diff --git a/release_notes/ocp-4-18-release-notes.adoc b/release_notes/ocp-4-18-release-notes.adoc index 26de935f4cad..3b2740307fe9 100644 --- a/release_notes/ocp-4-18-release-notes.adoc +++ b/release_notes/ocp-4-18-release-notes.adoc 
@@ -3023,6 +3023,70 @@ This section will continue to be updated over time to provide notes on enhanceme For any {product-title} release, always review the instructions on xref:../updating/updating_a_cluster/updating-cluster-web-console.adoc#updating-cluster-web-console[updating your cluster] properly. ==== +// 4.18.20 +[id="ocp-4-18-20_{context}"] +=== RHSA-2025:10767 - {product-title} {product-version}.20 bug fix and security update + +Issued: 16 July 2025 + +{product-title} release {product-version}.20 is now available. The list of bug fixes that are included in the update is documented in the link:https://access.redhat.com/errata/RHSA-2025:10767[RHSA-2025:10767] advisory. The RPM packages that are included in the update are provided by the link:https://access.redhat.com/errata/RHSA-2025:10768[RHSA-2025:10768] advisory. + +Space precluded documenting all of the container images for this release in the advisory. + +You can view the container images in this release by running the following command: + +[source,terminal] +---- +$ oc adm release info 4.18.20 --pullspecs +---- + +[id="ocp-4-18-20-bug-fixes_{context}"] +==== Bug fixes + +* Before this update, a subset of endpoints on the console backend were gated by `TokenReview` requests to the API server. In some cases, the API server would throttle these requests, causing slower load times in the UI. With this release, the `TokenReview` gating was removed from all but one of our endpoints resulting in improved performance. (link:https://issues.redhat.com/browse/OCPBUGS-58317[OCPBUGS-58317]) + +* Before this update, useful error messages were not generated when the`oc adm node-image create` command failed. With this release, the `oc adm node-image create` command generates error messages when the command fails. 
(link:https://issues.redhat.com/browse/OCPBUGS-58233[OCPBUGS-58233]) + +* Before this update, the HAProxy configuration used the `/version` endpoint for health checks causing unreliable health checks to be generated. With this release, the liveness probe is customized to use `/livez?exclude=etcd&exclude=log` on {ibm-cloud-title} for more accurate health checks avoiding disruptions due to inappropriate probe configurations on Hypershift, while retaining `/version` for other platforms. (link:https://issues.redhat.com/browse/OCPBUGS-58126[OCPBUGS-58126]) + +* Before this update, the Machine Config Operator (MCO) updated boot images without verifying that the current boot image was from the marketplace. As a consequence, the MCO overrode a marketplace boot image with a standard {product-title} installer image. With this release, the MCO references a lookup table in {aws-first} that contains all standard installer Amazon Machine Images (AMIs) in {product-title} before it updates the boot image. In {gcp-first}, the MCO checks the URL header before updating the boot image. As a result, the MCO does not update machine sets that have a marketplace boot image. (link:https://issues.redhat.com/browse/OCPBUGS-58044[OCPBUGS-58044]) + +* Before this update, a validation issue within the `oc-mirror` plugin caused the command to reject the `file://.` reference. Users attempting to use `file://.` for a content path received an error message stating `content filepath is tainted`. With this release, `oc-mirror` properly validates the '.' directory reference. (link:https://issues.redhat.com/browse/OCPBUGS-57970[OCPBUGS-57970]) + +* Before this update, the `oc-mirror v2` plugin was not using the correct filtered catalog during its operations. As a consequence, unspecified operators were included in the configuration and the plugin tried to connect to the catalog registry during disk-to-mirror workflows even in air-gapped environments. 
With this release, the correct filtered catalog is used. (link:https://issues.redhat.com/browse/OCPBUGS-57964[OCPBUGS-57964]) + +* Before this update, modals that used the same `useModal` hook instance overwrote each other. As a consequence, the {product-title} Lightspeed user interface disappeared. With this release, modals have unique IDs. As a result, modal conflicts are resolved, which enables the simultaneous user interface display for the *Lightspeed*, *Troubleshooting Panel*, and *Networking* pages. (link:https://issues.redhat.com/browse/OCPBUGS-57931[OCPBUGS-57931]) + +* Before this update, images were ignored and recreated on every reconcile call, which caused new caches and prevented the use of cached images. As a consequence, memory usage of Hypershift quickly grew, which created performance issues. With this release, images in Hypershift are cached effectively by creating and using a global registry provider instead of recreating registry and release providers on every reconcile call. As a result, memory usage is optimized in Hypershift. (link:https://issues.redhat.com/browse/OCPBUGS-57818[OCPBUGS-57818]) + +* Before this update, `OLMv1` was used to install Operators with the `olm.maxOpenShiftVersion` set to `4.19`. Because of an issue with the `OLMv1` parsing logic for floating-point formatted `olm.maxOpenShiftVersion`values, the system failed to prevent upgrades to {product-title} 4.20. With this release, the parsing logic for `olm.maxOpenShiftVersion` is corrected. As a result, this correction prevents upgrades to {product-title} 4.20 when Operators that include `olm.maxOpenShiftVersion:4.19` are installed. (link:https://issues.redhat.com/browse/OCPBUGS-57767[OCPBUGS-57767]) + +* Before this update, the catalog-operator captured catalog snapshots with a frequency of five minutes. 
Under conditions with many namespaces and subscriptions, and with larger catalog sources available in 4.15, 4.16, the snapshots began failing but cascaded across the catalog sources which caused CPU loads to spike. This additional load caused an inability to upgrade and install operators. With this release, the cache lifetime is 30 minutes which provides sufficient time for attempts to be resolved without undue load on the catalog source pods. (link:https://issues.redhat.com/browse/OCPBUGS-57427[OCPBUGS-57427]) + +* Before this update, deleting a common user data network (CUDN) resource in a namespace with an existing, endpoint-less Service caused the `ovnkube-node` pod restart to fail. With this release, the `ovnkube-node` pod restarts successfully after you delete CUDN resources with existing, endpoint-less services in the targeted namespace. (link:https://issues.redhat.com/browse/OCPBUGS-57318[OCPBUGS-57318]) + +* Before this update, the *Create PodDisruptionBudget* page contained a typo. With this release, the typo is corrected. (link:https://issues.redhat.com/browse/OCPBUGS-57213[OCPBUGS-57213]) + +* Before this update, when re-running oc-mirror plugin v2 with the same working directory, existing `tar` archive files from previous runs were not removed. This resulted in a mix of outdated and new archives, which could cause mirroring failures when pushing to the target registry. With this release, oc-mirror plugin v2 automatically deletes old `tar` archive files at the beginning of each run, ensuring that the working directory contains only archives from the current execution. (link:https://issues.redhat.com/browse/OCPBUGS-57197[OCPBUGS-57197]) + +* Before this update, oc-mirror v2 rejected valid `ImageSetConfiguration` parameter values that contained the words `mirror` or `delete`. With this release, oc-mirror v2 now correctly validates the words `delete` and `mirror` in the `ImageSetConfiguration` parameter and rejects only invalid configurations. 
(link:https://issues.redhat.com/browse/OCPBUGS-57124[OCPBUGS-57124]) + +* Before this update, the `cadvisor` endpoint on the kubelet reported invalid metrics values, which conflated the counter for different devices in one metric. With this release, the `cadvisor` endpoint reports valid metrics. (link:https://issues.redhat.com/browse/OCPBUGS-57070[OCPBUGS-57070]) + +* Before this update, one of the `keepalived` health check scripts failed due to missing permissions. This failure sometimes caused the ingress VIP to be misplaced when shared ingress services were in use. With this release, the necessary permission is added back to the container. As a result, the health check works correctly. (link:https://issues.redhat.com/browse/OCPBUGS-56624[OCPBUGS-56624]) + +* Before this update, `hostPath` volumes in the `kube-rbac-proxy-crio` pod were configured with read-write access, which violated security best practices for Kubernetes security. As a consequence, unauthorized modification of system files occurred because of the read/write `hostPath` mounts. With this release, `hostPath` mounts in the `kube-rbac-proxy-crio`pod are read-only to improve security. (link:https://issues.redhat.com/browse/OCPBUGS-55246[OCPBUGS-55246]) + +* Before this update, for clusters that were installed with the Agent-based Installer for versions 4.15.0 to 4.15.26, root certificates that were built in from CoreOS were added to the user-ca-bundle, even though they were not explicitly specified by the user. In previous releases, when you added a node to one of these clusters using the `oc adm node-image create` command, the `additionalTrustBundle` value obtained from the cluster's user-ca-bundle was too large to process, resulting in a failure to add the node. With this release, the built-in certificates are filtered out when generating the `additionalTrustBundle` value, so that only explicitly user-configured certificates are included, and nodes can be added successfully. 
(link:https://issues.redhat.com/browse/OCPBUGS-54744[OCPBUGS-54744]) + +* Before this update, the `HostedCluster` command failed to create network policies because of an invalid IP address format in the `nodePort` configuration. As a consequence, the creation of the hosted cluster failed due to an incorrect IP address determination. With this release, a bug fix adds log messages for IP address type determination in the `virt` launcher network policy reconciliation. The additional log messages resolve the incorrect IP address determination in the `kubevirt` hosted cluster. As a result, the `HostedCluster` command successfully creates the network policies and the hosted cluster. (link:https://issues.redhat.com/browse/OCPBUGS-46629[OCPBUGS-46629]) + +* Before this update, Kubernetes VM with dynamic IPv6 configuration used primary user-defined network (UDN) layer2, which caused the default IPv6 gateway to be multipath. As a consequence, user traffic flowed incorrectly between nodes because of multiple default IPv6 gateways. With this release, the default IPv6 gateway is correct for dynamic VM configurations by using the new Open Virtual Network (OVN) transit router topology. As a result, the default IPv6 gateway points to the correct node, which reduces inter-node traffic and improves network stability during node maintenance. (link:https://issues.redhat.com/browse/OCPBUGS-46401[OCPBUGS-46401]) + +[id="ocp-4-18-20-updating_{context}"] +==== Updating +To update an {product-title} 4.18 cluster to this latest release, see xref:../updating/updating_a_cluster/updating-cluster-cli.adoc#updating-cluster-cli[Updating a cluster using the CLI]. + // 4.18.19 [id="ocp-4-18-19_{context}"] === RHSA-2025:9725 - {product-title} {product-version}.19 bug fix and security update
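Review bot: several inline-code spans in the new 4.18.20 bug-fix entries are missing the space that follows them, which breaks AsciiDoc rendering of the backtick span: "when the`oc adm node-image create` command" (OCPBUGS-58233), "`olm.maxOpenShiftVersion`values" (OCPBUGS-57767), and "`kube-rbac-proxy-crio`pod" (OCPBUGS-55246); each needs a space after the closing backtick. In the same list, OCPBUGS-57970 quotes the directory reference as '.' while the rest of the entry uses backticks (`file://.`), so `.` should be backticked for consistency. The OCPBUGS-46629 entry states that added log messages "resolve the incorrect IP address determination"; logging cannot fix a determination bug, so the sentence should describe the actual correction (or drop the log-message sentence) and keep only the resulting behaviour. Finally, the OCPBUGS-55246 entry asserts as fact that "unauthorized modification of system files occurred" because of the read-write `hostPath` mounts; unless the advisory documents an actual incident, release notes normally state the exposure ("could allow unauthorized modification") rather than an occurrence, so consider rewording to match what RHSA-2025:10767 actually records.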