diff --git a/cicd/builds/triggering-builds-build-hooks.adoc b/cicd/builds/triggering-builds-build-hooks.adoc index d983cf533746..a8aab2aa3946 100644 --- a/cicd/builds/triggering-builds-build-hooks.adoc +++ b/cicd/builds/triggering-builds-build-hooks.adoc @@ -14,11 +14,22 @@ include::modules/builds-webhook-triggers.adoc[leveloffset=+2] include::modules/unauthenticated-users-system-webhook.adoc[leveloffset=+3] +// Preventing cluster failure due to webhooks +include::modules/preventing-cluster-webhook-failure.adoc[leveloffset=+3] + +// Recovering an unstable cluster due to admission webhooks +include::modules/recover-unstable-cluster-webhooks.adoc[leveloffset=+3] + [role="_additional-resources"] .Additional resources * xref:../../authentication/using-rbac.adoc#unauthenticated-users-cluster-role-bindings-concept_using-rbac[Cluster role bindings for unauthenticated groups] +ifndef::openshift-rosa-hcp[] +* xref:../../architecture/admission-plug-ins.adoc#admission-webhooks-about_admission-plug-ins[Webhook admission plugins] + +endif::openshift-rosa-hcp[] + include::modules/builds-using-github-webhooks.adoc[leveloffset=+3] include::modules/builds-using-gitlab-webhooks.adoc[leveloffset=+3] diff --git a/modules/monitoring-about-accessing-monitoring-web-service-apis.adoc b/modules/monitoring-about-accessing-monitoring-web-service-apis.adoc index 16d6aaaba09e..0599013ddaf6 100644 --- a/modules/monitoring-about-accessing-monitoring-web-service-apis.adoc +++ b/modules/monitoring-about-accessing-monitoring-web-service-apis.adoc 
@@ -1,17 +1,13 @@ // Module included in the following assemblies: // -// * observability/monitoring/accessing-third-party-monitoring-apis.adoc +// * observability/monitoring/accessing-metrics/accessing-monitoring-apis-by-using-the-cli.adoc :_mod-docs-content-type: CONCEPT [id="about-accessing-monitoring-web-service-apis_{context}"] = About accessing monitoring web service APIs -You can directly access web service API endpoints from the command line for the following monitoring stack components: - -* Prometheus -* Alertmanager -* Thanos Ruler -* Thanos Querier +[role="_abstract"] +To interact with the monitoring stack by using the command line, you can access web service API endpoints for Prometheus, Alertmanager, Thanos Ruler, and Thanos Querier. Direct API access requires bearer token authentication and the correct namespace permissions. [IMPORTANT] ==== diff --git a/modules/preventing-cluster-webhook-failure.adoc b/modules/preventing-cluster-webhook-failure.adoc new file mode 100644 index 000000000000..2d1d488c98d7 --- /dev/null +++ b/modules/preventing-cluster-webhook-failure.adoc 
@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * builds/triggering-builds-build-hooks.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="third-party-cluster-webhook-failure_{context}"]
+= Prevent cluster failure due to webhooks
+
+[role="_abstract"]
+To prevent potential cluster failure and ensure pods can always start, you must configure third-party admission webhooks to exclude infrastructure namespaces. Implementing specific selectors and adopting a `ValidatingAdmissionPolicy` resource provides a more stable environment for cluster recovery and management.
+
+When possible, use a `ValidatingAdmissionPolicy` resource instead of an admission webhook. It does not require an external service, has no timeout limitations, and cannot cause cluster-wide failures.
+
+If you use admission webhooks take the following precautions:
+
+* Configure the webhook to exclude {product-title} and Kubernetes infrastructure namespaces.
+
+* Configure webhook timeouts to 10 seconds or less to provide a safety buffer for the system-enforced 13-second limit.
+
+* Set the `failurePolicy` value to `Ignore` for non-critical webhooks so that requests can proceed if the webhook is unavailable.
\ No newline at end of file
diff --git a/modules/recover-unstable-cluster-webhooks.adoc b/modules/recover-unstable-cluster-webhooks.adoc
new file mode 100644
index 000000000000..d69a0a75066e
--- /dev/null
+++ b/modules/recover-unstable-cluster-webhooks.adoc
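Review bot: In modules/preventing-cluster-webhook-failure.adoc, the last bullet recommends `failurePolicy: Ignore` without saying that this makes the webhook fail open: while the webhook is unavailable, every matching request is admitted without being checked. I would add a sentence along the lines of "Keep the `Fail` policy for webhooks that enforce security policy, and limit their scope with selectors instead." The statement that a `ValidatingAdmissionPolicy` "cannot cause cluster-wide failures" also reads as too absolute, because a broadly matching policy bound with a `Deny` validation action can, as far as I can tell, still reject requests; "does not depend on an external service that can become unavailable" would be safer wording. The first bullet would be easier to act on if it named the field used for the exclusion, `namespaceSelector`.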
@@ -0,0 +1,68 @@
+// Module included in the following assemblies:
+//
+// * builds/triggering-builds-build-hooks.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="third-party-cluster-webhook-failures_{context}"]
+= Recovering an unstable cluster due to admission webhooks
+
+[role="_abstract"]
+If a misconfigured admission webhook causes your cluster to fail, you must delete the webhook configuration to restore functionality.
+
+.Procedure
+
+. Back up the webhook configuration. Choose either `ValidatingWebhookConfiguration` or `MutatingWebhookConfiguration` for the `` value.
++
+[source,terminal]
+----
+oc get -o yaml > webhook-backup.yaml
+----
+
+. Delete the webhook.
++
+[source,terminal]
+----
+oc delete
+----
+
+. Fix the webhook configuration to exclude infrastructure namespaces when you reapply it.
++
+.Example
+[source,yaml]
+----
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: machine-api
+webhooks:
+ - name: default.machine.machine.openshift.io
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["pods"]
+ scope: "*"
+ clientConfig:
+ service:
+ namespace: machine-api-operator-webhook
+ name: openshift-machine-api
+ path: "/validate"
+ admissionReviewVersions: ["v1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - openshift
+ - openshift-apiserver
+ - openshift-authentication
+ - openshift-monitoring
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ - default
+----
++
+Where `kind` is the type of webhook configuration you are using. Valid values are `ValidatingWebhookConfiguration` or `MutatingWebhookConfiguration`.
\ No newline at end of file
diff --git a/modules/rn-async-errata.adoc b/modules/rn-async-errata.adoc
index 57a757ca8a46..d938f63077ab 100644
--- a/modules/rn-async-errata.adoc
+++ b/modules/rn-async-errata.adoc
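Review bot: In modules/recover-unstable-cluster-webhooks.adoc, the example `namespaceSelector` excludes only four `openshift*` namespaces plus `kube-system`, `kube-public`, `kube-node-lease` and `default`, which is narrower than the "infrastructure namespaces" that step 3 asks the reader to exclude, and it exempts `default` without comment. I would say that the list is illustrative and add the caveat that pods in every excluded namespace are no longer evaluated by the webhook, so the ability to create workloads in those namespaces should be restricted. Step 2 removes admission enforcement entirely until the configuration is reapplied; a sentence saying so, and that only third-party configurations should be deleted, would help an operator who is under pressure. The `clientConfig.service` values also look swapped (`namespace: machine-api-operator-webhook`, `name: openshift-machine-api`) and the example reuses what appears to be a platform webhook name, so a neutral placeholder name would avoid confusion.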
@@ -2,7 +2,6 @@ // // * release_notes/ocp-4-20-release-notes.adoc - :_mod-docs-content-type: CONCEPT [id="ocp-release-asynchronous-errata-updates_{context}"] = Asynchronous errata updates diff --git a/modules/zstream-4-20-0.adoc b/modules/zstream-4-20-0.adoc new file mode 100644 index 000000000000..b5775f9d28e2 --- /dev/null +++ b/modules/zstream-4-20-0.adoc @@ -0,0 +1,27 @@ +// Module included in the following assemblies: +// +// * release_notes/ocp-4-20-release-notes.adoc + +//Update with relevant advisory information +:_mod-docs-content-type: REFERENCE +[id="ocp-4-20-0_{context}"] += RHSA-2025:9562 - {product-title} {product-version}.0 image release, bug fix, and security update advisory + +[role="_abstract"] +Issued: 21 Oct 2025 + +{product-title} release {product-version}.0, which includes security updates, is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:9562[RHSA-2025:9562] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHEA-2025:4782[RHEA-2025:4782] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.20.0 --pullspecs +---- + +[id="ocp-4-20-0-updating_{context}"] +== Updating + +To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. diff --git a/modules/zstream-4-20-1.adoc b/modules/zstream-4-20-1.adoc new file mode 100644 index 000000000000..fea238fd91e5 --- /dev/null +++ b/modules/zstream-4-20-1.adoc 
@@ -0,0 +1,69 @@ +// Module included in the following assemblies: +// +// * release_notes/ocp-4-20-release-notes.adoc + +:_mod-docs-content-type: REFERENCE +[id="ocp-4-20-1_{context}"] += RHSA-2025:19003 - {product-title} {product-version}.1 image release, bug fix, and security update advisory + +[role="_abstract"] +Issued: 28 Oct 2025 + +{product-title} release {product-version}.1, which includes security updates, is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:19003[RHSA-2025:19003] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHEA-2025:19001[RHEA-2025:19001] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.20.1 --pullspecs +---- + +[id="ocp-4-20-1-known-issues_{context}"] +== Known issues + +This release contains the following known issues: + +* Starting with {product-title} 4.20, there is a decrease in the default maximum open files soft limit for containers. As a consequence, end users may experience application failures. To work around this problem, increase the container runtimes (CRI-O) ulimit configuration. (link:https://issues.redhat.com/browse/OCPBUGS-62095[OCPBUGS-62095]) + +[id="ocp-4-20-1-fixed-issues_{context}"] +== Fixed issues + +The following issues are fixed for this release: + +* Before this update, iDRAC10 hardware provisioning was failing due to an incorrect data type for the Dell Original Equipment Manufacturer (OEM) `Target` property and the use of an incorrect virtual media slot. As a result, users were unable to provision Dell iDRAC10 servers. With this release, the Dell iDRAC10 can be provisioned. 
(link:https://issues.redhat.com/browse/OCPBUGS-52427[OCPBUGS-52427]) + +* Before this release, two identical copies of the same controller were updating the same certificate authority (CA) bundle in a `configmap` causing them to receive different metadata inputs, rewrite each other's changes, and create duplicate events. With this release, the controllers use optimistic updating and server-side apply to avoid update events and handle update conflicts. As a result, metadata updates no longer trigger duplicate events, and the expected metadata is set correctly. (link:https://issues.redhat.com/browse/OCPBUGS-55217[OCPBUGS-55217]) + +* Before this update, when installing a cluster on {ibm-power-server-title} you could only specify a name for an existing Transit Gateway or virtual private cloud (VPC). As the uniqueness of names was not guaranteed, this could cause conflicts and installation failures. With this release, you can use Universally Unique Identifiers (UUIDs) for a Transit Gateway and VPC. By using unique identifiers, the installation program can unambiguously identify the correct Transit Gateway or VPC. This prevents the naming conflicts and the issue is resolved. (link:https://issues.redhat.com/browse/OCPBUGS-59678[OCPBUGS-59678]) + +* Before this update, the Cloud event proxy for the Precision Time Protocol (PTP) Operator incorrectly parsed BF3 Network Interface Card (NIC) names, causing the interface alias to be formatted incorrectly. As a consequence, the incorrect parsing caused end users to misinterpret cloud events. With this release, the Cloud event proxy has been updated to correctly parse BF3 NIC names in the PTP Operator. As a result, fix improves parsing of BF3 NIC names, ensuring correct event publication for the PTP Operator. 
(link:https://issues.redhat.com/browse/OCPBUGS-60466[OCPBUGS-60466]) + +* Before this update, a pod with a secondary interface in an OVN-Kubernetes Localnet network (mapped to the br-ex bridge) could communicate with pods on the same node that used the default network for connectivity only if the Localnet IP addresses were within the same subnet as the host network. With this release, the localnet IP addresses can be drawn from any subnet; in this generalized case, an external router outside the cluster is expected to connect the localnet subnet to the host network. (link:https://issues.redhat.com/browse/OCPBUGS-61453[OCPBUGS-61453]) + +* Before this update, the Precision Time Protocol (PTP) Operator wrongly parsed network interface controller (NIC) names. As a result, interface aliases were incorrectly formatted and this impacted identifying a PTP hardware clock (PHC) when using Mellaonox cards to send clock state events. With this release, the PTP now correctly parses the NIC names so that generated aliases align with Mellanox naming conventions. Mellanox cards can now accurately identify a PHC when sending clock state events. (link:https://issues.redhat.com/browse/OCPBUGS-61581[OCPBUGS-61581]) + +* Before this update, the `cluster in workload identity mode` warning was missing when only the `token-auth-azure` annotation was set, which could lead to misconfiguration. This update adds a check for the `token-auth-azure` annotation when showing the warning. As a result, clusters that use only Azure Workload Identity now show the “cluster in workload identity mode” warning as expected. (link:https://issues.redhat.com/browse/OCPBUGS-61861[OCPBUGS-61861]) + +* Before this update, the YAML editor in the web console would default to indenting YAML files with 4 spaces. With this release, the default indentation has changed to 2 spaces to align with recommendations. 
(link:https://issues.redhat.com/browse/OCPBUGS-61990[OCPBUGS-61990]) + +* Before this update, deploying hosted control planes in version 4.20 or later with user-supplied `ignition-server-serving-cert` and `ignition-server-ca-cert` secrets`, along with the `disable-pki-reconciliation annotation`, caused the system to remove the user supplied ignition secrets and the `ignition-server` pods to fail. With this release, the `ignition-server` secrets are preserved during reconciliation after removing the delete action for the `disable-pki-reconciliation` annotation ensuring ignition-server pods start. (link:https://issues.redhat.com/browse/OCPBUGS-62006[OCPBUGS-62006]) + +* Before this update, if the `OVNKube-controller` on a node failed to process updates and configure its local OVN database, the `OVN-controller` could connect to this stale database. This caused the `OVN-controller` to consume outdated `EgressIP` configurations and send incorrect Gratuitous ARPs (GARPs) for an IP address that might have already moved to a different node. With this release, the `OVN-controller` is blocked from sending these GARPs during the time when the `OVNKube-controller` is not processing updates. As a result, network disruptions are prevented by ensuring GARPs are not sent based on stale database information. (link:https://issues.redhat.com/browse/OCPBUGS-62273[OCPBUGS-62273]) + +* Before this update, upgrading a `ClusterExtension` could fail when unhandled Customer Resource Definition (CRD) changes produced a large JSON diff for the validation status. This diff often exceeded the Kubernetes 32 KB limit, causing the status update to fail and leaving users with no information about why the upgrade did not occur. With this release, the diff output is truncated and summarized for unhandled scenarios instead of including the full JSON diff. 
This ensures the status updates remain within size limits, allowing them to post successfully and provide users with clear, actionable error messages. (link:https://issues.redhat.com/browse/OCPBUGS-62722[OCPBUGS-62722]) + +* Before this update, gRPC connection logs were set at a highly verbose log level. This generated an excessive number of messages, which caused the logs to overflow. With this release, the gRPC connection logs have been moved to the V(4) log level. Consequently, the logs no longer overflow, as these specific messages are now less verbose by default. (link:https://issues.redhat.com/browse/OCPBUGS-62844[OCPBUGS-62844]) + +* Before this update, running `oc-mirror` without displaying its version caused delays in debugging, as the correct version with required fixes was not known. As a consequence, the user was unable to identify `oc-mirror` version, hindering efficient debugging. With this release, `oc-mirror` now displays its version in the output, aiding faster debugging and ensuring correct fix application. (link:https://issues.redhat.com/browse/OCPBUGS-62283[OCPBUGS-62283]) + +* Before this update, a bug occurred when the `cluster-api-operator` kubeconfig controller tried to use a regenerated authentication token secret before the token value was fully populated. This caused users to experience recurring, transient reconciliation errors every 30 minutes, which briefly put the Operator into a degraded state. With this release, the controller now waits for the authentication token to be populated within the secret before proceeding, preventing the Operator from going into a degraded state and eliminates the recurring errors. (link:https://issues.redhat.com/browse/OCPBUGS-62755[OCPBUGS-62755]) + +* Before this update, in {product-title} 4.19.9, the Cluster Version Operator (CVO) began requiring bearer token authentication in metrics requests. 
As a consequence, this broke the metrics scraper on hosted control plane clusters because their scrapers provided no client authentication. With this release, the CVO no longer requires client authentication for metrics requests in hosted control plane clusters. (link:https://issues.redhat.com/browse/OCPBUGS-62867[OCPBUGS-62867]) + +* Before this update, during failover, the system's duplicate address detection (DAD) could incorrectly disable the Egress IPv6 address if it was briefly present on both nodes, breaking the connection. With this release, the Egress IPv6 is configured to skip the DAD check during failover, guaranteeing uninterrupted egress IPv6 traffic after an Egress IP address successfully moves to a different node and ensuring greater network stability. (link:https://issues.redhat.com/browse/OCPBUGS-62913[OCPBUGS-62913]) + +[id="ocp-4-20-1-updating_{context}"] +== Updating +To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. diff --git a/modules/zstream-4-20-10-about.adoc b/modules/zstream-4-20-10-about.adoc deleted file mode 100644 index ce0d49aa703c..000000000000 --- a/modules/zstream-4-20-10-about.adoc +++ /dev/null 
@@ -1,22 +0,0 @@ -// Module included in the following assemblies: -// -// * release_notes/ocp-4-20-release-notes.adoc - - -:_mod-docs-content-type: CONCEPT -[id="zstream-4-20-10-about_{context}"] -= RHBA-2026:0370 - {product-title} {product-version}.10 fixed issues advisory - -[role="_abstract"] -Issued: 13 January 2026 - -{product-title} release {product-version}.10 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHBA-2026:0370[RHBA-2026:0370] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2026:0419[RHBA-2026:0419] advisory. - -Space precluded documenting all of the container images for this release in the advisory. - -You can view the container images in this release by running the following command: - -[source,terminal] ----- -$ oc adm release info 4.20.10 --pullspecs ----- diff --git a/modules/zstream-4-20-10-enhancements.adoc b/modules/zstream-4-20-10-enhancements.adoc deleted file mode 100644 index 55ee2b32f07c..000000000000 --- a/modules/zstream-4-20-10-enhancements.adoc +++ /dev/null 
@@ -1,13 +0,0 @@ -// Module included in the following assemblies: -// -// * release_notes/ocp-4-20-release-notes.adoc - - -:_mod-docs-content-type: REFERENCE -[id="zstream-4-20-10-enhancements_{context}"] -= Enhancements - -[role="_abstract"] -The following enhancements are included in this z-stream release: - -* With this update, the Cluster Network Operator now supports `KubeVirt` as a platform for dual-stack networking in {VirtProductName}, resolving a previous issue where `KubeVirt` was not recognized as a supported platform for dual-stack. This enhancement enables successful deployment of a Hosted Control Plane on {VirtProductName} with IPv4/IPv6 dual-stack networking. This improvement reduces deployment failures and ensure a smoother experience for users deploying {VirtProductName} with `KubeVirt`. (link:https://issues.redhat.com/browse/OCPBUGS-66235[OCPBUGS-66235]) diff --git a/modules/zstream-4-20-10-updating.adoc b/modules/zstream-4-20-10-updating.adoc deleted file mode 100644 index 6e70fc8c7f14..000000000000 --- a/modules/zstream-4-20-10-updating.adoc +++ /dev/null @@ -1,12 +0,0 @@ -// Module included in the following assemblies: -// -// * release_notes/ocp-4-20-release-notes.adoc - - -:_mod-docs-content-type: REFERENCE -[id="zstream-4-20-10-updating_{context}"] -= Updating - - -[role="_abstract"] -To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. \ No newline at end of file diff --git a/modules/zstream-4-20-10-fixed-issues.adoc b/modules/zstream-4-20-10.adoc similarity index 76% rename from modules/zstream-4-20-10-fixed-issues.adoc rename to modules/zstream-4-20-10.adoc index ab3ce159ee2d..2d583d96edef 100644 --- a/modules/zstream-4-20-10-fixed-issues.adoc +++ b/modules/zstream-4-20-10.adoc 
@@ -2,12 +2,34 @@ // // * release_notes/ocp-4-20-release-notes.adoc - :_mod-docs-content-type: REFERENCE -[id="zstream-4-20-10-fixed-issues_{context}"] -= Fixed issues +[id="ocp-4-20-10_{context}"] += RHBA-2026:0370 - {product-title} {product-version}.10 fixed issues advisory [role="_abstract"] +Issued: 13 January 2026 + +{product-title} release {product-version}.10 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHBA-2026:0370[RHBA-2026:0370] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2026:0419[RHBA-2026:0419] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.20.10 --pullspecs +---- + +[id="ocp-4-20-10-enhancements_{context}"] +== Enhancements + +The following enhancements are included in this z-stream release: + +* With this update, the Cluster Network Operator now supports `KubeVirt` as a platform for dual-stack networking in {VirtProductName}, resolving a previous issue where `KubeVirt` was not recognized as a supported platform for dual-stack. This enhancement enables successful deployment of a Hosted Control Plane on {VirtProductName} with IPv4/IPv6 dual-stack networking. This improvement reduces deployment failures and ensure a smoother experience for users deploying {VirtProductName} with `KubeVirt`. 
(link:https://issues.redhat.com/browse/OCPBUGS-66235[OCPBUGS-66235]) + +[id="ocp-4-20-10-fixed-issues_{context}"] +== Fixed issues + The following issues are fixed for this release: * Before this update, when a HyperShift `HostedCluster` used external Domain Name Service (DNS) domains and endpoint access with PublicAndPrivate, the `allowedCIDRBlocks` parameters were wrongly applied only to the internal `kube-apiserver`, leaving the control plane Operator in an error state. With this release, the control plane Operator functions correctly and the `LoadBalancerSourceRanges` configuration has been added to the external router `LoadBalancer` service, ensuring that external `kube-apiserver` access is now properly restricted to the specified `allowedCIDRBlocks`. (link:https://issues.redhat.com/browse/OCPBUGS-63509[OCPBUGS-63509]) 
@@ -27,3 +49,8 @@ The following issues are fixed for this release: * Before this update, the Baremetal Operator defaulted to x86_64 architecture when no architecture information was available from hardware inspection or the `BareMetalHost` spec. This caused provisioning to fail on ARM-based bare-metal clusters. With this release, the Baremetal Operator now automatically detects and uses the architecture of the running controller, enabling successful bare-metal provisioning on both x86_64 and ARM64 architectures. (link:https://issues.redhat.com/browse/OCPBUGS-69667[OCPBUGS-69667]) * With this release, when service endpoints are deleted or updated, the cleanup process correctly uses the service port to match and remove stale `conntrack` entries. This change ensures that network connectivity continues to work reliably across endpoint lifecycle events. (link:https://issues.redhat.com/browse/OCPBUGS-66049[OCPBUGS-66049]) + +[id="ocp-4-20-10-updating_{context}"] +== Updating + +To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. diff --git a/modules/zstream-4-20-11-about.adoc b/modules/zstream-4-20-11-about.adoc deleted file mode 100644 index a111e3713469..000000000000 --- a/modules/zstream-4-20-11-about.adoc +++ /dev/null 
@@ -1,22 +0,0 @@ -// Module included in the following assemblies: -// -// * release_notes/ocp-4-20-release-notes.adoc - - -:_mod-docs-content-type: CONCEPT -[id="zstream-4-20-11-about_{context}"] -= RHSA-2026:0663 - {product-title} {product-version}.11 fixed issues advisory - -[role="_abstract"] -Issued: 20 January 2026 - -{product-title} release {product-version}.11 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2026:0663[RHSA-2026:0663] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2026:0661[RHBA-2026:0661] advisory. - -Space precluded documenting all of the container images for this release in the advisory. - -You can view the container images in this release by running the following command: - -[source,terminal] ----- -$ oc adm release info 4.20.11 --pullspecs ----- diff --git a/modules/zstream-4-20-11-enhancements.adoc b/modules/zstream-4-20-11-enhancements.adoc deleted file mode 100644 index 68182ea574a2..000000000000 --- a/modules/zstream-4-20-11-enhancements.adoc +++ /dev/null 
@@ -1,13 +0,0 @@ -// Module included in the following assemblies: -// -// * release_notes/ocp-4-20-release-notes.adoc - - -:_mod-docs-content-type: REFERENCE -[id="zstream-4-20-11-enhancements_{context}"] -= Enhancements - -[role="_abstract"] -The following enhancements are included in this z-stream release: - -* With this update, the Cluster Network Operator supports `KubeVirt` as a platform for dual-stack networking in {VirtProductName}, resolving a previous issue where `KubeVirt` was not recognized as a supported platform for dual-stack. This enhancement enables successful deployment of {hcp} on {VirtProductName} with IPv4 and IPv6 dual-stack networking. This improvement reduces deployment failures and ensures a smoother experience for users deploying {VirtProductName} with `KubeVirt`. (link:https://issues.redhat.com/browse/OCPBUGS-66253[OCPBUGS-66253]) diff --git a/modules/zstream-4-20-11-updating.adoc b/modules/zstream-4-20-11-updating.adoc deleted file mode 100644 index c050bbbf5a25..000000000000 --- a/modules/zstream-4-20-11-updating.adoc +++ /dev/null @@ -1,12 +0,0 @@ -// Module included in the following assemblies: -// -// * release_notes/ocp-4-20-release-notes.adoc - - -:_mod-docs-content-type: REFERENCE -[id="zstream-4-20-11-updating_{context}"] -= Updating - - -[role="_abstract"] -To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. \ No newline at end of file diff --git a/modules/zstream-4-20-11-fixed-issues.adoc b/modules/zstream-4-20-11.adoc similarity index 60% rename from modules/zstream-4-20-11-fixed-issues.adoc rename to modules/zstream-4-20-11.adoc index 13381a7d9bdc..d6847e65be3f 100644 --- a/modules/zstream-4-20-11-fixed-issues.adoc +++ b/modules/zstream-4-20-11.adoc 
@@ -2,12 +2,34 @@ // // * release_notes/ocp-4-20-release-notes.adoc - :_mod-docs-content-type: REFERENCE -[id="zstream-4-20-11-fixed-issues_{context}"] -= Fixed issues +[id="ocp-4-20-11_{context}"] += RHSA-2026:0663 - {product-title} {product-version}.11 fixed issues advisory [role="_abstract"] +Issued: 20 January 2026 + +{product-title} release {product-version}.11 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2026:0663[RHSA-2026:0663] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2026:0661[RHBA-2026:0661] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.20.11 --pullspecs +---- + +[id="ocp-4-20-11-enhancements_{context}"] +== Enhancements + +The following enhancements are included in this z-stream release: + +* With this update, the Cluster Network Operator supports `KubeVirt` as a platform for dual-stack networking in {VirtProductName}, resolving a previous issue where `KubeVirt` was not recognized as a supported platform for dual-stack. This enhancement enables successful deployment of {hcp} on {VirtProductName} with IPv4 and IPv6 dual-stack networking. This improvement reduces deployment failures and ensures a smoother experience for users deploying {VirtProductName} with `KubeVirt`. (link:https://issues.redhat.com/browse/OCPBUGS-66253[OCPBUGS-66253]) + +[id="ocp-4-20-11-fixed-issues_{context}"] +== Fixed issues + The following issues are fixed for this release: * Before this update, Domain Name System (DNS) pods that were deleted and then re-created in {product-title} clusters that used OVN-Kubernetes networking caused inactive User Datagram Protocol (UDP) entries to remain on worker nodes. 
With this release, when DNS pods are deleted or updated, the cleanup process correctly uses service port 53 to match and remove inactive entries. (link:https://issues.redhat.com/browse/OCPBUGS-66049[OCPBUGS-66049]) @@ -19,3 +41,8 @@ The following issues are fixed for this release: * Before this update, the instance architecture in worker machines did not match the Amazon Machine Image (AMI) architecture, which caused a mismatch with the user's instance type. This resulted in failed installations. With this release, the ARM64 AMI architecture mismatch with the x86_64 instance type is resolved. As a result, the installation process does not fail due to an architecture mismatch and improves the successful provisioning of worker machines. (link:https://issues.redhat.com/browse/OCPBUGS-70322[OCPBUGS-70322]) * Before this update, a {op-system-first} networking timeout occurred during agent-based {product-title} installation on Virtual Local Area Network (VLAN) interfaces. As a consequence, {op-system} nodes failed to automatically configure networking during installation on bare metal systems. With this release, the {op-system} networking auto-configuration timeout has been fixed, allowing automatic network setup. As a result, {op-system} nodes automatically configure networking during installation on bare metal systems. (link:https://issues.redhat.com/browse/OCPBUGS-71212[OCPBUGS-71212]) + +[id="ocp-4-20-11-updating_{context}"] +== Updating + +To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. \ No newline at end of file diff --git a/modules/zstream-4-20-12-about.adoc b/modules/zstream-4-20-12-about.adoc deleted file mode 100644 index a1a70a620f48..000000000000 --- a/modules/zstream-4-20-12-about.adoc +++ /dev/null 
@@ -1,22 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: CONCEPT
-[id="zstream-4-20-12-about_{context}"]
-= RHSA-2026:1000 - {product-title} {product-version}.12 fixed issues advisory
-
-[role="_abstract"]
-Issued: 27 January 2026
-
-{product-title} release {product-version}.12 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2026:1000[RHSA-2026:1000] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2026:0977[RHBA-2026:0977] advisory.
-
-Space precluded documenting all of the container images for this release in the advisory.
-
-You can view the container images in this release by running the following command:
-
-[source,terminal]
-----
-$ oc adm release info 4.20.12 --pullspecs
-----
diff --git a/modules/zstream-4-20-12-known-issues.adoc b/modules/zstream-4-20-12-known-issues.adoc
deleted file mode 100644
index 592efbd5deb0..000000000000
--- a/modules/zstream-4-20-12-known-issues.adoc
+++ /dev/null
@@ -1,17 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-12-known-issues_{context}"]
-= Known issues
-
-[role="_abstract"]
-This release contains the following known issues:
-
-
-* If a `must-gather` archive features a custom namespace directory ending with the suffix `nodes`, the Performance Profile Creator tool fails to analyze the archive. This occurs because of the tool's search logic, which incorrectly reports a `multiple matches` error. To work around this problem, rename the custom namespace directory so that it does not end with the `nodes` suffix, and run the tool again. (link:https://issues.redhat.com/browse/OCPBUGS-63751[OCPBUGS-63751])
-
-* Upgrading to {product-title} 4.20 sets incorrect `ulimit` values and caused serverless Operator issues. To resolve this issue, upgrade to a nightly build later than {product-title} `4.20.0-0.nightly-2026-01-16-181948`. (link:https://issues.redhat.com/browse/OCPBUGS-70201[OCPBUGS-70201])
-
-
diff --git a/modules/zstream-4-20-12-updating.adoc b/modules/zstream-4-20-12-updating.adoc
deleted file mode 100644
index 8ec231a42db8..000000000000
--- a/modules/zstream-4-20-12-updating.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-12-updating_{context}"]
-= Updating
-
-
-[role="_abstract"]
-To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI].
\ No newline at end of file
diff --git a/modules/zstream-4-20-12-fixed-issues.adoc b/modules/zstream-4-20-12.adoc
similarity index 59%
rename from modules/zstream-4-20-12-fixed-issues.adoc
rename to modules/zstream-4-20-12.adoc
index 063e22b5a5b7..57d98c43ff2b 100644
--- a/modules/zstream-4-20-12-fixed-issues.adoc
+++ b/modules/zstream-4-20-12.adoc
@@ -2,12 +2,36 @@ // // * release_notes/ocp-4-20-release-notes.adoc - :_mod-docs-content-type: REFERENCE -[id="zstream-4-20-12-fixed-issues_{context}"] -= Fixed issues +[id="ocp-4-20-12_{context}"] += RHSA-2026:1000 - {product-title} {product-version}.12 fixed issues advisory [role="_abstract"] +Issued: 27 January 2026 + +{product-title} release {product-version}.12 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2026:1000[RHSA-2026:1000] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2026:0977[RHBA-2026:0977] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.20.12 --pullspecs +---- + +[id="ocp-4-20-12-known-issues_{context}"] +== Known issues + +This release contains the following known issues: + +* If a `must-gather` archive features a custom namespace directory ending with the suffix `nodes`, the Performance Profile Creator tool fails to analyze the archive. This occurs because of the tool's search logic, which incorrectly reports a `multiple matches` error. To work around this problem, rename the custom namespace directory so that it does not end with the `nodes` suffix, and run the tool again. (link:https://issues.redhat.com/browse/OCPBUGS-63751[OCPBUGS-63751]) + +* Upgrading to {product-title} 4.20 sets incorrect `ulimit` values and caused serverless Operator issues. To resolve this issue, upgrade to a nightly build later than {product-title} `4.20.0-0.nightly-2026-01-16-181948`. 
(link:https://issues.redhat.com/browse/OCPBUGS-70201[OCPBUGS-70201]) + +[id="ocp-4-20-12-fixed-issues_{context}"] +== Fixed issues + The following issues are fixed for this release: * Before this update, the `maxUnhealthy` field in the `MachineHealthCheck` custom resource definition (CRD), did not document the default value. With this release, the CRD documents the default value. (link:https://issues.redhat.com/browse/OCPBUGS-61314[OCPBUGS-61314]) @@ -22,3 +46,7 @@ The following issues are fixed for this release: * Before this update, control plane machines were created in incorrect availability zones due to improper machine specification configuration. With this release, control plane machines created in incorrect zones are fixed and cluster stability is improved. (link:https://issues.redhat.com/browse/OCPBUGS-73785[OCPBUGS-73785]) +[id="ocp-4-20-12-updating_{context}"] +== Updating + +To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. diff --git a/modules/zstream-4-20-13-about.adoc b/modules/zstream-4-20-13-about.adoc deleted file mode 100644 index 3e82c7496c8c..000000000000 --- a/modules/zstream-4-20-13-about.adoc +++ /dev/null 
@@ -1,22 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: CONCEPT
-[id="zstream-4-20-13-about_{context}"]
-= RHSA-2026:1555 - {product-title} {product-version}.13 bug fix and security update advisory
-
-[role="_abstract"]
-Issued: 4 February 2026
-
-{product-title} release {product-version}.13 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2026:1555[RHSA-2026:1555] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2026:1547[RHBA-2026:1547] advisory.
-
-Space precluded documenting all of the container images for this release in the advisory.
-
-You can view the container images in this release by running the following command:
-
-[source,terminal]
-----
-$ oc adm release info 4.20.13 --pullspecs
-----
diff --git a/modules/zstream-4-20-13-enhancements.adoc b/modules/zstream-4-20-13-enhancements.adoc
deleted file mode 100644
index 4d09e136b056..000000000000
--- a/modules/zstream-4-20-13-enhancements.adoc
+++ /dev/null
@@ -1,13 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-13-enhancements_{context}"]
-= Enhancements
-
-[role="_abstract"]
-The following enhancements are included in this z-stream release.
-
-* With this update, a new guard has been introduced to the 4.20 Machine-Config Operator to protect clusters that depend on mirrored {product-title} release images during the transition to {product-title} 4.21. This enhancement notifies customers operating in disconnected environments in advance that {product-title} 4.21 requires `Sigstore` signatures to be present. This check ensures users are notified that their image mirrors must be hosted on an OCI-compatible registry. Consequently, this ensures they use the version of `oc-mirror` aligned with the 4.21 release to automatically capture the required signatures within the payload, preventing upgrade failures due to missing cryptographic metadata. (link:https://issues.redhat.com/browse/OCPBUGS-73884[OCPBUGS-73884])
\ No newline at end of file
diff --git a/modules/zstream-4-20-13-updating.adoc b/modules/zstream-4-20-13-updating.adoc
deleted file mode 100644
index 0f790cb413fe..000000000000
--- a/modules/zstream-4-20-13-updating.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-13-updating_{context}"]
-= Updating
-
-
-[role="_abstract"]
-To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI].
\ No newline at end of file
diff --git a/modules/zstream-4-20-13-fixed-issues.adoc b/modules/zstream-4-20-13.adoc
similarity index 50%
rename from modules/zstream-4-20-13-fixed-issues.adoc
rename to modules/zstream-4-20-13.adoc
index b0511348597b..bd1e90659542 100644
--- a/modules/zstream-4-20-13-fixed-issues.adoc
+++ b/modules/zstream-4-20-13.adoc
@@ -2,12 +2,34 @@ // // * release_notes/ocp-4-20-release-notes.adoc - :_mod-docs-content-type: REFERENCE -[id="zstream-4-20-13-fixed-issues_{context}"] -= Fixed issues +[id="ocp-4-20-13_{context}"] += RHSA-2026:1555 - {product-title} {product-version}.13 bug fix and security update advisory [role="_abstract"] +Issued: 4 February 2026 + +{product-title} release {product-version}.13 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2026:1555[RHSA-2026:1555] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2026:1547[RHBA-2026:1547] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.20.13 --pullspecs +---- + +[id="ocp-4-20-13-enhancements_{context}"] +== Enhancements + +The following enhancements are included in this z-stream release: + +* With this update, a new guard has been introduced to the 4.20 Machine-Config Operator to protect clusters that depend on mirrored {product-title} release images during the transition to {product-title} 4.21. This enhancement notifies customers operating in disconnected environments in advance that {product-title} 4.21 requires `Sigstore` signatures to be present. This check ensures users are notified that their image mirrors must be hosted on an OCI-compatible registry. Consequently, this ensures they use the version of `oc-mirror` aligned with the 4.21 release to automatically capture the required signatures within the payload, preventing upgrade failures due to missing cryptographic metadata. (link:https://issues.redhat.com/browse/OCPBUGS-73884[OCPBUGS-73884]) + +[id="ocp-4-20-13-fixed-issues_{context}"] +== Fixed issues + The following issues are fixed for this release. 
* Before this update, Operator items were not visible in the Software Catalog on clusters without a `CloudCredential` resource as this optional resource was required. With this release, the requirement for the `CloudCredential` resource is removed so that Operators always appear in the Software Catalog. (link:https://issues.redhat.com/browse/OCPBUGS-72417[OCPBUGS-72417]) @@ -16,3 +38,7 @@ The following issues are fixed for this release. * Before this update, the deletion sequence attempted to remove machine instances while their primary network interface cards (NICs) were still attached, which conflicted with environments enforcing strict policies against deleting a primary NIC on an active server. This created a circular dependency that caused machine deletions to fail or hang indefinitely. With this release, the order of deletion for machines and ports has been corrected to ensure that resources are decommissioned in the proper sequence. As a result, machines can now be successfully deleted even in restricted environments, ensuring reliable resource cleanup and adherence to local security policies. (link:https://issues.redhat.com/browse/OCPBUGS-74226[OCPBUGS-74226]) +[id="ocp-4-20-13-updating_{context}"] +== Updating + +To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. diff --git a/modules/zstream-4-20-14.adoc b/modules/zstream-4-20-14.adoc index 896d4c0fbdf8..27dc5ccf3541 100644 --- a/modules/zstream-4-20-14.adoc +++ b/modules/zstream-4-20-14.adoc @@ -2,9 +2,8 @@ // // * release_notes/ocp-4-20-release-notes.adoc - :_mod-docs-content-type: REFERENCE -[id="zstream-4-20-14_{context}"] +[id="ocp-4-20-14_{context}"] = RHSA-2026:2119 - {product-title} {product-version}.14 fixed issues advisory [role="_abstract"] 
@@ -21,20 +20,7 @@ You can view the container images in this release by running the following comma $ oc adm release info 4.20.14 --pullspecs ---- -//// -[id="zstream-4-20-z-enhancements_{context}"] -== Enhancements -//// - -//// -[id="zstream-4-20-z-known-issues_{context}"] -== Known issues - - -This release contains the following known issues: -//// - -[id="zstream-4-20-14-fixed-issues_{context}"] +[id="ocp-4-20-14-fixed-issues_{context}"] == Fixed issues The following issues are fixed for this release: @@ -53,9 +39,7 @@ The following issues are fixed for this release: * Before this update, the `Jobset-controller-manager` pod lacked the necessary permissions to list pods in the cluster scope, and prevented users from accessing the required pods. With this release, the `Jobset-controller-manager` pod is granted full access to the required resources, resolving the pod readiness issue and improving user experience. (link:https://issues.redhat.com/browse/OCPBUGS-75881[OCPBUGS-75881]) - - -[id="zstream-4-20-14-updating_{context}"] +[id="ocp-4-20-14-updating_{context}"] == Updating To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. \ No newline at end of file diff --git a/modules/zstream-4-20-2.adoc b/modules/zstream-4-20-2.adoc new file mode 100644 index 000000000000..92b38427a6d9 --- /dev/null +++ b/modules/zstream-4-20-2.adoc 
@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * release_notes/ocp-4-20-release-notes.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="ocp-4-20-2_{context}"]
+= RHSA-2025:19296 - {product-title} {product-version}.2 image release, bug fix, and security update advisory
+
+[role="_abstract"]
+Issued: 04 November 2025
+
+{product-title} release {product-version}.2, which includes security updates, is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:19296[RHSA-2025:19296] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:19294[RHBA-2025:19294] advisory.
+
+Space precluded documenting all of the container images for this release in the advisory.
+
+You can view the container images in this release by running the following command:
+
+[source,terminal]
+----
+$ oc adm release info 4.20.2 --pullspecs
+----
+
+[id="ocp-4-20-2-enhancements_{context}"]
+== Enhancements
+
+* With this update, the `adm upgrade recommend` command now retrieves and displays critical and non-critical alerts that can be used by cluster administrators for cluster updates. Cluster administrators can also use a new `--accept` option with the `--version` command to accept specific acceptable issues. The command exits nonzero if unaccepted issues are detected. (link:https://issues.redhat.com/browse/OCPBUGS-61757[OCPBUGS-61757])
+
+[id="ocp-4-20-2-fixed-issues_{context}"]
+== Fixed issues
+
+The following issues are fixed for this release:
+
+* Before this update, if NetworkManager was restarted or crashed on a node with a `br-ex` interface managed by NMState, the node lost network connectivity. With this release, a fallback check in the dispatcher script was added to detect NMState-managed `br-ex` interfaces by checking for the `br-ex-br` bridge ID when the standard `br-ex` bridge ID is not found.
As a result, nodes with this interface type do not lose network connectivity when NetworkManager restarts or crashes. (link:https://issues.redhat.com/browse/OCPBUGS-62167[OCPBUGS-62167])
+
+* Before this update, the `driver-config` parameter in the config map content was flapping due to the Go randomized map iteration order. As a consequence, storage classes and related components were appearing in different sequences on each reconcile loop even when the actual data did not change. The frequent and unnecessary config map updates in the hosted cluster namespace caused instability and potential performance issues. With this release, consistent alphabetical sorting is implemented for storage groups, storage classes within each group, volume snapshot classes within each group, and the `allowList` array to ensure deterministic output. As a result, the `driver-config` config map does not experience content flapping, which eliminates unnecessary updates and improves stability. (link:https://issues.redhat.com/browse/OCPBUGS-62806[OCPBUGS-62806])
+
+* Before this update, missing manifest files in a release caused the `TechPreviewNoUpgrade` cluster to not present the Cluster Version Operator (CVO) API object in a cluster. As a consequence, the cluster adminsitrator could not change the log level for the CVO in the `TechPreviewNoUpgrade` cluster. With this release, the missing manifest files are added. As a result, the CVO log level can be changed in a `TechPreviewNoUpgrade` cluster. (link:https://issues.redhat.com/browse/OCPBUGS-63001[OCPBUGS-63001])
+
+* Before this update, when you ran the `ocp-tuned-one-shot.service` systemd unit that was owned by the Node Tuning Operator (NTO), a dependency failure might have occurred for the kubelet. As a consequence, the kubelet did not start. With this release, running the `ocp-tuned-one-shot.service` unit does not cause a dependency failure. As a result, the kubelet starts when you run the unit.
(link:https://issues.redhat.com/browse/OCPBUGS-63334[OCPBUGS-63334])
+
+* Before this update, the *Observe -> Metric* page used the cluster-wide metrics API even when you did not have cluster-wide metrics API permissions. As a consequence, the query input displayed an error and the autofill for the query input did not work without cluster-wide metrics API access. With this release, the `namespace-tenancy` metrics API is used if you do not have cluster-wide metrics API permissions, As a result, an error does not occur and autofill is available for the metrics within the selected namespace. (link:https://issues.redhat.com/browse/OCPBUGS-63440[OCPBUGS-63440])
+
+* Before this update, the node log length was unlimited. As a consequence, an extremely large log could prevent the display of the log or cause the browser to crash. With this release, the node log length is limited to 1,000 lines. As a result, the log displays correctly. (link:https://issues.redhat.com/browse/OCPBUGS-63440[OCPBUGS-63470])
+
+* Before this update, the {azure-short} machine provider was not passing the `dataDisks` configuration from the `MachineSet` specification into the virtual machine creation API request for the {azure-short} Stack Hub. As a consequence, new machines were created without the specified data disks because the configuration was silently ignored during the VM creation process. With this release, the VM creation for the {azure-short} Stack Hub is updated to include the `dataDisks` configuration. An additional update manually implements the behavior of the `deletionPolicy: Delete` parameter in the controller because the {azure-short} Stack Hub does not natively support this option. As a result, data disks are correctly provisioned on the {azure-short} Stack Hub VMs. The `Delete` policy is also functionally supported, which ensures that disks are properly removed when their machines are removed.
(link:https://issues.redhat.com/browse/OCPBUGS-63535[OCPBUGS-63535])
+
+* Before this update, the `internalUser` parameter was `true` by default. As a consequence, if you did not specify this value when you created or updated the custom resource (CR), the default value was `true` for external users. With this release, the default value is changed to `false`. As a result, if an external user attempts to use internal user credentials to access https://sftp.access.redhat.com, the parameter value is `internalUser=false`. (link:https://issues.redhat.com/browse/OCPBUGS-63579[OCPBUGS-63579])
+
+[id="ocp-4-20-2-updating_{context}"]
+== Updating
+
+To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI].
diff --git a/modules/zstream-4-20-3.adoc b/modules/zstream-4-20-3.adoc
new file mode 100644
index 000000000000..fa9668c628a8
--- /dev/null
+++ b/modules/zstream-4-20-3.adoc
@@ -0,0 +1,35 @@
+// Module included in the following assemblies:
+//
+// * release_notes/ocp-4-20-release-notes.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="ocp-4-20-3_{context}"]
+= RHSA-2025:19890 - {product-title} {product-version}.3 image release, bug fix, and security update advisory
+
+[role="_abstract"]
+Issued: 11 November 2025
+
+{product-title} release {product-version}.3, which includes security updates, is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:19890[RHSA-2025:19890] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:19888[RHBA-2025:19888] advisory.
+
+Space precluded documenting all of the container images for this release in the advisory.
+
+You can view the container images in this release by running the following command:
+
+[source,terminal]
+----
+$ oc adm release info 4.20.3 --pullspecs
+----
+
+[id="ocp-4-20-3-fixed-issues_{context}"]
+== Fixed issues
+
+The following issues are fixed for this release:
+
+* Before this update, the communication matrix project failed to create EndPointSlice objects for open ports 9193 and 9194 on the primary node because of a missing service connection. As a consequence, inaccurate communication matrixes resulted. With this release, the service is connected to open ports 9193 and 9194, which resolve the missing EndPointSlice objects. As a result, open ports 9193 and 9194 on the primary node are associated with a service, resulting in accurate communication matrixes for {product-title} users. (link:https://issues.redhat.com/browse/OCPBUGS-63587[OCPBUGS-63587])
+
+* Before this update, the metric denylist incorrectly formatted the regular expression for the `kube_customresource`, omitting the `annotations` field. As a consequence, users experienced missing metrics due to an incorrect denylist configuration.
With this release, unnecessary entries are removed from the metric denylist. As a result, registry metrics include missing annotations, which improves data accuracy. (link:https://issues.redhat.com/browse/OCPBUGS-64577[OCPBUGS-64577])
+
+[id="ocp-4-20-3-updating_{context}"]
+== Updating
+
+To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI].
diff --git a/modules/zstream-4-20-4.adoc b/modules/zstream-4-20-4.adoc
new file mode 100644
index 000000000000..f0c8defac908
--- /dev/null
+++ b/modules/zstream-4-20-4.adoc
@@ -0,0 +1,39 @@
+// Module included in the following assemblies:
+//
+// * release_notes/ocp-4-20-release-notes.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="ocp-4-20-4_{context}"]
+= RHSA-2025:21228 - {product-title} {product-version}.4 image release, bug fix, and security update advisory
+
+[role="_abstract"]
+Issued: 18 November 2025
+
+{product-title} release {product-version}.4, which includes security updates, is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHBA-2025:21228[RHBA-2025:21228] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:21223[RHBA-2025:21223] advisory.
+
+Space precluded documenting all of the container images for this release in the advisory.
+
+You can view the container images in this release by running the following command:
+
+[source,terminal]
+----
+$ oc adm release info 4.20.4 --pullspecs
+----
+
+[id="ocp-4-20-4-fixed-issues_{context}"]
+== Fixed issues
+
+The following issues are fixed for this release:
+
+* Before this update, the horizontal pod autoscaler (HPA) form in the web console incorrectly required you to provide values for both CPU and memory utilization, even though the API allows for HPAs to be created with a single metric or with no metrics (to use the API default). As a consequence, you could not use the form to create single-metric HPAs, for example, Memory-only, or HPAs that rely on the API default (80% CPU). This issue required you to use the YAML view for these common configurations. With this release, the HPA form logic is updated to align with the API so that the user interface no longer requires both fields to be completed. As a result, an empty utilization field correctly omits that HPA metric from the HPA manifest, which allows the API to apply its default behavior or create a single-metric HPA.
You can use the HPA form to create single-metric HPAs, for example, CPU-only or Memory-only. If both utilization fields are left empty, the HPA is created and correctly falls back to the API default of 80% CPU utilization. (link:https://issues.redhat.com/browse/OCPBUGS-63339[OCPBUGS-63339])
+
+* Before this update, during rolling cluster updates from etcd 3.5.19 to a release of 3.6, the wrong membership data could be propagated to new members. As a consequence, cluster updates failed with an error indicating too many learner members in the cluster. With this release, etcd is updated to 3.5.24, which includes fixes that prevent membership-related errors. (link:https://issues.redhat.com/browse/OCPBUGS-63474[OCPBUGS-63474])
+
+* Before this update, the `ccoctl` utility would automatically generate a new keypair if the private key was not found, even when users intentionally provided only the public key as per documented security procedures. This behavior caused a problem, as the newly generated keys would not match the cluster's keys, resulting in service outages for users following the correct process. With this update, the utility was changed to ensure a new keypair is never generated when the `--public-key-file` parameter is specified, and this parameter was added to all create-all functions for consistency. As a result, specifying the public key file now guarantees the provided key is used, ensuring the cluster continues to function as expected without interruption. (link:https://issues.redhat.com/browse/OCPBUGS-63546[OCPBUGS-63546])
+
+* Before this update, the binary version data for Kubernetes binaries was incorrectly set to `v0.0.0`, which caused problems with vulnerability scanning tools. With this release, the build issue is fixed. As a result, the most recent upstream `kube` version is shown, for example, `v1.33.5`.
(link:https://issues.redhat.com/browse/OCPBUGS-63749[OCPBUGS-63749])
+
+[id="ocp-4-20-4-updating_{context}"]
+== Updating
+
+To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI].
diff --git a/modules/zstream-4-20-5-about.adoc b/modules/zstream-4-20-5-about.adoc
deleted file mode 100644
index 597cd332ffed..000000000000
--- a/modules/zstream-4-20-5-about.adoc
+++ /dev/null
@@ -1,22 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: CONCEPT
-[id="zstream-4-20-5-about_{context}"]
-= RHBA-2025:21811 - {product-title} {product-version}.5 bug fix advisory
-
-[role="_abstract"]
-Issued: 25 November 2025
-
-{product-title} release {product-version}.5 is now available. The list of bug fixes that are included in the update is documented in the link:https://access.redhat.com/errata/RHBA-2025:21811[RHBA-2025:21811] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:21809[RHBA-2025:21809] advisory.
-
-Space precluded documenting all of the container images for this release in the advisory.
-
-You can view the container images in this release by running the following command:
-
-[source,terminal]
-----
-$ oc adm release info 4.20.5 --pullspecs
-----
diff --git a/modules/zstream-4-20-5-bug-fixes.adoc b/modules/zstream-4-20-5-bug-fixes.adoc
deleted file mode 100644
index d01e1ffba312..000000000000
--- a/modules/zstream-4-20-5-bug-fixes.adoc
+++ /dev/null
@@ -1,25 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-5-bug-fixes_{context}"]
-= Bug fixes
-
-[role="_abstract"]
-The following bugs are fixed for this release:
-
-* Before this update, the `oauth` pods in the `openshift-authentication` namespaces could get stuck while rolling out changes when one of the corresponding nodes these pods are running on is not ready or not available. This was causing authentication to completely stop until the blocked rollout concludes. With this release, the pods can proceed with the rolling update even when an unhealthy node is down or unavailable (link:https://issues.redhat.com/browse/OCPBUGS-61896[OCPBUGS-61896])
-
-* Before this update, alerts in the project overview were not visible because the application was querying an incorrect API. With this release, the application now queries the correct API and displays the project alerts. (link:https://issues.redhat.com/browse/OCPBUGS-63125[OCPBUGS-63125])
-
-* Before this update, the aggregated API servers on {product-title} were provisioned with `in-memory` loopback certificates that were valid for only 1 year. With this release, the aggregated API servers on {product-title} are provisioned with `in-memory` loopback certificates that are valid for 3 years. (link:https://issues.redhat.com/browse/OCPBUGS-63532[OCPBUGS-63532])
-
-* Before this update, when directly navigating to a page created by a web console dynamic plugin, the web console might redirect to a different URL. With this release, the URL redirect has been removed. (link:https://issues.redhat.com/browse/OCPBUGS-63616[OCPBUGS-63616])
-
-* Before this release, any unrelated changes to a `netpol` resource triggered a full reconcile of the object, including deleting and re-adding rules. With this release, a `netpol` object fully reconciles when required. Otherwise, it is skipped.
(link:https://issues.redhat.com/browse/OCPBUGS-64590[OCPBUGS-64590])
-
-* Before this update, the Horizontal Pod Autoscaler (HPA) form incorrectly mandated both CPU and memory values, forcing users to use YAML for single-metric HPAs (such as memory-only) or to rely on the default CPU setting. With this release, the form has been updated and leaving a field empty now correctly omits that metric, allowing users to create CPU-only, memory-only, or default 80% CPU HPAs from the web form. (link:https://issues.redhat.com/browse/OCPBUGS-64639[OCPBUGS-64639])
-
-* Before this update, it was impossible to schedule a `must-gather` pod to a specific worker node when the `--node-name` argument was used as the pod's node affinity accepted only control plane nodes. With this release, the `must-gather` logic is updated to avoid setting node affinity when the `--node-name` argument is set. (link:https://issues.redhat.com/browse/OCPBUGS-65523[OCPBUGS-65523])
\ No newline at end of file
diff --git a/modules/zstream-4-20-5-enhancements.adoc b/modules/zstream-4-20-5-enhancements.adoc
deleted file mode 100644
index d95b39a6e423..000000000000
--- a/modules/zstream-4-20-5-enhancements.adoc
+++ /dev/null
@@ -1,42 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-5-enhancements_{context}"]
-= Enhancements
-
-[role="_abstract"]
-The following enhancements for direct authentication with an external OpenID Connect (OIDC) identity provider are included in this z-stream release:
-
-General availability of direct authentication with an external OIDC identity provider::
-Using direct authentication with an external OIDC identity provider is now generally available. This authentication method bypasses the built-in OAuth server and uses the external identity provider directly.
-
-Support for additional identity providers::
-The following OIDC identity providers are now supported for direct authentication:
-
-* Active Directory Federation Services for Windows Server
-* GitLab
-* Google
-* Okta
-* Ping Identity
-* Red Hat Single Sign-On
-
-Deactivation of OAuth services::
-The following internal OAuth resources are now disabled when you configure direct authentication:
-
-* OpenShift OAuth server and OpenShift OAuth API server
-* User and group APIs (`*.user.openshift.io`)
-* OAuth APIs (`*.oauth.openshift.io`)
-* OAuth server and client configurations
-
-[IMPORTANT]
-====
-Ensure that you do not rely on these removed resources before configuring direct authentication.
-====
-
-Support for additional claim mappings::
-You can now use the `uid` and `extra` claim mapping fields when configuring an external OIDC provider for direct authentication.
-
-For more information, see xref:../authentication/external-auth.adoc#external-auth[Enabling direct authentication with an external OIDC identity provider].
diff --git a/modules/zstream-4-20-5-known-issues.adoc b/modules/zstream-4-20-5-known-issues.adoc
deleted file mode 100644
index 8f405a8223de..000000000000
--- a/modules/zstream-4-20-5-known-issues.adoc
+++ /dev/null
@@ -1,19 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-5-known-issues_{context}"]
-= Known issues
-
-[role="_abstract"]
-This release contains the following known issues:
-
-
-* When using GitLab or Google as the external OIDC identity provider for direct authentication, clicking *Log out* from the {product-title} web console does not log you out of the console. (link:https://issues.redhat.com/browse/OCPBUGS-61649[OCPBUGS-61649])
-
-* When using Active Directory Federation Services for Windows Server as the external OIDC identity provider for direct authentication, logging into the {product-title} web console the first time produces an authentication error. As a workaround, reload the web console until it displays properly. (link:https://issues.redhat.com/browse/OCPBUGS-62142[OCPBUGS-62142])
-
-* If you configure direct authentication with an external OIDC provider and do not provide a value for `issuerCertificateAuthority` for the issuer in the OIDC provider configuration, the Machine Config Operator degrades. This can cause the Console Operator to degrade and some control plane nodes might fail to become available. As a workaround, set the `issuerCertificateAuthority` value for the issuer. (link:https://issues.redhat.com/browse/OCPBUGS-62011[OCPBUGS-62011])
-
-
diff --git a/modules/zstream-4-20-5-updating.adoc b/modules/zstream-4-20-5-updating.adoc
deleted file mode 100644
index 7b7f41145c22..000000000000
--- a/modules/zstream-4-20-5-updating.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-5-updating_{context}"]
-= Updating
-
-
-[role="_abstract"]
-To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI].
\ No newline at end of file
diff --git a/modules/zstream-4-20-5.adoc b/modules/zstream-4-20-5.adoc
new file mode 100644
index 000000000000..a14131cf4a3e
--- /dev/null
+++ b/modules/zstream-4-20-5.adoc
@@ -0,0 +1,92 @@
+// Module included in the following assemblies:
+//
+// * release_notes/ocp-4-20-release-notes.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="ocp-4-20-5_{context}"]
+= RHBA-2025:21811 - {product-title} {product-version}.5 fixed issues advisory
+
+[role="_abstract"]
+Issued: 25 November 2025
+
+{product-title} release {product-version}.5 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHBA-2025:21811[RHBA-2025:21811] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:21809[RHBA-2025:21809] advisory.
+
+Space precluded documenting all of the container images for this release in the advisory.
+
+You can view the container images in this release by running the following command:
+
+[source,terminal]
+----
+$ oc adm release info 4.20.5 --pullspecs
+----
+
+[id="ocp-4-20-5-enhancements_{context}"]
+== Enhancements
+
+The following enhancements for direct authentication with an external OpenID Connect (OIDC) identity provider are included in this z-stream release:
+
+General availability of direct authentication with an external OIDC identity provider::
+Using direct authentication with an external OIDC identity provider is now generally available. This authentication method bypasses the built-in OAuth server and uses the external identity provider directly.
+
+Support for additional identity providers::
+The following OIDC identity providers are now supported for direct authentication:
+
+* Active Directory Federation Services for Windows Server
+* GitLab
+* Google
+* Okta
+* Ping Identity
+* Red Hat Single Sign-On
+
+Deactivation of OAuth services::
+The following internal OAuth resources are now disabled when you configure direct authentication:
+
+* OpenShift OAuth server and OpenShift OAuth API server
+* User and group APIs (`*.user.openshift.io`)
+* OAuth APIs (`*.oauth.openshift.io`)
+* OAuth server and client configurations
+
+[IMPORTANT]
+====
+Ensure that you do not rely on these removed resources before configuring direct authentication.
+====
+
+Support for additional claim mappings::
+You can now use the `uid` and `extra` claim mapping fields when configuring an external OIDC provider for direct authentication.
+
+For more information, see xref:../authentication/external-auth.adoc#external-auth[Enabling direct authentication with an external OIDC identity provider].
+
+[id="ocp-4-20-5-known-issues_{context}"]
+== Known issues
+
+This release contains the following known issues:
+
+* When using GitLab or Google as the external OIDC identity provider for direct authentication, clicking *Log out* from the {product-title} web console does not log you out of the console. (link:https://issues.redhat.com/browse/OCPBUGS-61649[OCPBUGS-61649])
+
+* When using Active Directory Federation Services for Windows Server as the external OIDC identity provider for direct authentication, logging into the {product-title} web console the first time produces an authentication error. As a workaround, reload the web console until it displays properly. (link:https://issues.redhat.com/browse/OCPBUGS-62142[OCPBUGS-62142])
+
+* If you configure direct authentication with an external OIDC provider and do not provide a value for `issuerCertificateAuthority` for the issuer in the OIDC provider configuration, the Machine Config Operator degrades. This can cause the Console Operator to degrade and some control plane nodes might fail to become available. As a workaround, set the `issuerCertificateAuthority` value for the issuer. (link:https://issues.redhat.com/browse/OCPBUGS-62011[OCPBUGS-62011])
+
+[id="ocp-4-20-5-fixed-issues_{context}"]
+== Fixed issues
+
+The following issues are fixed for this release:
+
+* Before this update, the `oauth` pods in the `openshift-authentication` namespaces could get stuck while rolling out changes when one of the corresponding nodes these pods are running on is not ready or not available. This was causing authentication to completely stop until the blocked rollout concludes. With this release, the pods can proceed with the rolling update even when an unhealthy node is down or unavailable (link:https://issues.redhat.com/browse/OCPBUGS-61896[OCPBUGS-61896])
+
+* Before this update, alerts in the project overview were not visible because the application was querying an incorrect API. With this release, the application now queries the correct API and displays the project alerts. (link:https://issues.redhat.com/browse/OCPBUGS-63125[OCPBUGS-63125])
+
+* Before this update, the aggregated API servers on {product-title} were provisioned with `in-memory` loopback certificates that were valid for only 1 year. With this release, the aggregated API servers on {product-title} are provisioned with `in-memory` loopback certificates that are valid for 3 years. (link:https://issues.redhat.com/browse/OCPBUGS-63532[OCPBUGS-63532])
+
+* Before this update, when directly navigating to a page created by a web console dynamic plugin, the web console might redirect to a different URL. With this release, the URL redirect has been removed. (link:https://issues.redhat.com/browse/OCPBUGS-63616[OCPBUGS-63616])
+
+* Before this release, any unrelated changes to a `netpol` resource triggered a full reconcile of the object, including deleting and re-adding rules. With this release, a `netpol` object fully reconciles when required. Otherwise, it is skipped. (link:https://issues.redhat.com/browse/OCPBUGS-64590[OCPBUGS-64590])
+
+* Before this update, the Horizontal Pod Autoscaler (HPA) form incorrectly mandated both CPU and memory values, forcing users to use YAML for single-metric HPAs (such as memory-only) or to rely on the default CPU setting. With this release, the form has been updated and leaving a field empty now correctly omits that metric, allowing users to create CPU-only, memory-only, or default 80% CPU HPAs from the web form. (link:https://issues.redhat.com/browse/OCPBUGS-64639[OCPBUGS-64639])
+
+* Before this update, it was impossible to schedule a `must-gather` pod to a specific worker node when the `--node-name` argument was used as the pod's node affinity accepted only control plane nodes. With this release, the `must-gather` logic is updated to avoid setting node affinity when the `--node-name` argument is set. (link:https://issues.redhat.com/browse/OCPBUGS-65523[OCPBUGS-65523])
+
+[id="ocp-4-20-5-updating_{context}"]
+== Updating
+
+To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI].
\ No newline at end of file
diff --git a/modules/zstream-4-20-6-about.adoc b/modules/zstream-4-20-6-about.adoc
deleted file mode 100644
index ea7d0238263b..000000000000
--- a/modules/zstream-4-20-6-about.adoc
+++ /dev/null
@@ -1,22 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: CONCEPT
-[id="zstream-4-20-6-about_{context}"]
-= RHSA-2025:22257 - {product-title} {product-version}.6 bug fix advisory
-
-[role="_abstract"]
-Issued: 02 December 2025
-
-{product-title} release {product-version}.6 is now available. The list of bug fixes that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:22257[RHSA-2025:22257] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHSA-2025:22255[RHSA-2025:22255] advisory.
-
-Space precluded documenting all of the container images for this release in the advisory.
-
-You can view the container images in this release by running the following command:
-
-[source,terminal]
-----
-$ oc adm release info 4.20.6 --pullspecs
-----
diff --git a/modules/zstream-4-20-6-enhancements.adoc b/modules/zstream-4-20-6-enhancements.adoc
deleted file mode 100644
index 7892b252a4b6..000000000000
--- a/modules/zstream-4-20-6-enhancements.adoc
+++ /dev/null
@@ -1,18 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-6-enhancements_{context}"]
-= Enhancements
-
-[role="_abstract"]
-The following enhancements are included in this z-stream release:
-
-Support for installing a cluster without an external registry (Technology Preview)::
-As a Technology Preview feature, you can deploy a cluster without an external registry, using self-contained installation media that also provides a simplified user interface similar to the {ai-full} during on-premise installations.
-
-For more information, see the following documentation:
-
-* xref:../installing/installing_with_agent_based_installer/installing-ove.adoc#installing-ove[Installing a cluster without an external registry]
\ No newline at end of file
diff --git a/modules/zstream-4-20-6-updating.adoc b/modules/zstream-4-20-6-updating.adoc
deleted file mode 100644
index 8affe9822499..000000000000
--- a/modules/zstream-4-20-6-updating.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: REFERENCE
-[id="zstream-4-20-6-updating_{context}"]
-= Updating
-
-
-[role="_abstract"]
-To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI].
\ No newline at end of file
diff --git a/modules/zstream-4-20-6-bug-fixes.adoc b/modules/zstream-4-20-6.adoc
similarity index 55%
rename from modules/zstream-4-20-6-bug-fixes.adoc
rename to modules/zstream-4-20-6.adoc
index c18e16a64be4..a37d9eeb13f2 100644
--- a/modules/zstream-4-20-6-bug-fixes.adoc
+++ b/modules/zstream-4-20-6.adoc
@@ -2,12 +2,39 @@ // // * release_notes/ocp-4-20-release-notes.adoc - :_mod-docs-content-type: REFERENCE -[id="zstream-4-20-6-bug-fixes_{context}"] -= Bug fixes +[id="ocp-4-20-6_{context}"] += RHSA-2025:22257 - {product-title} {product-version}.6 fixed issues advisory [role="_abstract"] +Issued: 02 December 2025 + +{product-title} release {product-version}.6 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:22257[RHSA-2025:22257] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHSA-2025:22255[RHSA-2025:22255] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.20.6 --pullspecs +---- + +[id="ocp-4-20-6-enhancements_{context}"] +== Enhancements + +The following enhancements are included in this z-stream release: + +Support for installing a cluster without an external registry (Technology Preview):: +As a Technology Preview feature, you can deploy a cluster without an external registry, using self-contained installation media that also provides a simplified user interface similar to the {ai-full} during on-premise installations. + +For more information, see the following documentation: + +* xref:../installing/installing_with_agent_based_installer/installing-ove.adoc#installing-ove[Installing a cluster without an external registry] + +[id="ocp-4-20-6-fixed-issues_{context}"] +== Fixed issues + The following bugs are fixed for this release: * Before this update, the `CloudFront` object distribution was not deleted due to a failed tag-based retrieval, and caused persistence of resources, including the origin access identity. 
With this release, the `CloudFront` origin access identity is deleted after using the distribution command. As a result, the `CloudFront` object distribution and origin access identity are deleted after using the delete command. (link:https://issues.redhat.com/browse/OCPBUGS-63690[OCPBUGS-63690]) @@ -17,3 +44,8 @@ The following bugs are fixed for this release: * Before this update, the Ironic API service advertised an inaccessible IP address because there was no accessibility check. As a consequence, the inaccessible Ironic API service caused service unavailability for users. With this release, the advertised IP address for the Ironic API service checks for accessibility. As a result, the advertised IP address for the Ironic API service is reachable. (link:https://issues.redhat.com/browse/OCPBUGS-65519[OCPBUGS-65519]) * Before this update, worker virtual machine (VM) creation failures in the `CentralUSEUAP` hub were due to a hard-coded `platformUpdateDomainCount` parameter in Microsoft Messaging API (MAPI) code. As a consequence, this caused an incompatible `availability set` configuration and VM creation failures in the {azure-first} `CentralUSEUAP` hub. With this release, the hard-coded `platformUpdateDomainCount` parameter is updated to match the parameter in the `CentralUSEUAP` hub. As a result, worker VMs are created without `availability set` errors. (link:https://issues.redhat.com/browse/OCPBUGS-65708[OCPBUGS-65708]) + +[id="ocp-4-20-6-updating_{context}"] +== Updating + +To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. diff --git a/modules/zstream-4-20-8-about.adoc b/modules/zstream-4-20-8-about.adoc deleted file mode 100644 index 00087adcc209..000000000000 --- a/modules/zstream-4-20-8-about.adoc +++ /dev/null 
@@ -1,22 +0,0 @@
-// Module included in the following assemblies:
-//
-// * release_notes/ocp-4-20-release-notes.adoc
-
-
-:_mod-docs-content-type: CONCEPT
-[id="zstream-4-20-8-about_{context}"]
-= RHBA-2025:23103 - {product-title} {product-version}.8 fixed issues advisory
-
-[role="_abstract"]
-Issued: 16 December 2025
-
-{product-title} release {product-version}.8 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHBA-2025:23103[RHBA-2025:23103] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:23101[RHBA-2025:23101] advisory.
-
-Space precluded documenting all of the container images for this release in the advisory.
-
-You can view the container images in this release by running the following command:
-
-[source,terminal]
-----
-$ oc adm release info 4.20.8 --pullspecs
-----
diff --git a/modules/zstream-4-20-8-fixed-issues.adoc b/modules/zstream-4-20-8.adoc
similarity index 76%
rename from modules/zstream-4-20-8-fixed-issues.adoc
rename to modules/zstream-4-20-8.adoc
index 601b45812218..3d84db6a6f4b 100644
--- a/modules/zstream-4-20-8-fixed-issues.adoc
+++ b/modules/zstream-4-20-8.adoc
@@ -2,12 +2,27 @@ // // * release_notes/ocp-4-20-release-notes.adoc - :_mod-docs-content-type: REFERENCE -[id="zstream-4-20-8-fixed-issues_{context}"] -= Fixed issues +[id="ocp-4-20-8_{context}"] += RHBA-2025:23103 - {product-title} {product-version}.8 fixed issues advisory [role="_abstract"] +Issued: 16 December 2025 + +{product-title} release {product-version}.8 is now available. The list of fixed issues that are included in the update is documented in the link:https://access.redhat.com/errata/RHBA-2025:23103[RHBA-2025:23103] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:23101[RHBA-2025:23101] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.20.8 --pullspecs +---- + +[id="ocp-4-20-8-fixed-issues_{context}"] +== Fixed issues + The following issues are fixed for this release: * Before this update, resizing or cloning small {gcp-first} hyperdisk volumes failed due to an input/output operations per second (IOPS) validation error from the {gcp-first} Application Programming Interface (API). This occurred because the Container Storage Interface (CSI) driver did not automatically adjust the provisioned IOPS to meet the minimum requirements of the new volume size. With this release, the driver is updated to correctly calculate and provide the required IOPS during volume expansion operations. (link:https://issues.redhat.com/browse/OCPBUGS-62117[OCPBUGS-62117]) 
@@ -24,4 +39,9 @@ The following issues are fixed for this release: * Before this update, when opening a terminal to a running pod, the session disconnected whenever the annotations of the pod changed. With this release, the terminal session does not disconnect when the annotations are changed. (link:https://issues.redhat.com/browse/OCPBUGS-65900[OCPBUGS-65900]) -* Before this update, unit conversion formulas were missing, which resulted in units showing `undefined` when one of the missing formulas was selected. With this release, the missing unit conversion formulas are added, ensuring that results show the correct units rather than showing an `undefined` state. (link:https://issues.redhat.com/browse/OCPBUGS-65947[OCPBUGS-65947]) \ No newline at end of file +* Before this update, unit conversion formulas were missing, which resulted in units showing `undefined` when one of the missing formulas was selected. With this release, the missing unit conversion formulas are added, ensuring that results show the correct units rather than showing an `undefined` state. (link:https://issues.redhat.com/browse/OCPBUGS-65947[OCPBUGS-65947]) + +[id="ocp-4-20-8-updating_{context}"] +== Updating + +To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. diff --git a/release_notes/ocp-4-20-release-notes.adoc b/release_notes/ocp-4-20-release-notes.adoc index d78fcef5fcc7..7bca845c3c1a 100644 --- a/release_notes/ocp-4-20-release-notes.adoc +++ b/release_notes/ocp-4-20-release-notes.adoc 
@@ -3015,282 +3015,47 @@ In both cases, the installation program generates a user-assigned identity. (lin // [id="ocp-storage-core-release-known-issues_{context}"] - // 4.20.14 about async include::modules/rn-async-errata.adoc[leveloffset=+1] -// 4.20.14 RNs -include::modules/zstream-4-20-14.adoc[leveloffset=+2] - -// About 4-20-12 release notes -include::modules/zstream-4-20-13-about.adoc[leveloffset=+2] - -// 4-20-12 release notes enhancements -include::modules/zstream-4-20-13-enhancements.adoc[leveloffset=+3] - -// 4-20-12 release notes fixed issues -include::modules/zstream-4-20-13-fixed-issues.adoc[leveloffset=+3] - -// 4-20-12 release notes updating -include::modules/zstream-4-20-13-updating.adoc[leveloffset=+3] - -// About 4-20-12 release notes -include::modules/zstream-4-20-12-about.adoc[leveloffset=+2] - -// 4-20-12 release notes enhancements -include::modules/zstream-4-20-12-known-issues.adoc[leveloffset=+3] - -// 4-20-12 release notes fixed issues -include::modules/zstream-4-20-12-fixed-issues.adoc[leveloffset=+3] - -// 4-20-12 release notes updating -include::modules/zstream-4-20-12-updating.adoc[leveloffset=+3] - -// About 4-20-11 release notes -include::modules/zstream-4-20-11-about.adoc[leveloffset=+2] - -// 4-20-11 release notes enhancements -include::modules/zstream-4-20-11-enhancements.adoc[leveloffset=+3] - -// 4-20-11 release notes fixed issues -include::modules/zstream-4-20-11-fixed-issues.adoc[leveloffset=+3] - -// 4-20-11 release notes updating -include::modules/zstream-4-20-11-updating.adoc[leveloffset=+3] - -// About 4-20-10 release notes -include::modules/zstream-4-20-10-about.adoc[leveloffset=+2] - -// 4-20-10 release notes enhancements -include::modules/zstream-4-20-10-enhancements.adoc[leveloffset=+3] - -// 4-20-10 release notes fixed issues -include::modules/zstream-4-20-10-fixed-issues.adoc[leveloffset=+3] - -// 4-20-10 release notes updating -include::modules/zstream-4-20-10-updating.adoc[leveloffset=+3] - -// About 4-20-8 release 
notes -include::modules/zstream-4-20-8-about.adoc[leveloffset=+2] - -// 4-20-8 release notes fixed issues -include::modules/zstream-4-20-8-fixed-issues.adoc[leveloffset=+3] - -// 4-20-8 release notes updating -include::modules/zstream-4-20-x-updating.adoc[leveloffset=+3] - -// About 4-20-6 release notes -include::modules/zstream-4-20-6-about.adoc[leveloffset=+2] - -// 4-20-6 release notes enhancements -include::modules/zstream-4-20-6-enhancements.adoc[leveloffset=+3] - -// 4-20-6 release notes bug fixes -include::modules/zstream-4-20-6-bug-fixes.adoc[leveloffset=+3] - -// 4-20-6 release notes updating -include::modules/zstream-4-20-6-updating.adoc[leveloffset=+3] - -// About 4-20-5 release notes -include::modules/zstream-4-20-5-about.adoc[leveloffset=+2] - -// 4-20-5 release notes enhancements -include::modules/zstream-4-20-5-enhancements.adoc[leveloffset=+3] - -// 4-20-5 release notes known issues -include::modules/zstream-4-20-5-known-issues.adoc[leveloffset=+3] - -// 4-20-5 release notes bug fixes -include::modules/zstream-4-20-5-bug-fixes.adoc[leveloffset=+3] - -// 4-20-5 release notes updating -include::modules/zstream-4-20-5-updating.adoc[leveloffset=+3] - -//4.20.4 -[id="ocp-4-20-4_{context}"] -=== RHSA-2025:21228 - {product-title} {product-version}.4 image release, bug fix, and security update advisory - -Issued: 18 November 2025 - -{product-title} release {product-version}.4, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the link:https://access.redhat.com/errata/RHBA-2025:21228[RHBA-2025:21228] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:21223[RHBA-2025:21223] advisory. - -Space precluded documenting all of the container images for this release in the advisory. 
- -You can view the container images in this release by running the following command: - -[source,terminal] ----- -$ oc adm release info 4.20.4 --pullspecs ----- - -[id="ocp-4-20-4-bug-fixes_{context}"] -==== Bug fixes - -* Before this update, the horizontal pod autoscaler (HPA) form in the web console incorrectly required you to provide values for both CPU and memory utilization, even though the API allows for HPAs to be created with a single metric or with no metrics (to use the API default). As a consequence, you could not use the form to create single-metric HPAs, for example, Memory-only, or HPAs that rely on the API default (80% CPU). This issue required you to use the YAML view for these common configurations. With this release, the HPA form logic is updated to align with the API so that the user interface no longer requires both fields to be completed. As a result, an empty utilization field correctly omits that HPA metric from the HPA manifest, which allows the API to apply its default behavior or create a single-metric HPA. You can use the HPA form to create single-metric HPAs, for example, CPU-only or Memory-only. If both utilization fields are left empty, the HPA is created and correctly falls back to the API default of 80% CPU utilization. (link:https://issues.redhat.com/browse/OCPBUGS-63339[OCPBUGS-63339]) - -* Before this update, during rolling cluster updates from etcd 3.5.19 to a release of 3.6, the wrong membership data could be propagated to new members. As a consequence, cluster updates failed with an error indicating too many learner members in the cluster. With this release, etcd is updated to 3.5.24, which includes fixes that prevent membership-related errors. 
(link:https://issues.redhat.com/browse/OCPBUGS-63474[OCPBUGS-63474]) - -* Before this update, the `ccoctl` utility would automatically generate a new keypair if the private key was not found, even when users intentionally provided only the public key as per documented security procedures. This behavior caused a problem, as the newly generated keys would not match the cluster's keys, resulting in service outages for users following the correct process. With this update, the utility was changed to ensure a new keypair is never generated when the `--public-key-file` parameter is specified, and this parameter was added to all create-all functions for consistency. As a result, specifying the public key file now guarantees the provided key is used, ensuring the cluster continues to function as expected without interruption. (link:https://issues.redhat.com/browse/OCPBUGS-63546[OCPBUGS-63546]) - -* Before this update, the binary version data for Kubernetes binaries was incorrectly set to `v0.0.0`, which caused problems with vulnerability scanning tools. With this release, the build issue is fixed. As a result, the most recent upstream `kube` version is shown, for example, `v1.33.5`. (link:https://issues.redhat.com/browse/OCPBUGS-63749[OCPBUGS-63749]) - -[id="ocp-4-20-4-updating_{context}"] -==== Updating -To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. - -//4.20.3 -[id="ocp-4-20-3_{context}"] -=== RHSA-2025:19890 - {product-title} {product-version}.3 image release, bug fix, and security update advisory - -Issued: 11 November 2025 - -{product-title} release {product-version}.3, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:19890[RHSA-2025:19890] advisory. 
The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:19888[RHBA-2025:19888] advisory. - -Space precluded documenting all of the container images for this release in the advisory. - -You can view the container images in this release by running the following command: - -[source,terminal] ----- -$ oc adm release info 4.20.3 --pullspecs ----- +// Add all z-stream release notes modules in the descending order below this comment. -[id="ocp-4-20-3-bug-fixes_{context}"] -==== Bug fixes -* Before this update, the communication matrix project failed to create EndPointSlice objects for open ports 9193 and 9194 on the primary node because of a missing service connection. As a consequence, inaccurate communication matrixes resulted. With this release, the service is connected to open ports 9193 and 9194, which resolve the missing EndPointSlice objects. As a result, open ports 9193 and 9194 on the primary node are associated with a service, resulting in accurate communication matrixes for {product-title} users. (link:https://issues.redhat.com/browse/OCPBUGS-63587[OCPBUGS-63587]) - -* Before this update, the metric denylist incorrectly formatted the regular expression for the `kube_customresource`, omitting the `annotations` field. As a consequence, users experienced missing metrics due to an incorrect denylist configuration. With this release, unnecessary entries are removed from the metric denylist. As a result, registry metrics include missing annotations, which improves data accuracy. (link:https://issues.redhat.com/browse/OCPBUGS-64577[OCPBUGS-64577]) - -[id="ocp-4-20-3-updating_{context}"] -==== Updating -To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. 
- -//4.20.2 -[id="ocp-4-20-2_{context}"] -=== RHSA-2025:19296 - {product-title} {product-version}.2 image release, bug fix, and security update advisory - -Issued: 04 November 2025 - -{product-title} release {product-version}.2, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:19296[RHSA-2025:19296] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHBA-2025:19294[RHBA-2025:19294] advisory. - -Space precluded documenting all of the container images for this release in the advisory. - -You can view the container images in this release by running the following command: - -[source,terminal] ----- -$ oc adm release info 4.20.2 --pullspecs ----- - -[id="ocp-4-20-2-enhancements_{context}"] -==== Enhancements - -* With this update, the `adm upgrade recommend` command now retrieves and displays critical and non-critical alerts that can be used by cluster administrators for cluster updates. Cluster administrators can also use a new `--accept` option with the `--version` command to accept specific acceptable issues. The command exits nonzero if unaccepted issues are detected. (link:https://issues.redhat.com/browse/OCPBUGS-61757[OCPBUGS-61757]) - -[id="ocp-4-20-2-bug-fixes_{context}"] -==== Bug fixes - -* Before this update, if NetworkManager was restarted or crashed on a node with a `br-ex` interface managed by NMState, the node lost network connectivity. With this release, a fallback check in the dispatcher script was added to detect NMState-managed `br-ex` interfaces by checking for the `br-ex-br` bridge ID when the standard `br-ex` bridge ID is not found. As a result, nodes with this interface type do not lose network connectivity when NetworkManager restarts or crashes. 
(link:https://issues.redhat.com/browse/OCPBUGS-62167[OCPBUGS-62167]) - -* Before this update, the `driver-config` parameter in the config map content was flapping due to the Go randomized map iteration order. As a consequence, storage classes and related components were appearing in different sequences on each reconcile loop even when the actual data did not change. The frequent and unnecessary config map updates in the hosted cluster namespace caused instability and potential performance issues. With this release, consistent alphabetical sorting is implemented for storage groups, storage classes within each group, volume snapshot classes within each group, and the `allowList` array to ensure deterministic output. As a result, the `driver-config` config map does not experience content flapping, which eliminates unnecessary updates and improves stability. (link:https://issues.redhat.com/browse/OCPBUGS-62806[OCPBUGS-62806]) - -* Before this update, missing manifest files in a release caused the `TechPreviewNoUpgrade` cluster to not present the Cluster Version Operator (CVO) API object in a cluster. As a consequence, the cluster adminsitrator could not change the log level for the CVO in the `TechPreviewNoUpgrade` cluster. With this release, the missing manifest files are added. As a result, the CVO log level can be changed in a `TechPreviewNoUpgrade` cluster. (link:https://issues.redhat.com/browse/OCPBUGS-63001[OCPBUGS-63001]) - -* Before this update, when you ran the `ocp-tuned-one-shot.service` systemd unit that was owned by the Node Tuning Operator (NTO), a dependency failure might have occurred for the kubelet. As a consequence, the kubelet did not start. With this release, running the `ocp-tuned-one-shot.service` unit does not cause a dependency failure. As a result, the kubelet starts when you run the unit. 
(link:https://issues.redhat.com/browse/OCPBUGS-63334[OCPBUGS-63334]) - -* Before this update, the *Observe -> Metric* page used the cluster-wide metrics API even when you did not have cluster-wide metrics API permissions. As a consequence, the query input displayed an error and the autofill for the query input did not work without cluster-wide metrics API access. With this release, the `namespace-tenancy` metrics API is used if you do not have cluster-wide metrics API permissions, As a result, an error does not occur and autofill is available for the metrics within the selected namespace. (link:https://issues.redhat.com/browse/OCPBUGS-63440[OCPBUGS-63440]) - -* Before this update, the node log length was unlimited. As a consequence, an extremely large log could prevent the display of the log or cause the browser to crash. With this release, the node log length is limited to 1,000 lines. As a result, the log displays correctly. (link:https://issues.redhat.com/browse/OCPBUGS-63440[OCPBUGS-63470]) - -* Before this update, the {azure-short} machine provider was not passing the `dataDisks` configuration from the `MachineSet` specification into the virtual machine creation API request for the {azure-short} Stack Hub. As a consequence, new machines were created without the specified data disks because the configuration was silently ignored during the VM creation process. With this release, the VM creation for the {azure-short} Stack Hub is updated to include the `dataDisks` configuration. An additional update manually implements the behavior of the `deletionPolicy: Delete` parameter in the controller because the {azure-short} Stack Hub does not natively support this option. As a result, data disks are correctly provisioned on the {azure-short} Stack Hub VMs. The `Delete` policy is also functionally supported, which ensures that disks are properly removed when their machines are removed. 
(link:https://issues.redhat.com/browse/OCPBUGS-63535[OCPBUGS-63535]) - -* Before this update, the `internalUser` parameter was `true` by default. As a consequence, if you did not specify this value when you created or updated the custom resource (CR), the default value was `true` for external users. With this release, the default value is changed to `false`. As a result, if an external user attempts to use internal user credentials to access https://sftp.access.redhat.com, the parameter value is `internalUser=false`. (link:https://issues.redhat.com/browse/OCPBUGS-63579[OCPBUGS-63579]) - -[id="ocp-4-20-2-updating_{context}"] -==== Updating -To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. - -//4.20.1 -[id="ocp-4-20-1_{context}"] -=== RHSA-2025:19003 - {product-title} {product-version}.1 image release, bug fix, and security update advisory - -Issued: 28 Oct 2025 - -{product-title} release {product-version}.1, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:19003[RHSA-2025:19003] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHEA-2025:19001[RHEA-2025:19001] advisory. - -Space precluded documenting all of the container images for this release in the advisory. - -You can view the container images in this release by running the following command: - -[source,terminal] ----- -$ oc adm release info 4.20.1 --pullspecs ----- - -[id="ocp-4-20-1-known-issues_{context}"] -==== Known issues - -* Starting with {product-title} 4.20, there is a decrease in the default maximum open files soft limit for containers. As a consequence, end users may experience application failures. 
To work around this problem, increase the container runtimes (CRI-O) ulimit configuration. (link:https://issues.redhat.com/browse/OCPBUGS-62095[OCPBUGS-62095]) - -[id="ocp-4-20-1-bug-fixes_{context}"] -==== Bug fixes - -* Before this update, iDRAC10 hardware provisioning was failing due to an incorrect data type for the Dell Original Equipment Manufacturer (OEM) `Target` property and the use of an incorrect virtual media slot. As a result, users were unable to provision Dell iDRAC10 servers. With this release, the Dell iDRAC10 can be provisioned. (link:https://issues.redhat.com/browse/OCPBUGS-52427[OCPBUGS-52427]) - -* Before this release, two identical copies of the same controller were updating the same certificate authority (CA) bundle in a `configmap` causing them to receive different metadata inputs, rewrite each other's changes, and create duplicate events. With this release, the controllers use optimistic updating and server-side apply to avoid update events and handle update conflicts. As a result, metadata updates no longer trigger duplicate events, and the expected metadata is set correctly. (link:https://issues.redhat.com/browse/OCPBUGS-55217[OCPBUGS-55217]) - -* Before this update, when installing a cluster on {ibm-power-server-title} you could only specify a name for an existing Transit Gateway or virtual private cloud (VPC). As the uniqueness of names was not guaranteed, this could cause conflicts and installation failures. With this release, you can use Universally Unique Identifiers (UUIDs) for a Transit Gateway and VPC. By using unique identifiers, the installation program can unambiguously identify the correct Transit Gateway or VPC. This prevents the naming conflicts and the issue is resolved. 
(link:https://issues.redhat.com/browse/OCPBUGS-59678[OCPBUGS-59678]) - -* Before this update, the Cloud event proxy for the Precision Time Protocol (PTP) Operator incorrectly parsed BF3 Network Interface Card (NIC) names, causing the interface alias to be formatted incorrectly. As a consequence, the incorrect parsing caused end users to misinterpret cloud events. With this release, the Cloud event proxy has been updated to correctly parse BF3 NIC names in the PTP Operator. As a result, fix improves parsing of BF3 NIC names, ensuring correct event publication for the PTP Operator. (link:https://issues.redhat.com/browse/OCPBUGS-60466[OCPBUGS-60466]) - -* Before this update, a pod with a secondary interface in an OVN-Kubernetes Localnet network (mapped to the br-ex bridge) could communicate with pods on the same node that used the default network for connectivity only if the Localnet IP addresses were within the same subnet as the host network. With this release, the localnet IP addresses can be drawn from any subnet; in this generalized case, an external router outside the cluster is expected to connect the localnet subnet to the host network. (link:https://issues.redhat.com/browse/OCPBUGS-61453[OCPBUGS-61453]) - -* Before this update, the Precision Time Protocol (PTP) Operator wrongly parsed network interface controller (NIC) names. As a result, interface aliases were incorrectly formatted and this impacted identifying a PTP hardware clock (PHC) when using Mellaonox cards to send clock state events. With this release, the PTP now correctly parses the NIC names so that generated aliases align with Mellanox naming conventions. Mellanox cards can now accurately identify a PHC when sending clock state events. (link:https://issues.redhat.com/browse/OCPBUGS-61581[OCPBUGS-61581]) - -* Before this update, the `cluster in workload identity mode` warning was missing when only the `token-auth-azure` annotation was set, which could lead to misconfiguration. 
This update adds a check for the `token-auth-azure` annotation when showing the warning. As a result, clusters that use only Azure Workload Identity now show the “cluster in workload identity mode” warning as expected. (link:https://issues.redhat.com/browse/OCPBUGS-61861[OCPBUGS-61861]) - -* Before this update, the YAML editor in the web console would default to indenting YAML files with 4 spaces. With this release, the default indentation has changed to 2 spaces to align with recommendations. (link:https://issues.redhat.com/browse/OCPBUGS-61990[OCPBUGS-61990]) - -* Before this update, deploying hosted control planes in version 4.20 or later with user-supplied `ignition-server-serving-cert` and `ignition-server-ca-cert` secrets`, along with the `disable-pki-reconciliation annotation`, caused the system to remove the user supplied ignition secrets and the `ignition-server` pods to fail. With this release, the `ignition-server` secrets are preserved during reconciliation after removing the delete action for the `disable-pki-reconciliation` annotation ensuring ignition-server pods start. (link:https://issues.redhat.com/browse/OCPBUGS-62006[OCPBUGS-62006]) - -* Before this update, if the `OVNKube-controller` on a node failed to process updates and configure its local OVN database, the `OVN-controller` could connect to this stale database. This caused the `OVN-controller` to consume outdated `EgressIP` configurations and send incorrect Gratuitous ARPs (GARPs) for an IP address that might have already moved to a different node. With this release, the `OVN-controller` is blocked from sending these GARPs during the time when the `OVNKube-controller` is not processing updates. As a result, network disruptions are prevented by ensuring GARPs are not sent based on stale database information. 
(link:https://issues.redhat.com/browse/OCPBUGS-62273[OCPBUGS-62273]) - -* Before this update, upgrading a `ClusterExtension` could fail when unhandled Customer Resource Definition (CRD) changes produced a large JSON diff for the validation status. This diff often exceeded the Kubernetes 32 KB limit, causing the status update to fail and leaving users with no information about why the upgrade did not occur. With this release, the diff output is truncated and summarized for unhandled scenarios instead of including the full JSON diff. This ensures the status updates remain within size limits, allowing them to post successfully and provide users with clear, actionable error messages. (link:https://issues.redhat.com/browse/OCPBUGS-62722[OCPBUGS-62722]) - -* Before this update, gRPC connection logs were set at a highly verbose log level. This generated an excessive number of messages, which caused the logs to overflow. With this release, the gRPC connection logs have been moved to the V(4) log level. Consequently, the logs no longer overflow, as these specific messages are now less verbose by default. (link:https://issues.redhat.com/browse/OCPBUGS-62844[OCPBUGS-62844]) - -* Before this update, running `oc-mirror` without displaying its version caused delays in debugging, as the correct version with required fixes was not known. As a consequence, the user was unable to identify `oc-mirror` version, hindering efficient debugging. With this release, `oc-mirror` now displays its version in the output, aiding faster debugging and ensuring correct fix application. (link:https://issues.redhat.com/browse/OCPBUGS-62283[OCPBUGS-62283]) +// 4.20.14 release notes +include::modules/zstream-4-20-14.adoc[leveloffset=+2] -* Before this update, a bug occurred when the `cluster-api-operator` kubeconfig controller tried to use a regenerated authentication token secret before the token value was fully populated. 
This caused users to experience recurring, transient reconciliation errors every 30 minutes, which briefly put the Operator into a degraded state. With this release, the controller now waits for the authentication token to be populated within the secret before proceeding, preventing the Operator from going into a degraded state and eliminates the recurring errors. (link:https://issues.redhat.com/browse/OCPBUGS-62755[OCPBUGS-62755]) +// 4-20-13 release notes +include::modules/zstream-4-20-13.adoc[leveloffset=+2] -* Before this update, in {product-title} 4.19.9, the Cluster Version Operator (CVO) began requiring bearer token authentication in metrics requests. As a consequence, this broke the metrics scraper on hosted control plane clusters because their scrapers provided no client authentication. With this release, the CVO no longer requires client authentication for metrics requests in hosted control plane clusters. (link:https://issues.redhat.com/browse/OCPBUGS-62867[OCPBUGS-62867]) +// 4-20-12 release notes +include::modules/zstream-4-20-12.adoc[leveloffset=+2] -* Before this update, during failover, the system's duplicate address detection (DAD) could incorrectly disable the Egress IPv6 address if it was briefly present on both nodes, breaking the connection. With this release, the Egress IPv6 is configured to skip the DAD check during failover, guaranteeing uninterrupted egress IPv6 traffic after an Egress IP address successfully moves to a different node and ensuring greater network stability. (link:https://issues.redhat.com/browse/OCPBUGS-62913[OCPBUGS-62913]) +// 4-20-11 release notes +include::modules/zstream-4-20-11.adoc[leveloffset=+2] -[id="ocp-4-20-1-updating_{context}"] -==== Updating -To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. 
+// 4-20-10 release notes +include::modules/zstream-4-20-10.adoc[leveloffset=+2] -//Update with relevant advisory information -[id="ocp-4-20-0-ga_{context}"] -=== RHSA-2025:9562 - {product-title} {product-version}.0 image release, bug fix, and security update advisory +// 4-20-8 release notes +include::modules/zstream-4-20-8.adoc[leveloffset=+2] -Issued: 21 Oct 2025 +// 4-20-6 release notes +include::modules/zstream-4-20-6.adoc[leveloffset=+2] -{product-title} release {product-version}.0, which includes security updates, is now available. The list of bug fixes that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:9562[RHSA-2025:9562] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHEA-2025:4782[RHEA-2025:4782] advisory. +// 4-20-5 release notes +include::modules/zstream-4-20-5.adoc[leveloffset=+2] -Space precluded documenting all of the container images for this release in the advisory. +// 4-20-4 release notes +include::modules/zstream-4-20-4.adoc[leveloffset=+2] -You can view the container images in this release by running the following command: +// 4-20-3 release notes +include::modules/zstream-4-20-3.adoc[leveloffset=+2] -[source,terminal] ----- -$ oc adm release info 4.20.0 --pullspecs ----- +// 4-20-2 release notes +include::modules/zstream-4-20-2.adoc[leveloffset=+2] -[id="ocp-4-20-0-updating_{context}"] -==== Updating -To update an {product-title} 4.20 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. +// 4-20-1 release notes +include::modules/zstream-4-20-1.adoc[leveloffset=+2] -//replace 4.y.z for the correct values for the release. You do not need to update oc to run this command. +// 4-20-0 release notes +include::modules/zstream-4-20-0.adoc[leveloffset=+2]