available | Technology Preview

Storage Technology Preview features

Table 18. Storage Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
AWS EFS storage CSI usage metrics | Not Available | Not Available | General Availability
Automatic device discovery and provisioning with Local Storage Operator | Technology Preview | Technology Preview | Technology Preview
Azure File CSI snapshot support | Not Available | Not Available | Technology Preview
IBM Power® Virtual Server Block CSI Driver Operator | General Availability | General Availability | General Availability
Read Write Once Pod access mode | Technology Preview | General Availability | General Availability
Shared Resources CSI Driver in OpenShift Builds | Technology Preview | Technology Preview | Technology Preview
Secrets Store CSI Driver Operator | Technology Preview | Technology Preview | Technology Preview
CIFS/SMB CSI Driver Operator | Not Available | Technology Preview | Technology Preview
VMware vSphere multiple vCenter support | Not Available | Not Available | Technology Preview
Disabling/enabling storage on vSphere | Not Available | Not Available | Technology Preview
RWX/RWO SELinux Mount | Not Available | Not Available | Developer Preview
Migrating CNS Volumes Between Datastores | Not Available | Not Available | Developer Preview

Installation Technology Preview features

Table 19. Installation Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Installing OpenShift Container Platform on Oracle® Cloud Infrastructure (OCI) with VMs | General Availability | General Availability | General Availability
Installing OpenShift Container Platform on Oracle® Cloud Infrastructure (OCI) on bare metal | Developer Preview | Developer Preview | Developer Preview
Adding kernel modules to nodes with kvc | Technology Preview | Technology Preview | Technology Preview
Enabling NIC partitioning for SR-IOV devices | Technology Preview | Technology Preview | General Availability
User-defined labels and tags for Google Cloud Platform (GCP) | Technology Preview | Technology Preview | General Availability
Installing a cluster on Alibaba Cloud by using installer-provisioned infrastructure | Technology Preview | Not Available | Not Available
Installing a cluster on Alibaba Cloud by using Assisted Installer | Not Available | Technology Preview | Technology Preview
Mount shared entitlements in BuildConfigs in RHEL | Technology Preview | Technology Preview | Technology Preview
Selectable Cluster Inventory | Technology Preview | Technology Preview | Technology Preview
Static IP addresses with VMware vSphere (IPI only) | Technology Preview | General Availability | General Availability
Support for iSCSI devices in RHCOS | Technology Preview | General Availability | General Availability
Installing a cluster on GCP using the Cluster API implementation | Not Available | Technology Preview | General Availability
Support for Intel® VROC-enabled RAID devices in RHCOS | Technology Preview | General Availability | General Availability

Node Technology Preview features

Table 20. Nodes Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
MaxUnavailableStatefulSet featureset | Technology Preview | Technology Preview | Technology Preview
Linux user namespace support | Not Available | Not Available | Technology Preview

Multi-Architecture Technology Preview features

Table 21. Multi-Architecture Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
IBM Power® Virtual Server using installer-provisioned infrastructure | General Availability | General Availability | General Availability
kdump on arm64 architecture | Technology Preview | Technology Preview | Technology Preview
kdump on s390x architecture | Technology Preview | Technology Preview | Technology Preview
kdump on ppc64le architecture | Technology Preview | Technology Preview | Technology Preview
Multiarch Tuning Operator | Not Available | Technology Preview | Technology Preview

Scalability and performance Technology Preview features

Table 22. Scalability and performance Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
factory-precaching-cli tool | Technology Preview | Technology Preview | Technology Preview
Hyperthreading-aware CPU manager policy | Technology Preview | Technology Preview | Technology Preview
HTTP transport replaces AMQP for PTP and bare-metal events | Technology Preview | General Availability | General Availability
Mount namespace encapsulation | Technology Preview | Technology Preview | Technology Preview
Node Observability Operator | Technology Preview | Technology Preview | Technology Preview
Tuning etcd latency tolerances | Technology Preview | General Availability | General Availability
Increasing the etcd database size | Not Available | Technology Preview | Technology Preview
Using RHACM PolicyGenerator resources to manage GitOps ZTP cluster policies | Not Available | Technology Preview | Technology Preview
Pinned Image Sets | Not Available | Technology Preview | Technology Preview

Operator lifecycle and development Technology Preview features

Table 23. Operator lifecycle and development Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Operator Lifecycle Manager (OLM) v1 | Technology Preview | Technology Preview | Technology Preview
RukPak | Technology Preview | Technology Preview | Removed
Platform Operators | Technology Preview | Removed | Removed
Scaffolding tools for Hybrid Helm-based Operator projects | Technology Preview | Deprecated | Deprecated
Scaffolding tools for Java-based Operator projects | Technology Preview | Deprecated | Deprecated

OpenShift CLI (oc) Technology Preview features

Table 24. OpenShift CLI (oc) Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
oc-mirror plugin v2 | Not Available | Technology Preview | Technology Preview
Enclave support | Not Available | Technology Preview | Technology Preview
Delete functionality | Not Available | Technology Preview | Technology Preview

Monitoring Technology Preview features

Table 25. Monitoring Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Metrics Collection Profiles | Technology Preview | Technology Preview | Technology Preview
Metrics Server | Technology Preview | General Availability | General Availability

Monitoring Technology Preview features

Table 26. Monitoring Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Red Hat OpenShift Lightspeed in the OpenShift Container Platform web console | Not Available | Developer Preview | Developer Preview

Red Hat OpenStack Platform (RHOSP) Technology Preview features

Table 27. RHOSP Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Dual-stack networking with installer-provisioned infrastructure | General Availability | General Availability | General Availability
Dual-stack networking with user-provisioned infrastructure | General Availability | General Availability | General Availability
RHOSP integration into the Cluster CAPI Operator | Technology Preview | Technology Preview | Technology Preview
Control Plane with rootVolumes and etcd on local disk | Technology Preview | Technology Preview | General Availability

To know the status of the hosted control planes features on OpenShift Container Platform 4.17, see Generally Available and Technology Preview features in hosted control planes release notes.

Hosted control planes Technology Preview features

Table 28. Hosted control planes Technology Preview tracker
Feature | 4.15 | 4.16
Hosted control planes for OpenShift Container Platform on Amazon Web Services (AWS) | Technology Preview | General Availability
Hosted control planes for OpenShift Container Platform on bare metal | General Availability | General Availability
Hosted control planes for OpenShift Container Platform on OpenShift Virtualization | General Availability | General Availability
Hosted control planes for OpenShift Container Platform using non-bare metal agent machines | Technology Preview | Technology Preview
Hosted control planes for an ARM64 OpenShift Container Platform cluster on Amazon Web Services | Technology Preview | Technology Preview
Hosted control planes for OpenShift Container Platform on IBM Power | Technology Preview | Technology Preview
Hosted control planes for OpenShift Container Platform on IBM Z | Technology Preview | Technology Preview
Hosted control planes for OpenShift Container Platform on RHOSP | Not Available | Not Available

Machine management Technology Preview features

Table 29. Machine management Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Managing machines with the Cluster API for Amazon Web Services | Technology Preview | Technology Preview | Technology Preview
Managing machines with the Cluster API for Google Cloud Platform | Technology Preview | Technology Preview | Technology Preview
Managing machines with the Cluster API for VMware vSphere | Not Available | Technology Preview | Technology Preview
Defining a vSphere failure domain for a control plane machine set | Technology Preview | General Availability | General Availability
Cloud controller manager for Alibaba Cloud | Technology Preview | Removed | Removed
Cloud controller manager for Google Cloud Platform | General Availability | General Availability | General Availability
Cloud controller manager for IBM Power® Virtual Server | Technology Preview | Technology Preview | Technology Preview

Authentication and authorization Technology Preview features

Table 30. Authentication and authorization Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Pod security admission restricted enforcement | Technology Preview | Technology Preview | Technology Preview

Machine Config Operator Technology Preview features

Table 31. Machine Config Operator Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Improved MCO state reporting | Technology Preview | Technology Preview | Technology Preview
On-cluster RHCOS image layering | Not Available | Technology Preview | Technology Preview
Node disruption policies | Not Available | Technology Preview | General Availability
Updating boot images for GCP clusters | Not Available | Technology Preview | General Availability
Updating boot images for AWS clusters | Not Available | Not Available | Technology Preview

Edge computing Technology Preview features

Table 32. Edge computing Technology Preview tracker
Feature | 4.15 | 4.16 | 4.17
Accelerated provisioning of GitOps ZTP | Not Available | Technology Preview | Technology Preview
Enabling disk encryption with TPM and PCR protection | Not Available | Not Available | Technology Preview

Known issues

  • The oc annotate command does not work for LDAP group names that contain an equal sign (=), because the command uses the equal sign as a delimiter between the annotation name and value. As a workaround, use oc patch or oc edit to add the annotation. (BZ#1917280)

  • A known issue exists when deleting a NetworkAttachmentDefinition (NAD) resource created by a UserDefinedNetwork resource. You must check to see if a pod is referencing the NAD before deleting the NAD. The pod should be deleted before the NAD. Failure to do so can leave pods in an unexpected state. (OCPBUGS-39185)

  • The DNF package manager included in Red Hat Enterprise Linux CoreOS (RHCOS) images cannot be used at runtime, because DNF relies on additional packages to access entitled nodes in a cluster that are under a Red Hat subscription. As a workaround, use the rpm-ostree command instead. (OCPBUGS-35247)

  • When installing a cluster on Microsoft Azure, the installation will fail if no install-config.yaml file is provided. If an install-config.yaml file is provided, and controlPlane.platform is present but controlPlane.platform.azure is not provided, the installation will fail. (OCPBUGS-42296)

    See Sample customized install-config.yaml file for Azure for a sample configuration file, or set a non-null parameter as in the following example:

    controlPlane:
      platform:
        azure: {}

  • When installing multiple clusters on Microsoft Azure, running multiple installations simultaneously from the same installation host will result in only one of the clusters installing successfully. If you run the installations sequentially rather than simultaneously, you can install multiple clusters on Azure from the same installation host. (OCPBUGS-36202)

  • When installing a cluster on Microsoft Azure, specifying the Standard_M8-4ms instance type for control plane machines results in an error due to that instance type specifying its memory in decimal format instead of integer format. (OCPBUGS-42241)

  • Due to a change in storage account naming in OpenShift Container Platform 4.17, the Azure File Container Storage Interface (CSI) driver now alphabetically matches the storage account of the Image Registry Operator. With this change, there is a known issue where the Azure File CSI driver fails to mount all volumes when the image registry is configured as private. The mount failures occur because the CSI driver tries to use the storage account of the Image Registry Operator, which is not configured to allow connections from worker subnets.

    As a temporary workaround, the image registry should not be configured as private when using the Azure File CSI driver. This is a known issue and will be fixed in a future version of OpenShift Container Platform. (OCPBUGS-42308)

  • When installing a cluster on Azure, the installation fails if a customer-managed encryption key is specified. (OCPBUGS-42349)

  • When an error occurs during mirroring Operators and additional images, the log message "Generating Catalog Source" might still appear, even if no files are generated. (OCPBUGS-42503)

  • If you have IPsec enabled on the cluster, on the node hosting the north-south IPsec connection, restarting the ipsec.service systemd unit or restarting the ovn-ipsec-host pod causes a loss of the IPsec connection. (RHEL-26878)

  • When you run Cloud-native Network Functions (CNF) latency tests on an OpenShift Container Platform cluster, the test can sometimes return results greater than the latency threshold for the test; for example, 20 microseconds for cyclictest testing. This results in a test failure. (OCPBUGS-42328)

  • Each node group must only match one MachineConfigPool object. In some cases, the NUMA Resources Operator can allow a configuration where a node group matches more than one MachineConfigPool object. This issue could lead to unexpected behavior in resource management. (OCPBUGS-42523)

  • When the bond mode in the NetworkNodeConfigurationPolicy is changed from balance-rr to active-backup on kernel bonds that are attached to the br-ex interface, the change might fail on arbitrary nodes. As a workaround, create a NetworkNodeConfigurationPolicy object without specifying the bond port configuration. (OCPBUGS-42031)

  • If the controller pod terminates while cloning, or taking or restoring a volume snapshot, is in progress, the Microsoft Azure File clone or snapshot persistent volume claims (PVCs) remain in the Pending state. To resolve this issue, delete any affected clone or snapshot PVCs, and then recreate those PVCs. (OCPBUGS-35977)

  • Deploying a self-managed private hosted cluster on AWS fails because the bootstrap-kubeconfig file uses an incorrect KAS port. As a result, the AWS instances are provisioned, but cannot join the hosted cluster as nodes. (OCPBUGS-31840)

Asynchronous errata updates

Security, bug fix, and enhancement updates for OpenShift Container Platform 4.17 are released as asynchronous errata through the Red Hat Network. All OpenShift Container Platform 4.17 errata is available on the Red Hat Customer Portal. See the OpenShift Container Platform Life Cycle for more information about asynchronous errata.

Red Hat Customer Portal users can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, users are notified through email whenever new errata relevant to their registered systems are released.

Red Hat Customer Portal user accounts must have systems registered and consuming OpenShift Container Platform entitlements for OpenShift Container Platform errata notification emails to generate.

This section will continue to be updated over time to provide notes on enhancements and bug fixes for future asynchronous errata releases of OpenShift Container Platform 4.17. Versioned asynchronous releases, for example with the form OpenShift Container Platform 4.17.z, will be detailed in subsections. In addition, releases in which the errata text cannot fit in the space provided by the advisory will be detailed in subsections that follow.

For any OpenShift Container Platform release, always review the instructions on updating your cluster properly.

RHSA-2024:9610 - OpenShift Container Platform 4.17.5 bug fix, and security update advisory

Issued: 19 November 2024

OpenShift Container Platform release 4.17.5, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the RHSA-2024:9610 advisory. The RPM packages that are included in the update are provided by the RHSA-2024:9613 advisory.

Space precluded documenting all of the container images for this release in the advisory.

You can view the container images in this release by running the following command:

$ oc adm release info 4.17.5 --pullspecs

Enhancements

Improving the validation criteria for Cluster Monitoring Operator
  • With this release, the Cluster Monitoring Operator (CMO) has improved validation criteria. The CMO blocks cluster updates with configurations in openshift-monitoring/cluster-monitoring-config or openshift-user-workload-monitoring/user-workload-monitoring-config that include unsupported fields or misconfigurations. (OCPBUGS-43690)

Bug fixes

  • Previously, the Azure File Driver attempted to reuse existing storage accounts. With this release, the Azure File Driver creates storage accounts during dynamic provisioning. For updated clusters, newly-created Persistent Volumes use a new storage account. Persistent Volumes that were previously provisioned continue using the same storage account used before the cluster update. (OCPBUGS-42949)

  • Previously, when you used the must-gather tool, a Multus Container Network Interface (CNI) log file, multus.log, was stored in a node’s file system. This situation caused the tool to generate unnecessary debug pods in a node. With this release, the Multus CNI no longer creates a multus.log file, and instead uses a CNI plugin pattern to inspect any logs for Multus DaemonSet pods in the openshift-multus namespace. (OCPBUGS-42835)

  • Previously, the task data did not fully load on ArtifactHub when you attempted to create a pipeline. With this release, the console fully loads the data from ArtifactHub and the issue is resolved. (OCPBUGS-16141)

Updating

To update an OpenShift Container Platform 4.17 cluster to this latest release, see Updating a cluster using the CLI.

RHSA-2024:8981 - OpenShift Container Platform 4.17.4 bug fix, and security update advisory

Issued: 13 November 2024

OpenShift Container Platform release 4.17.4, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the RHSA-2024:8981 advisory. The RPM packages that are included in the update are provided by the RHSA-2024:8984 advisory.

Space precluded documenting all of the container images for this release in the advisory.

You can view the container images in this release by running the following command:

$ oc adm release info 4.17.4 --pullspecs

Enhancements

Authenticating customer workloads with GCP Workload Identity

With this release, applications in customer workloads on OpenShift Container Platform clusters that use Google Cloud Platform Workload Identity can authenticate by using GCP Workload Identity.

To use this authentication method with your applications, you must complete configuration steps on the cloud provider console and your OpenShift Container Platform cluster.

ansible-operator upstream version information
  • The ansible-operator version now shows the corresponding upstream version information. (OCPBUGS-43836)

Bug fixes

  • Previously, when installing a cluster on an IBM platform and adding an existing VPC to the cluster, the Cluster API Provider IBM Cloud would not add ports 443, 5000, and 6443 to the security group of the VPC. This situation prevented the VPC from being added to the cluster. With this release, a fix ensures that the Cluster API Provider IBM Cloud adds the ports to the security group of the VPC so that the VPC gets added to your cluster. (OCPBUGS-44226)

  • Previously, the installation program populated the network.devices, template and workspace fields in the spec.template.spec.providerSpec.value section of the VMware vSphere control plane machine set custom resource (CR). These fields should be set in the vSphere failure domain, and the installation program populating them caused unintended behaviors.

    Updating these fields did not trigger an update to the control plane machines, and these fields were cleared when the control plane machine set was deleted. With this release, the installation program is updated to no longer populate values that are included in the failure domain configuration. If these values are not defined in a failure domain configuration, for instance on a cluster that is updated to OpenShift Container Platform 4.17 from an earlier version, the values defined by the installation program are used. (OCPBUGS-44047)

  • Previously, enabling ESP hardware offload using IPSec on attached interfaces in Open vSwitch broke connectivity due to a bug in Open vSwitch. With this release, OpenShift automatically disables ESP hardware offload on the Open vSwitch attached interfaces, and the issue is resolved. (OCPBUGS-43917)

  • Previously, if you configured the identity provider (IDP) name for OAuth custom resource (CR) to contain whitespaces, oauth-server crashed. With this release, an identity provider (IDP) name that contains whitespaces does not cause oauth-server to crash. (OCPBUGS-44118)

  • Previously, due to a behavior regression in Go 1.22, oauth-server pods crashed if the IDP configuration contained multiple password-based IDPs, such as htpasswd, with at least one of them having spaces in its name. Note that if the bootstrap user, kubeadmin, still exists in a cluster, the user also counts as a password-based IDP. With this release, a fix to the oauth-server resolves this issue and prevents the server from crashing. (OCPBUGS-43587)

  • Previously, when you used the Agent-based Installer to install a cluster on a node that had an incorrect date, the cluster installation failed. With this release, a patch is applied to the Agent-based Installer live ISO time synchronization. The patch configures the /etc/chrony.conf file with the list of additional Network Time Protocol (NTP) servers, so that you can set any of these additional NTP servers in the agent-config.yaml without experiencing a cluster installation issue. (OCPBUGS-43846)

  • Previously, when you installed a private cluster on Google Cloud Platform (GCP), the API firewall rule used the source range of 0.0.0.0/0. This address allowed non-cluster resources unintended access to the private cluster. With this release, the API firewall rule now only allows resources that have source ranges in the Machine Network to access the private cluster. (OCPBUGS-43786)

  • Previously, an invalid or unreachable identity provider (IDP) blocked updates to hosted control planes. With this release, the ValidIDPConfiguration condition in the HostedCluster object now reports any IDP errors so that these errors do not block updates to hosted control planes. (OCPBUGS-43746)

  • Previously, the attach, oc exec, and port-forward commands received an error if you ran the commands through a proxy. With this release, a patch applied to kubectl ensures kubectl can handle any proxy errors with these commands, so that the commands run as expected. (OCPBUGS-43696)

  • Previously, Red Hat Enterprise Linux (RHEL) CoreOS templates that were shipped by the Machine Config Operator (MCO) caused node scaling to fail on Red Hat OpenStack Platform (RHOSP). This issue happened because of an issue with systemd and the presence of a legacy boot image from older versions of OpenShift Container Platform. With this release, a patch fixes the issue with systemd and removes the legacy boot image, so that node scaling can continue as expected. (OCPBUGS-42577)

  • Previously, a restart of a Cluster Version Operator (CVO) pod while the pod was initializing a syncing operation caused the guard of a blocked upgrade request to fail. This meant that the blocked upgrade request was unexpectedly accepted. With this release, a CVO pod postpones reconciliation of requests during initialization, so that the guard of a blocked upgrade request persists after the CVO pod restarts. (OCPBUGS-42386)
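
For clusters installed before the private-cluster firewall fix listed above (OCPBUGS-43786), one way to check for the old behavior is to list ingress rules that open the API port to sources outside the Machine Network. This is an added example, not code from the OpenShift project: the rule names, the 10.0.0.0/16 machine network, port 6443 as the guarded port, and the health-check allowlist are assumptions, and the sample input is constructed in the shape of `gcloud compute firewall-rules list --format=json` output.

```python
import ipaddress
import json

API_PORT = 6443  # Kubernetes API server port (assumed to be the port the rule guards)

# Google-documented load balancer health-check source ranges; treated here as an
# optional allowlist. Confirm them for your load balancer type before relying on it.
HEALTH_CHECK_RANGES = ["35.191.0.0/16", "130.211.0.0/22"]

# Constructed sample; names and ranges are illustrative, not taken from a real cluster.
SAMPLE_RULES = json.loads("""
[
  {"name": "demo-abc12-api", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["6443"]}]},
  {"name": "demo-abc12-control-plane", "direction": "INGRESS",
   "sourceRanges": ["10.0.0.0/17"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22623", "6443"]}]},
  {"name": "demo-abc12-health-checks", "direction": "INGRESS",
   "sourceRanges": ["35.191.0.0/16", "130.211.0.0/22"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["6080", "6443", "22624"]}]},
  {"name": "demo-abc12-wide-ports", "direction": "INGRESS",
   "sourceRanges": ["192.168.0.0/24", "10.0.1.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["6000-7000"]}]},
  {"name": "demo-abc12-ssh", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "demo-abc12-egress", "direction": "EGRESS",
   "destinationRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
""")


def port_matches(ports, port):
    """True if a GCP `ports` list ("6443", "6000-7000") covers `port`."""
    if not ports:  # no ports listed means every port of that protocol
        return True
    for spec in ports:
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def allows_port(rule, port):
    """True if any `allowed` entry of the rule admits TCP traffic to `port`."""
    for entry in rule.get("allowed", []):
        proto = entry.get("IPProtocol", "").lower()
        if proto in ("tcp", "all") and port_matches(entry.get("ports"), port):
            return True
    return False


def ranges_outside(source_ranges, trusted_cidrs):
    """Return the source ranges that are not contained in any trusted CIDR."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    outside = []
    for cidr in source_ranges:
        src = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if not any(src.version == t.version and src.subnet_of(t) for t in trusted):
            outside.append(cidr)
    return outside


def audit(rules, machine_networks, also_expected=(), port=API_PORT):
    """List (rule name, offending ranges) for enabled ingress rules that expose
    `port` to sources outside the machine network and the optional allowlist."""
    trusted = list(machine_networks) + list(also_expected)
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not allows_port(rule, port):
            continue
        outside = ranges_outside(rule.get("sourceRanges", []), trusted)
        if outside:
            findings.append((rule["name"], outside))
    return findings


if __name__ == "__main__":
    for name, ranges in audit(SAMPLE_RULES, ["10.0.0.0/16"], HEALTH_CHECK_RANGES):
        print(f"{name}: API port reachable from {', '.join(ranges)}")
```

Rules that match only on source tags or service accounts have no sourceRanges and are not reported by this check.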

Updating

To update an OpenShift Container Platform 4.17 cluster to this latest release, see Updating a cluster using the CLI.

RHSA-2024:8434 - OpenShift Container Platform 4.17.3 bug fix, and security update advisory

Issued: 29 October 2024

OpenShift Container Platform release 4.17.3, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the RHSA-2024:8434 advisory. The RPM packages that are included in the update are provided by the RHSA-2024:8437 advisory.

Space precluded documenting all of the container images for this release in the advisory.

You can view the container images in this release by running the following command:

$ oc adm release info 4.17.3 --pullspecs

Enhancements

Exposing network overlap metrics with the Cluster Network Operator
  • When you start the limited live migration method and an issue exists with network overlap, the Cluster Network Operator (CNO) can expose network overlap metrics for the issue. This is possible because the openshift_network_operator_live_migration_blocked metric now includes the new NetworkOverlap label. (OCPBUGS-39121)

Loading git repository environment variables automatically from your repository
  • Previously, when you imported a git repository by using the serverless import strategy, the environment variables from the func.yaml file were not automatically loaded into the form. With this update, the environment variables are now loaded upon import. (OCPBUGS-42474)

Bug fixes

  • Previously, a regression was introduced to the OpenShift installer during a Power VS deployment. As a result, the security group rules required for OpenShift Install were not created. With this release, the issue is resolved. (OCPBUGS-43547)

  • Previously, if an image registry Operator was configured with the networkAccess field set to Internal in Azure, an authorization error prevented the image registry Operator from deleting the storage container, and the managementState field from being set to Removed. With this release, the Operator can delete the storage account and storage container, and the managementState field can be successfully set to Removed. (OCPBUGS-43350)

  • Previously, both active and passive high-availability (HA) deployments ran three replicas instead of the required two. As a result, control planes contained more pods than required, which led to scaling issues. With this release, the number of replicas in active and passive HA deployments is reduced from three to two. (OCPBUGS-42704)

  • Previously, the configuration loader logged yaml unmarshal errors when the INI succeeded. With this release, the unmarshal errors are no longer logged when the INI succeeds. (OCPBUGS-42327)

  • Previously, the Machine Config Operator (MCO)'s vSphere resolve-prepender script used systemd directives that were incompatible with old bootimage versions used in OpenShift Container Platform 4. With this release, nodes can scale using newer bootimage versions 4.17 4.13 and above, through manual intervention, or by upgrading to a release that includes this fix. (OCPBUGS-42108)

  • Previously, the installation program did not validate the maximum transmission unit (MTU) for a custom IPv6 network on Red Hat Enterprise Linux CoreOS (RHCOS). If you specified a low value for the MTU, the installation of the cluster would fail. With this release, the minimum MTU value for IPv6 networks is set to 1380, where 1280 is the minimum MTU for IPv6 and 100 is the OVN-Kubernetes encapsulation overhead. With this release, the installation program now validates the MTU for a custom IPv6 network on Red Hat Enterprise Linux CoreOS (RHCOS). (OCPBUGS-41812)

  • Previously, the rpm-ostree-fix-shadow-mode.service service would run when you ran RHCOS in a live environment. As a result, the rpm-ostree-fix-shadow-mode.service service logged a failure that did not impact the deployment or live system. With this release, the rpm-ostree-fix-shadow-mode.service service will not run if the RHCOS is not running from an installed environment and the issue is resolved. (OCPBUGS-41621)

Updating

To update an OpenShift Container Platform 4.17 cluster to this latest release, see Updating a cluster using the CLI.

RHSA-2024:8229 - OpenShift Container Platform 4.17.2 bug fix, and security update advisory

Issued: 23 October 2024

OpenShift Container Platform release 4.17.2, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the RHSA-2024:8229 advisory. The RPM packages that are included in the update are provided by the RHBA-2024:8232 advisory.

Space precluded documenting all of the container images for this release in the advisory.

You can view the container images in this release by running the following command:

$ oc adm release info 4.17.2 --pullspecs

Enhancements

  • The Operator SDK now correctly scaffolds the Dockerfile for kube-rbac-proxy. Additionally, the Operator SDK can now use -rhel9 container images. (OCPBUGS-42953)

  • When you start the limited live migration method and an issue exists with network overlap, the Cluster Network Operator (CNO) can now expose network overlap metrics for the issue. This is possible because the openshift_network_operator_live_migration_blocked metric now includes the new NetworkOverlap label. (OCPBUGS-39121)

Bug fixes

  • Previously, the approval mechanism for certificate signing requests (CSRs) failed because the node name and internal DNS entry for a CSR did not match in terms of character case differences. With this release, an update to the approval mechanism for CSRs skips case-sensitive checks so that a CSR with a matching node name and internal DNS entry does not fail the check because of character case differences. (OCPBUGS-43312)

  • Previously, a port conflict on the Cloud Credential Operator (CCO) and the assisted-service object caused cluster installations on VMware vSphere to fail. With this release, the installation program ignores the pprof module in the assisted-service object so that the port conflict no longer exists. (OCPBUGS-43069)

  • Previously, when you attempted to use the oc import-image command to import an image in a hosted control planes cluster, the command failed because of access issues with a private image registry. With this release, an update to openshift-apiserver pods in a hosted control planes cluster resolves names that use the data plane so that the oc import-image command now works as expected with private image registries. (OCPBUGS-43051)

  • Previously, for managed services on hosted control planes, audit logs were sent to a local webhook service, audit-webhook. This caused issues for hosted control planes pods that sent audit logs through the konnectivity service. With this release, audit-webhook is added to the list of no_proxy hosts so that hosted control planes pods can send audit logs to the audit-webhook service. (OCPBUGS-42974)

  • Previously, when you used the Agent-based Installer to install a cluster, assisted-installer-controller timed out or exited the installation process depending on whether assisted-service was unavailable on the rendezvous host. This situation caused the cluster installation to fail during CSR approval checks. With this release, an update to assisted-installer-controller ensures that the controller does not time out or exit if assisted-service is unavailable. The CSR approval check now works as expected. (OCPBUGS-42839)

  • Previously, running the openshift-install gather bootstrap --dir <workdir> command might cause the installation program to skip the analysis of the collected logs. The command would output the following message:

    Invalid log bundle or the bootstrap machine could not be reached and bootstrap logs were not collected

    With this release, the installation program can now analyze log handles that the gather bootstrap --dir <workdir> argument generates. (OCPBUGS-42806)

  • Previously, when you used the Developer perspective with custom editors on the OpenShift Container Platform web console, entering the n keyboard shortcut caused the namespace menu to unexpectedly open. This issue happened because the keyboard shortcut key did not account for custom editors. With this release, the namespace menu now accounts for custom editors and does not unexpectedly open when you enter the n keyboard shortcut. (OCPBUGS-42607)

  • Previously, the installation program did not validate the maximum transmission unit (MTU) for a custom IPv6 network on Red Hat Enterprise Linux CoreOS (RHCOS). If you specified a low value for the MTU, installation of the cluster would fail. With this release, the minimum MTU value for IPv6 networks is set to 1380, where 1280 is the minimum MTU for IPv6 and 100 is the OVN-Kubernetes encapsulation overhead. With this release, the installation program now validates the MTU for a custom IPv6 network on Red Hat Enterprise Linux CoreOS (RHCOS). (OCPBUGS-41812)

  • Previously, a hosted control planes cluster that used mirroring release images might cause existing node pools to use the hosted cluster’s operating system version instead of the NodePool version. With this release, a fix ensures that node pools use their own versions. (OCPBUGS-41552)

  • Previously, after you created a private OpenShift Container Platform cluster on Microsoft Azure, the installation program did not mark the storage account that it created as private. As a result, the storage account was publicly available. With this release, the installation program always correctly marks the storage account as private, regardless of whether the cluster is publicly or privately available. (OCPBUGS-42349)

Updating

To update an OpenShift Container Platform 4.17 cluster to this latest release, see Updating a cluster using the CLI.

RHSA-2024:7922 - OpenShift Container Platform 4.17.1 bug fix, and security update advisory

Issued: 16 October 2024

OpenShift Container Platform release 4.17.1, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the RHSA-2024:7922 advisory. The RPM packages that are included in the update are provided by the RHSA-2024:7925 advisory.

Space precluded documenting all of the container images for this release in the advisory.

You can view the container images in this release by running the following command:

$ oc adm release info 4.17.1 --pullspecs

Enhancements

  • The Operator SDK now correctly scaffolds the Dockerfile for ansible-operator. Additionally, the Operator SDK can now use -rhel9 container images. (OCPBUGS-42853)

  • The Operator SDK now correctly scaffolds the Dockerfile for helm-operator. Additionally, the Operator SDK can now use -rhel9 container images. (OCPBUGS-42786)

  • When you install Red Hat OpenShift Lightspeed, which is a Developer Preview feature only, the checkbox for enabling in-cluster monitoring is now enabled by default. (OCPBUGS-42380)

  • The installation program now uses a newer version of the cluster-api-provider-ibmcloud provider that includes Transit Gateway fixes. (OCPBUGS-42483)

  • The migrating CNS volumes feature, which is a Developer Preview feature only, includes the following enhancements:

    • The feature now checks for the vCenter version before moving CNS volumes to VMware vSphere. (OCPBUGS-42006)

    • The feature keeps migrating CNS volumes even if some volumes do not exist, so that the migration operation does not exit when no volume exists. (OCPBUGS-42008)

  • The vSphere CSI Driver Operator can now delete all resources for a vSphere CSI driver that was removed from a cluster. (OCPBUGS-42007)

Bug fixes

  • Previously, the Single-Root I/O Virtualization (SR-IOV) Operator did not expire the acquired lease during the Operator’s shutdown operation. This impacted a new instance of the Operator, because the new instance had to wait for the lease to expire before the new instance was operational. With this release, an update to the Operator shutdown logic ensures that the Operator expires the lease when the Operator is shutting down. (OCPBUGS-37668)

  • Previously, when you configured the image registry to use a Microsoft Azure storage account that was located in a resource group other than the cluster’s resource group, the Image Registry Operator would become degraded. This occurred because of a validation error. With this release, an update to the Operator allows for authentication only by using a storage account key. Validation of other authentication requirements is not required. (OCPBUGS-42812)

  • Previously, if availability zones were not in a specific order in the install-config.yaml configuration file, the installation program would wrongly sort the zones before saving the control plane machine set manifests. When the program created the machines, additional control plane virtual machines were created to reconcile the machines into each zone. This caused a resource-constraint issue. With this release, the installation program no longer sorts availability zones so that this issue no longer occurs. (OCPBUGS-42699)

  • Previously, the Red Hat OpenShift Container Platform web console did not require the Creator field as a mandatory field. API changes specified an empty value for this field, but a user profile could still create silent alerts. With this release, the API marks the Creator field as a mandatory field for a user profile. (OCPBUGS-42606)

  • Previously, during root certification rotation, the Ingress Operator and DNS Operator failed to start. With this release, an update to the kubeconfigs for the Ingress Operator and DNS Operator ensures that annotations set the conditions for managing the public key infrastructure (PKI). This update ensures that both Operators can start as expected during root certification rotation. (OCPBUGS-42261)

  • Previously, during root certification rotation, the metrics-server pod in the data plane failed to start correctly. This happened because of a certificate issue. With this release, the hostedClusterConfigOperator resource sends the correct certificate to the data plane so that the metrics-server pod starts as expected. (OCPBUGS-42098)

  • Previously, the installation program attempted to create a private zone for a cluster that needed to be installed on a Google Cloud Platform shared virtual private network (VPC). This caused the installation of the cluster to fail. With this release, a fix skips the creation of the private zone so that this cluster installation issue no longer exists. (OCPBUGS-42142)

  • Previously, when the installation program installed a cluster on a Google Cloud Platform VPC, role bindings for the control plane service account were not removed by the program. With this release, a fix removes the role bindings so that your cluster no longer includes these artifacts. (OCPBUGS-42116)

  • Previously, if you enabled on-cluster layering (OCL) for your cluster and you attempted to configure kernel arguments in the machine configuration, machine config pools (MCPs) and nodes entered a degraded state. This happened because of a configuration mismatch. With this release, a check for kernel arguments for a cluster with OCL enabled ensures that the arguments are configured and applied to nodes in the cluster. This update prevents any mismatch that previously occurred between the machine configuration and the node configuration. (OCPBUGS-42081)

  • Previously, creating cron jobs to create pods for your cluster caused the component that fetches the pods to fail. Because of this issue, the Topology page on the OpenShift Container Platform web console failed. With this release, a 3 second delay is configured for the component that fetches pods that are generated from the cron job so that this issue no longer exists. (OCPBUGS-41685)

  • Previously, when you deployed an OpenShift Container Platform cluster that listed a TechPreviewNoUpgrade feature gate in its configuration on RHOSP, the cluster-capi-operator pod crashed. This occurred because the Cluster CAPI Operator expected a different API version than the one that was served. With this release, an update to the Cluster CAPI Operator ensures that the Operator uses the correct version of the API so that this issue no longer occurs. (OCPBUGS-41576)

  • Previously, using DNF to install additional packages on your customized Red Hat Enterprise Linux CoreOS (RHCOS) builds caused builds to fail because packages could not be located. With this release, the Subscription Manager adds the correct packages to RHCOS so that this issue no longer occurs. (OCPBUGS-41376)

  • Previously, bonds that were configured in active-backup mode would have Encapsulating Security Payload (ESP) offload active even if underlying links did not support ESP offload. This caused IPsec associations to fail. With this release, ESP offload is disabled for bonds so that IPsec associations pass. (OCPBUGS-41255)

  • Previously, resources for a new user account were not removed when the account was deleted. This caused unnecessary information in config maps, roles, and role-bindings. With this release, an ownerRef tag is added to these resources, so that when you delete a user account the resources are also deleted from all cluster resources. (OCPBUGS-39601)

  • Previously, a coding issue caused the Ansible script on RHCOS user-provisioned installation infrastructure to fail. This occurred when IPv6 was enabled for a three-node cluster. With this release, support exists for installing a three-node cluster with IPv6 enabled on RHCOS. (OCPBUGS-39409)

  • Previously, the order of an Ansible Playbook was modified to run before the metadata.json file was created, which caused issues with older versions of Ansible. With this release, the playbook is more tolerant of missing files and the issue is resolved. (OCPBUGS-39286)

  • Previously, when the Node Tuning Operator (NTO) was configured to use PerformanceProfiles, NTO would create an ocp-tuned-one-shot systemd service. The systemd service would run before kubelet and blocked execution. The systemd service invokes Podman which uses an NTO image, but when the NTO image was not present Podman still tried to fetch the image and it would fail. With this release, support is added for cluster-wide proxy environment variables defined in /etc/mco/proxy.env. Now, Podman pulls NTO images in environments which need to use proxies for out-of-cluster connections. (OCPBUGS-39124)

  • Previously, the resource type filter for the Events page on the OpenShift Container Platform web console wrongly reported the number of resources when you selected more than three resources. With this release, the filter now reports the correct number of resources based on your resource selection. (OCPBUGS-39091)

  • Previously, Ironic inspection failed if special or invalid characters existed in the serial number of a block device. This occurred because the lsblk command failed to escape the characters. With this release, the command now escapes the characters so this issue no longer persists. (OCPBUGS-39013)

  • Previously, when you used the Redfish Virtual Media to add an xFusion bare-metal node to your cluster, the node did not get added because of a node registration issue. The issue occurred because the hardware was not 100% compliant with Redfish. With this release, you can now add xFusion bare-metal nodes to your cluster. (OCPBUGS-38784)

  • Previously, on the Developer perspective on the OpenShift Container Platform web console, when you navigated to Observe > Metrics, two Metrics tabs existed. With this release, the duplicate tab is removed and now exists in the openshift-monitoring/monitoring-plugin application that serves the Metrics tabs on the web console. (OCPBUGS-38462)

  • Previously, the manila-csi-driver and node registrar pods had missing health checks because of a configuration issue. With this release, the health checks are now added to both of these resources. (OCPBUGS-38457)

  • Previously, updates to the additionalTrustBundle parameter in a hosted control planes cluster configuration were not applied to compute nodes. With this release, a fix ensures that updates to the additionalTrustBundle parameter automatically apply to compute nodes that exist in your hosted control planes cluster. (OCPBUGS-36680)

  • Previously, with oc-mirror plugin v2 (Technology Preview), images that included both tag and digest references were not supported. During the disk-to-mirror process for fully disconnected environments, the images were skipped and this caused build issues for the archive file. With this release, oc-mirror plugin v2 now supports an image that includes both of these references. An image is now pulled from the digest reference and keeps the tag reference for information purposes, while an appropriate warning message is displayed in the console output. (OCPBUGS-42421)

  • Previously, the Cluster API used an unsupported tag template for a virtual network installation when compared with the default non-cluster-API-provisioned installation. This caused the Image Registry Operator to enter a degraded state when configured with networkAccess: Internal. With this release, the Image Registry Operator now supports both tag templates so that this issue no longer exists. (OCPBUGS-42394)

  • Previously, the Cloud Controller Manager (CCM) liveness probe used on IBM Cloud cluster installations could not use loopback and this caused the probe to continuously restart. With this release, the probe can use loopback so that this issue no longer occurs. (OCPBUGS-41941)

  • Previously, when the globallyDisableIrqLoadBalancing field was set to true in the PerformanceProfile object, the isolated CPUs were listed in the IRQBALANCE_BANNED_CPULIST variable instead of the IRQBALANCE_BANNED_CPUS variable. These variables are stored in /etc/sysconfig/irqbalance. Changing the value of the globallyDisableIrqLoadBalancing field from true to false did not update the IRQBALANCE_BANNED_CPULIST variable correctly. As a result, the number of CPUs available for load rebalancing did not increase because the isolated CPUs remained in the IRQBALANCE_BANNED_CPULIST variable. With this release, a fix ensures that isolated CPUs are now listed in the IRQBALANCE_BANNED_CPUS variable, so that the number of CPUs available for load rebalancing increases as expected. (OCPBUGS-42323)
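
The oc-mirror plugin v2 item above (OCPBUGS-42421) concerns images whose reference carries both a tag and a digest. The following shell example is added here as an illustration and is not oc-mirror code: it splits such a reference and selects the digest as the pull target, keeping the tag for information only. The function names, the registry host, and the digest value are constructed for this example.

```shell
#!/bin/sh
# Added illustration, not oc-mirror code: handle an image reference that has
# both a tag and a digest by pulling from the digest and keeping the tag as
# information only.

# Constructed sample: registry host, repository and digest are made up.
SAMPLE_REF="registry.example.com:5000/team/app:v1.2@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# parse_image_ref REF: sets REPO, TAG and DIGEST (empty when absent).
parse_image_ref() {
  REPO=$1 TAG="" DIGEST=""
  # The digest, if present, follows the '@'.
  case $REPO in
    *@*) DIGEST=${REPO##*@}; REPO=${REPO%@*} ;;
  esac
  # Only a ':' in the last path component is a tag separator; an earlier ':'
  # is the registry port.
  case ${REPO##*/} in
    *:*) TAG=${REPO##*:}; REPO=${REPO%:*} ;;
  esac
  # Accept only sha256 digests with exactly 64 lowercase hex characters.
  if [ -n "$DIGEST" ]; then
    hex=${DIGEST#sha256:}
    case $hex in *[!0-9a-f]*) hex="" ;; esac
    if [ "$hex" = "$DIGEST" ] || [ "${#hex}" -ne 64 ]; then
      echo "invalid digest in reference: $1" >&2
      return 1
    fi
  fi
}

# pull_target REF: prints the reference to pull; warns on stderr when a tag
# is present but ignored in favour of the digest.
pull_target() {
  parse_image_ref "$1" || return 1
  if [ -n "$DIGEST" ]; then
    if [ -n "$TAG" ]; then
      echo "warning: $1 has a tag and a digest; pulling by digest, tag '$TAG' is informational" >&2
    fi
    printf '%s@%s\n' "$REPO" "$DIGEST"
  elif [ -n "$TAG" ]; then
    printf '%s:%s\n' "$REPO" "$TAG"
  else
    printf '%s\n' "$REPO"
  fi
}

pull_target "$SAMPLE_REF"
```

A reference resolved by digest identifies the same content even if the tag is later moved, which is why the tag is treated as a label rather than as the pull target.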

Updating

To update an OpenShift Container Platform 4.16 cluster to this latest release, see Updating a cluster using the CLI.

RHSA-2024:3718 - OpenShift Container Platform 4.17.0 image release, bug fix, and security update advisory

Issued: 01 October 2024

OpenShift Container Platform release 4.17.0, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the RHSA-2024:3718 advisory. The RPM packages that are included in the update are provided by the RHSA-2024:3722 advisory.

Space precluded documenting all of the container images for this release in the advisory.

You can view the container images in this release by running the following command:

$ oc adm release info 4.17.0 --pullspecs

Known issues

  • When the globallyDisableIrqLoadBalancing field is set to true in the PerformanceProfile object, the isolated CPUs are listed in the IRQBALANCE_BANNED_CPULIST variable instead of the IRQBALANCE_BANNED_CPUS variable. However, changing the value of the globallyDisableIrqLoadBalancing field from true to false does not update the IRQBALANCE_BANNED_CPULIST variable correctly. As a result, the number of CPUs available for load rebalancing does not increase, as the isolated CPUs remain in the IRQBALANCE_BANNED_CPULIST variable.

    The IRQBALANCE_BANNED_CPULIST variable and the IRQBALANCE_BANNED_CPUS variable are stored in the /etc/sysconfig/irqbalance file.

Updating

To update an OpenShift Container Platform 4.16 cluster to this latest release, see Updating a cluster using the CLI.