Chapter 1. OpenShift Container Platform 4.17 release notes

PDF

Red Hat OpenShift Container Platform provides developers and IT organizations with a hybrid cloud application platform for deploying both new and existing applications on secure, scalable resources with minimal configuration and management. OpenShift Container Platform supports a wide selection of programming languages and frameworks, such as Java, JavaScript, Python, Ruby, and PHP.

Built on Red Hat Enterprise Linux (RHEL) and Kubernetes, OpenShift Container Platform provides a more secure and scalable multitenant operating system for today’s enterprise-class applications, while delivering integrated application runtimes and libraries. OpenShift Container Platform enables organizations to meet security, privacy, compliance, and governance requirements.

1.1. About this release

OpenShift Container Platform (RHSA-2024:3718) is now available. This release uses Kubernetes 1.30 with CRI-O runtime. New features, changes, and known issues that pertain to OpenShift Container Platform 4.17 are included in this topic.

OpenShift Container Platform 4.17 clusters are available at https://console.redhat.com/openshift. With the Red Hat OpenShift Cluster Manager application for OpenShift Container Platform, you can deploy OpenShift Container Platform clusters to either on-premises or cloud environments.

OpenShift Container Platform 4.17 is supported on Red Hat Enterprise Linux (RHEL) 8.8-8.10, and on Red Hat Enterprise Linux CoreOS (RHCOS) 9.4.

You must use RHCOS machines for the control plane, and you can use either RHCOS or RHEL for compute machines. RHEL machines are deprecated in OpenShift Container Platform 4.16 and will be removed in a future release.

The support lifecycle for odd-numbered releases, such as OpenShift Container Platform 4.17, on all supported architectures, including x86_64, 64-bit ARM (aarch64), IBM Power® (ppc64le), and IBM Z® (s390x) architectures is 18 months. For more information about support for all versions, see the Red Hat OpenShift Container Platform Life Cycle Policy.

Commencing with the OpenShift Container Platform 4.14 release, Red Hat is simplifying the administration and management of Red Hat shipped cluster Operators with the introduction of three new life cycle classifications; Platform Aligned, Platform Agnostic, and Rolling Stream. These life cycle classifications provide additional ease and transparency for cluster administrators to understand the life cycle policies of each Operator and form cluster maintenance and upgrade plans with predictable support boundaries. For more information, see OpenShift Operator Life Cycles.

OpenShift Container Platform is designed for FIPS. When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.

For more information about the NIST validation program, see Cryptographic Module Validation Program. For the latest NIST status for the individual versions of RHEL cryptographic libraries that have been submitted for validation, see Compliance Activities and Government Standards.

1.2. OpenShift Container Platform layered and dependent component support and compatibility

The scope of support for layered and dependent components of OpenShift Container Platform changes independently of the OpenShift Container Platform version. To determine the current support status and compatibility for an add-on, refer to its release notes. For more information, see the Red Hat OpenShift Container Platform Life Cycle Policy.

1.3. New features and enhancements

This release adds improvements related to the following components and concepts:

1.3.1. Cluster Resource Override Admission Operator

1.3.1.1. Moving the Cluster Resource Override Operator

By default, the installation process creates a Cluster Resource Override Operator pod on a worker node and two Cluster Resource Override pods on control plane nodes. You can move these pods to other nodes, such as an infrastructure node, as needed. For more information, see Moving the Cluster Resource Override Operator pods.

1.3.1.2. Cluster Resource Override Operator pod is owned by a deployment object

The Cluster Resource Override Operator pod is now owned by a deployment object. Previously, the Operator was owned by a daemon set object. Using a deployment for the Operator addresses a number of issues, including additional security and add the ability to run the pods on worker nodes.

1.3.2. Extensions (OLM v1)

1.3.2.1. Operator Lifecycle Manager (OLM) v1 documentation moved to new Extensions guide (Technology Preview)

The documentation for OLM v1, which has been in Technology Preview starting in OpenShift Container Platform 4.14, is now moved and reworked as a separate guide called Extensions. Previously, OLM v1 documentation was a subsection of the existing Operators guide, which otherwise documents the existing OLM feature set.

The updated location and guide name reflect a more focused documentation experience and aims to differentiate between OLM v1 and existing OLM.

1.3.2.2. OLM v1 Technology Preview features

This Technology Preview phase of OLM v1 introduces the following features:

Custom resource definition (CRD) upgrade safety

When you update a CRD that is provided by a cluster extension, OLM v1 now runs a CRD upgrade safety preflight check to ensure backwards compatibility with previous versions of that CRD. The CRD update must pass the validation checks before the change is allowed to progress on a cluster.

For more information, see Custom resource definition (CRD) upgrade safety.

Single object ownership for cluster extensions

In OLM v1, a Kubernetes object can only be owned by a single ClusterExtension object at a time. This ensures that objects within an OpenShift Container Platform cluster are managed consistently and prevents conflicts between multiple cluster extensions attempting to control the same object.

For more information, see Object ownership for cluster extensions.

Enhanced security

OLM v1 now requires a dedicated service account for installing, updating, and managing cluster extensions. Additionally, catalogd uses HTTPS encryption to secure catalog server responses.

For more information, see Creating a service account to manage cluster extensions.

Improved status conditions

In this release, OLM v1 includes improved status conditions and error messaging via the ClusterExtension API.

1.3.2.3. OLM v1 supported extensions and known issue

Currently, Operator Lifecycle Manager (OLM) v1 supports installing cluster extensions that meet all of the following criteria:

The extension must use the registry+v1 bundle format introduced in existing OLM.
The extension must support installation via the AllNamespaces install mode.
The extension must not use webhooks.
The extension must not declare dependencies by using any of the following file-based catalog properties:
- olm.gvk.required
- olm.package.required
- olm.constraint

OLM v1 checks that the extension you want to install meets these constraints. If the extension that you want to install does not meet these constraints, an error message is printed in the cluster extension’s conditions.

Operator Lifecycle Manager (OLM) v1 does not support the OperatorConditions API introduced in existing OLM.

If an extension relies on only the OperatorConditions API to manage updates, the extension might not install correctly. Most extensions that rely on this API fail at start time, but some might fail during reconciliation.

As a workaround, you can pin your extension to a specific version. When you want to update your extension, consult the extension’s documentation to find out when it is safe to pin the extension to a new version.

Important

Currently, Operator Lifecycle Manager (OLM) v1 cannot authenticate private registries, such as the Red Hat-provided Operator catalogs. This is a known issue. As a result, the OLM v1 procedures that rely on having the Red Hat Operators catalog installed do not work. (OCPBUGS-36364)

1.3.3. Edge computing

1.3.3.1. Managing host firmware settings with GitOps ZTP

You can now configure host firmware settings for managed clusters that you deploy with GitOps ZTP. You save host profile YAML files alongside SiteConfig custom resources (CRs) that you use to deploy the managed clusters. GitOps ZTP uses the host profiles to configure firmware settings in the managed cluster hosts during deployment. On the hub cluster, you can use FirmwareSchema CRs to discover managed cluster host firmware schema, and HostFirmwareSettings CRs and retrieve managed clusters firmware settings.

For more information, see Managing host firmware settings with GitOps ZTP.

1.3.3.2. Image-based upgrade enhancements

With this release, the image-based upgrade introduces the following enhancements:

Simplifies the upgrade process for a large group of managed clusters by adding the ImageBasedGroupUpgrade API on the hub
Labels the managed clusters for action completion when using the ImageBasedGroupUpgrade API
Improves seed cluster validation before the seed image generation
Automatically cleans up the container storage disk if usage reaches a certain threshold on the managed clusters
Adds comprehensive event history in the new status.history field of the ImageBasedUpgrade CR

For more information about the ImageBasedGroupUpgrade API, see Managing the image-based upgrade at scale using the ImageBasedGroupUpgrade CR on the hub.

1.3.3.3. Disk encryption with TPM and PCR protection (Technology Preview)

With this release, you can enable disk encryption with Trusted Platform Module (TPM) and Platform Configuration Registers (PCRs) protection. You can use the diskEncryption field in the SiteConfig custom resource (CR) to configure the disk encryption. Configuring the SiteConfig CR enables disk encryption at the time of cluster installation.

For more information, see Enabling disk encryption with TPM and PCR protection.

1.3.3.4. IPsec encryption for multi-node clusters using GitOps ZTP and SiteConfig resources

You can now enable IPsec encryption in managed multi-node clusters that you deploy with GitOps ZTP and Red Hat Advanced Cluster Management (RHACM). You can encrypt traffic between the managed cluster and IPsec endpoints external to the managed cluster. All network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in Transport mode.

For more information, see Configuring IPsec encryption for multi-node clusters using GitOps ZTP and SiteConfig resources.

1.3.4. IBM Z and IBM LinuxONE

With this release, IBM Z® and IBM® LinuxONE are now compatible with OpenShift Container Platform 4.17. You can perform the installation with z/VM, LPAR, or Red Hat Enterprise Linux (RHEL) Kernel-based Virtual Machine (KVM). For installation instructions, see Preparing to install on IBM Z and IBM LinuxONE.

Important

Compute nodes must run Red Hat Enterprise Linux CoreOS (RHCOS).

IBM Z and IBM LinuxONE notable enhancements

The IBM Z® and IBM® LinuxONE release on OpenShift Container Platform 4.17 adds improvements and new capabilities to OpenShift Container Platform components and concepts.

This release introduces support for the following features on IBM Z® and IBM® LinuxONE:

CPU manager
Non-volatile memory express (NVMe) support for LPAR
Tuning etcd latency tolerances

1.3.5. IBM Power

IBM Power® is now compatible with OpenShift Container Platform 4.17. For installation instructions, see the following documentation:

Important

Compute nodes must run Red Hat Enterprise Linux CoreOS (RHCOS).

IBM Power notable enhancements

The IBM Power® release on OpenShift Container Platform 4.17 adds improvements and new capabilities to OpenShift Container Platform components.

This release introduces support for the following features on IBM Power:

Tuning etcd latency tolerances
Installer Provisioned Infrastructure for IBM PowerVS - move to CAPI

IBM Power, IBM Z, and IBM LinuxONE support matrix

Starting in OpenShift Container Platform 4.14, Extended Update Support (EUS) is extended to the IBM Power® and the IBM Z® platform. For more information, see the OpenShift EUS Overview.

Table 1.1. OpenShift Container Platform features
Feature	IBM Power®	IBM Z® and IBM® LinuxONE
Alternate authentication providers	Supported	Supported
Agent-based Installer	Supported	Supported
Assisted Installer	Supported	Supported
Automatic Device Discovery with Local Storage Operator	Unsupported	Supported
Automatic repair of damaged machines with machine health checking	Unsupported	Unsupported
Cloud controller manager for IBM Cloud®	Supported	Unsupported
Controlling overcommit and managing container density on nodes	Unsupported	Unsupported
CPU manager	Supported	Supported
Cron jobs	Supported	Supported
Descheduler	Supported	Supported
Egress IP	Supported	Supported
Encrypting data stored in etcd	Supported	Supported
FIPS cryptography	Supported	Supported
Helm	Supported	Supported
Horizontal pod autoscaling	Supported	Supported
Hosted control planes (Technology Preview)	Supported	Supported
IBM Secure Execution	Unsupported	Supported
Installer-provisioned Infrastructure Enablement for IBM Power® Virtual Server	Supported	Unsupported
Installing on a single node	Supported	Supported
IPv6	Supported	Supported
Monitoring for user-defined projects	Supported	Supported
Multi-architecture compute nodes	Supported	Supported
Multi-architecture control plane	Supported	Supported
Multipathing	Supported	Supported
Network-Bound Disk Encryption - External Tang Server	Supported	Supported
Non-volatile memory express drives (NVMe)	Supported	Unsupported
nx-gzip for Power10 (Hardware Acceleration)	Supported	Unsupported
oc-mirror plugin	Supported	Supported
OpenShift CLI (`oc`) plugins	Supported	Supported
Operator API	Supported	Supported
OpenShift Virtualization	Unsupported	Unsupported
OVN-Kubernetes, including IPsec encryption	Supported	Supported
PodDisruptionBudget	Supported	Supported
Precision Time Protocol (PTP) hardware	Unsupported	Unsupported
Red Hat OpenShift Local	Unsupported	Unsupported
Scheduler profiles	Supported	Supported
Secure Boot	Unsupported	Supported
Stream Control Transmission Protocol (SCTP)	Supported	Supported
Support for multiple network interfaces	Supported	Supported
The `openshift-install` utility to support various SMT levels on IBM Power® (Hardware Acceleration)	Supported	Supported
Three-node cluster support	Supported	Supported
Topology Manager	Supported	Unsupported
z/VM Emulated FBA devices on SCSI disks	Unsupported	Supported
4K FCP block device	Supported	Supported

Table 1.2. Persistent storage options
Feature	IBM Power®	IBM Z® and IBM® LinuxONE
Persistent storage using iSCSI	Supported ^[1]	Supported ^[1],^[2]
Persistent storage using local volumes (LSO)	Supported ^[1]	Supported ^[1],^[2]
Persistent storage using hostPath	Supported ^[1]	Supported ^[1],^[2]
Persistent storage using Fibre Channel	Supported ^[1]	Supported ^[1],^[2]
Persistent storage using Raw Block	Supported ^[1]	Supported ^[1],^[2]
Persistent storage using EDEV/FBA	Supported ^[1]	Supported ^[1],^[2]

Persistent shared storage must be provisioned by using either Red Hat OpenShift Data Foundation or other supported storage protocols.
Persistent non-shared storage must be provisioned by using local storage, such as iSCSI, FC, or by using LSO with DASD, FCP, or EDEV/FBA.

Table 1.3. Operators
Feature	IBM Power®	IBM Z® and IBM® LinuxONE
cert-manager Operator for Red Hat OpenShift	Supported	Supported
Cluster Logging Operator	Supported	Supported
Cluster Resource Override Operator	Supported	Supported
Compliance Operator	Supported	Supported
Cost Management Metrics Operator	Supported	Supported
File Integrity Operator	Supported	Supported
HyperShift Operator	Technology Preview	Technology Preview
IBM Power® Virtual Server Block CSI Driver Operator	Supported	Unsupported
Ingress Node Firewall Operator	Supported	Supported
Local Storage Operator	Supported	Supported
MetalLB Operator	Supported	Supported
Network Observability Operator	Supported	Supported
NFD Operator	Supported	Supported
NMState Operator	Supported	Supported
OpenShift Elasticsearch Operator	Supported	Supported
Vertical Pod Autoscaler Operator	Supported	Supported

Table 1.4. Multus CNI plugins
Feature	IBM Power®	IBM Z® and IBM® LinuxONE
Bridge	Supported	Supported
Host-device	Supported	Supported
IPAM	Supported	Supported
IPVLAN	Supported	Supported

Table 1.5. CSI Volumes
Feature	IBM Power®	IBM Z® and IBM® LinuxONE
Cloning	Supported	Supported
Expansion	Supported	Supported
Snapshot	Supported	Supported

1.3.6. Insights Operator

The Insights Operator now collects the haproxy_exporter_server_threshold metric. (OCPBUGS-36687)
Previously, the Insights Operator gathered information about all Ingress Controller certificates, including their NotBefore and NotAfter dates. This data is now compiled into a JSON file located at aggregated/ingress_controllers_certs.json for easier monitoring of certificate validity across the cluster. (OCPBUGS-35727)

1.3.7. Installation and update

1.3.7.1. User-defined labels and tags for GCP

With this update, the user-defined labels and tags for Google Cloud Platform (GCP) is Generally Available.

For more information, see Managing user-defined labels and tags for GCP.

1.3.7.2. Installing a cluster on Azure in the Central Spain region

You can now install an OpenShift Container Platform cluster on Azure in the Central Spain region, spaincentral.

For more information, see Supported Azure regions.

1.3.7.3. Installing a cluster with the support for configuring multi-architecture compute machines

With this release, you can install an Amazon Web Services (AWS) cluster and Google Cloud Platform (GCP) cluster with the support for configuring multi-architecture compute machines. While installing the cluster, you can specify different CPU architectures for the control plane and compute machines in the following ways:

64-bit x86 compute machines and 64-bit ARM control plane machines
64-bit ARM compute machines and 64-bit x86 control plane machines

An OpenShift Container Platform cluster with multi-architecture compute machines supports compute machines with different architectures. For more information, see the following documentation:

1.3.7.4. Cluster API replaces Terraform for Microsoft Azure installations

In OpenShift Container Platform 4.17, the installation program uses Cluster API instead of Terraform to provision cluster infrastructure during installations on Azure.

Note

With the replacement of Terraform, the following permissions are required if you use a service principal with limited privileges:

Microsoft.Network/loadBalancers/inboundNatRules/read
Microsoft.Network/loadBalancers/inboundNatRules/write
Microsoft.Network/loadBalancers/inboundNatRules/join/action
Microsoft.Network/loadBalancers/inboundNatRules/delete
Microsoft.Network/routeTables/read
Microsoft.Network/routeTables/write
Microsoft.Network/routeTables/join/action

For more information on required permissions, see Required Azure permissions for installer-provisioned infrastructure.

1.3.7.5. Installing a cluster on Google Cloud Platform by using an existing service account

With this update, you can install a cluster on GCP by using an existing service account, allowing you to minimize the permissions that you grant to the service account the installation program uses. You can specify this service account in the compute.platform.gcp.serviceAccount and controlPlane.platform.gcp.serviceAccount parameters in the install-config.yaml file. For more information, see Available installation configuration parameters for GCP.

1.3.7.6. Installing a cluster on AWS by using an existing IAM profile

With this release, you can install OpenShift Container Platform on Amazon Web Services (AWS) by using an existing identity and access management (IAM) instance profile. For more information, see Optional AWS configuration parameters.

1.3.7.7. Installing a cluster on GCP using the N4 machine series

With this release, you can deploy a cluster on GCP using the N4 machine series for compute or control plane machines. The supported disk type of N4 machine series is hyperdisk-balanced. For more information, see Installation configuration parameters for GCP.

1.3.7.8. Cluster API replaces Terraform for Google Cloud Platform (GCP) installations

With this release, the installation program uses Cluster API instead of Terraform to provision cluster infrastructure during installations on GCP.

1.3.7.9. Three-node cluster support for RHOSP

Deploying a three-node cluster on installer-provisioned infrastructure is now supported on Red Hat OpenStack Platform (RHOSP).

For more information, see Installing a three-node cluster on OpenStack.

1.3.7.10. Deploying Red Hat OpenStack Platform (RHOSP) with root volume and etcd on local disk (Generally Available)

You can now move etcd from a root volume (Cinder) to a dedicated ephemeral local disk as a Day 2 deployment with this generally available feature.

For more information, see Deploying on OpenStack with rootVolume and etcd on local disk.

1.3.7.11. Announcement of the deprecation of extending compute nodes into AWS Outposts for clusters deployed on AWS Public Cloud

With this release, extending compute nodes into AWS Outposts for clusters deployed on AWS Public Cloud is deprecated. The ability to deploy compute nodes into AWS Outposts after installation, as an extension of an existing OpenShift Container Platform cluster operating in a public AWS region, will be removed with the release of OpenShift Container Platform version 4.20.

For more information, see Extending an AWS VPC cluster into an AWS Outpost.

1.3.8. Operator lifecycle

1.3.8.1. New guide location and release notes section for Operator Lifecycle Manager (OLM) v1 (Technology Preview)

For release notes about OLM v1 in OpenShift Container Platform 4.17 and later, including its new guide location starting this release, see the new features and enhancements section for Extensions (OLM v1).

This "Operator lifecycle" section will continue to document new features and enhancements for existing OLM in future releases.

1.3.9. Operator development

1.3.9.1. Token authentication for Operators on cloud providers: GCP Workload Identity

With this release, Operators managed by Operator Lifecycle Manager (OLM) can support token authentication when running on Google Cloud Platform (GCP) clusters configured for GCP Workload Identity. Updates to the Cloud Credential Operator (CCO) enable semi-automated provisioning of certain short-term credentials, provided that the Operator author has enabled their Operator to support GCP Workload Identity.

For more information, see CCO-based workflow for OLM-managed Operators with GCP Workload Identity.

1.3.10. OpenShift CLI (oc)

1.3.10.1. oc-mirror to include the HyperShift KubeVirt CoreOS container

With this release, oc-mirror now includes the Red Hat Enterprise Linux CoreOS (RHCOS) image for the HyperShift KubeVirt provider when mirroring the OpenShift Container Platform release payload.

The kubeVirtContainer flag, which is set to false by default, must be set to true in the imageSetConfig.yaml file to extract the KubeVirt Container RHCOS. This ensures support for disconnected environments by including the required image for KubeVirt virtual machines acting as nodes for hosted clusters.

1.3.11. Machine Config Operator

1.3.11.1. Control plane TLS security profiles supported by the MCO

The Machine Config Operator (MCO) and Machine Config Server now use the TLS security profile that is configured for the control plane components. For more information, see Configuring the TLS security profile for the control plane.

1.3.11.2. Updated boot images for AWS now supported (Technology Preview)

Updated boot images are now supported as a Technology Preview feature for Amazon Web Services (AWS) clusters. This feature allows you configure your cluster to update the node boot image whenever you update your cluster. By default, the boot image in your cluster is not updated along with your cluster. For more information, see Updated boot images.

1.3.11.3. Updated boot images for GCP clusters promoted to GA

Updated boot images has been promoted to GA for Google Cloud Platform (GCP) clusters. For more information, see Updated boot images.

1.3.11.4. Node disruption policies promoted to GA

The node disruption policies feature has been promoted to GA. A node disruption policy allows you to define a set of Ignition config objects changes that would require little or no disruption to your workloads. For more information, see Using node disruption policies to minimize disruption from machine config changes.

1.3.12. Machine management

1.3.12.1. Configuring Capacity Reservation by using machine sets

OpenShift Container Platform release 4.17 introduces support for on-demand Capacity Reservation with Capacity Reservation groups on Microsoft Azure clusters. For more information, see Configuring Capacity Reservation by using machine sets for compute or control plane machine sets.

1.3.13. Monitoring

The in-cluster monitoring stack for this release includes the following new and modified features.

1.3.13.1. Updates to monitoring stack components and dependencies

This release includes the following version updates for in-cluster monitoring stack components and dependencies:

Alertmanager to 0.27.0
Prometheus Operator to 0.75.2
Prometheus to 2.53.1
kube-state-metrics to 2.13.0
node-exporter to 1.8.2
Thanos to 0.35.1

1.3.13.2. Changes to alerting rules

Note

Red Hat does not guarantee backward compatibility for recording rules or alerting rules.

Added the PrometheusKubernetesListWatchFailures alert to warn users about Prometheus and Kubernetes API failures, such as unreachable API and permissions issues, which can lead into silent service discovery failures.

1.3.13.3. Updated Prometheus to tolerate jitters at scrape time for user-defined projects

With this update, the Prometheus configuration for monitoring for user-defined projects now tolerates jitters at scrape time. This update optimizes data compression for monitoring deployments that show sub-optimal chunk compression for data storage, which reduces the disk space used by the time series database in these deployments.

1.3.13.4. Network Observability Operator

The Network Observability Operator releases updates independently from the OpenShift Container Platform minor version release stream. Updates are available through a single, Rolling Stream which is supported on all currently supported versions of OpenShift Container Platform 4. Information regarding new features, enhancements, and bug fixes for the Network Observability Operator is found in the Network Observability release notes.

1.3.14. Nodes

1.3.14.1. New CRIO command behavior

Beginning in OpenShift Container Platform 4.17, when a node is rebooted, the crio wipe command checks that the CRI-O binary exited cleanly. Those images that did not exit cleanly are targeted as corrupted and removed. This behavior prevents CRI-O from failing to start due to half-pulled images or other unsynced files. In OpenShift Container Platform 4.15 and 4.16, the crio wipe command removed all images when a node was rebooted. The crio wipe command’s new behavior increases efficiency while still reducing the risk of image corruption when a node is rebooted.

1.3.14.2. New flags added for must-gather command

OpenShift Container Platform release 4.17 adds two new flags for use with the oc adm must-gather command to limit the timespan of the information gathered. Only one of the following flags can be used at a time. Plugins are encouraged but not required to support these flags.

--since: Only return logs newer than a relative duration, such as 5s, 2m, or 3h. Defaults to all logs.
--since-time: Only return logs after a specific date, expressed in the RFC3339 format. Defaults to all logs.

For a full list of flags to use with the oc adm must-gather command, see Must-gather flags.

1.3.14.3. Linux user namespaces now supported for pods (Technology Preview)

OpenShift Container Platform release 4.17 adds support for deploying pods and containers into Linux user namespaces. Running pods and containers in individual user namespaces can mitigate several vulnerabilities that a compromised container can pose to other pods and the node itself. For more information, see Running pods in Linux user namespaces.

1.3.14.4. CRI-O metrics port now uses TLS

OpenShift Container Platform monitoring now uses a TLS-backed endpoint to fetch CRI-O container runtime metrics. These certificates are managed by the system and not the user. OpenShift Container Platform monitoring queries have been updated to the new port. For information on the certificates used by monitoring, see Monitoring and OpenShift Logging Operator component certificates.

1.3.14.5. Adding compute nodes to on-premise clusters

With this release, you can add compute nodes by using the OpenShift CLI (oc) to generate an ISO image, which can then be used to boot one or more nodes in your target cluster. This process can be used regardless of how you installed your cluster.

For more information, see Adding worker nodes to an on-premise cluster.

1.3.15. Networking

1.3.15.1. Dual-NIC Intel E810 Logan Beach as PTP grandmaster clock

You can now configure linuxptp services as a grandmaster clock (T-GM) for dual Intel E810 Logan Beach network interface controllers (NICs). You can configure the linuxptp services as a T-GM for the following dual E810 NICs:

Intel E810-XXVDA4T Westport Channel NICs
Intel E810-CQDA2T Logan Beach NICs

The host system clock is synchronized from the NIC that is connected to the Global Navigation Satellite Systems (GNSS) time source. The second NIC is synced to the 1PPS timing output provided by the NIC that is connected to GNSS. For more information, see Configuring linuxptp services as a grandmaster clock for dual E810 NICs.

1.3.15.2. Enabling the SR-IOV network metrics exporter

With this release, you can query the Single Root I/O Virtualization (SR-IOV) virtual function (VF) metrics by using the OpenShift Container Platform web console to monitor the networking activity of the SR-IOV pods. When you query the SR-IOV VF metrics by using the web console, the SR-IOV network metrics exporter fetches and returns the VF network statistics along with the name and namespace of the pod that the VF is attached to.

For more information, see Enabling the SR-IOV network metrics exporter.

1.3.15.3. Microsoft Azure for the Kubernetes NMState Operator

Red Hat support exists for using the Kubernetes NMState Operator on Microsoft Azure but in a limited capacity. Support is limited to configuring DNS servers on your system as a postinstallation task.

For more information, see About the Kubernetes NMState Operator.

1.3.15.4. View metrics collected by the Kubernetes NMState Operator

The Kubernetes NMState Operator, kubernetes-nmstate-operator, can collect metrics from the kubernetes_nmstate_features_applied component and expose them as ready-to-use metrics. You can view these metrics by using the Administrator and Developer perspectives.

For more information, see Viewing metrics collected by the Kubernetes NMState Operator.

1.3.15.5. New PTP fast events REST API version 2 available

A new PTP fast events O-RAN Release 3 compliant REST API version 2 is available. Now, you can develop PTP event consumer applications that receive host hardware PTP events directly from the PTP Operator-managed pod. The PTP fast events REST API v1 will be deprecated in a future release.

Note

In O-RAN O-Cloud Notification API Specification for Event Consumers 3.0, the resource is defined as a hierarchical path for the subsystem that produces the notifications. The PTP events REST API v2 does not have a global subscription for all lower hierarchy resources contained in the resource path. You subscribe consumer applications to the various available event types separately.

For more information, see Developing PTP event consumer applications with the REST API v2.

1.3.15.6. Automatic leap seconds handling for PTP grandmaster clocks

The PTP Operator now automatically updates the leap second file by using Global Positioning System (GPS) announcements.

Leap second information is stored in an automatically generated ConfigMap resource named leap-configmap in the openshift-ptp namespace.

For more information, see Configuring dynamic leap seconds handling for PTP grandmaster clocks.

1.3.15.7. NIC partitioning for SR-IOV devices (Generally Available)

With this update, the ability to enable NIC partitioning for Single Root I/O Virtualization (SR-IOV) devices at install time is Generally Available.

For more information, see NIC partitioning for SR-IOV devices.

1.3.15.8. Host network settings for SR-IOV VFs (Generally Available)

With this update, the ability to update host network settings for Single Root I/O Virtualization (SR-IOV) network virtual functions in an existing cluster is Generally Available.

For more information, see Node network configuration policy for virtual functions.

1.3.15.9. User-defined network segmentation (Technology Preview)

With OpenShift Container Platform 4.17, users can create multiple networks and declare them as primary or secondary networks for their workloads through the technology preview of the UserDefinedNetwork (UDN) custom resource definition (CRD). With UDN, users can isolate namespaces without configuring and managing complex network policies.

For more information, see Understanding user-defined networks

1.3.15.10. CoreDNS update to version 1.11.3

OpenShift Container Platform 4.17 now includes CoreDNS version 1.11.3.

1.3.15.11. eBPF manager Operator (Tech Preview)

The eBPF manager Operator, available as a Technology Preview, allows you to securely deploy and manage eBPF programs. It facilitates the secure loading, unloading, modifying, and monitoring of eBPF programs in OpenShift Container Platform clusters. For more information about deploying the bpfman Operator, see About the eBPF manager Operator.

1.3.15.12. eBPF program support for Ingress Node Firewall Operator (Technology Preview)

Secure management of eBPF programs for the Ingress Node Firewall Operator is available as a Technology Preview. Use of this feature requires installation of the eBPF manager Operator, also available as a Technology Preview. For more information, see Ingress Node Firewall Operator integration.

1.3.15.13. Changes to MetalLB

With this update, MetalLB uses FRR-K8s as the default backend. Previously, this was an optional feature available in Technology Preview. For more information, see Configuring the integration of MetalLB and FRR-K8s.

MetalLB also includes a new field for the Border Gateway Protocol (BGP) peer custom resource, connectTime. You can use this field to specify how long BGP waits between connection attempts to a neighbor. For more information, see About the BGP peer custom resource.

1.3.15.14. Exposing MTU for vfio-pci SR-IOV devices

With this release, maximum transmission unit (MTU) on virtual function using the vfio-pci driver is available in the network-status pod annotation, and inside the container.

For more information, see Exposing MTU for vfio-pci SR-IOV devices to pod.

1.3.15.15. MetalLB metrics naming update

With this release, the naming convention for MetalLB BGP and BFD metrics was updated:

The naming for BGP metrics was updated from metallb_bgp_<metric_name> to frrk8s_bgp_<metric_name>.
The naming for BFD metrics was updated from metallb_bfd_<metric_name> to frrk8s_bfd_<metric_name>.

To view all the metrics in the new format, see MetalLB metrics for BGP and BFD.

1.3.16. Registry

1.3.16.1. New chunkSizeMiB configuration parameter for S3 registry storage

A new, optional configuration parameter, chunkSizeMiB, is now available for deployments using S3 API-compatible backend storage. When configured, it determines the size of the multipart upload chunks for the S3 API. The default value is 10 MiB, with a minimum of 5 MiB.

For more information, see Image Registry Operator configuration parameters for AWS S3.

1.3.17. Red Hat Enterprise Linux CoreOS (RHCOS)

1.3.17.1. RHCOS uses RHEL 9.4

RHCOS uses Red Hat Enterprise Linux (RHEL) 9.4 packages in OpenShift Container Platform 4.17. These packages ensure that your OpenShift Container Platform instance receives the latest fixes, features, enhancements, hardware support, and driver updates.

1.3.17.2. Support for the DNF package manager

With this release, you can now use DNF to install additional packages to your customized Red Hat Enterprise Linux CoreOS (RHCOS) builds. For more information, see Red Hat Enterprise Linux CoreOS (RHCOS) image layering.

1.3.18. Storage

1.3.18.1. AWS EFS CSI storage usage metrics is generally available

Amazon Web Services (AWS) Elastic File Service (EFS) usage metrics allow you to monitor how much space is used by EFS volumes. This feature is generally available.

Important

Turning on these metrics can lead to performance degradation because the CSI driver walks through the whole volume. Therefore, this option is disabled by default. Administrators must explicitly enable this feature.

For more information, see AWS EFS storage CSI usage metrics.

1.3.18.2. Preventing unauthorized volume mode conversion is generally available

Previously, there was no validation of whether the mode of an original volume (filesystem or raw block), whose snapshot was taken, matches the mode of a newly created volume. This presented a security gap that could allow malicious users to potentially exploit an as-yet-unknown vulnerability in the host operating system.

Nevertheless, some users have a legitimate need to perform such conversions. This feature allows cluster administrators to provide these rights (ability to perform update or patch operations on VolumeSnapshotContents objects) only to trusted users or applications, such as backup vendors.

To convert a volume mode, an authorized user needs to change snapshot.storage.kubernetes.io/allow-volume-mode-change: "true" for VolumeSnapshotContent of the snapshot source.

This feature is supported as generally available.

1.3.18.3. Automatic deletion of resources for GCP Filestore is generally available

In earlier versions of OpenShift Container Platform, when destroying a cluster, Google Compute Platform (GCP) Filestore Storage did not delete all of the cloud resources belonging to that cluster. This required manually deleting all of the persistent volume claims (PVCs) that used the Filestore storage class before destroying the cluster.

With OpenShift Container Platform 4.17, when destroying a cluster the OpenShift Container Platform installer should generally delete all of the cloud resources that belong to that cluster, and therefore manual deletion of PVCs should not be required. However, due to the special nature of the Google Compute Platform (GCP) Filestore resources, the automated cleanup process might not remove all of the resources in some rare cases. This feature is supported as generally available.

For more information, see Destroying clusters and GCP Filestore.

1.3.18.4. Azure File CSI supports snapshots (Technology Preview)

OpenShift Container Platform 4.17 introduces volume snapshot support for the Microsoft Azure File Container Storage Interface (CSI) Driver Operator. This capability is supported as a Technology Preview feature.

For more information, see CSI drivers supported by OpenShift Container Platform and CSI volume snapshots.

1.3.18.5. Multiple vCenter support for vSphere CSI (Technology Preview)

OpenShift Container Platform v4.17 introduces the ability to deploy OpenShift Container Platform across multiple vSphere clusters (vCenters). This feature is supported with Technology Preview status.

Multiple vCenters can only be configured during installation. The maximum number of supported vCenter clusters is three.

For more information, see Multiple vCenter support for vSphere CSI and Installation configuration parameters for vSphere.

1.3.18.6. Disabling and enabling storage on vSphere (Technology Preview)

Cluster administrators might want to disable the VMWare vSphere Container Storage Interface (CSI) Driver as a Day 2 operation, so the vSphere CSI Driver does not interface with your vSphere setup. This feature is supported at the Technology Preview level.

For more information, see Disabling and enabling storage on vSphere.

1.3.18.7. RWX/RWO SELinux Mount (Developer Preview)

Pods might take a very long time to start when the volume contains a large number of files. To avoid SELinux labeling issues while keeping SELinux confining, you can enable the ReadWriteMany/ReadWriteOnce (RWX/RWO) SELinux Mount feature. Be advised that the RWX/RWO SELinux Mount feature is a Developer Preview feature. It is not supported by Red Hat, and you should not enable this feature set on production or clusters that you plan to maintain over time.

Important

RWX/RWO SELinux Mount is a Developer Preview feature only. Developer Preview features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

For more information about the RWX/RWO SELinux Mount feature, including how to enable it, see RWX/RWO SELinux Mount feature Knowledge Centered Service article.

1.3.18.8. Migrating CNS volumes between datastores with cns-migration (Developer Preview)

In OpenShift Container Platform 4.17, if you are running out of space in your current datastore, or want to move to a more performant datastore, you can migrate volumes between datastores. Be advised that this feature is a Developer Preview feature. It is not supported by Red Hat.

Important

Migrating CNS Volumes Between Datastores is a Developer Preview feature only. Developer Preview features are not supported by Red Hat in any way and are not functionally complete or production-ready. Do not use Developer Preview features for production or business-critical workloads. Developer Preview features provide early access to upcoming product features in advance of their possible inclusion in a Red Hat product offering, enabling customers to test functionality and provide feedback during the development process. These features might not have any documentation, are subject to change or removal at any time, and testing is limited. Red Hat might provide ways to submit feedback on Developer Preview features without an associated SLA.

For more information about cns-migration, see Moving CNS volumes between datastores.

1.3.18.9. Node scaling for etcd

In this release, if your cluster is installed on a bare metal platform, you can scale a cluster to up to 5 nodes as a post-installation task. The etcd Operator scales accordingly to account for the additional node. For more information, see Node scaling for etcd.

1.3.19. Security

1.3.19.1. Automatic rotation of signer certificates

With this release, all etcd certificates originate from a new namespace: openshift-etcd. When a new signer certificate is close to its expiration date, the following actions occur:

An automatic rotation of the signer certificate activates.
The certificate bundle updates.
All certificates regenerate with the new signers.

Manual rotation of signer certificates is still supported by deleting the specific secret and waiting for the status pod rollout to complete.

1.3.19.2. Sigstore signature image verification

With this release, Technology Preview clusters use Sigstore signatures to verify images that were retrieved using a pull spec that references the quay.io/openshift-release-dev/ocp-release repository.

Currently, if you are mirroring images, you must also mirror quay.io/openshift-release-dev/ocp-release:<release_image_digest_with_dash>.sig Sigstore signatures in order for the image verification to succeed.

1.3.20. Web console

1.3.20.1. OpenShift Lightspeed Operator is available in the web console

Starting with OpenShift Container Platform 4.16, OpenShift Lightspeed Operator is available for use in the web console. With this release, a hover button was added to help you discover OpenShift Lightspeed. Once you click the hover button, the chat window appears with instructions on how to enable and install OpenShift Lightspeed on the cluster. You can hide the OpenShift Lightspeed button when changing the default user preferences.

1.3.20.2. Administrator perspective

This release introduces the following updates to the Administrator perspective of the web console:

Deprecated Operators are displayed in the OperatorHub before and after installation along with a warning notification that the Operator is deprecated.
You can check contnet of the configuration files for MachineConfig objects without having to manually retrieve its contents.
An alert was added to the Operator details page and the Operator installation page if your cluster is on Google Cloud Platform (GCP) with Workload Identity Foundation (WIF).
A page for ShipWright BuildStrategy was added to the Shipwright page with a ClusterBuildStrategy and BuildStrategy tab.

1.3.20.2.2. External OpenID Connect (OIDC) token issuer is now functional in the web console

With this update, the web console works as expected when internal oauth-server resource and oauth-apiserver resource are removed and replaced with an external OpenID Connect (OIDC) issuer.

1.3.20.3. Developer Perspective

This release introduces the following updates to the Developer perspective of the web console:

When you use one of the add flows to create a new deployment, the Import from Git or Container images automatically opens them in the sidebar.
You can easily select the desired Git Type without having to use the list if OpenShift Container Platform is unable to identify its type.
Import from Git supports GitEA, an open-source alternitve to GitHub.
A warning notification displays on the Topology page if the PodDisruptionBudget limit is reached.
When importing applications through the Import from Git flows you can use Shipwright Build strategies such as S2I, buildpack, and buildah strategy for building the image.

1.4. Notable technical changes

OpenShift Container Platform 4.17 introduces the following notable technical changes:

Operator SDK 1.36.1

OpenShift Container Platform 4.17 supports Operator SDK 1.36.1. See Installing the Operator SDK CLI to install or update to this latest version.

Note

Operator SDK 1.36.1 now supports Kubernetes 1.29 and uses a Red Hat Enterprise Linux (RHEL) 9 base image.

If you have Operator projects that were previously created or maintained with Operator SDK 1.31.0, update your projects to keep compatibility with Operator SDK 1.36.1.

1.5. Deprecated and removed features

Some features available in previous releases have been deprecated or removed.

Deprecated functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. For the most recent list of major functionality deprecated and removed within OpenShift Container Platform 4.17, refer to the table below. Additional details for more functionality that has been deprecated and removed are listed after the table.

In the following tables, features are marked with the following statuses:

Not Available
Technology Preview
General Availability
Deprecated
Removed

Bare metal monitoring deprecated and removed features

Table 1.6. Bare Metal Event Relay Operator tracker
Feature	4.15	4.16	4.17
Bare Metal Event Relay Operator	Deprecated	Deprecated	Removed

Images deprecated and removed features

Table 1.7. Cluster Samples Operator deprecated and removed tracker
Feature	4.15	4.16	4.17
Cluster Samples Operator	General Availability	Deprecated	Deprecated

Installation deprecated and removed features

Table 1.8. Installation deprecated and removed tracker
Feature	4.15	4.16	4.17
`--cloud` parameter for `oc adm release extract`	Deprecated	Deprecated	Deprecated
CoreDNS wildcard queries for the `cluster.local` domain	Deprecated	Deprecated	Deprecated
`compute.platform.openstack.rootVolume.type` for RHOSP	Deprecated	Deprecated	Deprecated
`controlPlane.platform.openstack.rootVolume.type` for RHOSP	Deprecated	Deprecated	Deprecated
`ingressVIP` and `apiVIP` settings in the `install-config.yaml` file for installer-provisioned infrastructure clusters	Deprecated	Deprecated	Deprecated
Package-based RHEL compute machines	General Availability	Deprecated	Deprecated
`platform.aws.preserveBootstrapIgnition` parameter for Amazon Web Services (AWS)	General Availability	Deprecated	Deprecated
Terraform infrastructure provider for Amazon Web Services (AWS), VMware vSphere and Nutanix	General Availability	Removed	Removed
Installing a cluster on Alibaba Cloud with installer-provisioned infrastructure	Technology Preview	Removed	Removed
Installing a cluster on AWS with compute nodes in AWS Outposts	Deprecated	Deprecated	Deprecated

Operator lifecycle and development deprecated and removed features

Table 1.9. Operator lifecycle and development deprecated and removed tracker
Feature	4.15	4.16	4.17
Operator SDK	General Availability	Deprecated	Deprecated
Scaffolding tools for Ansible-based Operator projects	General Availability	Deprecated	Deprecated
Scaffolding tools for Helm-based Operator projects	General Availability	Deprecated	Deprecated
Scaffolding tools for Go-based Operator projects	General Availability	Deprecated	Deprecated
Scaffolding tools for Hybrid Helm-based Operator projects	Technology Preview	Deprecated	Deprecated
Scaffolding tools for Java-based Operator projects	Technology Preview	Deprecated	Deprecated
Platform Operators	Technology Preview	Removed	Removed
Plain bundles	Technology Preview	Removed	Removed
SQLite database format for Operator catalogs	Deprecated	Deprecated	Deprecated

Machine management deprecated and removed features

Table 1.10. Machine management deprecated and removed tracker
Feature	4.15	4.16	4.17
Managing machine with Machine API for Alibaba Cloud	Technology Preview	Removed	Removed
Cloud controller manager for Alibaba Cloud	Technology Preview	Removed	Removed

Monitoring deprecated and removed features

Table 1.11. Monitoring deprecated and removed tracker
Feature	4.15	4.16	4.17
`dedicatedServiceMonitors` setting that enables dedicated service monitors for core platform monitoring	Deprecated	Removed	Removed
`prometheus-adapter` component that queries resource metrics from Prometheus and exposes them in the metrics API	Deprecated	Removed	Removed

Networking deprecated and removed features

Table 1.12. Networking deprecated and removed tracker
Feature	4.15	4.16	4.17
OpenShift SDN network plugin	Deprecated	Deprecated	Removed
iptables	Deprecated	Deprecated	Deprecated
Limited live migration to OVN-Kubernetes from OpenShift SDN	Not Available	General Availability	Removed

Storage deprecated and removed features

Table 1.13. Storage deprecated and removed tracker
Feature	4.15	4.16	4.17
AliCloud Disk CSI Driver Operator	General Availability	Removed	Removed

Node deprecated and removed features

Table 1.14. Node deprecated and removed tracker
Feature	4.15	4.16	4.17
`ImageContentSourcePolicy` (ICSP) objects	Deprecated	Deprecated	Deprecated
Kubernetes topology label `failure-domain.beta.kubernetes.io/zone`	Deprecated	Deprecated	Deprecated
Kubernetes topology label `failure-domain.beta.kubernetes.io/region`	Deprecated	Deprecated	Deprecated
cgroup v1	General Availability	Deprecated	Deprecated

Web console deprecated and removed features

Table 1.15. Web console deprecated and removed tracker
Feature	4.15	4.16	4.17
Patternfly 4	Deprecated	Deprecated	Deprecated
React Router 5	Deprecated	Deprecated	Deprecated

Workloads deprecated and removed features

Table 1.16. Workloads deprecated and removed tracker
Feature	4.15	4.16	4.17
`DeploymentConfig` objects	Deprecated	Deprecated	Deprecated

1.5.1. Deprecated features

1.5.1.1. The preserveBootstrapIgnition parameter for AWS

The preserveBootstrapIgnition parameter for AWS in the install-config.yaml file has been deprecated. You can use the bestEffortDeleteIgnition parameter instead. (OCPBUGS-33661)

1.5.1.2. kube-apiserver no longer gets a valid cloud configuration object

In OpenShift Container Platform 4.17, kube-apiserver no longer gets a valid cloud configuration object. As a result, the PersistentVolumeLabel admission plugin rejects in-tree Google Compute Engine (GCE) persistent disk persistent volumes (PD PVs), that do not have the correct topology. (OCPBUGS-34544)

1.5.1.3. kube-apiserver no longer gets a valid cloud configuration object

In OpenShift Container Platform 4.16, Patternfly 4 and React Router 5 were deprecated. The deprecated static remains the same for OpenShift Container Platform 4.17. All plugins should migrate to Patternfly 5 and React Router 6 as soon as possible. (OCPBUGS-34538)

1.5.2. Removed features

1.5.2.1. Bare Metal Event Relay Operator (BMER)

BMER was deprecated in OpenShift Container Platform version 4.15 and 4.16. With this release, BMER is no longer supported and the related BMER content is removed from the documentation.

1.5.2.2. OpenShift SDN network plugin (Removed)

OpenShift SDN network plugin was deprecated in 4.15 and 4.16. With this release, the SDN network plugin is no longer supported and the content has been removed from the documentation.

1.5.2.3. Removal of RukPak (Technology Preview)

RukPak was introduced as a Technology Preview feature in OpenShift Container Platform 4.12. Starting in OpenShift Container Platform 4.14, it was used as a component in the Technology Preview of Operator Lifecycle Manager (OLM) v1.

Starting in OpenShift Container Platform 4.17, RukPak is now removed and relevant functionality relied upon by OLM v1 has been moved to other components.

1.6. Bug fixes

Bare Metal Hardware Provisioning

Previously, attempting to configure RAID on specific hardware models by using Redfish might have resulted in the following error: The attribute StorageControllers/Name is missing from the resource. With this update, the validation logic no longer requires the Name field, because the field is not mandated by the Redfish standard. (OCPBUGS-38465)
Previously, the management interface for the iDRAC9 Redfish management interface in the Redfish Bare Metal Operator (BMO) module was incorrectly set to iPXE. This caused the error Could not find the following interface in the ironic.hardware.interfaces.management entrypoint: ipxe and the deployment failed on Dell Remote Access Controller (iDRAC)-based servers. With this release, the issue is resolved. (OCPBUGS-37261)

Builds

Previously, builds could not set the GIT_LFS_SKIP_SMUDGE environment variable and use its value when cloning the source code. This caused builds to fail for some Git repositories with LFS files. With this release, the build is able to set this environment variable and use it during the git clone step of the build, which resolves the issue. (OCPBUGS-33215)
Previously, if the developer or cluster admin used lowercase environment variable names for proxy information, these environment variables were carried into the build output container image. At runtime, the proxy settings were active and had to be unset. With this release, lowercase versions of the _PROXY environment variables are prevented from leaking into built container images. Now, buildDefaults are only kept during the build and settings created for the build process only are removed before pushing the image in the registry. (OCPBUGS-12699)

Cloud Compute

Previously, a machine controller failed to save the VMware vSphere task ID of an instance template clone operation. This caused the machine to go into the Provisioning state and to power off. With this release, the VMware vSphere machine controller can detect and recover from this state. (OCPBUGS-1735)
Previously, the machine-api Operator reacted when it deleted a server that was in an ERROR state. This happened because the server did not pass a port list. With this release, deleting a machine stuck in an ERROR state does not cause an Operator reaction. (OCPBUGS-33806)
Previously, you could not configure capacity reservation on a Microsoft Azure Workload Identity cluster because of missing permissions. With this release, the Microsoft.Compute/capacityReservationGroups/deploy/action permission is added as a default credential request in the <infra-name>-openshift-machine-api-azure-cloud-credentials custom role, so that you can now configure capacity reservation as expected. (OCPBUGS-37154)
Previously, an optional internal function of the cluster autoscaler caused repeated log entries when it was not implemented. The issue is resolved in this release. (OCPBUGS-33592)
Previously, a node associated with a restarting machine briefly having a status of Ready=Unknown triggered the UnavailableReplicas condition in the Control Plane Machine Set Operator. This condition caused the Operator to enter the Available=False state and trigger alerts because that state indicates a nonfunctional component that requires immediate administrator intervention. This alert should not have been triggered for the brief and expected unavailabilty during a restart. With this release, a grace period for node unreadiness is added to avoid triggering unnecessary alerts. (OCPBUGS-20061)
Previously, when an OpenShift Container Platform cluster was installed with no capabilities and later enabled the Build capability, the related Build cluster configuration custom resource definition (CRD) was not created. With this release, the Build cluster configuration CRD and its default instance are created. This allows the Build capability to be fully configured and customized. (OCPBUGS-34395)
Previously, role bindings related to the Image Registry, Build, and DeploymentConfig capabilities were created in every namespace, even if the capabilities were disabled. With this release, role bindings is only created if the capability is enabled on the cluster. (OCPBUGS-34077)

Cloud Credential Operator

Previously, secrets in the cluster were fetched in a single call. When there was a large number of secrets, the API timed out. With this release, the Cloud Credential Operator fetches secrets in batches limited to 100 secrets. This change prevents timeouts when there is a large number of secrets in the cluster. (OCPBUGS-41233)
Previously, the Cloud Credential Operator reported an error when the awsSTSIAMRoleARN role was not present on a cluster that used manual mode with AWS Security Token Service. With this release, the Cloud Credential Operator no longer reports this as an error. (OCPBUGS-33566)
Previously, when checking whether passthrough permissions are sufficient, the Cloud Credential Operator sometimes received a response from the Google Cloud Platform (GCP) API that a permission is invalid for a project. This response caused the Operator to become degraded and installation to fail. With this release, the Operator is updated to handle this error gracefully. (OCPBUGS-36140)

Cluster Version Operator

Previously, a rarely occurring race condition between Go routines caused the Cluster Version Operator (CVO) to panic after the CVO started. With this release, the Go routines synchronization is improved and the issue is resolved. (OCPBUGS-32678)

Developer Console

Previously, on some browsers, some icons in the samples catalog were stretched, making it hard to read. With this update, the icons were resized correctly, and now the icons are no longer stretched and easier to read. (OCPBUGS-34516)
Previously, s2i build strategy was not explicitly mentioned in the func.yml. Therefore you could not create OpenShift Serverless functions with the repository. Additionally, error messages were not available if s2i is not mentioned or if func.yml. As a result, identifying the reason of failures was not apparent. With this update, if the s2i build strategy is not mentioned, users can still create a function. If it is not s2i, users cannot create a function. The error messages are now different for both the cases. (OCPBUGS-33733)
Previously, when using a Quick Start guided tour in the OpenShift Container Platform web console, it took multiple clicks of the Next button to skip to the next step if the check your work dialog was ignored. With this update, it only takes one click, regardless of the state of the check your work box. (OCPBUGS-25929)

Driver ToolKit (DTK)

Previously, DTK incorrectly included the same values for KERNEL_VERSION and RT_KERNEL_VERSION that exist in the /etc/driver-toolkit-release.json configuration file. With this update, the RT_KERNEL_VERSION is displayed correctly. (OCPBUGS-33699)

etcd Cluster Operator

Previous versions of the etcd Operator checked the health of etcd members in serial with an all-member timeout that matched the single-member timeout. As a result, one slow member check could consume the entire timeout and cause later member checks to fail, regardless of the health of that later member. In this release, the etcd Operator checks the health of members in parallel, so the health and speed of one member’s check does not affect the other members' checks. (OCPBUGS-36301)
Previously, the health checks for the etcd Operator were not ordered. As a consequence, the health check sometimes failed even though all etcd members were healthy. The health-check failure triggered a scale-down event that caused the Operator to prematurely remove a healthy member. With this release, the health checks in the Operator are ordered. As a result, the health checks correctly reflect the health of etcd members and an incorrect scale-down event does not occur. (OCPBUGS-36462)

Hosted control planes

Previously, when a hosted cluster proxy was configured and it used an identity provider (IDP) that had an HTTP or HTTPS endpoint, the hostname of the IDP was unresolved before sending it through the proxy. Consequently, hostnames that could only be resolved by the data plane failed to resolve for IDPs. With this update, a DNS lookup is performed before sending IPD traffic through the konnectivity tunnel. As a result, IDPs with hostnames that can only be resolved by the data plane can be verified by the Control Plane Operator. (OCPBUGS-41371)
Previously, when the hosted cluster controllerAvailabilityPolicy was set to SingleReplica, podAntiAffinity on networking components blocked the availability of the components. With this release, the issue is resolved. (OCPBUGS-39313)
Previously, the AdditionalTrustedCA that was specified in the hosted cluster image configuration was not reconciled into the openshift-config namespace, as expected by the image-registry-operator, and the component did not become available. With this release, the issue is resolved. (OCPBUGS-39225)
Previously, Red Hat HyperShift periodic conformance jobs failed because of changes to the core operating system. These failed jobs caused the OpenShift API deployment to fail. With this release, an update recursively copies individual trusted certificate authority (CA) certificates instead of copying a single file, so that the periodic conformance jobs succeed and the OpenShift API runs as expected. (OCPBUGS-38941)
Previously, the Konnectivity proxy agent in a hosted cluster always sent all TCP traffic through an HTTP/S proxy. It also ignored host names in the NO_PROXY configuration because it only received resolved IP addresses in its traffic. As a consequence, traffic that was not meant to be proxied, such as LDAP traffic, was proxied regardless of configuration. With this release, proxying is completed at the source (control plane) and the Konnectivity agent proxying configuration is removed. As a result, traffic that is not meant to be proxied, such as LDAP traffic, is not proxied anymore. The NO_PROXY configuration that includes host names is honored. (OCPBUGS-38637)
Previously, the azure-disk-csi-driver-controller image was not getting appropriate override values when using registryOverride. This was intentional so as to avoid propagating the values to the azure-disk-csi-driver data plane images. With this update, the issue is resolved by adding a separate image override value. As a result, the azure-disk-csi-driver-controller can be used with registryOverride and no longer affects azure-disk-csi-driver data plane images. (OCPBUGS-38183)
Previously, the AWS cloud controller manager within a hosted control plane that was running on a proxied management cluster would not use the proxy for cloud API communication. With this release, the issue is fixed. (OCPBUGS-37832)
Previously, proxying for Operators that run in the control plane of a hosted cluster was performed through proxy settings on the Konnectivity agent pod that runs in the data plane. It was not possible to distinguish if proxying was needed based on application protocol.
For parity with OpenShift Container Platform, IDP communication via HTTPS or HTTP should be proxied, but LDAP communication should not be proxied. This type of proxying also ignores NO_PROXY entries that rely on host names because by the time traffic reaches the Konnectivity agent, only the destination IP address is available.
With this release, in hosted clusters, proxy is invoked in the control plane via konnectivity-https-proxy and konnectivity-socks5-proxy, and proxying traffic is stopped from the Konnectivity agent. As a result, traffic that is destined for LDAP servers is no longer proxied. Other HTTPS or HTTPS traffic is proxied correctly. The NO_PROXY setting is honored when you specify hostnames. (OCPBUGS-37052)
Previously, proxying for IDP communication occurred in the Konnectivity agent. By the time traffic reached Konnectivity, its protocol and hostname were no longer available. As a consequence, proxying was not done correctly for the OAUTH server pod. It did not distinguish between protocols that require proxying (http/s) and protocols that do not (ldap://). In addition, it did not honor the no_proxy variable that is configured in the HostedCluster.spec.configuration.proxy spec.
With this release, you can configure the proxy on the Konnectivity sidecar of the OAUTH server so that traffic is routed appropriately, honoring your no_proxy settings. As a result, the OAUTH server can communicate properly with identity providers when a proxy is configured for the hosted cluster. (OCPBUGS-36932)
Previously, the HostedClusterConfig Operator (HCCO) did not delete the ImageDigestMirrorSet CR (IDMS) after you removed the ImageContentSources field from the HostedCluster object. As a consequence, the IDMS persisted in the HostedCluster object when it should not. With this release, the HCCO manages the deletion of IDMS resources from the HostedCluster object. (OCPBUGS-34820)
Previously, deploying a hostedCluster in a disconnected environment required setting the hypershift.openshift.io/control-plane-operator-image annotation. With this update, the annotation is no longer needed. Additionally, the metadata inspector works as expected during the hosted Operator reconciliation, and OverrideImages is populated as expected. (OCPBUGS-34734)
Previously, hosted clusters on AWS leveraged their VPC’s primary CIDR range to generate security group rules on the data plane. As a consequence, if you installed a hosted cluster into an AWS VPC with multiple CIDR ranges, the generated security group rules could be insufficient. With this update, security group rules are generated based on the provided machine CIDR range to resolve this issue. (OCPBUGS-34274)
Previously, the OpenShift Cluster Manager container did not have the right TLS certificates. As a consequence, you could not use image streams in disconnected deployments. With this release, the TLS certificates are added as projected volumes to resolve this issue. (OCPBUGS-31446)

Image Registry

Previously, the internal image registry would not correctly authenticate users on clusters configured with external OpenID Connect (OIDC) users. Consequently, this made it impossible for users to push or pull images to and from the internal image registry. With this update, the internal image registry starts by using the SelfSubjectReview API, dropping use of the openshift specific user API, which is not available on clusters configured with external OIDC users. As a result, it is now possible to successfully authenticate with the internal image registry again. (OCPBUGS-35335)
Previously, the image registry was unable to run due to a permissions error in the certificate directory. This issue has been resolved. (OCPBUGS-38885)
Previously, when enabling virtualHostedStyle with regionEndpoint set in image registry Operator config, the image registry would ignore the virtual hosted style config and would fail to start. This update fixes the issue by using a new upstream distribution configuration, which is force path style, in favor of the downstream only version, which is virtual hosted style. (OCPBUGS-32710)
Previously, when OpenShift Container Platform was deployed on Azure clusters with Workload ID, storage accounts created for the cluster and the image registry had Storage Account Key Access enabled by default, which could pose security risks to the deployment.
With this update, shared access keys are disabled by default on new installations that use Workload ID, enhancing security by preventing the use of shared access keys.
Important
Shared access keys should only be disabled if the cluster is configured to use Workload ID. Disabling shared access keys on a cluster not configured with Microsoft Entra Workload ID can cause the Image Registry Operator to become degraded.
For existing storage accounts created before this update, shared access keys are not automatically disabled. Administrators must manually disable shared access key support on these storage accounts to prevent the use of shared keys. For more information about disabling shared access keys, see Prevent Shared Key authorization for an Azure Storage account.
(OCPBUGS-39428)

Installer

Previously, extracting the IP address from the Cluster API Machine object only returned a single address. On VMware vSphere, the returned address would always be an IPv6 address and this caused issues with the must-gather implementation if the address was non-routable. With this release, the Cluster API Machine object returns all IP addresses, including IPv4, so that the must-gather issue no longer occurs on VMware vSphere. (OCPBUGS-37427)
Previously, when installing a cluster on IBM Cloud® into an existing VPC, the installation program retrieved an unsupported VPC region. Attempting to install into a supported VPC region that follows the unsupported VPC region alphabetically caused the installation program to crash. With this release, the installation program is updated to ignore any VPC regions that are not fully available during resource lookups. (OCPBUGS-14963)
Previously, the installation program attempted to download the OVA on VMware vSphere whether the template field was defined or not. With this update, the issue is resolved. The installation program verifies if the template field is defined. If the template field is not defined, the OVA is downloaded. If the template field is defined, the OVA is not downloaded. (OCPBUGS-39240)
Previously, enabling custom feature gates sometimes caused installation on an AWS cluster to fail if the feature gate ClusterAPIInstallAWS=true was not enabled. With this release, the ClusterAPIInstallAWS=true feature gate is not required. (OCPBUGS-34708)
Previously, some processes could be left running if the installation program exited due to infrastructure provisioning failures. With this update, all installation-related processes are terminated when the installation program terminates. (OCPBUGS-36378)
Previously, the installation program required permission to create and delete IAM roles when installing a cluster on AWS even when an existing IAM role was provided. With this update, the installation program only requires these permissions when it is creating IAM roles. (OCPBUGS-36390)
Previously, long cluster names were trimmed without warning the user. With this update, the installation program warns the user when trimming long cluster names. (OCPBUGS-33840)
Previously, the openshift-install CLI sometimes failed to connect to the bootstrap node when collecting bootstrap gather logs. The installation program reported an error message such as The bootstrap machine did not execute the release-image.service systemd unit. With this release and after the bootstrap gather logs issue occurs, the installation program now reports Invalid log bundle or the bootstrap machine could not be reached and bootstrap logs were not collected, which is a more accurate error message. (OCPBUGS-34953)
Previously, when installing a cluster on AWS, subnets that the installation program created were incorrectly tagged with the kubernetes.io/cluster/<clusterID>: shared tag. With this update, these subnets are correctly tagged with the kubernetes.io/cluster/<clusterID>: owned tag. (OCPBUGS-36904)
Previously, the local etcd data store that is saved during installation was not deleted if the installation failed, consuming extra space on the installation host. With this update, the data store is deleted if infrastructure provisioning failures prevent a successful installation. (OCPBUGS-36284)
Previously, when a folder was undefined and the data center was located in a data center folder, an wrong folder structure was created starting from the root of the vCenter server. By using the Govmomi DatacenterFolders.VmFolder, it used the a wrong path. With this release, the folder structure uses the data center inventory path and joins it with the virtual machine (VM) and cluster ID value, and the issue is resolved. (OCPBUGS-38616)
Previously, when templates are defined for each failure domain, the installation program required an external connection to download the OVA in VMware vSphere. With this release, the issue is resolved. (OCPBUGS-39239)
Previously, installing a cluster with a Dynamic Host Configuration Protocol (DHCP) network on Nutanix caused a failure. With this release, this issue is resolved. (OCPBUGS-38934)
Previously, due to an EFI Secure Boot failure in the SCOS, when the FCOS pivoted to the SCOS the virtual machine (VM) failed to boot. With this release, the Secure Boot is disabled only when the Secure Boot is enabled in the coreos.ovf configuration file, and the issue is resolved. (OCPBUGS-37736)
Previously, if you specified an unsupported architecture in the install-config.yaml file the installation program would fail with a connection refused message. With this update, the installation program correctly validates the cluster architecture parameter, leading to successful installations. (OCPBUGS-38841)
Previously, a rare condition om VMware vSphere Cluster API machines caused the vCenter session management to time out unexpectedly. With this release, the Keep Alive support is disabled in the current and later versions of CAPV, and the issue is resolved. (OCPBUGS-38677)
Previously, the installation program on Amazon Web Services (AWS) used multiple IPv4 public IP addresses that Amazon has started charging for. With this release, support is provided for bring your own (BYO) public IPv4 pools in OpenShift Container Platform so that users have control of IP addresses that are used by their services. Where the BYO public IPv4 pools feature is enabled, two new permissions, ec2:DescribePublicIpv4Pools and ec2:DisassociateAddress, are required, and the issue is resolved. (OCPBUGS-35504)
Previously, when users provided public subnets while using existing subnets and creating a private cluster, the installation program occasionally exposed on the public internet the load balancers that were created in public subnets. This invalidated the reason for a private cluster. With this release, the issue is resolved by displaying a warning during a private installation that providing public subnets might break the private clusters and, to prevent this, users must fix their inputs. (OCPBUGS-38963)
Previously, during installation the oc adm node-image create command used the kube-system/cluster-config-v1 resource to determine the platform type. With this release, the installation program uses the infrastructure resource, which provides more accurate information about the platform type. (OCPBUGS-39092)
Previously, the oc adm node-image create command failed when run against a cluster in a restricted environment with a proxy because the command ignored the cluster-wide proxy setting. With this release, when the command is run it checks the cluster proxy resource settings, where available, to ensure the command is run successfully and the issue is resolved. (OCPBUGS-39090)
Previously, when installing a cluster with the Agent-based installer, the assisted-installer process could timeout when attempting to add control plane nodes to the cluster. With this update, the assisted-installer process loads fresh data from the assisted-service process, preventing the timeout. (OCPBUGS-36779)
Previously, when the VMware vSphere vCenter cluster contained an ESXi host that did not have a standard port group defined and the installation program tried to select that host to import the OVA, the import failed and the error Invalid Configuration for device 0 was reported. With this release, the installation program verifies whether a standard port group for an ESXi host is defined and, if not, continues until it locates an ESXi host with a defined standard port group, or reports an error message if it fails to locate one, resolving the issue. (OCPBUGS-38560)
Previously, extracting the IP address from the Cluster API Machine object only returned a single IP address. On VMware vSphere, the returned address would always be an IPv6 address and this caused issues with the must-gather implementation if the address was non-routable. With this release, the Cluster API Machine object returns all IP addresses, including IPv4, so that the must-gather issue no longer occurs on VMware vSphere. (OCPBUGS-37607)
Previously, when installing a cluster on AWS, Elastic Kubernetes Service (EKS) messages could appear in the installation logs even when EKS was meant to be disabled. With this update, EKS log messages have been disabled. (OCPBUGS-35752)
Previously, unexpected output would appear in the terminal when creating an installer-provisioned infrastructure cluster. With this release, the issue has been resolved and the unexpected output no longer shows. (OCPBUGS-35547)
Previously, when installing a cluster on AWS after deleting a cluster with the ./openshift-install destroy cluster command, the installation would fail with an error stating that there might already be a running cluster. With this update, all leftover artifacts are removed when the cluster is destroyed, resulting in successful installations afterwards. (OCPBUGS-35542)
Previously, when installing a cluster on AWS, load balancer ingress rules were continuously revoked and re-authorized, causing unnecessary API calls and delays in cluster provisioning. With this update, load balancer ingress rules are no longer revoked during installation, reducing API traffic and installation delays. (OCPBUGS-35440)
Previously, when setting platform.openstack.controlPlanePort.network without a fixedIPs value, the installation program would output a misleading error message about the network missing subnets. With this release, the installation program validates that the install-config field controlPlanePort has a valid subnet filter set because it is a required value. (OCPBUGS-37104)
Previously, adding IPv6 support for user-provisioned installation platforms caused an issue with naming Red Hat OpenStack Platform (RHOSP) resources, especially when you run two user-provisioned installation clusters on the same Red Hat OpenStack Platform (RHOSP) platform. This happened because the two clusters share the same names for network, subnets, and router resources. With this release, all the resources names for a cluster remain unique for that cluster so no interfere occurs. (OCPBUGS-33973)
Previously, when installing a cluster on IBM Power® Virtual Server with installer-provisioned infrastructure, the installation could fail due to load balancer timeouts. With this update, the installation program waits for the load balancer to be available instead of timing out. (OCPBUGS-34869)
Previously, when using the Assisted Installer, using a password that contained the colon character (:) resulted in a failed installation. With this update, pull secrets containing a colon in the password do not cause the Assisted Installer to fail. (OCPBUGS-31727)
Previously, solid state drives (SSD) that used SATA hardware were identified as removable. The Assisted Installer for OpenShift Container Platform reported that no eligible disks were found and the installation stopped. With this release, removable disks are eligible for installation. (OCPBUGS-33404)
Previously, when installing a cluster on bare metal using installer provisioned infrastructure, the installation could time out if the network to the bootstrap virtual machine is slow. With this update, the timeout duration has been increased to cover a wider range of network performance scenarios. (OCPBUGS-41500)
Previously, when installing a cluster on IBM Power® Virtual Server, the installation program did not list the e980 system type in the madrid region. With this update, the installation program correctly lists this region. (OCPBUGS-38439)
Previously, after installing a single-node OpenShift cluster, the monitoring system could produce an alert that applied to clusters with multiple nodes. With this update, single-node OpenShift clusters only produce monitoring alerts that apply to single-node OpenShift clusters. (OCPBUGS-35833)
Previously, when installing a cluster on IBM Power® Virtual Server, the installation could fail due to a DHCP server network collision. With this update, the installation program selects a random number to generate the DHCP network to avoid collision. (OCPBUGS-33912)
Previously, the installation program used the Neutron API endpoint to tag security groups. This API does not support special characters, so some Red Hat OpenStack Platform (RHOSP) clusters failed to install on RHOSP. With this release, the installation program uses an alternative endpoint to tag security groups so that the issue no longer persists. (OCPBUGS-36913)
Previously, setting an invalid Universally Unique Identifier (UUID) for the additionalNetworkIDs parameter of a machine pool in your install-config configuration file could result in the installation program exiting from installing the cluster. With this release, the installation program checks the validity of the additionalNetworkIDs parameter before the program continuing with installing the cluster so that this issue no longer persists. (OCPBUGS-35420)
Previously, for IBM Power® Virtual Server installer-provisioned infrastructure clusters, if no network name existed for a Dynamic Host Configuration Protocol (DHCP), the destroy code would skip deleting the DHCP resource. With this release, a test now checks if a DHCP is in an ERROR state, so that the DHCP resource is deleted. (OCPBUGS-35039)

Insights Operator

Previously, in some Hypershift hosted clusters, the IO archive contained the hostname even with network obfuscation enabled. This issue has been resolved, and IO archives no longer contain hostnames when they are obfuscated. (OCPBUGS-33082)

Machine Config Operator

Previously, in a cluster that runs OpenShift Container Platform 4.16 with the Telco RAN DU reference configuration, long duration cyclictest or timerlat tests could fail with maximum latencies detected above 20 us. This issue occured because the psi kernel command line argument was being set to 1 by default when cgroup v2 is enabled. With this release, the issue is fixed by setting psi=0 in the kernel arguments when enabling cgroup v2. The cyclictest latency issue reported in OCPBUGS-34022 is now also fixed. (OCPBUGS-37271)
Previously, if a cluster admin creates a new MachineOSConfig object that references a legacy pull secret, the canonicalized version of this secret that gets created is not updated whenever the original pull secret changes. With this release, the issue is resolved. (OCPBUGS-34079)
Previously, the /etc/mco/internal-registry-pull-secret.json secret was being managed by the Machine Config Operator (MCO). Due to a recent change, this secret rotates on an hourly basis. Whenever the MCO detected a change to this secret, it rolled the secret out to each node in the cluster, which resulted in disruptions. With this fix, a different internal mechanism processes changes to the internal registry pull secret to avoid rolling out repeated MachineConfig updates. (OCPBUGS-33913)
Previously, if you created more than one MachineOSConfig object that required a canonicalized secret, only the first object would build. With this fix, the build controller handles multiple MachineOSBuilds that use the same canonicalized secret. (OCPBUGS-33671)
Previously, if machine config pools (MCP) had a higher maxUnavailable value than the cluster’s number of unavailable nodes, cordoned nodes were able to be erroneously selected as an update candidate. This fix adds a node readiness check in the node controller so that cordoned nodes are queued for an update. (OCPBUGS-33397)
Previously, nodes could be drained twice if the node was queued multiple times in the drain controller. This behaviour might have been due to increased activity on the node object by on-cluster layering functionality. With this fix, a node queued for drain only drains once. (OCPBUGS-33134)
Previously, a potential panic was seen in Machine Config Controller and Machine Build Controller objects if a de-reference accidentally deleted MachineOSConfig/MachineOSBuild to read the build status. The panic is controlled with additional error conditions to warn for allowed MachineOSConfig deletions. (OCPBUGS-33129)
Previously, after upgrading from OpenShift Container Platform 4.1 or 4.2 to version 4.15, some machines could get stuck during provisioning and never became available. This was because the machine-config-daemon-firstboot service was failing due to an incompatible machine-config-daemon binary on those nodes. With this release, the correct machine-config-daemon binary is copied to nodes before booting. (OCPBUGS-28974)
Previously, if you attempted to configure on-cluster Red Hat Enterprise Linux CoreOS (RHCOS) image layering on a non-RHCOS node, the node became degraded. With this fix, in this situation, an error message is produced in the node logs, but the node is not degraded. (OCPBUGS-19537)

Management Console

Previously, the Cluster overview page included a View all steps in documentation link that resulted in a 404 error for Red Hat OpenShift Service on AWS and Red Hat OpenShift Dedicated clusters. With this update, the link does not appear for Red Hat OpenShift Service on AWS and Red Hat OpenShift Dedicated clusters. (OCPBUGS-37054)
Previously, a warning was not provided when you were on a Google Cloud Platform (GCP) cluster that supports GCP Workload Identity and that the Operator supports it. With this release, logic was added to support GCP Workload Identity and Federated Identity Operator installs, so now you are alerted when you are on a GCP cluster. (OCPBUGS-38591)
Previously, the version number text in the Updates graph on the Cluster Settings page appeared as black text on a dark background when using Firefox in dark mode. With this update, the text appears as white text. (OCPBUGS-38427)
Previously, dynamic plugins using PatternFly 4 referenced variables that are not available in OpenShift Container Platform 4.15 and later. This was causing contrast issues for Red Hat Advanced Cluster Management (RHACM) in dark mode. With this update, older chart styles are now available to support PatternFly 4 charts used by dynamic plugins. (OCPBUGS-36816)
Previously, when the Display Admission Webhook warning implementation presented issues with some incorrect code. With this update, the unnecessary warning message has been removed. (OCPBUGS-35940)
Previously, the global sync lock that applied to all HTTP servers spawned goroutines with a sync lock that is specific to each of the refresh tokens. With this release, the global refresh sync lock on a cluster with an external OIDC environment was replaced with a sync that refreshes for each token. As a result, refresh token performance is improved by 30% to 50%. (OCPBUGS-35080)
Previously, a warning was not displayed for the minAvailable warning in PodDisruptionBudget create and edit form. With this update, code logic for displaying the minAvailable warning was added, and the minAvailable warning is displayed if violated. (OCPBUGS-34937)
Previously, the OperandDetails page displayed information for the first CRD that matched by name. After this fix, the OperandDetails page displays information for the CRD that matches by name and the version of the operand. (OCPBUGS-34901)
Previously, one inactive or idle browser tab caused session expiration for all other tabs. With this change, activity in any tab will prevent session expiration even if there is one inactive or idle browser tab. (OCPBUGS-34387)
Previously, text areas were not resizable. With this update, you are now able to resize text areas. (OCPBUGS-34200)
Previously, the Console Operator was not able to tolerate the absence of the ingress capability. With this update, the Console Operator configuration API has been enhanced with the possibility to add alternative ingress for the environments where the ingress cluster capability is disabled. (OCPBUGS-33787)
Previously, the Debug container link was not displayed for pods with a Completed status. With this change, the link now appears. (OCPBUGS-33631)
Previously, the OpenShift Container Platform web console did not show filesystem metrics on the Nodes list page due to incorrect Prometheus query. With this update, filesystem metrics are correctly displayed. (OCPBUGS-33136)
Previously, pseudolocalization was not working due to a configuration issue. After this fix, pseudolocalization works again. (OCPBUGS-30218)
Previously, console pods would crash loop if the --user-auth flag was set to disabled. With this update, the console backend properly handles this value. (OCPBUGS-29510)
Previously, utilization cards displayed a limit that incorrectly implied a relationship between capacity and limits. With this update, the position of limit was changed and the wording updated. (OCPBUGS-23332)
Previously, in some edge cases, the wrong resource could be fetched when using websockets to watch a namespaced resource without providing a namespace. With this update, a validation to the resource watch logic was added to prevent the websocket request and log an error under this condition. (OCPBUGS-19855)
Previously, perspective switching was not properly handled. With this update, perspectives that are passed with URL search parameters or plugin route page extensions now correctly switch the perspective and retain the correct URL path. (OCPBUGS-19048)

Networking

Previously, the SR-IOV Network Operator was listing the SriovNetworkNodePolicies resources in random order. This caused the sriov-device-plugin pod to enter a continuous restart loop. With this release, the SR-IOV Network Operator lists policies in a deterministic order so that the sriov-device-plugin pod does not enter a continuous restart loop. (OCPBUGS-36243)
Previously, an interface created inside a new pod would remain inactive and the Gratuitous Address Resolution Protocol (GARP) notification would be generated. The notification did not reach the cluster and this prevented ARP tables of other pods inside the cluster from updating the MAC address of the new pod. This situation caused cluster traffic to stall until ARP table entries expired. With this release, a GARP notification is now sent after the interface inside a pod is active so that the GARP notification reaches the cluster. As a result, surrounding pods can identify the new pod earlier than they could with the previous behavior. (OCPBUGS-30549)
Previously, enabling FIPS for a cluster caused SR-IOV device plugin pods to fail. With this release, SR-IOV device plugin pods have FIPS enabled so that when you enable FIPS for the cluster, the pods do not fail. (OCPBUGS-41131)
Previously, a race condition was generated after rebooting an OpenShift Container Platform node that used a performance profile with a small number of reserved CPUs. This occurred because Single Root I/O Virtualization (SR-IOV) virtual functions (VFs) shared the same MAC address and any pods that used the VFs would experience communication issues. With this release, an update to the SR-IOV Network Operator config daemon ensures that the Operator checks that no duplicate MAC addresses do not exist on VFs. (OCPBUGS-33137)
Previously, if you deleted the sriovOperatorConfig custom resource (CR), you could not create a new sriovOperatorConfig CR. With this release, the Single Root I/O Virtualization (SR-IOV) Network Operator removes validating webhooks when you delete the sriovOperatorConfig CR, so that you can create a new sriovOperatorConfig CR. (OCPBUGS-37567)
Previously, when you switched your cluster to use a different load balancer, the Ingress Operator did not remove the values from the classicLoadBalancer and networkLoadBalancer parameters in the IngressController custom resource (CR) status. This situation caused the status of the CR to report wrong information from the classicLoadBalancer and networkLoadBalancer parameters. With this release, after you switch your cluster to use a different load balancer, the Ingress Operator removes values from these parameters so that the CR reports a more accurate and less confusing message status. (OCPBUGS-38646)
Previously, no multicast packets reached their intended target nodes when a multicast sender and a multicast receiver existed on the same node. This happened because of an OVN-Kubernetes RPM package update. With this release, this regression is fixed in the OVN-Kubernetes RPM package, so that the issue no longer persists. (OCPBUGS-34778)
Previously, when you created a LoadBalancer service for the Ingress Operator, a log message was generated that stated the change was not effective. This log message should only trigger for a change to an Infra custom resource. With this release, this log message is no longer generated when you create a LoadBalancer service for the Ingress Operator. (OCPBUGS-34413)
Previously, the DNSNameResolver controller sent DNS requests to CoreDNS pods for DNS names that had IP addresses with expired time-to-live (TTL) values. This caused a continuous generation of DNS requests and memory leak issues for those pods. With this release, the DNSNameResolver controller waits until it receives the updated list of IP addresses and TTL values for a DNS name before sending any more requests to the DNS name. As a result, the controller no longer generates erroneous requests and sends them to pods. CoreDNS pods can now respond to DNS requests in a timely manner and update the DNSNameResolver objects with the latest IP addresses and TTLs. (OCPBUGS-33750)
Previously, when you used the must-gather tool, a Multus Container Network Interface (CNI) log file, multus.log, was stored in a node’s file system. This situation caused the tool to generate unnecessary debug pods in a node. With this release, the Multus CNI no longer creates a multus.log file, and instead uses a CNI plugin pattern to inspect any logs for Multus DaemonSet pods in the openshift-multus namespace. (OCPBUGS-33959)
Previously, an alert for OVNKubernetesNorthdInactive would not fire in circumstances where it should fire. With this release, the issue is fixed so that the alert for OVNKubernetesNorthdInactive fires as expected. (OCPBUGS-33758)
Previously, for all pods where the default route has been customized, a missing route for the Kubernetes-OVN masquerade address caused each pod to be unable to connect to itself through a service for which it acts as a backend. With this release, the missing route for Kubernetes-OVN masquerade address is added to pods so that the issue no longer occurs. (OCPBUGS-36865)
Previously, the iptables-alerter pod did not handle errors from the crictl command-line interface, which could cause the pod to incorrectly log events from host-network pods or cause pod restarts. With this release, the errors are handled correctly so that these issues no longer persist. (OCPBUGS-37713)
Previously, if you created a hosted cluster by using a proxy for the purposes of making the cluster reach a control plane from a compute node, the compute node would be unavailable to the cluster. With this release, the proxy settings are updated for the node so that the node can use a proxy to successfully communicate with the control plane. (OCPBUGS-37786)
Previously, when a cluster failed to install on an on-premise platform with a configured load balancer, the LoadBalancer service’s LoadBalancerReady condition received the SyncLoadBalancerFailed status. The status generated the following message:
```
The kube-controller-manager logs might contain more details.
```
This message is wrong because the logs are stored in the cloud-controller-manager namespace of a project. With this release, the SyncLoadBalancerFailed status now communicates the correct message:
```
The cloud-controller-manager logs may contain more details.
```
(OCPBUGS-31664)
Previously, you could not control log levels for the internal component that selects IP addresses for cluster nodes. With this release, you can now enable debug log levels so that you can either increase or decrease log levels on-demand. To adjust log levels, you must create a config map manifest file with a configuration similar to the following:
```
apiVersion: v1
data:
  enable-nodeip-debug: "true"
kind: ConfigMap
metadata:
  name: logging
  namespace: openshift-vsphere-infra
# ...
```
(OCPBUGS-32348)
Previously, the Ingress Operator could not successfully update the canary route because the Operator did not have permission to update spec.host or spec.subdomain fields on an existing route. With this release, the required permission is added to the cluster role for the Operator’s service account and the Ingress Operator can update the canary route. (OCPBUGS-36465)
Previously, administrator privileges were required to run some networking containers, such as Keepalived, on supported on-premise platforms. With this release, these containers no longer require administrator privileges to run them on supported on-premise platforms. (OCPBUGS-36175)
Previously, if your NodeNetworkConfigurationPolicy (NNCP) custom resource (CR) is set to use the default spanning tree protocol (STP) implementation, the CR configuration file would show stp.enabled: true, but the OpenShift Container Platform web console cleared the STP checkbox. With this release, the web console only clears the STEP checkbox after you define stp.enabled: false in the NNCP CR YAML file. (OCPBUGS-36238)
Previously, the Ingress Controller status was incorrectly displayed as Degraded=False because of a migration time issue with the CanaryRepetitiveFailures condition. With this release, the Ingress Controller status is correctly marked as Degraded=True for the appropriate length of time that the CanaryRepetitiveFailures condition exists. (OCPBUGS-39220)

Node

Previously, the Container Runtime Config controller did not detect whether a mirror configuration was in use before adding the scope from a ClusterImagePolicy CR to the /etc/containers/registries.d/sigstore-registries.yaml file. As a consequence, image verification failed with a Not looking for sigstore attachments message. With this fix, images are pulled from the mirror registry as expected. (OCPBUGS-36344)
Previously, a group ID was not added to the /etc/group directory within a container when the spec.securityContext.runAsGroup attribute was set in the pod specification. With this release, this issue is fixed. (OCPBUGS-39478)
Previously, because of a critical regression on RHEL 9.4 kernels earlier than 5.14.0-427.26.1.el9_4, the mglru feature had memory management disabled. In this release, the regression issue is fixed so that the mglru feature is now enabled in OpenShift Container Platform 4.17. (OCPBUGS-35436)

Node Tuning Operator (NTO)

Previously, due to an internal bug, the Node Tuning Operator incorrectly computed CPU masks for interrupt and network-handling CPU affinity if a machine had more than 256 CPUs. This prevented proper CPU isolation on those machines and resulted in systemd unit failures. With this release, the Node Tuning Operator computes the masks correctly. (OCPBUGS-39164)
Previously, the Open vSwitch (OVS) pinning procedure set the CPU affinity of the main thread, but other CPU threads did not pick up this affinity if they had already been created. As a consequence, some OVS threads did not run on the correct CPU set, which might interfere with the performance of pods with a Quality of Service (QoS) class of Guaranteed. With this update, the OVS pinning procedure updates the affinity of all the OVS threads, ensuring that all OVS threads run on the correct CPU set. (OCPBUGS-35347)

Observability

Previously, when you log on under the Administrator perspective on the OpenShift Container Platform web console and use the Observe Alerting function, an S is not a function displayed on alert metrics graph. This issue happened because of a missing function validation check. With this release, the function validation check is added so the alert metric chart displays collected metrics. (OCPBUGS-37291)

OpenShift CLI (oc)

Previously, when using oc-mirror plugin v2 with the --delete flag to remove Operator catalogs from mirror registries, the process failed with the following error:
```
2024/08/02 12:18:03 [ERROR]: [OperatorImageCollector] pinging container registry localhost:55000: Get "https://localhost:55000/v2/": http: server gave HTTP response to HTTPS client.
```
This occurred because oc-mirror plugin v2 was querying the local cache using HTTPS instead of HTTP. With this update, the HTTP client is now properly configured before the query, resolving the issue. (OCPBUGS-41503)
Previously, when using the oc-mirror plugin v2 in mirror-to-disk mode, catalog images and contents were stored in subfolders under working-dir, based on the image digest. During the disk-to-mirror process in fully disconnected environments, the plugin tried to resolve the catalog image tag through the source registry, which was unavailable, leading to such errors:
```
[ERROR] : [OperatorImageCollector] pinging container registry registry.redhat.io: Get "http://registry.redhat.io/v2/": dial tcp 23.217.255.152:80: i/o timeout
```
With this update, the plugin checks the local cache during the disk-to-mirror process to determine the digest, avoiding the need to query the registry. (OCPBUGS-36214)
Previously, when using oc-mirror plugin v2 in mirror-to-disk mode in disconnected environments, the plugin was unable to access api.openshift.com to download graph.tar.gz, resulting in mirroring failures. With this update, the plugin now searches the local cache for the graph image in disconnected environments where the UPDATE_URL_OVERRIDE environment variable is set. If the graph image is missing, the plugin skips it without failing. (OCPBUGS-38469)
Previously, oc-mirror plugin v2 failed to mirror Operator catalogs from disk-to-mirror in fully disconnected environments. This issue also affected catalogs that specified a targetCatalog in the ImageSetConfiguration file. With this update, the plugin can now successfully mirror catalogs in fully disconnected environments, and the targetCatalog functionality works as expected. (OCPBUGS-34521)
Previously, with the oc-mirror plugin v2, there was no validation for the -v2 vs --v2 flags for the oc-mirror command. As a result, users who mistakenly used -v2, which sets the log level to 2, instead of --v2, which switches to oc-mirror plugin v2, received unclear error messages. With this update, flag validation is provided. If the -v2 flag is used while the ImageSetConfig is using the v2alpha1 API and --v2 is not specified, an error message is displayed. The following message is now enabled that provides a clear guidance to the user:
```
[ERROR]: Detected a v2 `ImageSetConfiguration`, please use `--v2` instead of `-v2`.
```
(OCPBUGS-33121)
Previously, oc-mirror plugin v2 did not automatically perform retries when it encountered errors on registries, such as timeouts, expired authentication tokens, HTTP 500 errors, and so on. With this update, retries for these errors are implemented, and users can configure retry behavior with the following flags:
- --retry-times: Specifies the number of retry attempts. Default is 2.
- --retry-delay: Sets the delay between retries. Default is 1 second.
- --image-timeout: Defines the timeout period for mirroring an image. Default is 10 minutes.
- --max-parallel-downloads: Controls the maximum number of layers to pull simultaneously during a single copy operation. Default is 6.
  (OCPBUGS-34021)
Previously, when using the oc-mirror plugin v2 with the --rebuild-catalogs flag, the catalog cache was regenerated locally, which caused failures either due to compatibility issues with the opm binary and the platform or due to cache integrity problems on the cluster. With this update, the --rebuild-catalogs flag defaults to true, so catalogs are rebuilt without regenerating the internal cache. Additionally, the image command has been modified to generate the cache during pod startup, which may delay pod initialization. (OCPBUGS-37667)
Previously, the oc-mirror plugin v2 did not use the system proxy configuration to recover signatures for releases when running behind a proxy with system proxy settings. With this release, the system proxy settings are now applied during the signature recovery process. (OCPBUGS-37055)
Previously, oc-mirror plugin v2 would stop the mirroring process when it encountered Operators using bundle versions that were not compliant with semantic versioning, which also prevented the creation of cluster resources like IDMS, ITMS, and CatalogSource objects. With this fix, the plugin now skips these problematic images instead of halting the process. If an image uses incorrect semantic versioning, a warning message is displayed in the console with the relevant image details. (OCPBUGS-33081)
Previously, oc-mirror plugin v2 did not generate ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) files when mirroring failed due to network issues or invalid Operator catalogs. With this update, the oc-mirror continues mirroring other images when Operator or additional images fail, and stops only when release images fail. Cluster resources are generated based on successfully mirrored images, and all errors are collected in a log file for review. (OCPBUGS-34020)
Previously, OpenShift Container Platform release images were not visible in certain registries, such as Red Hat Quay. This prevented users from installing OpenShift Container Platform due to the missing release images. With this update, release images are always tagged to ensure they appear in registries like Red Hat Quay, enabling proper installation. (OCPBUGS-36410)
Previously, the oc adm must-gather command took a long time to gather CPU-related performance data in large clusters. With this release, the data is gathered in parallel instead of sequentially, which shortens the data collection time. (OCPBUGS-34360)
Previously, the oc set env command incorrectly changed the API version of Route and DeploymentConfig objects, for example, apps.openshift.io/v1 became v1. This caused the command to exit with unable to recognize no matches for kind errors. With this release, the error is fixed so that the os set env command keeps the correct API version in Route and DeploymentConfig objects. (OCPBUGS-32108)
Previously, when a must-gather operation failed for any reason and the user manually deleted the leftover namespace, a cluster role binding created by the must-gather command would remain in the cluster. With this release, when the temporary must-gather namespace is deleted, the associated cluster role binding is automatically deleted with it. (OCPBUGS-31848)
Previously, when using the --v2 flag with the oc-mirror plugin v2, if no images were mirrored and some were skipped, empty imds.yaml and itms.yaml files were generated. With this release, the custom resource generation is only triggered when at least one image is successfully mirrored, preventing the creation of empty files. (OCPBUGS-33775)

Operator Lifecycle Manager (OLM)

Previously, clusters with many custom resources (CRs) experienced timeouts from the API server and stranded updates where the only workaround was to uninstall and then reinstall the stranded Operators. This occurred because OLM evaluated potential updates by using a dynamic client lister. With this fix, OLM uses a paging lister for custom resource definitions (CRDs) to avoid timeouts and stranded updates. (OCPBUGS-41549)
Previously, catalog source pods could not recover from a cluster node failure when the registryPoll parameter was unset. With this fix, OLM updates its logic for checking for dead pods. As a result, catalog source pods now recover from node failures as expected. (OCPBUGS-39574)
Previously, if you tried to install a previously-deleted Operator after an OpenShift Container Platform update, the installation might fail. This occurred because OLM could not find previously created bundle unpack jobs. With this fix, OLM correctly installs previously installed Operators. (OCPBUGS-32439)
Previously, when a new version of a custom resource definition (CRD) specified a new conversion strategy, this conversion strategy was expected to successfully convert resources. However, OLM cannot run the new conversion strategies for CRD validation without actually performing the update operation. With this release, OLM generates a warning message during the update process when CRD validations fail with the existing conversion strategy, and the new conversion strategy is specified in the new version of the CRD. (OCPBUGS-31522)
Previously, if the spec.grpcPodConfig.securityContextConfig field in CatalogSource objects was unset within namespaces with a PodSecurityAdmission (PSA) level value of restricted, the catalog pod would not pass PSA validation. With this release, the OLM Catalog Operator now configures the catalog pod with the securityContexts necessary to pass PSA validation. (OCPBUGS-29729)
Previously, the catalogd-controller-manager pod might not have been deployed to a node despite being in the scheduling queue, and the OLM Operator would fail to install. With this fix, CPU requests are reduced for the related resources, and the issue no longer occurs. (OCPBUGS-29705)
Previously, the Catalog Operator sometimes attempted to connect to deleted catalog sources that were stored in the cache. With this fix, the Catalog Operator queries a client to list the catalog sources on a cluster. (OCPBUGS-8659)

Red Hat Enterprise Linux CoreOS (RHCOS)

Previously, LUKS encryption on a system using 512 emulation disks caused provisioning to fail at the ignition-ostree-growfs step because of an sfdisk alignment issue. With this release, the ignition-ostree-growfs script detects this situation and fixes the alignment automatically. As a result, the system no longer fails during provisioning. (OCPBUGS-35410)
Previously, a bug in the growpart utility caused a LUKS device to lock. This caused the system to boot into an emergency mode. With this release, the call to the growpart utility is removed and the system successfully boots without issue. (OCPBUGS-33124)
Previously, if a new deployment was done at the OSTree level on the host, which is identical to the current deployment on a different stateroot, OSTree identified them as equal. This behavior prevented the bootloader from updating when the set-default command was invoked, because OSTree did not recognize the two stateroots as a differentiating factor for deployments. With this release, OSTree’s logic is modified to consider the stateroots. As a result, OSTree properly sets the default deployment to a new deployment that has different stateroots. (OCPBUGS-30276)

Storage

Previously, the Secrets Store Container Storage Interface (CSI) Driver on hosted control planes clusters failed to mount secrets because of an issue when using the hosted control planes command-line interface, hcp, to create OpenID Connect (OIDC) infrastructure on Amazon Web Services. With this release, the issue has been fixed so that the driver can now mount volumes. (OCPBUGS-18711)

1.7. Technology Preview features status

Some features in this release are currently in Technology Preview. These experimental features are not intended for production use. Note the following scope of support on the Red Hat Customer Portal for these features:

Technology Preview Features Support Scope

In the following tables, features are marked with the following statuses:

Not Available
Technology Preview
General Availability
Deprecated
Removed

Networking Technology Preview features

Table 1.17. Networking Technology Preview tracker
Feature	4.15	4.16	4.17
Ingress Node Firewall Operator	General Availability	General Availability	General Availability
eBPF manager Operator	N/A	N/A	Technology Preview
Advertise by using L2 mode the MetalLB service from a subset of nodes, using a specific pool of IP addresses	Technology Preview	Technology Preview	Technology Preview
Multi-network policies for SR-IOV networks	General Availability	General Availability	General Availability
Updating the interface-specific safe sysctls list	Technology Preview	Technology Preview	Technology Preview
Egress service custom resource	Technology Preview	Technology Preview	Technology Preview
VRF specification in `BGPPeer` custom resource	Technology Preview	Technology Preview	Technology Preview
VRF specification in `NodeNetworkConfigurationPolicy` custom resource	Technology Preview	Technology Preview	Technology Preview
Admin Network Policy (`AdminNetworkPolicy`)	Technology Preview	General Availability	General Availability
IPsec external traffic (north-south)	General Availability	General Availability	General Availability
Host network settings for SR-IOV VFs	Technology Preview	Technology Preview	General Availability
Integration of MetalLB and FRR-K8s	Not Available	Technology Preview	General Availability
Dual-NIC Intel E810 PTP boundary clock with highly available system clock	Not Available	General Availability	General Availability
Intel E810 Westport Channel NIC as PTP grandmaster clock	Technology Preview	General Availability	General Availability
Dual-NIC Intel E810 Westport Channel as PTP grandmaster clock	Technology Preview	General Availability	General Availability
Automatic leap seconds handling for PTP grandmaster clocks	Not Available	Not Available	General Availability
PTP events REST API v2	Not Available	Not Available	General Availability
Configure the `br-ex` bridge needed by OVN-Kuberenetes using NMState	Not Available	Technology Preview	Technology Preview
Overlapping IP configuration for multi-tenant networks with Whereabouts	Not Available	General Availability	General Availability
User defined network segmentation	Not Available	Not Available	Technology Preview

Storage Technology Preview features

Table 1.18. Storage Technology Preview tracker
Feature	4.15	4.16	4.17
AWS EFS storage CSI usage metrics	Not Available	Not Available	General Availability
Automatic device discovery and provisioning with Local Storage Operator	Technology Preview	Technology Preview	Technology Preview
Azure File CSI snapshot support	Not Available	Not Available	Technology Preview
IBM Power® Virtual Server Block CSI Driver Operator	General Availability	General Availability	General Availability
Read Write Once Pod access mode	Technology Preview	General Availability	General Availability
Shared Resources CSI Driver in OpenShift Builds	Technology Preview	Technology Preview	Technology Preview
Secrets Store CSI Driver Operator	Technology Preview	Technology Preview	Technology Preview
CIFS/SMB CSI Driver Operator	Not Available	Technology Preview	Technology Preview
VMWare vSphere multiple vCenter support	Not Available	Not Available	Technology Preview
Disabling/enabling storage on vSphere	Not Available	Not Available	Technology Preview
RWX/RWO SELinux Mount	Not Available	Not Available	Developer Preview
Migrating CNS Volumes Between Datastores	Not Available	Not Available	Developer Preview

Installation Technology Preview features

Table 1.19. Installation Technology Preview tracker
Feature	4.15	4.16	4.17
Installing OpenShift Container Platform on Oracle® Cloud Infrastructure (OCI) with VMs	Technology Preview	Technology Preview	Technology Preview
Installing OpenShift Container Platform on Oracle® Cloud Infrastructure (OCI) on bare metal	Developer Preview	Developer Preview	Developer Preview
Adding kernel modules to nodes with kvc	Technology Preview	Technology Preview	Technology Preview
Enabling NIC partitioning for SR-IOV devices	Technology Preview	Technology Preview	General Availability
User-defined labels and tags for Google Cloud Platform (GCP)	Technology Preview	Technology Preview	General Availability
Installing a cluster on Alibaba Cloud by using installer-provisioned infrastructure	Technology Preview	Not Available	Not Available
Installing a cluster on Alibaba Cloud by using Assisted Installer	Not Available	Technology Preview	Technology Preview
Mount shared entitlements in BuildConfigs in RHEL	Technology Preview	Technology Preview	Technology Preview
OpenShift Container Platform on Oracle® Cloud Infrastructure (OCI)	Technology Preview	Technology Preview	Technology Preview
Selectable Cluster Inventory	Technology Preview	Technology Preview	Technology Preview
Static IP addresses with VMware vSphere (IPI only)	Technology Preview	General Availability	General Availability
Support for iSCSI devices in RHCOS	Technology Preview	General Availability	General Availability
Installing a cluster on GCP using the Cluster API implementation	Not Available	Technology Preview	General Availability
Support for Intel® VROC-enabled RAID devices in RHCOS	Technology Preview	General Availability	General Availability

Node Technology Preview features

Table 1.20. Nodes Technology Preview tracker
Feature	4.15	4.16	4.17
`MaxUnavailableStatefulSet` featureset	Technology Preview	Technology Preview	Technology Preview
Linux user namespace support	Not Available	Not Available	Technology Preview

Multi-Architecture Technology Preview features

Table 1.21. Multi-Architecture Technology Preview tracker
Feature	4.15	4.16	4.17
IBM Power® Virtual Server using installer-provisioned infrastructure	General Availability	General Availability	General Availability
`kdump` on `arm64` architecture	Technology Preview	Technology Preview	Technology Preview
`kdump` on `s390x` architecture	Technology Preview	Technology Preview	Technology Preview
`kdump` on `ppc64le` architecture	Technology Preview	Technology Preview	Technology Preview
Multiarch Tuning Operator	Not available	Technology Preview	Technology Preview

Scalability and performance Technology Preview features

Table 1.22. Scalability and performance Technology Preview tracker
Feature	4.15	4.16	4.17
factory-precaching-cli tool	Technology Preview	Technology Preview	Technology Preview
Hyperthreading-aware CPU manager policy	Technology Preview	Technology Preview	Technology Preview
HTTP transport replaces AMQP for PTP and bare-metal events	Technology Preview	General Availability	General Availability
Mount namespace encapsulation	Technology Preview	Technology Preview	Technology Preview
Node Observability Operator	Technology Preview	Technology Preview	Technology Preview
Tuning etcd latency tolerances	Technology Preview	General Availability	General Availability
Increasing the etcd database size	Not Available	Technology Preview	Technology Preview
Using RHACM `PolicyGenerator` resources to manage GitOps ZTP cluster policies	Not Available	Technology Preview	Technology Preview
Pinned Image Sets	Not Available	Technology Preview	Technology Preview

Operator lifecycle and development Technology Preview features

Table 1.23. Operator lifecycle and development Technology Preview tracker
Feature	4.15	4.16	4.17
Operator Lifecycle Manager (OLM) v1	Technology Preview	Technology Preview	Technology Preview
RukPak	Technology Preview	Technology Preview	Removed
Platform Operators	Technology Preview	Removed	Removed
Scaffolding tools for Hybrid Helm-based Operator projects	Technology Preview	Deprecated	Deprecated
Scaffolding tools for Java-based Operator projects	Technology Preview	Deprecated	Deprecated

OpenShift CLI (oc) Technology Preview features

Table 1.24. OpenShift CLI (oc) Technology Preview tracker
Feature	4.15	4.16	4.17
oc-mirror plugin v2	Not Available	Technology Preview	Technology Preview
Enclave support	Not Available	Technology Preview	Technology Preview
Delete functionality	Not Available	Technology Preview	Technology Preview

Monitoring Technology Preview features

Table 1.25. Monitoring Technology Preview tracker
Feature	4.15	4.16	4.17
Metrics Collection Profiles	Technology Preview	Technology Preview	Technology Preview
Metrics Server	Technology Preview	General Availability	General Availability

Monitoring Technology Preview features

Table 1.26. Monitoring Technology Preview tracker
Feature	4.15	4.16	4.17
Red Hat OpenShift Lightspeed in the OpenShift Container Platform web console	Not Available	Developer Preview	Developer Preview

Red Hat OpenStack Platform (RHOSP) Technology Preview features

Table 1.27. RHOSP Technology Preview tracker
Feature	4.15	4.16	4.17
Dual-stack networking with installer-provisioned infrastructure	General Availability	General Availability	General Availability
Dual-stack networking with user-provisioned infrastructure	General Availability	General Availability	General Availability
RHOSP integration into the Cluster CAPI Operator	Technology Preview	Technology Preview	Technology Preview
Control Plane with `rootVolumes` and `etcd` on local disk	Technology Preview	Technology Preview	General Availability

Hosted control planes Technology Preview features

Table 1.28. Hosted control planes Technology Preview tracker
Feature	4.15	4.16	4.17
Hosted control planes for OpenShift Container Platform on Amazon Web Services (AWS)	Technology Preview	Technology Preview	Technology Preview
Hosted control planes for OpenShift Container Platform using non-bare metal agent machines	Technology Preview	Technology Preview	Technology Preview
Hosted control planes for an ARM64 OpenShift Container Platform cluster on Amazon Web Services	Technology Preview	Technology Preview	Technology Preview
Hosted control planes for OpenShift Container Platform on IBM Power	Technology Preview	Technology Preview	Technology Preview
Hosted control planes for OpenShift Container Platform on IBM Z	Technology Preview	Technology Preview	Technology Preview
Hosted control planes for OpenShift Container Platform on RHOSP	Not Available	Not Available	Developer Preview

Machine management Technology Preview features

Table 1.29. Machine management Technology Preview tracker
Feature	4.15	4.16	4.17
Managing machines with the Cluster API for Amazon Web Services	Technology Preview	Technology Preview	Technology Preview
Managing machines with the Cluster API for Google Cloud Platform	Technology Preview	Technology Preview	Technology Preview
Managing machines with the Cluster API for VMware vSphere	Not Available	Technology Preview	Technology Preview
Defining a vSphere failure domain for a control plane machine set	Technology Preview	General Availability	General Availability
Cloud controller manager for Alibaba Cloud	Technology Preview	Removed	Removed
Cloud controller manager for Google Cloud Platform	General Availability	General Availability	General Availability
Cloud controller manager for IBM Power® Virtual Server	Technology Preview	Technology Preview	Technology Preview

Authentication and authorization Technology Preview features

Table 1.30. Authentication and authorization Technology Preview tracker
Feature	4.15	4.16	4.17
Pod security admission restricted enforcement	Technology Preview	Technology Preview	Technology Preview

Machine Config Operator Technology Preview features

Table 1.31. Machine Config Operator Technology Preview tracker
Feature	4.15	4.16	4.17
Improved MCO state reporting	Technology Preview	Technology Preview	Technology Preview
On-cluster RHCOS image layering	Not Available	Technology Preview	Technology Preview
Node disruption policies	Not Available	Technology Preview	General Availability
Updating boot images for GCP clusters	Not Available	Technology Preview	General Availability
Updating boot images for AWS clusters	Not Available	Not Available	Technology Preview

Edge computing Technology Preview features

Table 1.32. Edge computing Technology Preview tracker
Feature	4.15	4.16	4.17
Accelerated provisioning of GitOps ZTP	Not Available	Technology Preview	Technology Preview
Enabling disk encryption with TPM and PCR protection	Not Available	Not Available	Technology Preview

1.8. Known issues

The oc annotate command does not work for LDAP group names that contain an equal sign (=), because the command uses the equal sign as a delimiter between the annotation name and value. As a workaround, use oc patch or oc edit to add the annotation. (BZ#1917280)
A known issue exists when deleting a NetworkAttachmentDefinition (NAD) resource created by a UserDefinedNetwork resource. You must check to see if a pod is referencing the NAD before deleting the NAD. The pod should be deleted before the NAD. Failure to do so can leave pods in an unexpected state. (OCPBUGS-39185)
The DNF package manager included in Red Hat Enterprise Linux CoreOS (RHCOS) images cannot be used at runtime, because DNF relies on additional packages to access entitled nodes in a cluster that are under a Red Hat subscription. As a workaround, use the rpm-ostree command instead. (OCPBUGS-35247)
When installing a cluster on Microsoft Azure, the installation will fail if no install-config.yaml file is provided. If an install-config.yaml file is provided, and controlPlane.platform is present but controlPlane.platform.azure is not provided, the installation will fail. (OCPBUGS-42296)
See Sample customized install-config.yaml file for Azure for a sample configuration file, or set a non-null parameter as in the following example:
```
controlPlane:
  platform:
    azure: {}
```
When installing multiple clusters on Microsoft Azure, running multiple installations simultaneously from the same installation host will result in only one of the clusters installing successfully. If you run the installations sequentially rather than simultaneously, you can install multiple clusters on Azure from the same installation host. (OCPBUGS-36202)
When installing a cluster on Microsoft Azure, specifying the Standard_M8-4ms instance type for control plane machines results in an error due to that instance type specifying its memory in decimal format instead of integer format. (OCPBUGS-42241)
Due to a change in storage account naming in OpenShift Container Platform 4.17, the Azure File Container Storage Interface (CSI) driver now alphabetically matches storage account of the Image Registry Operator. With this change, there is a known issue where the Azure File CSI driver fails to mount all volumes when the image registry is configured as private. The mount failures occur because the CSI driver tries to use the storage account of the Image Registry Operator, which is not configured to allow connections from worker subnets.
As a temporary workaround, the image registry should not be configured as private when using the Azure File CSI driver. This is a known issue and will be fixed in a future version of OpenShift Container Platform. (OCPBUGS-42308)
When installing a cluster on Azure, the installation fails if a customer-managed encryption key is specified. (OCPBUGS-42349)
When an error occurs during mirroring Operators and additional images, the log message "Generating Catalog Source" might still appear, even if no files are generated. (OCPBUGS-42503)

When you run Cloud-native Network Functions (CNF) latency tests on an OpenShift Container Platform cluster, the test can sometimes return results greater than the latency threshold for the test; for example, 20 microseconds for cyclictest testing. This results in a test failure. (OCPBUGS-42328)

When the globallyDisableIrqLoadBalancing field is set to true in the PerformanceProfile object, the isolated CPUs are listed in the IRQBALANCE_BANNED_CPULIST variable instead of the IRQBALANCE_BANNED_CPUS variable. However, changing the value of the globallyDisableIrqLoadBalancing field from true to false does not update the IRQBALANCE_BANNED_CPULIST variable correctly. As a result, the number of CPUs available for load rebalancing does not increase, as the isolated CPUs remain in the IRQBALANCE_BANNED_CPULIST variable. (OCPBUGS-42323)
Note
The IRQBALANCE_BANNED_CPULIST variable and the IRQBALANCE_BANNED_CPUS variable are stored in the /etc/sysconfig/irqbalance file.
Each node group must only match one MachineConfigPool object. In some cases, the NUMA Resources Operator can allow a configuration where a node group matches more than one MachineConfigPool object. This issue could lead to unexpected behavior in resource management. (OCPBUGS-42523)
When the bond mode in the NetworkNodeConfigurationPolicy is changed from balance-rr to active-backup on kernel bonds that are attached to the br-ex interface, the change might fail on arbitrary nodes. As a workaround, create a NetworkNodeConfigurationPolicy object without specifying the bond port configuration. (OCPBUGS-42031)

If the controller pod terminates while cloning, or taking or restoring a volume snapshot, is in progress, the Microsoft Azure File clone or snapshot persistent volume claims (PVCs) remain in the Pending state. To resolve this issue, delete any affected clone or snapshot PVCs, and then recreate those PVCs. (OCPBUGS-35977)

Deploying a self-managed private hosted cluster on AWS fails because the bootstrap-kubeconfig file uses an incorrect KAS port. As a result, the AWS instances are provisioned, but cannot join the hosted cluster as nodes. (OCPBUGS-31840)

1.9. Asynchronous errata updates

Security, bug fix, and enhancement updates for OpenShift Container Platform 4.17 are released as asynchronous errata through the Red Hat Network. All OpenShift Container Platform 4.17 errata is available on the Red Hat Customer Portal. See the OpenShift Container Platform Life Cycle for more information about asynchronous errata.

Red Hat Customer Portal users can enable errata notifications in the account settings for Red Hat Subscription Management (RHSM). When errata notifications are enabled, users are notified through email whenever new errata relevant to their registered systems are released.

Note

Red Hat Customer Portal user accounts must have systems registered and consuming OpenShift Container Platform entitlements for OpenShift Container Platform errata notification emails to generate.

This section will continue to be updated over time to provide notes on enhancements and bug fixes for future asynchronous errata releases of OpenShift Container Platform 4.17. Versioned asynchronous releases, for example with the form OpenShift Container Platform 4.17.z, will be detailed in subsections. In addition, releases in which the errata text cannot fit in the space provided by the advisory will be detailed in subsections that follow.

Important

For any OpenShift Container Platform release, always review the instructions on updating your cluster properly.

1.9.1. RHSA-2024:3718 - OpenShift Container Platform 4.17.0 image release, bug fix, and security update advisory

Issued: 01 October 2024

OpenShift Container Platform release 4.17.0, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the RHSA-2024:3718 advisory. The RPM packages that are included in the update are provided by the RHSA-2024:3722 advisory.

Space precluded documenting all of the container images for this release in the advisory.

You can view the container images in this release by running the following command:

$ oc adm release info 4.17.0 --pullspecs

1.9.1.1. Updating

To update an OpenShift Container Platform 4.16 cluster to this latest release, see Updating a cluster using the CLI.