Red Hat OpenShift Container Platform provides developers and IT organizations with a hybrid cloud application platform for deploying both new and existing applications on secure, scalable resources with minimal configuration and management. OpenShift Container Platform supports a wide selection of programming languages and frameworks, such as Java, JavaScript, Python, Ruby, and PHP.

Built on Red Hat Enterprise Linux (RHEL) and Kubernetes, OpenShift Container Platform provides a more secure and scalable multitenant operating system for today’s enterprise-class applications, while delivering integrated application runtimes and libraries. OpenShift Container Platform enables organizations to meet security, privacy, compliance, and governance requirements.

About this release

OpenShift Container Platform (RHSA-2024:XXXX) is now available. This release uses Kubernetes 1.30 with CRI-O runtime. New features, changes, and known issues that pertain to OpenShift Container Platform 4.17 are included in this topic.

OpenShift Container Platform 4.17 clusters are available at https://console.redhat.com/openshift. With the Red Hat OpenShift Cluster Manager application for OpenShift Container Platform, you can deploy OpenShift Container Platform clusters to either on-premises or cloud environments.

OpenShift Container Platform 4.17 is supported on Red Hat Enterprise Linux (RHEL) 8.8-8.10, and on Red Hat Enterprise Linux CoreOS (RHCOS) 9.4.

You must use RHCOS machines for the control plane, and you can use either RHCOS or RHEL for compute machines. RHEL machines are deprecated in OpenShift Container Platform 4.16 and will be removed in a future release.

The support lifecycle for odd-numbered releases, such as OpenShift Container Platform 4.17, on all supported architectures, including x86_64, 64-bit ARM (aarch64), IBM Power® (ppc64le), and IBM Z® (s390x) architectures is 18 months. For more information about support for all versions, see the Red Hat OpenShift Container Platform Life Cycle Policy.

Commencing with the OpenShift Container Platform 4.14 release, Red Hat is simplifying the administration and management of Red Hat shipped cluster Operators with the introduction of three new life cycle classifications: Platform Aligned, Platform Agnostic, and Rolling Stream. These life cycle classifications provide additional ease and transparency for cluster administrators to understand the life cycle policies of each Operator and form cluster maintenance and upgrade plans with predictable support boundaries. For more information, see OpenShift Operator Life Cycles.

OpenShift Container Platform is designed for FIPS. When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.

For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status for the individual versions of RHEL cryptographic libraries that have been submitted for validation, see Compliance Activities and Government Standards.

OpenShift Container Platform layered and dependent component support and compatibility

The scope of support for layered and dependent components of OpenShift Container Platform changes independently of the OpenShift Container Platform version. To determine the current support status and compatibility for an add-on, refer to its release notes. For more information, see the Red Hat OpenShift Container Platform Life Cycle Policy.

New features and enhancements

This release adds improvements related to the following components and concepts:

Red Hat Enterprise Linux CoreOS (RHCOS)

Support for the DNF package manager

With this release, you can now use DNF to install additional packages to your customized Red Hat Enterprise Linux CoreOS (RHCOS) builds. For more information, see Red Hat Enterprise Linux CoreOS (RHCOS) layering.

Installation and update

Deploy Azure in the Spain region

You can deploy OpenShift Container Platform 4.17 in Microsoft Azure in the Spain, Central (spaincentral) region. For more information, see Supported Azure regions.

Cluster API replaces Terraform for Microsoft Azure installations

In OpenShift Container Platform 4.17, the installation program uses Cluster API instead of Terraform to provision cluster infrastructure during installations on Azure.

With the replacement of Terraform, the following permissions are required if you use a service principal with limited privileges:

  • Microsoft.Network/loadBalancers/inboundNatRules/read

  • Microsoft.Network/loadBalancers/inboundNatRules/write

  • Microsoft.Network/loadBalancers/inboundNatRules/join/action

  • Microsoft.Network/loadBalancers/inboundNatRules/delete

  • Microsoft.Network/routeTables/read

  • Microsoft.Network/routeTables/write

  • Microsoft.Network/routeTables/join/action

For more information on required permissions, see Required Azure permissions for installer-provisioned infrastructure.
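Before running the installation program with a limited-privilege service principal, you can check its roles against the list above. The following is an added example, not part of the release notes or of Red Hat tooling; it assumes role definitions in the JSON shape printed by `az role definition list` (a `permissions` list with `actions` and `notActions`), and the sample role is constructed.

```python
from fnmatch import fnmatchcase

# The seven permissions listed above for Cluster API-based installs on Azure.
REQUIRED_ACTIONS = [
    "Microsoft.Network/loadBalancers/inboundNatRules/read",
    "Microsoft.Network/loadBalancers/inboundNatRules/write",
    "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
    "Microsoft.Network/loadBalancers/inboundNatRules/delete",
    "Microsoft.Network/routeTables/read",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/routeTables/join/action",
]


def _matches(action, patterns):
    """True if the action matches any pattern (case-insensitive, '*' wildcard)."""
    lowered = action.lower()
    return any(fnmatchcase(lowered, p.lower()) for p in patterns)


def missing_actions(role_definitions, required=REQUIRED_ACTIONS):
    """Return the required actions that none of the given roles grants.

    Within one permissions block an action is granted when it matches an
    entry in `actions` and no entry in `notActions`. Grants from several
    roles add up, so a notActions entry in one role does not cancel a
    grant made by another role.
    """
    missing = []
    for action in required:
        granted = any(
            _matches(action, perm.get("actions") or [])
            and not _matches(action, perm.get("notActions") or [])
            for role in role_definitions
            for perm in role.get("permissions") or []
        )
        if not granted:
            missing.append(action)
    return missing


# Constructed sample: a custom role that looks broad but still falls short.
SAMPLE_ROLES = [
    {
        "roleName": "example-installer-network",  # hypothetical role name
        "permissions": [
            {
                "actions": [
                    "Microsoft.Network/loadBalancers/*",
                    "Microsoft.Network/routeTables/read",
                    "Microsoft.Network/routeTables/write",
                ],
                "notActions": [
                    "Microsoft.Network/loadBalancers/inboundNatRules/delete",
                ],
            }
        ],
    }
]

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_ROLES):
        print("missing:", action)
```
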

Installing a cluster on AWS by using an existing IAM profile

With this release, you can install OpenShift Container Platform on Amazon Web Services (AWS) by using an existing identity and access management (IAM) instance profile. For more information, see Optional AWS configuration parameters.

Postinstallation configuration

Web console

Administrator perspective

This release introduces the following updates to the Administrator perspective of the web console:

Developer Perspective

This release introduces the following updates to the Developer perspective of the web console:

OpenShift CLI (oc)

IBM Z and IBM LinuxONE

With this release, IBM Z® and IBM® LinuxONE are now compatible with OpenShift Container Platform 4.17. You can perform the installation with z/VM, LPAR, or Red Hat Enterprise Linux (RHEL) Kernel-based Virtual Machine (KVM). For installation instructions, see Preparing to install on IBM Z and IBM LinuxONE.

Compute nodes must run Red Hat Enterprise Linux CoreOS (RHCOS).

IBM Z and IBM LinuxONE notable enhancements

The IBM Z® and IBM® LinuxONE release on OpenShift Container Platform 4.17 adds improvements and new capabilities to OpenShift Container Platform components and concepts.

This release introduces support for the following features on IBM Z® and IBM® LinuxONE:

  • CPU manager

  • Non-volatile memory express (NVMe) support for LPAR

  • Tuning etcd latency tolerances

IBM Power

IBM Power® is now compatible with OpenShift Container Platform 4.17. For installation instructions, see the following documentation:

Compute nodes must run Red Hat Enterprise Linux CoreOS (RHCOS).

IBM Power notable enhancements

The IBM Power® release on OpenShift Container Platform 4.17 adds improvements and new capabilities to OpenShift Container Platform components.

This release introduces support for the following features on IBM Power:

  • Tuning etcd latency tolerances

  • Installer Provisioned Infrastructure for IBM PowerVS - move to CAPI

IBM Power, IBM Z, and IBM LinuxONE support matrix

Starting in OpenShift Container Platform 4.14, Extended Update Support (EUS) is extended to the IBM Power® and the IBM Z® platform. For more information, see the OpenShift EUS Overview.

Table 1. OpenShift Container Platform features

| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
| --- | --- | --- |
| Alternate authentication providers | Supported | Supported |
| Agent-based Installer | Supported | Supported |
| Assisted Installer | Supported | Supported |
| Automatic Device Discovery with Local Storage Operator | Unsupported | Supported |
| Automatic repair of damaged machines with machine health checking | Unsupported | Unsupported |
| Cloud controller manager for IBM Cloud® | Supported | Unsupported |
| Controlling overcommit and managing container density on nodes | Unsupported | Unsupported |
| CPU manager | Supported | Supported |
| Cron jobs | Supported | Supported |
| Descheduler | Supported | Supported |
| Egress IP | Supported | Supported |
| Encrypting data stored in etcd | Supported | Supported |
| FIPS cryptography | Supported | Supported |
| Helm | Supported | Supported |
| Horizontal pod autoscaling | Supported | Supported |
| Hosted control planes (Technology Preview) | Supported | Supported |
| IBM Secure Execution | Unsupported | Supported |
| Installer-provisioned Infrastructure Enablement for IBM Power® Virtual Server | Supported | Unsupported |
| Installing on a single node | Supported | Supported |
| IPv6 | Supported | Supported |
| Monitoring for user-defined projects | Supported | Supported |
| Multi-architecture compute nodes | Supported | Supported |
| Multi-architecture control plane | Supported | Supported |
| Multipathing | Supported | Supported |
| Network-Bound Disk Encryption - External Tang Server | Supported | Supported |
| Non-volatile memory express drives (NVMe) | Supported | Unsupported |
| nx-gzip for Power10 (Hardware Acceleration) | Supported | Unsupported |
| oc-mirror plugin | Supported | Supported |
| OpenShift CLI (oc) plugins | Supported | Supported |
| Operator API | Supported | Supported |
| OpenShift Virtualization | Unsupported | Unsupported |
| OVN-Kubernetes, including IPsec encryption | Supported | Supported |
| PodDisruptionBudget | Supported | Supported |
| Precision Time Protocol (PTP) hardware | Unsupported | Unsupported |
| Red Hat OpenShift Local | Unsupported | Unsupported |
| Scheduler profiles | Supported | Supported |
| Secure Boot | Unsupported | Supported |
| Stream Control Transmission Protocol (SCTP) | Supported | Supported |
| Support for multiple network interfaces | Supported | Supported |
| The openshift-install utility to support various SMT levels on IBM Power® (Hardware Acceleration) | Supported | Supported |
| Three-node cluster support | Supported | Supported |
| Topology Manager | Supported | Unsupported |
| z/VM Emulated FBA devices on SCSI disks | Unsupported | Supported |
| 4K FCP block device | Supported | Supported |

Table 2. Persistent storage options

| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
| --- | --- | --- |
| Persistent storage using iSCSI | Supported [1] | Supported [1],[2] |
| Persistent storage using local volumes (LSO) | Supported [1] | Supported [1],[2] |
| Persistent storage using hostPath | Supported [1] | Supported [1],[2] |
| Persistent storage using Fibre Channel | Supported [1] | Supported [1],[2] |
| Persistent storage using Raw Block | Supported [1] | Supported [1],[2] |
| Persistent storage using EDEV/FBA | Supported [1] | Supported [1],[2] |

  1. Persistent shared storage must be provisioned by using either Red Hat OpenShift Data Foundation or other supported storage protocols.

  2. Persistent non-shared storage must be provisioned by using local storage, such as iSCSI, FC, or by using LSO with DASD, FCP, or EDEV/FBA.

Table 3. Operators

| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
| --- | --- | --- |
| cert-manager Operator for Red Hat OpenShift | Supported | Supported |
| Cluster Logging Operator | Supported | Supported |
| Cluster Resource Override Operator | Supported | Supported |
| Compliance Operator | Supported | Supported |
| Cost Management Metrics Operator | Supported | Supported |
| File Integrity Operator | Supported | Supported |
| HyperShift Operator | Technology Preview | Technology Preview |
| IBM Power® Virtual Server Block CSI Driver Operator | Supported | Unsupported |
| Ingress Node Firewall Operator | Supported | Supported |
| Local Storage Operator | Supported | Supported |
| MetalLB Operator | Supported | Supported |
| Network Observability Operator | Supported | Supported |
| NFD Operator | Supported | Supported |
| NMState Operator | Supported | Supported |
| OpenShift Elasticsearch Operator | Supported | Supported |
| Vertical Pod Autoscaler Operator | Supported | Supported |

Table 4. Multus CNI plugins

| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
| --- | --- | --- |
| Bridge | Supported | Supported |
| Host-device | Supported | Supported |
| IPAM | Supported | Supported |
| IPVLAN | Supported | Supported |

Table 5. CSI Volumes

| Feature | IBM Power® | IBM Z® and IBM® LinuxONE |
| --- | --- | --- |
| Cloning | Supported | Supported |
| Expansion | Supported | Supported |
| Snapshot | Supported | Supported |

Authentication and authorization

Networking

Microsoft Azure for the Kubernetes NMState Operator

Red Hat support exists for using the Kubernetes NMState Operator on Microsoft Azure but in a limited capacity. Support is limited to configuring DNS servers on your system as a postinstallation task.

For more information, see About the Kubernetes NMState Operator.

View metrics collected by the Kubernetes NMState Operator

The Kubernetes NMState Operator, kubernetes-nmstate-operator, can collect metrics from the kubernetes_nmstate_features_applied component and expose them as ready-to-use metrics. You can view these metrics by using the Administrator and Developer perspectives.

New PTP fast events REST API version 2 available

A new PTP fast events O-RAN Release 3 compliant REST API version 2 is available. Now, you can develop PTP event consumer applications that receive host hardware PTP events directly from the PTP Operator-managed pod. The PTP fast events REST API v1 will be deprecated in a future release.

In O-RAN O-Cloud Notification API Specification for Event Consumers 3.0, the resource is defined as a hierarchical path for the subsystem that produces the notifications. The PTP events REST API v2 does not have a global subscription for all lower hierarchy resources contained in the resource path. You subscribe consumer applications to the various available event types separately.

Automatic leap seconds handling for PTP grandmaster clocks

The PTP Operator now automatically updates the leap second file by using Global Positioning System (GPS) announcements.

Leap second information is stored in an automatically generated ConfigMap resource named leap-configmap in the openshift-ptp namespace.

NIC partitioning for SR-IOV devices (Generally Available)

With this update, the ability to enable NIC partitioning for Single Root I/O Virtualization (SR-IOV) devices at install time is Generally Available.

For more information, see NIC partitioning for SR-IOV devices.

Host network settings for SR-IOV VFs (Generally Available)

With this update, the ability to update host network settings for Single Root I/O Virtualization (SR-IOV) network virtual functions in an existing cluster is Generally Available.

CoreDNS update to version 1.11.3

OpenShift Container Platform 4.17 now includes CoreDNS version 1.11.3.

Registry

New chunkSizeMiB configuration parameter for S3 registry storage

A new, optional configuration parameter, chunkSizeMiB, is now available for deployments using S3 API-compatible backend storage. When configured, it determines the size of the multipart upload chunks for the S3 API. The default value is 10 MiB, with a minimum of 5 MiB.

Storage

AWS EFS CSI storage usage metrics are generally available

Amazon Web Services (AWS) Elastic File Service (EFS) usage metrics allow you to monitor how much space is used by EFS volumes. This feature is generally available.

Turning on these metrics can lead to performance degradation because the CSI driver walks through the whole volume. Therefore, this option is disabled by default. Administrators must explicitly enable this feature.

Preventing unauthorized volume mode conversion is generally available

Previously, there was no validation of whether the mode of an original volume (filesystem or raw block), whose snapshot was taken, matches the mode of a newly created volume. This presented a security gap that could allow malicious users to potentially exploit an as-yet-unknown vulnerability in the host operating system.

Nevertheless, some users have a legitimate need to perform such conversions. This feature allows cluster administrators to provide these rights (ability to perform update or patch operations on VolumeSnapshotContents objects) only to trusted users or applications, such as backup vendors.

To convert a volume mode, an authorized user needs to set the snapshot.storage.kubernetes.io/allow-volume-mode-change: "true" annotation on the VolumeSnapshotContent object of the snapshot source.

This feature is supported as generally available.
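To review which users and service accounts currently hold the update or patch rights described above, you can audit cluster RBAC. The following is an added example, not part of the release notes or of Red Hat tooling; it assumes ClusterRole and ClusterRoleBinding objects in the JSON shape returned by `oc get clusterroles,clusterrolebindings -o json`, and every object name in the sample data is constructed.

```python
SNAPSHOT_GROUP = "snapshot.storage.k8s.io"
RESOURCE = "volumesnapshotcontents"
WRITE_VERBS = {"update", "patch"}


def rule_write_verbs(rule):
    """Return which of update/patch one RBAC rule grants on VolumeSnapshotContents."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = rule.get("verbs") or []
    if "*" not in groups and SNAPSHOT_GROUP not in groups:
        return set()
    if "*" not in resources and RESOURCE not in resources:
        return set()
    # A resourceNames restriction narrows the objects, not the verbs,
    # so such a rule is still reported.
    return set(WRITE_VERBS) if "*" in verbs else WRITE_VERBS & set(verbs)


def subject_id(subject):
    """Render a binding subject as Kind:name or Kind:namespace/name."""
    ns = subject.get("namespace")
    prefix = f"{ns}/" if ns else ""
    return f"{subject['kind']}:{prefix}{subject['name']}"


def who_can_change_volume_mode(cluster_roles, cluster_role_bindings):
    """Map each subject to the update/patch verbs it holds on VolumeSnapshotContents.

    VolumeSnapshotContent is cluster-scoped, so only ClusterRoleBindings
    that reference a ClusterRole can grant these verbs.
    """
    role_verbs = {}
    for role in cluster_roles:
        granted = set()
        for rule in role.get("rules") or []:
            granted |= rule_write_verbs(rule)
        if granted:
            role_verbs[role["metadata"]["name"]] = granted

    found = {}
    for binding in cluster_role_bindings:
        ref = binding.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in role_verbs:
            continue
        for subject in binding.get("subjects") or []:
            found.setdefault(subject_id(subject), set()).update(role_verbs[ref["name"]])
    return {subject: sorted(verbs) for subject, verbs in sorted(found.items())}


# Constructed sample data (hypothetical names throughout).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "example-backup-operator"},
     "rules": [{"apiGroups": [SNAPSHOT_GROUP], "resources": [RESOURCE],
                "verbs": ["get", "list", "update", "patch"]}]},
    {"metadata": {"name": "example-snapshot-viewer"},
     "rules": [{"apiGroups": [SNAPSHOT_GROUP], "resources": [RESOURCE],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "example-wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "example-backup-operator"},
     "subjects": [{"kind": "ServiceAccount", "name": "backup-sa",
                   "namespace": "example-backup"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "example-snapshot-viewer"},
     "subjects": [{"kind": "Group", "name": "example-developers"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "example-wildcard-admin"},
     "subjects": [{"kind": "User", "name": "example-admin"}]},
]

if __name__ == "__main__":
    report = who_can_change_volume_mode(SAMPLE_CLUSTER_ROLES, SAMPLE_BINDINGS)
    for subject, verbs in report.items():
        print(subject, "->", ", ".join(verbs))
```

Any subject in the report that is not a trusted backup application or administrator is a candidate for having the grant removed.
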

Automatic deletion of resources for GCP Filestore is generally available

In earlier versions of OpenShift Container Platform, when destroying a cluster, Google Compute Platform (GCP) Filestore Storage did not delete all of the cloud resources belonging to that cluster. This required manually deleting all of the persistent volume claims (PVCs) that used the Filestore storage class before destroying the cluster.

With OpenShift Container Platform 4.17, when destroying a cluster the OpenShift Container Platform installer should generally delete all of the cloud resources that belong to that cluster, and therefore manual deletion of PVCs should not be required. However, due to the special nature of the Google Compute Platform (GCP) Filestore resources, the automated cleanup process might not remove all of the resources in some rare cases. This feature is supported as generally available.

For more information, see Destroying clusters and GCP Filestore.

Azure File CSI supports snapshots (Technology Preview)

OpenShift Container Platform 4.17 introduces volume snapshot support for the Microsoft Azure File Container Storage Interface (CSI) Driver Operator. This capability is supported as a Technology Preview feature.

Multiple vCenter support for vSphere CSI (Technology Preview)

OpenShift Container Platform v4.17 introduces the ability to deploy OpenShift Container Platform across multiple vSphere clusters (vCenters). This feature is supported with Technology Preview status.

Multiple vCenters can only be configured during installation. The maximum number of supported vCenter clusters is three.

Disabling and enabling storage on vSphere (Technology Preview)

Cluster administrators might want to disable the VMware vSphere Container Storage Interface (CSI) Driver as a Day 2 operation, so the vSphere CSI Driver does not interface with your vSphere setup. This feature is supported at the Technology Preview level.

For more information, see Disabling and enabling storage on vSphere.

RWX/RWO SELinux Mount (Developer Preview)

Pods might take a very long time to start when the volume contains a large number of files. To avoid SELinux labeling issues while keeping SELinux confinement, you can enable the ReadWriteMany/ReadWriteOnce (RWX/RWO) SELinux Mount feature. Be advised that the RWX/RWO SELinux Mount feature is a Developer Preview feature. It is not supported by Red Hat, and you should not enable this feature set on production clusters or on clusters that you plan to maintain over time.

RWX/RWO SELinux Mount is a Developer Preview feature only. Developer Preview features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

For more information about the RWX/RWO SELinux Mount feature, including how to enable it, see the RWX/RWO SELinux Mount feature Knowledge Centered Service article.

Migrating CNS volumes between datastores with cns-migration (Developer Preview)

In OpenShift Container Platform 4.17, if you are running out of space in your current datastore, or want to move to a more performant datastore, you can migrate volumes between datastores. Be advised that this feature is a Developer Preview feature. It is not supported by Red Hat.

Migrating CNS Volumes Between Datastores is a Developer Preview feature only. Developer Preview features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

For more information about cns-migration, see Moving CNS volumes between datastores.

Oracle® Cloud Infrastructure (OCI)

Oracle® Cloud Infrastructure

Operator lifecycle

Operator development

Builds

Machine Config Operator

Control plane TLS security profiles supported by the MCO

The Machine Config Operator (MCO) and Machine Config Server now use the TLS security profile that is configured for the control plane components. For more information, see Configuring the TLS security profile for the control plane.

Updated boot images for AWS now supported (Technology Preview)

Updated boot images are now supported as a Technology Preview feature for Amazon Web Services (AWS) clusters. This feature allows you to configure your cluster to update the node boot image whenever you update your cluster. By default, the boot image in your cluster is not updated along with your cluster. For more information, see Updated boot images.

Updated boot images for GCP clusters promoted to GA

The updated boot images feature has been promoted to GA for Google Cloud Platform (GCP) clusters. For more information, see Updated boot images.

Node disruption policies promoted to GA

Node disruption policies for Google Cloud Platform (GCP) clusters have been promoted to GA. A node disruption policy allows you to define a set of Ignition config object changes that would require little or no disruption to your workloads. For more information, see Using node disruption policies to minimize disruption from machine config changes.

Machine management

Configuring Capacity Reservation by using machine sets

OpenShift Container Platform release 4.17 introduces support for on-demand Capacity Reservation with Capacity Reservation groups on Microsoft Azure clusters. For more information, see Configuring Capacity Reservation by using machine sets for compute or control plane machine sets.

Nodes

New flags added for must-gather command

OpenShift Container Platform release 4.17 adds two new flags for use with the oc adm must-gather command to limit the timespan of the information gathered. Only one of the following flags can be used at a time. Plugins are encouraged but not required to support these flags.

  • --since: Only return logs newer than a relative duration, such as 5s, 2m, or 3h. Defaults to all logs.

  • --since-time: Only return logs after a specific date, expressed in the RFC3339 format. Defaults to all logs.

For a full list of flags to use with the oc adm must-gather command, see Must-gather flags.

Monitoring

Network Observability Operator

The Network Observability Operator releases updates independently from the OpenShift Container Platform minor version release stream. Updates are available through a single, Rolling Stream which is supported on all currently supported versions of OpenShift Container Platform 4. Information regarding new features, enhancements, and bug fixes for the Network Observability Operator is found in the Network Observability release notes.

Scalability and performance

Node scaling for etcd

In this release, if your cluster is installed on a bare metal platform, you can scale a cluster to up to 5 nodes as a post-installation task. The etcd Operator scales accordingly to account for the additional node. For more information, see Node scaling for etcd.

Edge computing

Hosted control planes

Insights Operator

Security

Automatic rotation of signer certificates

With this release, all etcd certificates originate from a new namespace: openshift-etcd. When a new signer certificate is close to its expiration date, the following actions occur:

  1. An automatic rotation of the signer certificate activates.

  2. The certificate bundle updates.

  3. All certificates regenerate with the new signers.

Manual rotation of signer certificates is still supported by deleting the specific secret and waiting for the status pod rollout to complete.

Sigstore signature image verification

With this release, Technology Preview clusters use Sigstore signatures to verify images that were retrieved using a pull spec that references the quay.io/openshift-release-dev/ocp-release repository.

Currently, if you are mirroring images, you must also mirror quay.io/openshift-release-dev/ocp-release:<release_image_digest_with_dash>.sig Sigstore signatures in order for the image verification to succeed.

Notable technical changes

OpenShift Container Platform 4.17 introduces the following notable technical changes:

Deprecated and removed features

Some features available in previous releases have been deprecated or removed.

Deprecated functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed within OpenShift Container Platform 4.17, refer to the table below. Additional details for more functionality that has been deprecated and removed are listed after the table.

In the following tables, features are marked with the following statuses:

  • Not Available

  • Technology Preview

  • General Availability

  • Deprecated

  • Removed

Operator lifecycle and development deprecated and removed features

Table 6. Operator lifecycle and development deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Operator SDK | General Availability | Deprecated | Deprecated |
| Scaffolding tools for Ansible-based Operator projects | General Availability | Deprecated | Deprecated |
| Scaffolding tools for Helm-based Operator projects | General Availability | Deprecated | Deprecated |
| Scaffolding tools for Go-based Operator projects | General Availability | Deprecated | Deprecated |
| Scaffolding tools for Hybrid Helm-based Operator projects | Technology Preview | Deprecated | Deprecated |
| Scaffolding tools for Java-based Operator projects | Technology Preview | Deprecated | Deprecated |
| Platform Operators | Technology Preview | Removed | Removed |
| Plain bundles | Technology Preview | Removed | Removed |
| SQLite database format for Operator catalogs | Deprecated | Deprecated | Deprecated |

Images deprecated and removed features

Table 7. Cluster Samples Operator deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Cluster Samples Operator | General Availability | Deprecated | Deprecated |

Monitoring deprecated and removed features

Table 8. Monitoring deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| dedicatedServiceMonitors setting that enables dedicated service monitors for core platform monitoring | Deprecated | Removed | Removed |
| prometheus-adapter component that queries resource metrics from Prometheus and exposes them in the metrics API | Deprecated | Removed | Removed |

Installation deprecated and removed features

Table 9. Installation deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| --cloud parameter for oc adm release extract | Deprecated | Deprecated | Deprecated |
| CoreDNS wildcard queries for the cluster.local domain | Deprecated | Deprecated | Deprecated |
| compute.platform.openstack.rootVolume.type for RHOSP | Deprecated | Deprecated | Deprecated |
| controlPlane.platform.openstack.rootVolume.type for RHOSP | Deprecated | Deprecated | Deprecated |
| ingressVIP and apiVIP settings in the install-config.yaml file for installer-provisioned infrastructure clusters | Deprecated | Deprecated | Deprecated |
| Package-based RHEL compute machines | General Availability | Deprecated | Deprecated |
| platform.aws.preserveBootstrapIgnition parameter for Amazon Web Services (AWS) | General Availability | Deprecated | Deprecated |
| Terraform infrastructure provider for Amazon Web Services (AWS), VMware vSphere and Nutanix | General Availability | Removed | Removed |
| Terraform infrastructure provider for Google Cloud Platform (GCP) | General Availability | Removable as Technology Preview | Removable as Technology Preview |
| Installing a cluster on Alibaba Cloud with installer-provisioned infrastructure | Technology Preview | Removed | Removed |

Updating clusters deprecated and removed features

Table 10. Updating clusters deprecated and removed tracker
Feature 4.15 4.16 4.17

Machine management deprecated and removed features

Table 11. Machine management deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Managing machine with Machine API for Alibaba Cloud | Technology Preview | Removed | Removed |
| Cloud controller manager for Alibaba Cloud | Technology Preview | Removed | Removed |

Storage deprecated and removed features

Table 12. Storage deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| AliCloud Disk CSI Driver Operator | General Availability | Removed | Removed |

Specialized hardware and driver enablement deprecated and removed features

Table 13. Specialized hardware and driver enablement deprecated and removed tracker
Feature 4.15 4.16 4.17

Networking deprecated and removed features

Table 14. Networking deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| OpenShift SDN network plugin | Deprecated | Deprecated | Removed |
| iptables | Deprecated | Deprecated | Deprecated |

Web console deprecated and removed features

Table 15. Web console deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Patternfly 4 | Deprecated | Deprecated | Deprecated |
| React Router 5 | Deprecated | Deprecated | Deprecated |

Node deprecated and removed features

Table 16. Node deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| ImageContentSourcePolicy (ICSP) objects | Deprecated | Deprecated | Deprecated |
| Kubernetes topology label failure-domain.beta.kubernetes.io/zone | Deprecated | Deprecated | Deprecated |
| Kubernetes topology label failure-domain.beta.kubernetes.io/region | Deprecated | Deprecated | Deprecated |
| cgroup v1 | General Availability | Deprecated | Deprecated |

OpenShift CLI (oc) deprecated and removed features

Feature 4.15 4.16 4.17

Workloads deprecated and removed features

Table 17. Workloads deprecated and removed tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| DeploymentConfig objects | Deprecated | Deprecated | Deprecated |

Bare metal monitoring deprecated and removed features

Table 18. Bare Metal Event Relay Operator tracker

| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Bare Metal Event Relay Operator | Deprecated | Deprecated | Removed |

Deprecated features

Removed features

Bare Metal Event Relay Operator (BMER)

BMER was deprecated in OpenShift Container Platform versions 4.15 and 4.16. With this release, BMER is no longer supported and the related BMER content is removed from the documentation.

Notice of future deprecation

Bug fixes

API Server and Authentication

Bare Metal Hardware Provisioning

Builds

Cloud Compute

Cloud Credential Operator

Cluster Version Operator

Developer Console

etcd Cluster Operator

Hosted control planes

Image Registry

  • In OpenShift Container Platform 4.14, installing a cluster with Microsoft Entra Workload ID was made generally available. With this feature, administrators can configure a Microsoft Azure cluster to use Workload ID. With Workload ID, cluster components use temporary security credentials that are managed outside of the cluster.

    Previously, when OpenShift Container Platform was deployed on Azure clusters with Workload ID, storage accounts created for the cluster and the image registry had Storage Account Key Access enabled by default, which could pose security risks to the deployment.

    With this update, shared access keys are disabled by default on new installations that use Workload ID, enhancing security by preventing the use of shared access keys.

    Shared access keys should only be disabled if the cluster is configured to use Workload ID. Disabling shared access keys on a cluster not configured with Microsoft Entra Workload ID can cause the Image Registry Operator to become degraded.

    For existing storage accounts created before this update, shared access keys are not automatically disabled. Administrators must manually disable shared access key support on these storage accounts to prevent the use of shared keys. For more information about disabling shared access keys, see Prevent Shared Key authorization for an Azure Storage account.
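The audit that the last paragraph leaves to administrators can be scripted. The following added example (not Red Hat's or Microsoft's code) reads az storage account list output, lists the accounts that still accept shared keys, and emits az storage account update commands only when the cluster uses Workload ID. It assumes the cluster's credentialsMode and serviceAccountIssuer values were read beforehand with oc get; all account names are constructed.

```python
import json

# Constructed sample of `az storage account list --resource-group <rg> -o json`
# output, trimmed to the fields used here; every name is made up.
SAMPLE_ACCOUNTS_JSON = """[
  {"name": "examplecluster", "resourceGroup": "example-rg", "allowSharedKeyAccess": null},
  {"name": "exampleregistry", "resourceGroup": "example-rg", "allowSharedKeyAccess": true},
  {"name": "examplenew", "resourceGroup": "example-rg", "allowSharedKeyAccess": false}
]"""


def uses_workload_id(credentials_mode, service_account_issuer):
    # Assumption: a cluster on short-term credentials reports credentialsMode
    # "Manual" and a non-empty serviceAccountIssuer (values read with `oc get`).
    return credentials_mode == "Manual" and bool((service_account_issuer or "").strip())


def shared_key_enabled(account):
    # Azure authorizes Shared Key requests when the property is true or unset
    # (null), so only an explicit false counts as disabled.
    return account.get("allowSharedKeyAccess") is not False


def remediation_plan(accounts_json, credentials_mode, service_account_issuer):
    exposed = [a for a in json.loads(accounts_json) if shared_key_enabled(a)]
    plan = {
        "exposed": [a["name"] for a in exposed],
        "safe_to_disable": uses_workload_id(credentials_mode, service_account_issuer),
        "commands": [],
    }
    # Without Workload ID the Image Registry Operator still needs the keys,
    # so report the exposure but emit no change commands.
    if plan["safe_to_disable"]:
        plan["commands"] = [
            "az storage account update --name {} --resource-group {} "
            "--allow-shared-key-access false".format(a["name"], a["resourceGroup"])
            for a in exposed
        ]
    return plan


if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_ACCOUNTS_JSON, "Manual", "https://issuer.example.invalid")
    print(json.dumps(plan, indent=2))
```

An account whose allowSharedKeyAccess is null is reported as exposed, because an unset property still permits Shared Key authorization.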

Installer

Insights Operator

Kubernetes Controller Manager

Kubernetes Scheduler

Machine Config Operator

Management Console

Monitoring

Networking

Node

Node Tuning Operator (NTO)

OpenShift CLI (oc)

Operator Lifecycle Manager (OLM)

OpenShift API server

Red Hat Enterprise Linux CoreOS (RHCOS)

Scalability and performance

Storage

Windows containers

Technology Preview features status

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use. Note the following scope of support on the Red Hat Customer Portal for these features:

In the following tables, features are marked with the following statuses:

  • Not Available

  • Technology Preview

  • General Availability

  • Deprecated

  • Removed

Networking Technology Preview features

Table 19. Networking Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Advertise using L2 mode the MetalLB service from a subset of nodes, using a specific pool of IP addresses | Technology Preview | Technology Preview | Technology Preview |
| Multi-network policies for SR-IOV networks | General Availability | General Availability | General Availability |
| Updating the interface-specific safe sysctls list | Technology Preview | Technology Preview | Technology Preview |
| Egress service custom resource | Technology Preview | Technology Preview | Technology Preview |
| VRF specification in BGPPeer custom resource | Technology Preview | Technology Preview | Technology Preview |
| VRF specification in NodeNetworkConfigurationPolicy custom resource | Technology Preview | Technology Preview | Technology Preview |
| Admin Network Policy (AdminNetworkPolicy) | Technology Preview | General Availability | General Availability |
| IPsec external traffic (north-south) | General Availability | General Availability | General Availability |
| Host network settings for SR-IOV VFs | Technology Preview | Technology Preview | General Availability |
| Integration of MetalLB and FRR-K8s | Not Available | Technology Preview | Technology Preview |
| Dual-NIC Intel E810 PTP boundary clock with highly available system clock | Not Available | General Availability | General Availability |
| Intel E810 Westport Channel NIC as PTP grandmaster clock | Technology Preview | General Availability | General Availability |
| Dual-NIC Intel E810 Westport Channel as PTP grandmaster clock | Technology Preview | General Availability | General Availability |
| Automatic leap seconds handling for PTP grandmaster clocks | Not Available | Not Available | General Availability |
| PTP events REST API v2 | Not Available | Not Available | General Availability |
| Configure the br-ex bridge needed by OVN-Kubernetes using NMState | Not Available | Technology Preview | Technology Preview |
| Live migration to OVN-Kubernetes from OpenShift SDN | Not Available | General Availability | General Availability |
| Overlapping IP configuration for multi-tenant networks with Whereabouts | Not Available | General Availability | General Availability |

Storage Technology Preview features

Table 20. Storage Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| AWS EFS storage CSI usage metrics | Not Available | Not Available | General Availability |
| Automatic device discovery and provisioning with Local Storage Operator | Technology Preview | Technology Preview | Technology Preview |
| Azure File CSI snapshot support | Not Available | Not Available | Technology Preview |
| IBM Power® Virtual Server Block CSI Driver Operator | General Availability | General Availability | General Availability |
| Read Write Once Pod access mode | Technology Preview | General Availability | General Availability |
| Shared Resources CSI Driver in OpenShift Builds | Technology Preview | Technology Preview | Technology Preview |
| Secrets Store CSI Driver Operator | Technology Preview | Technology Preview | Technology Preview |
| CIFS/SMB CSI Driver Operator | Not Available | Technology Preview | Technology Preview |
| VMware vSphere multiple vCenter support | Not Available | Not Available | Technology Preview |
| Disabling/enabling storage on vSphere | Not Available | Not Available | Technology Preview |
| RWX/RWO SELinux Mount | Not Available | Not Available | Developer Preview |
| Migrating CNS Volumes Between Datastores | Not Available | Not Available | Developer Preview |

Installation Technology Preview features

Table 21. Installation Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Installing OpenShift Container Platform on Oracle® Cloud Infrastructure (OCI) with VMs | Technology Preview | Technology Preview | Technology Preview |
| Installing OpenShift Container Platform on Oracle® Cloud Infrastructure (OCI) on bare metal | Developer Preview | Developer Preview | Developer Preview |
| Adding kernel modules to nodes with kvc | Technology Preview | Technology Preview | Technology Preview |
| Enabling NIC partitioning for SR-IOV devices | Technology Preview | Technology Preview | General Availability |
| User-defined labels and tags for Google Cloud Platform (GCP) | Technology Preview | Technology Preview | Technology Preview |
| Installing a cluster on Alibaba Cloud by using installer-provisioned infrastructure | Technology Preview | Not Available | Not Available |
| Installing a cluster on Alibaba Cloud by using Assisted Installer | Not Available | Technology Preview | Technology Preview |
| Mount shared entitlements in BuildConfigs in RHEL | Technology Preview | Technology Preview | Technology Preview |
| OpenShift Container Platform on Oracle® Cloud Infrastructure (OCI) | Technology Preview | Technology Preview | Technology Preview |
| Selectable Cluster Inventory | Technology Preview | Technology Preview | Technology Preview |
| Static IP addresses with VMware vSphere (IPI only) | Technology Preview | General Availability | General Availability |
| Support for iSCSI devices in RHCOS | Technology Preview | General Availability | General Availability |
| Installing a cluster on GCP using the Cluster API implementation | Not Available | Technology Preview | Technology Preview |
| Support for Intel® VROC-enabled RAID devices in RHCOS | Technology Preview | General Availability | General Availability |

Node Technology Preview features

Table 22. Nodes Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| MaxUnavailableStatefulSet featureset | Technology Preview | Technology Preview | Technology Preview |

Multi-Architecture Technology Preview features

Table 23. Multi-Architecture Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| IBM Power® Virtual Server using installer-provisioned infrastructure | General Availability | General Availability | General Availability |
| kdump on arm64 architecture | Technology Preview | Technology Preview | Technology Preview |
| kdump on s390x architecture | Technology Preview | Technology Preview | Technology Preview |
| kdump on ppc64le architecture | Technology Preview | Technology Preview | Technology Preview |
| Multiarch Tuning Operator | Not Available | Technology Preview | Technology Preview |

Specialized hardware and driver enablement Technology Preview features

Table 24. Specialized hardware and driver enablement Technology Preview tracker
Feature 4.15 4.16 4.17

Scalability and performance Technology Preview features

Table 25. Scalability and performance Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| factory-precaching-cli tool | Technology Preview | Technology Preview | Technology Preview |
| Hyperthreading-aware CPU manager policy | Technology Preview | Technology Preview | Technology Preview |
| HTTP transport replaces AMQP for PTP and bare-metal events | Technology Preview | General Availability | General Availability |
| Mount namespace encapsulation | Technology Preview | Technology Preview | Technology Preview |
| Node Observability Operator | Technology Preview | Technology Preview | Technology Preview |
| Tuning etcd latency tolerances | Technology Preview | General Availability | General Availability |
| Increasing the etcd database size | Not Available | Technology Preview | Technology Preview |
| Using RHACM PolicyGenerator resources to manage GitOps ZTP cluster policies | Not Available | Technology Preview | Technology Preview |

Operator lifecycle and development Technology Preview features

Table 26. Operator lifecycle and development Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Operator Lifecycle Manager (OLM) v1 | Technology Preview | Technology Preview | Technology Preview |
| RukPak | Technology Preview | Technology Preview | Technology Preview |
| Platform Operators | Technology Preview | Removed | Removed |
| Scaffolding tools for Hybrid Helm-based Operator projects | Technology Preview | Deprecated | Deprecated |
| Scaffolding tools for Java-based Operator projects | Technology Preview | Deprecated | Deprecated |

OpenShift CLI (oc) Technology Preview features

Table 27. OpenShift CLI (oc) Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| oc-mirror plugin v2 | Not Available | Technology Preview | Technology Preview |
| Enclave support | Not Available | Technology Preview | Technology Preview |
| Delete functionality | Not Available | Technology Preview | Technology Preview |

Monitoring Technology Preview features

Table 28. Monitoring Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Metrics Collection Profiles | Technology Preview | Technology Preview | Technology Preview |
| Metrics Server | Technology Preview | General Availability | General Availability |

Red Hat OpenStack Platform (RHOSP) Technology Preview features

Table 29. RHOSP Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Dual-stack networking with installer-provisioned infrastructure | General Availability | General Availability | General Availability |
| Dual-stack networking with user-provisioned infrastructure | General Availability | General Availability | General Availability |
| RHOSP integration into the Cluster CAPI Operator | Technology Preview | Technology Preview | Technology Preview |
| Control Plane with rootVolumes and etcd on local disk | Technology Preview | Technology Preview | Technology Preview |

Hosted control planes Technology Preview features

Table 30. Hosted control planes Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Hosted control planes for OpenShift Container Platform on Amazon Web Services (AWS) | Technology Preview | Technology Preview | Technology Preview |
| Hosted control planes for OpenShift Container Platform using non-bare metal agent machines | Technology Preview | Technology Preview | Technology Preview |
| Hosted control planes for an ARM64 OpenShift Container Platform cluster on Amazon Web Services | Technology Preview | Technology Preview | Technology Preview |
| Hosted control planes for OpenShift Container Platform on IBM Power | Technology Preview | Technology Preview | Technology Preview |
| Hosted control planes for OpenShift Container Platform on IBM Z | Technology Preview | Technology Preview | Technology Preview |

Machine management Technology Preview features

Table 31. Machine management Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Managing machines with the Cluster API for Amazon Web Services | Technology Preview | Technology Preview | Technology Preview |
| Managing machines with the Cluster API for Google Cloud Platform | Technology Preview | Technology Preview | Technology Preview |
| Managing machines with the Cluster API for VMware vSphere | Not Available | Technology Preview | Technology Preview |
| Defining a vSphere failure domain for a control plane machine set | Technology Preview | General Availability | General Availability |
| Cloud controller manager for Alibaba Cloud | Technology Preview | Removed | Removed |
| Cloud controller manager for Google Cloud Platform | General Availability | General Availability | General Availability |
| Cloud controller manager for IBM Power® Virtual Server | Technology Preview | Technology Preview | Technology Preview |

Authentication and authorization Technology Preview features

Table 32. Authentication and authorization Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Pod security admission restricted enforcement | Technology Preview | Technology Preview | Technology Preview |

Machine Config Operator Technology Preview features

Table 33. Machine Config Operator Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Improved MCO state reporting | Technology Preview | Technology Preview | Technology Preview |
| On-cluster RHCOS image layering | Not Available | Technology Preview | Technology Preview |
| Node disruption policies | Not Available | Technology Preview | General Availability |
| Updating boot images for GCP clusters | Not Available | Technology Preview | General Availability |
| Updating boot images for AWS clusters | Not Available | Not Available | Technology Preview |

Edge computing Technology Preview features

Table 34. Edge computing Technology Preview tracker
| Feature | 4.15 | 4.16 | 4.17 |
| --- | --- | --- | --- |
| Accelerated provisioning of GitOps ZTP | Not Available | Technology Preview | Technology Preview |
| Deploying IPsec encryption to managed clusters with GitOps ZTP and RHACM | Not Available | Technology Preview | Technology Preview |

Known issues

  • The oc annotate command does not work for LDAP group names that contain an equal sign (=), because the command uses the equal sign as a delimiter between the annotation name and value. As a workaround, use oc patch or oc edit to add the annotation. (BZ#1917280)

  • The DNF package manager included in Red Hat Enterprise Linux CoreOS (RHCOS) images cannot be used at runtime, because DNF relies on additional packages to access entitled nodes in a cluster that are under a Red Hat subscription. As a workaround, use the rpm-ostree command instead. (OCPBUGS-35247)

  • If the controller pod terminates while a clone operation, or the taking or restoring of a volume snapshot, is in progress, the Microsoft Azure File clone or snapshot persistent volume claims (PVCs) remain in the Pending state. To resolve this issue, delete any affected clone or snapshot PVCs, and then recreate those PVCs. (OCPBUGS-35977)

Asynchronous errata updates

Security, bug fix, and enhancement updates for OpenShift Container Platform 4.17 are released as asynchronous errata through the Red Hat Network. All OpenShift Container Platform 4.17 errata are available on the Red Hat Customer Portal. See the OpenShift Container Platform Life Cycle for more information about asynchronous errata.

Red Hat Customer Portal users can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, users are notified through email whenever new errata relevant to their registered systems are released.

Red Hat Customer Portal user accounts must have systems registered and consuming OpenShift Container Platform entitlements for OpenShift Container Platform errata notification emails to be generated.

This section will continue to be updated over time to provide notes on enhancements and bug fixes for future asynchronous errata releases of OpenShift Container Platform 4.17. Versioned asynchronous releases, for example with the form OpenShift Container Platform 4.17.z, will be detailed in subsections. In addition, releases in which the errata text cannot fit in the space provided by the advisory will be detailed in subsections that follow.

For any OpenShift Container Platform release, always review the instructions on updating your cluster properly.

RHSA-2024:XXXX - OpenShift Container Platform 4.17.0 image release, bug fix, and security update advisory

Issued: TBD

OpenShift Container Platform release 4.17.0, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the RHSA-2024:XXXX advisory. The RPM packages that are included in the update are provided by the RHSA-2024:XXXX advisory.

Space precluded documenting all of the container images for this release in the advisory.

You can view the container images in this release by running the following command:

$ oc adm release info 4.17.0 --pullspecs