OpenShift Container Platform 4.18 release notes

Scaffolding tools for Hybrid Helm-based Operator projects

Scaffolding tools for Java-based Operator projects

Updating Go-based Operator projects

Updating Ansible-based Operator projects

Updating Helm-based Operator projects

Not Available

Technology Preview

General Availability

Deprecated

Removed

Previously, API validation did not prevent an authorized client from decreasing the current revision of a static pod operand, such as kube-apiserver, or prevent the operand from progressing concurrently on two nodes. With this release, requests that attempt to do either are now rejected. (OCPBUGS-48502)

Previously, the oauth-server would crash when configuring an oath identity provider (IDP) with a callback path that contained spaces. With this release, the issue is resolved.(OCPBUGS-44099)

Previously, the Bare Metal Operator (BMO) created the HostFirmwareComponents custom resource for all Bare Metal hosts (BMH), including ones based on the intelligent platform management interface (IPMI), which did not support it. With this release, HostFirmwareComponents custom resources are only created for BMH that support it. (OCPBUGS-49699)

Previously, in bare-metal configurations where the provisioning network is disabled but the bootstrapProvisioningIP field is set, the bare-metal provisioning components might fail to start. These failures occur when the provisioning process reconfigures the external network interface on the bootstrap VM during the process of pulling container images. With this release, dependencies were added to ensure that interface reconfiguration only occurs when the network is idle, preventing conflicts with other processes. As a result, the bare-metal provisioning components now start reliably, even when the bootstrapProvisioningIP field is set and the provisioning network is disabled. (OCPBUGS-36869)

Previously, Ironic inspection failed if special or invalid characters existed in the serial number of a block device. This occurred because the lsblk command failed to escape the characters. With this release, the command now escapes the characters so this issue no longer persists. (OCPBUGS-36492)

Previously, a check for unexpected IP addresses on the provisioning interface during metal3 pod startup was triggered. This issue occurred because of the presence of an IP addresses supplied by DHCP from a previous version of the pod that existed on another node. With this release, a pod startup check now looks only for IP addresses that exist outside the provisioning network subnet, so that a metal3 pod starts immediately, even when if the node has moved to a different node. (OCPBUGS-38507)

Previously, the availability set fault domain count was hardcoded to 2. This value works in most regions in Microsoft Azure because the fault domain counts are typically at least 2, but failed in the centraluseuap and eastusstg regions. With this release, the availability set fault domain count in a region is set dynamically. (OCPBUGS-48659)

Previously, an updated zone API error message from Google Cloud Platform (GCP) with increased granularity caused the machine controller to mistakenly mark the machine as valid with a temporary cloud error instead of recognizing it as an invalid machine configuration error. This prevented the invalid machine from transitioning to a failed state. With this update, the machine controller handles the new error messages correctly, and machines with an invalid zone or project ID now transition properly to a failed state. (OCPBUGS-47790)

Previously, the certificate signing request (CSR) approver included certificates from other systems within its calculations for whether it was overwhelmed and should stop approving certificates. In larger clusters, with other subsystems using CSRs, the CSR approver counted unrelated unapproved CSRs towards its total and prevented further approvals. With this release, the CSR approver only includes CSRs that it can approve, by using the signerName property as a filter. As a result, the CSR approver only prevents new approvals when there are a large number of unapproved CSRs for the relevant signerName values. (OCPBUGS-46425)

Previously, some cluster autoscaler metrics were not initialized, and therefore were not available. With this release, these metrics are initialized and available. (OCPBUGS-46416)

Previously, if an informer watch stream missed an event because of a temporary disconnection, the informer might return a special signal type after it reconnected to the network, especially when the informer recognizes that an EndpointSlice object was deleted during the temporary disconnection. The returned signal type indicated that the state of the event has stalled and that the object was deleted. The returned signal type was not accurate and might have caused confusion for a OpenShift Container Platform user. With this release, the Cloud Controller Manager (CCM) handles unexpected signal types so that OpenShift Container Platform users do not receive confusing information from returned types. (OCPBUGS-45972)

Previously, when the AWS DHCP option set was configured to use a custom domain name that contains a trailing period (.), OpenShift Container Platform installation failed. With this release, the logic that extracts the hostname of EC2 instances and turns them into Kubelet node names is updated to trim trailing periods so that the resulting Kubernetes object name is valid. Trailing periods in the DHCP option set no longer cause installation to fail. (OCPBUGS-45889)

Previously, installation of an AWS cluster failed in certain environments on existing subnets when the publicIp parameter for the MachineSet object was explicity set to false. With this release, a configuration value set for publicIp no longer causes issues when the installation program provisions machines for your AWS cluster in certain environment. (OCPBUGS-45130)

Previously, enabling a provisioning network by editing the cluster-wide Provisioning resource was only possible on clusters with platform type baremetal, such as ones created by the IPI installer. On baremetal SNO and UPI clusters that would result in a validation error. The excessive validation has been removed, and enabling a provisioning network is now possible on baremetal clusters with platform type none. As with IPI, users are responsible for making sure that all networking requirements are met for this operation. (OCPBUGS-43371)

Previously, the installation program populated the network.devices, template and workspace fields in the spec.template.spec.providerSpec.value section of the VMware vSphere control plane machine set custom resource (CR). These fields should be set in the vSphere failure domain, and the installation program populating them caused unintended behaviors. Updating these fields did not trigger an update to the control plane machines, and these fields were cleared when the control plane machine set was deleted. With this release, the installation program is updated to no longer populate values that are included in the failure domain configuration. If these values are not defined in a failure domain configuration, for instance on a cluster that is updated to OpenShift Container Platform 4.18 from an earlier version, the values defined by the installation program are used. (OCPBUGS-32947)

Previously, the cluster autoscaler would occasionally leave a node with a PreferNoSchedule taint during deletion. With this release, the maximum bulk deletion limit is disabled so that nodes with this taint no longer remain after deletion. (OCPBUGS-42132)

Previously, the Cloud Controller Manager (CCM) liveness probe used on IBM Cloud cluster installations could not use loopback and this caused the probe to continuously restart. With this release, the probe can use loopback so that this issue not longer occurs. (OCPBUGS-41936)

Previously, the approval mechanism for certificate signing requests (CSRs) failed because the node name and internal DNS entry for a CSR did not match in terms of character case differences. With this release, an update to the approval mechanism for CSRs skips case-sensitive checks so that a CSR with a matching node name and internal DNS entry does not fail the check because of character case differences. (OCPBUGS-36871)

Previously, the cloud node manager had permission to update any node object when it needed to update only the node on which it was running. With this release, restrictions have been put in place to prevent the node manager from one node updating the node object of another node.(OCPBUGS-22190)

Previously, the aws-sdk-go-v2 software development kit (SDK) failed to authenticate an AssumeRoleWithWebIdentity API operation on an Amazon Web Services (AWS) Security Token Service (STS) cluster. With this release, pod-identity-webhook now includes a default region so that this issue no longer persists. (OCPBUGS-45937)

Previously, secrets in the cluster were fetched in a single call. When there were a large number of secrets, this caused the API to time out. With this release, the Cloud Credential Operator fetches secrets in batches limited to 100 secrets. This change prevents timeouts when there are large number of secrets in the cluster. (OCPBUGS-39531)

Previously, if you specified the forceSelinuxRelabel field in a ClusterResourceOverride custom resource (CR), and then modified it afterwards, the change would not be reflected in the clusterresourceoverride-configuration config map, which is used to apply the SELinux re-labeling workaround feature. With this update, the Cluster Resource Override Operator can track the change to the forceSelinuxRelabel feature in order to reconcile the config map object. As a result, the config map object is correctly updated when you change the ClusterResourceOverride CR field. (OCPBUGS-48692)

Previously, a custom security context constraint (SCC) impacted any pod that was generated by the Cluster Version Operator from receiving a cluster version upgrade. With this release, OpenShift Container Platform now sets a default SCC to each pod, so that any custom SCC created does not impact a pod. (OCPBUGS-46410)

Previously, the Cluster Version Operator (CVO) did not filter internal errors that were propogated to the ClusterVersion Failing condition message. As a result, errors that did not negatively impact the update were shown in the "ClusterVersion Failing" condition message. With this release, the errors that are propogated to the ClusterVersion Failing condition message are filtered. (OCPBUGS-15200)

Previously, if a PipelineRun was using a resolver, rerunning that PipelineRun resulted in an error. With this fix, a user can rerun PipelineRun if it is using resolver. (OCPBUGS-45228)

Previously, on the if you edited a deployment config in Form view, the ImagePullSecrets values were duplicated. With this update, editing the form does not add duplicate entries. (OCPBUGS-45227)

Previously, when you searched on the OperatorHub or another catalog, you would experience periods of latency between each key press. With this update, the input on the catalog search bars are debounced. (OCPBUGS-43799)

Previously, no option existed to close the Getting started resources section in the Administrator perspective. With this change, user can close the Getting started resources section. (OCPBUGS-38860)

Previously, when cronjobs were created, the creation of pods happens too quickly, causing the component that fetches new pods off the cronjob to fail. With this update, a 3 second delay was added before starting to fetch the pods of the cronjob. (OCPBUGS-37584)

Previously, resources created when a new user is created were not removed automatically when the user was deleted. This caused clutter on the cluster with configuration maps, roles, and role-bindings. With this update, ownerRefs was added to the resources, so they are cleared once the user is deleted and the cluster no longer clutters with users. (OCPBUGS-37560)

Previously, when importing a Git repository using the serverless import strategy, the environment variables from the func.yaml were not automatically loaded into the form. With this update, the environment variables are now loaded upon import. (OCPBUGS-34764)

Previously, users would erroneously see an option to import a repository using the pipeline build strategy when the devfile import strategy was selected; however, this was not possible. With this update, the pipeline strategy has been removed when the devfile import strategy is selected. (OCPBUGS-32526)

Previously, when using a custom template, you could not enter multi-line parameters, such as private keys. With this release, you can switch between single-line and multi-line modes so you can fill out template fields with multi-line inputs. (OCPBUGS-23080)

Previously, you could not install a cluster on AWS in the ap-southeast-5 region or other regions because the OpenShift Container Platform internal registry did not support these regions. With this release, the internal registry is updated to include the following regions so that this issue no longer occurs:

Previously, when the Image Registry Operator was configured with networkAccess: Internal in Microsoft Azure, it would not be possible to successfully set managementState to Removed in the Operator configuration. This occurred because of an authorization error when the Operator tried to delete the storage container. With this update, the Image Registry Operator continues with the deletion of the storage account, which automatically deletes the storage container, resulting in a successful change into the Removed state. (OCPBUGS-42732)

Previously, when configuring the image registry to use an Microsoft Azure storage account located in a resource group other than the cluster’s resource group, the Image Registry Operator would become degraded due to a validation error. This update changes the Image Registry Operator to allow for authentication by only storage account key without validating for other authentication requirements. (OCPBUGS-42514)

Previously, installation with the OpenShift installer used the cluster API. Virtual networks created by the cluster API use a different tag template. Consequently, setting .spec.storage.azure.networkAccess.type: Internal in the Image Registry Operator’s config.yaml file resulted in the Image Registry Operator unable to discover the virtual network. With this update, the Image Registry Operator searches for both new and old tag templates, resolving the issue. (OCPBUGS-42196)

Previously, the image registry would, in some cases, panic when attempting to purge failed uploads from s3-compatible storage providers. This was caused by the image registry’s s3 driver mishandling empty directory paths. With this update, the image registry properly handles empty directory paths, fixing the panic. (OCPBUGS-39108)

Previously, during entitled builds on a Red Hat OpenShift Container Platform cluster running on IBM Z hardware, repositories were not enabled. This issue has been resolved. You can now enable repositories during entitled builds on a Red Hat OpenShift Container Platform cluster running on IBM Z hardware. (OCPBUG-32233)

Previously, Red Hat Enterprise Linux (RHEL) CoreOS templates that were shipped by the Machine Config Operator (MCO) caused node scaling to fail on Red Hat OpenStack Platform (RHOSP). This issue happened because of an issue with systemd and the presence of a legacy boot image from older versions of OpenShift Container Platform. With this release, a patch fixes the issue with systemd and removes the legacy boot image, so that node scaling can continue as expected. (OCPBUGS-42324)

Previously, if you enabled on-cluster layering for your cluster and you attempted to configure kernel arguments in the machine configuration, machine config pools (MCPs) and nodes entered a degraded state. This happened because of a configuration mismatch. With this release, a check for kernel arguments for a cluster with OCL-enabled ensures that the arguments are configured and applied to nodes in the cluster. This update prevents any mismatch that previously occurred between the machine configuration and the node configuration. (OCPBUGS-34647)

Previously, clicking the "Don’t show again" link in the Lightspeed modal dialog did not correctly navigate to the general User Preference tab when one of the other User Preference tabs was displayed. After this update, clicking the "Don’t show again" link correctly navigates to the general User Preference tab. (OCPBUGS-48106)

Previously, multiple external link icons might show in the primary action button of the OperatorHub modal. With this update, only a single external link icon appears. (OCPBUGS-47742)

Previously, the web console was disabled when the authorization type was set to None in the cluster authentication configuration. With this update, the web console no longer disables when the authorization type was set to None. (OCPBUGS-46068)

Previously, the MachineConfig Details tab displayed an error when one or more spec.config.storage.file did not include optional data. With this update, the error no longer occurs and the Details tab renders as expected. (OCPBUGS-44049)

Previously, an extra name property was passed into resource list page extensions used to list related Operands on the CSV details page. As a result, the Operand list was filtered by the cluster service version (CSV) name and often returned an empty list. With this update, Operands are listed as expected. (OCPBUGS-42796)

Previously, the Sample tab did not show when creating a new ConfigMap with one or more ConfigMap ConsoleYAMLSamples present on the cluster. After this update, the Sample tab shows with one or more ConfigMap ConsoleYAMLSamples present. (OCPBUGS-41492)

Previously, the Events page resource type filter incorrectly reported the number of resources when three or more resources were selected. With this update, the filter always reports the correct number of resources. (OCPBUGS-38701)

Previously, the version number text in the updates graph on the Cluster Settings page appeared as black text on a dark background while viewing the page using Firefox in dark mode. With this update, the text appears as white text. (OCPBUGS-37988)

Previously, Alerting pages did not show resource information in their empty state. With this update, resource information is available on the Alerting pages. (OCPBUGS-36921)

Previously, the Operator Lifecycle Manager (OLM) CSV annotation contained unexpected JSON, which was successfully parsed, but then threw a runtime error when attempting to use the resulting value. With this update, JSON values from OLM annotations are validated before use, errors are logged, and the console does not fail when unexpected JSON is received in an annotation. (OCPBUGS-35744)

Previously, silenced alerts were visible on the Overview page of the OpenShift Container Platform web console. This occurred because the alerts did not include any external labels. With this release, silenced alerts include the external labels so they are filtered out and are not viewable. (OCPBUGS-31367)

Previously, if the SMTP smarthost or from fields under the emailConfigs object were not specified at the global or receiver level in the AlertmanagerConfig custom resource (CR), Alertmanager would crash because these fields are required. With this release, the Prometheus Operator fails reconciliation if these fields are not specified. Therefore, the Prometheus Operator no longer pushes invalid configurations to Alertmanager, preventing it from crashing. (OCPBUGS-48050)

Previously, the Cluster Monitoring Operator (CMO) did not mark configurations in cluster-monitoring-config and user-workload-monitoring-config config maps as invalid for unknown (for example, no longer supported) or duplicated fields. With this release, stricter validation is added that helps identify such errors. (OCPBUGS-42671)

Previously, it was not possible for a user to query the user workload monitoring Thanos API endpoint with POST requests. With this update, a cluster admin can bind a new pod-metrics-reader cluster role with a role binding or cluster role binding to allow POST queries for a user or service account. (OCPBUGS-41158)

Previously, an invalid config map configuration for core platform monitoring, user workload monitoring, or both caused Cluster Monitoring Operator (CMO) to report an InvalidConfiguration error. With this release, if only the user workload monitoring configuration is invalid, CMO reports UserWorkloadInvalidConfiguration, making it clear where the issue is located. (OCPBUGS-33863)

Previously, telemeter-client containers showed a TelemeterClientFailures Warnings message in multiple clusters. With this release, a runbook is added for the TelemeterClientFailures alert to explain the cause of the alert triggering and the alert provides resolution steps. (OCPBUGS-33285)

Previously, AlertmanagerConfig objects with invalid child routes generated invalid Alertmanager configuration leading to Alertmanager disruption. With this release, Prometheus Operator rejects such AlertmanagerConfig objects, and users receive a warning about the invalid child routes in logs. (OCPBUGS-30122)

Previously, the config-reloader for Prometheus for user-defined projects would fail if unset environment variables were used in the ServiceMonitor configuration, which resulted in Prometheus pods failing. With this release, the reloader no longer fails when an unset environment variable is encountered. Instead, unset environment variables are left as they are, while set environment variables are expanded as usual. Any expansion errors, suppressed or otherwise, can be tracked through the reloader_config_environment_variable_expansion_errors variable. (OCPBUGS-23252)

Previously, enabling encapsulated security payload (ESP) offload hardware when using IPSec on Open vSwitch attached interfaces would break connectivity in your cluster. To resolve this issue, OpenShift Container Platform by default disables ESP offload hardware on Open vSwitch attached interfaces. This fixes the issue. (OCPBUGS-42987)

Previously, if you deleted the default sriovOperatorConfig custom resource (CR), you could not recreate the default sriovOperatorConfig CR, because the ValidatingWebhookConfiguration was not initially deleted. With this release, the Single Root I/O Virtualization (SR-IOV) Network Operator removes validating webhooks when you delete the sriovOperatorConfig CR, so that you can create a new sriovOperatorConfig CR. (OCPBUGS-41897)

Previously, if you set custom annotations in a custom resource (CR), the SR-IOV Operator would override all the default annotations in the SriovNetwork CR. With this release, when you define custom annotations in a CR, the SR-IOV Operator does not override the default annotations. (OCPBUGS-41352)

Previously, bonds that were configured in active-backup mode would have IPsec Encapsulating Security Payload (ESP) offload active even if underlying links did not support ESP offload. This caused IPsec associations to fail. With this release, ESP offload is disabled for bonds so that IPsec associations pass. (OCPBUGS-39438)

Previously, the Machine Config Operator (MCO)'s vSphere resolve-prepender script used systemd directives that were incompatible with old bootimage versions used in OpenShift Container Platform 4. With this release, nodes can scale using newer bootimage versions 4.18 4.13 and above, through manual intervention, or by upgrading to a release that includes this fix. (OCPBUGS-38012)

Previously, the Ingress Controller status incorrectly displayed as Degraded=False because of a migration time issue with the CanaryRepetitiveFailures condition. With this release, the Ingress Controller status is correctly marked as Degraded=True for the appropriate length of time that the CanaryRepetitiveFailures condition exists. (OCPBUGS-37491)

Previously, when a pod was running on a node on which egress IPv6 is assigned, the pod was not able to communicate with the Kubernetes service in a dual stack cluster. This resulted in the traffic with the IP family, that the egressIP is not applicable to, being dropped. With this release, only the source network address translation (SNAT) for the IP family that the egress IPs applied to is deleted, eliminating the risk of traffic being dropped. (OCPBUGS-37193)

Previously, the Single-Root I/O Virtualization (SR-IOV) Operator did not expire the acquired lease during the Operator’s shutdown operation. This impacted a new instance of the Operator, because the new instance had to wait for the lease to expire before the new instance was operational. With this release, an update to the Operator shutdown logic ensures that the Operator expires the lease when the Operator is shutting down. (OCPBUGS-23795)

Previously, for an Ingress resource with an IngressWithoutClassName alert, the Ingress Controller did not delete the alert along with deletion of the resource. The alert continued to show on the OpenShift Container Platform web console. With this release, the Ingress Controller resets the openshift_ingress_to_route_controller_ingress_without_class_name metric to 0 before the controller deletes the Ingress resource, so that the alert is deleted and no longer shows on the web console. (OCPBUGS-13181)

Previously, when either the clusterNetwork or serviceNetwork IP address pools overlapped with the default transit_switch_subnet 100.88.0.0/16 IP address and the custom value of transit_switch_subnet did not take effect, ovnkube-node pods crashed after the live migration operation. With this release, the custom value of transit_switch_subnet can be passed to ovnkube node pods, so that this issue no longer persists. (OCPBUGS-43740)

Previously, a change in OVN-Kubernetes that standardized the appProtocol value h2c to kubernetes.io/h2c was not recognized by OpenShift router. Consequently, specifying appProtocol: kubernetes.io/h2c on a service did not cause OpenShift router to use clear-text HTTP/2 to connect to the service endpoints. With this release, OpenShift router was changed to handle appProtocol: kubernetes.io/h2c the same way as it handles appProtocol: h2c resolving the issue. (OCPBUGS-42972)

Previously, instructions that guided the user after changing the LoadBalancer parameter from External to Internal were missing for IBM Power Virtual Server, Alibaba Cloud, and Red Hat OpenStack Platform (RHOSP). This caused the Ingress Controller to be put in a permanent Progressing state. With this release the message The IngressController scope was changed from Internal to External is followed by To effectuate this change, you must delete the service resolving the permanent Progressing state. (OCPBUGS-39151)

Previously, there was no event logged when an error occurred from failed conversion from ingress to route conversion. With this update, this error appear in the event logs. (OCPBUGS-29354)

Previously, an ovnkube-node pod on a node that uses cgroup v1 was failing because it could not find the kubelet cgroup path. With this release, an ovnkube-node pod no longer fails if the node uses cgroup v1. However, the OVN-Kubernetes network plugin outputs an UDNKubeletProbesNotSupported event notification. If you enable cgroup v2 for each node, OVN-Kubernetes no longer outputs the event notification.(OCPBUGS-50513)

Previously, when you finished the live migration for a kubevirt virtual machine (VM) that uses the Layer 2 topology, an old node still transmits IPv4 egress traffic to the virtual machine. With this release, the OVN-Kubernetes plugin updates the gateway MAC address for a kubevirt virtual machine (VM) during the live migration process so that this issue no longer occurs. (OCPBUGS-49857)

Previously, the DNS-based egress firewall incorrectly prevented creation of a firewall rule that contained a DNS name in uppercase characters. With this release, an fix to the egress firewall no longer prevents creation of a firewall rule that contains a DNS name in uppercase characters. (OCPBUGS-49589)

Previously, when you attempted to use the Cluster Network Operator (CNO) to upgrade a cluster with existing localnet networks, ovnkube-control-plane pods failed to run. This happened because the ovnkube-cluster-manager container could not process an OVN-Kubernetes localnet topology network that did not have subnets defined. With this release, a fix ensures that the ovnkube-cluster-manager container can process an OVN-Kubernetes localnet topology network that does not have subnets defined. (OCPBUGS-44195)

Previously, the SR-IOV Network Operator could not retrieve metadata when cloud-native network (CNF) workers were deployed with a configuration drive on Red Hat OpenStack Platform (RHOSP). A configuration drive is often unmounted after a boot operation on immutable systems, so now the Operator dynamically mounts a configuration drive when required. The Operator can now retrieve the metadata and then unmount the configuration drive. This means that you no longer need to manually mount and unmount the configuration drive. (OCPBUGS-41829)

Previously, when you switched your cluster to use a different load balancer, the Ingress Operator did not remove the values from the classicLoadBalancer and networkLoadBalancer parameters in the IngressController custom resource (CR) status. This situation caused the status of the CR to report wrong information from the classicLoadBalancer and networkLoadBalancer parameters. With this release, after you switch your cluster to use a different load balancer, the Ingress Operator removes values from these parameters so that the CR reports a more accurate and less confusing message status. (OCPBUGS-38217)

Previously, a duplicate feature gate, ExternalRouteCertificate, was added to the FeatureGate CR. With this release, ExternalRouteCertificate is removed because a OpenShift Container Platform cluster does not use this feature gate. (OCPBUGS-36479)

Previously, after a user created a route, the user needed both create and update permissions on the routes/custom-host sub-resource to edit the .spec.tls.externalCertificate field of a route. With this release, this permission requirement has been fixed, so that a user only needs the create permission to edit the .spec.tls.externalCertificate field of a route. The update permission is now marked as an optional permission. (OCPBUGS-34373)

Previously, CPU masks for interrupt and network handling CPU affinity were computed incorrectly on machines with more than 256 CPUs. This issue prevented proper CPU isolation and caused systemd unit failures during internal node configuration. This fix ensures accurate CPU affinity calculations, enabling correct CPU isolation on machines with more than 256 CPUs. (OCPBUGS-36431)

Previously, entering an invalid value in any cpuset field under spec.cpu in the PerformanceProfile resource caused the webhook validation to crash. With this release, improved error handling for the PerformanceProfile validation webhook ensures that invalid values for these fields return an informative error. (OCPBUGS-45616)

Previously, users could enter an invalid string for any CPU set in the performance profile, resulting in a broken cluster. With this release, the fix ensures that only valid strings can be entered, eliminating the risk of cluster breakage. (OCPBUGS-47678)

Previously, configuring the Node Tuning Operator (NTO) using PerformanceProfiles created the ocp-tuned-one-shot systemd service, which ran before kubelet and blocked its execution. The systemd service invoked Podman, which used the NTO image. When the NTO image was not present, Podman tried to fetch the image. With this release, support for cluster-wide proxy environment variables defined in /etc/mco/proxy.env is added. This support allows Podman to pull the NTO image in environments that need to use http(s) proxy for out-of-cluster connections. (OCPBUGS-39005)

Previously, CPU masks for interrupt and network handling CPU affinity were computed incorrectly on machines with more than 256 CPUs. This issue prevented proper CPU isolation and caused systemd unit failures during internal node configuration. With this release, a fix ensures accurate CPU affinity calculations, enabling correct CPU isolation on machines with more than 256 CPUs. (OCPBUGS-36431)

Previously, a namespace was passed to a full cluster query on the alerts graph, and this caused the tenancy API path to be used. The API lacked permissions to retrieve data so no data was shown on the alerts graph. With this release, the namespace is no longer passed to a full cluster query for an alert graph. A non-tenancy API path is now used because this API has the correct permissions to retrieve data. Data is not available on an alert graph. (OCPBUGS-46371)

Previously, bounds were based on the first bar in a bar chart. If a bar was larger in size than the first bar, the bar would extend beyond the bar chart boundary. With this release, the bound for a bar chart is based on the largest bar, so no bars extend outside the boundary of a bar chart. (OCPBUGS-46059)

Previously, a Red Hat Advanced Cluster Management (RHACM) Alerting UI refactor update caused an isEmpty check to go missing on the Observe → Metrics menu. The missing check inverted the behavior of the Show all Series and Hide all Series states. This release readds isEmpty check so that Show all Series is now visible when series are hidden and Hide all Series is now visible when the series are shown. (OCPBUGS-46047)

Previously, on the Observe → Alerting → Silences tab, the DateTime component changed the ordering of an event and its value. Because of this issue, you could not edit the until parameter for a silent alert in either the Developer or the Administrator perspective. With this release, a fix means to the DateTime component means that you can now edit the until parameter for a silent alert. (OCPBUGS-46021)

Previously, when using the Developer perspective with custom editors, clicking the n key caused the Namespace menu unexpectedly opened. The issue happened because the keyboard shortcut did not account for custom editors. With this release, the Namespace menu accounts for custom editors and does not open if you type 'n' key. (OCPBUGS-38775)

Previously, on the Observe → Alerting → Silences tab, the creator field was not autopopulated and was not designated as mandatory. This issue happened when the API made the field empty from OpenShift Container Platform 4.15 and onwards. With this update, the field is marked as mandatory and populated with the current user for correct validation. (OCPBUGS-35048)

Previously, when using oc-mirror --v2 delete --generate command, the contents of the working-dir/cluster-resources directory were cleared. With this fix, the working-dir/cluster-resources directory is not cleaned when the delete feature is used. (OCPBUGS-48430)

Previously, release images were signed using a SHA-1 key. On RHEL 9 FIPS STIG-compliant machines, verification of release signatures using the old SHA-1 key failed due to security restrictions on weak keys. With this release, release images are signed using a new SHA-256 trusted key so that the release signatures no longer fail. (OCPBUGS-48314)

Previously, when using the --force-cache-delete flag to delete images from a remote registry, the deletion process did not work as expected. With this update, the issue has been resolved, ensuring that images are deleted properly when the flag is used. (OCPBUGS-47690)

Previously, oc-mirror plugin v2 could not delete the graph image when the mirroring uses a partially disconnected mirroring workflow (mirror-to-mirror). With this update, graph images can now be deleted regardless of the mirroring workflow used. (OCPBUGS-46145)

Previously, if the same image was used by multiple OpenShift Container Platform release components, oc-mirror plugin v2 attempted to delete the image multiple times, but failed after the first attempt. This issue has been resolved by ensuring oc-mirror plugin v2 generates a list of unique images during the delete --generate phase. (OCPBUGS-45299)

Previously, oci catalogs on disk were not mirrored correctly in the oc-mirror plugin v2. With this update, oci catalogs are now successfully mirrored. (OCPBUGS-44225)

Previously, if you reran the oc-mirror command, the rebuild of the oci catalog failed and an error was generated. With this release, if you rerun the oc-mirror command, the wrokspace file is deleted so that the failed catalog issue does not happen. (OCPBUGS-45171)

Previously, if you ran the oc adm node-image create command on the first attempt, sometimes an image can’t be pulled error message was generated. With this release, a retry mechanism addresses temporary failures when pulling the image from the release payload. (OCPBUGS-44388)

Previously, duplicate entries could appear in the signature ConfigMap YAML and JSON files created in the clusterresource object, leading to issues when applying them to the cluster. This update ensures that the generated files do not contain duplicates. (OCPBUGS-42428)

Previously, the release signature ConfigMap for oc-mirror plugin v2 was incorrectly stored in an archived TAR file instead of in the cluster-resources folder. This caused mirror2disk to fail. With this release. the release signature ConfigMap for oc-mirror plugin v2 that is in JSON format or YAML format, compatible with oc-mirror plugin v1, now get stored in the cluster-resources folder. (OCPBUGS-38343) and (OCPBUGS-38233)

Previously, using an invalid log-level flag caused oc-mirror plugin v2 to panic. This update ensures that the oc-mirror plugin v2 handles invalid log levels gracefully. Additionally, the loglevel flag has been renamed to log-level to align with tools like Podman for the convenience of the user. (OCPBUGS-37740)

Previously, the oc adm node-image create --pxe generated command did not create only the Preboot Execution Environment (PXE) artifacts. Instead, the command created the PXE artifacts with other artifacts from a node-joiner pod and stored them all in the wrong subdirectory. Additionally, the PXE artifacts were incorrectly prefixed with agent instead of node. With this release, generated PXE artifacts are stored in the correct directory and receive the correct prefix. (OCPBUGS-46449)

Previously, concurrent reconciliation of the same namespace in Operator Lifecycle Manager (OLM) Classic led to ConstraintsNotSatisfiable errors on subscriptions. This update resolves the issue. (OCPBUGS-48660)

Previously, excessive catalog source snapshots caused severe performance regressions. This update fixes the issue. (OCPBUGS-48644)

Previously, when the kubelet terminated catalog registry pods with the TerminationByKubelet message, the registry pods were not recreated by the catalog Operator. This update fixes the issue. (OCPBUGS-46474)

Previously, OLM (Classic) failed to upgrade Operator cluster service versions (CSVs) due to a TLS validation error. This update fixes the issue. (OCPBUGS-43581)

Previously, service account tokens for Operator groups failed to generate automatically in Operator Lifecycle Manager (OLM) Classic. This update fixes the issue. (OCPBUGS-42360)

Previously when Operator Lifecycle Manager (OLM) v1 validated custom resource definition (CRD) upgrades, the message output when detecting changed default values was rendered in bytes instead of human-readable language. With this update, related messages are now updated to show human-readable values. (OCPBUGS-41726)

Previously, the status update function did not return an error when a connection error occurred in the Catalog Operator. As a result, the Operator might crash because the IP address returned a nil status. This update resolves the issue so that an errro message is returned and the Operator no longer crashes. (OCPBUGS-37637)

Previously, catalog source registry pods did not recover from cluster node failures. This update fixes the issue. (OCPBUGS-36661)

Previously, Operators with many custom resources (CRs) exceeded API server timeouts. As a result, the install plan for the Operator got stuck in a pending state. This update fixes the issue by adding a page view for list CRs deployed on the cluster. (OCPBUGS-35358)

Previously, the Performance Profile Creator (PPC) failed to build a performance profile for compute nodes that had different core ID numbering (core per socket) for their logical processors and the nodes existed under the same node pool. For example, the PPC failed in a situation for two compute nodes that have logical processors 2 and 18, where one node groups them as core ID 2 and the other node groups them as core ID 9.

Previously, if you specified a long string of isolated CPUs in a performance profile, such as 0,1,2,…​,512, the tuned, Machine Config Operator and rpm-ostree components failed to process the string as expected. As a consequence, after you applied the performance profile, the expected kernel arguments were missing. The system failed silently with no reported errors. With this release, the string for isolated CPUs in a performance profile is converted to sequential ranges, such as 0-512. As a result, the kernel arguments are applied as expected in most scenarios. (OCPBUGS-45264)

Previously, the kdump initramfs would stop responding when trying to open a local encrypted disk. This occurred even when the kdump destination was a remote machine that did not need access to the local disk. With this release, the issue is fixed and the kdump initramfs successfully opens a local encrypted disk. (OCPBUGS-43040)

Previously, explicitly disabling FIPS mode with fips=0 caused some systemd services, that assume FIPS mode was requested, to run and consequently fail. This issue resulted in RHCOS failing to boot. With this release, the relevant systemd services now only run if FIPS mode is enabled by specifying fips=1. As a result, RHCOS now correctly boots without FIPS mode enabled when fips=0 is specified. (OCPBUGS-39536)

Previously, you could configure the NUMA Resources Operator to map a nodeGroup to more than one MachineConfigPool. This implementation is contrary to the intended design of the Operator, which assumed a one-to-one mapping between a nodeGroup and a MachineConfigPool. With this release, if a nodeGroup maps to more than one MachineConfigPool, the Operator accepts the configuration, but the Operator state moves to Degraded. To retain the previous behavior, you can apply the config.node.openshift-kni.io/multiple-pools-per-tree: enabled annotation to the NUMA Resources Operator. However, the ability to assign a nodeGroup to more than one MachineConfigPool will be removed in a future release. (OCPBUGS-42523)

Previously, Portworx plugin Container Storage Interface (CSI) migration failed without the inclusion of an upstream patch. With this release, the Portworx plugin CSI translation now copies the secret name and namespace to Kubernetes version to 1.31 so that an upstream patch is not required. (OCPBUGS-49437)

Previously, the VSphere Problem Detector Operator waited up to 24 hours to reflect a change in the clustercsidrivers.managementState parameter from Managed to Removed for a VMware vSphere cluster. With this release, the VSphere Problem Detector Operator now reflects this state change in about 1 hour. (OCPBUGS-39358)

Previously, the Azure File Driver attempted to reuse existing storage accounts. With this release, the Azure File Driver creates storage accounts during dynamic provisioning. This means that updated clusters using newly-created Persistent Volumes (PVs) also use a new storage account. PVs that were previously provisioned continue using the same storage account used before the cluster update. (OCPBUGS-38922)

Previously, the configuration loader logged YAML unmarshall errors when the INI succeeded. With this release, the unmarshall errors are no longer logged when the INI succeeds. (OCPBUGS-38368)

Previously, the Storage Operator counted an incorrect number of control plane nodes that existed in a cluster. This count is needed for the Operator to determine the number of replicas for controllers. With this release, the Storage Operator now counts the correct number of control plane nodes, leading to a more accurate count of replica controllers. (OCPBUGS-36233)

Previously, the manila-csi-driver and node registrar pods had missing health checks because of a configuration issue. With this release, the health checks are now added to both of these resources. (OCPBUGS-29240)

Not Available

Technology Preview

General Availability

Deprecated

Removed