-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.13.0 security update Advisory ID: RHSA-2023:1326-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:1326 Issue date: 2023-05-17 CVE Names: CVE-2021-4235 CVE-2021-4238 CVE-2021-20329 CVE-2021-38561 CVE-2021-43519 CVE-2021-44964 CVE-2022-1271 CVE-2022-1586 CVE-2022-1587 CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 CVE-2022-2509 CVE-2022-2990 CVE-2022-3080 CVE-2022-3259 CVE-2022-4203 CVE-2022-4304 CVE-2022-4450 CVE-2022-21698 CVE-2022-23525 CVE-2022-23526 CVE-2022-26280 CVE-2022-27191 CVE-2022-29154 CVE-2022-29824 CVE-2022-34903 CVE-2022-38023 CVE-2022-38177 CVE-2022-38178 CVE-2022-40674 CVE-2022-41316 CVE-2022-41717 CVE-2022-41721 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-42898 CVE-2022-42919 CVE-2022-46146 CVE-2022-47629 CVE-2023-0056 CVE-2023-0215 CVE-2023-0216 CVE-2023-0217 CVE-2023-0229 CVE-2023-0286 CVE-2023-0361 CVE-2023-0401 CVE-2023-0620 CVE-2023-0665 CVE-2023-0778 CVE-2023-25000 CVE-2023-25165 CVE-2023-25173 CVE-2023-25577 CVE-2023-25725 CVE-2023-25809 CVE-2023-27561 CVE-2023-28642 CVE-2023-30570 CVE-2023-30841 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2023:1325 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html Security Fix(es): * goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238) * go-yaml: Denial of Service in go-yaml (CVE-2021-4235) * mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329) * golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) * helm: Denial of service through through repository index file (CVE-2022-23525) * helm: Denial of service through schema file (CVE-2022-23526) * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191) * vault: insufficient certificate revocation list checking (CVE-2022-41316) * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * x/net/http2/h2c: request smuggling (CVE-2022-41721) * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) * golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724) * golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725) * exporter-toolkit: authentication bypass via cache poisoning (CVE-2022-46146) * vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620) * hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665) * hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000) * helm: getHostByName Function Information Disclosure (CVE-2023-25165) * containerd: Supplementary groups are not set up properly (CVE-2023-25173) * runc: volume mount race condition (regression of CVE-2019-19921) (CVE-2023-27561) * runc: AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration (CVE-2023-28642) * baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access (CVE-2023-30841) * runc: Rootless runc makes `/sys/fs/cgroup` writable (CVE-2023-25809) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.13 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html You may download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags The sha values for the release are: (For x86_64 architecture) The image digest is sha256:74b23ed4bbb593195a721373ed6693687a9b444c97065ce8ac653ba464375711 (For s390x architecture) The image digest is sha256:a32d509d960eb3e889a22c4673729f95170489789c85308794287e6e9248fb79 (For ppc64le architecture) The image digest is sha256:bca0e4a4ed28b799e860e302c4f6bb7e11598f7c136c56938db0bf9593fb76f8 (For aarch64 architecture) The image digest is sha256:e07e4075c07fca21a1aed9d7f9c165696b1d0fa4940a219a000894e5683d846c All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1770297 - console odo download link needs to go to an official location or have caveats [openshift-4.4] 1853264 - Metrics produce high unbound cardinality 1877261 - [RFE] Mounted volume size issue when restore a larger size pvc than snapshot 1904573 - OpenShift: containers modify /etc/passwd group writable 1943194 - when using gpus, more nodes than needed are created by the node autoscaler 1948666 - After entering valid git repo url on Import from git page, throwing warning message instead Validated 1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated 2005232 - Pods list page should only show Create Pod button to user has sufficient permission 2016006 - Repositories list does not show the running pipelinerun as last pipelinerun 2027000 - The user is ignored when we create a new file using a MachineConfig 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2047299 - nodeport not reachable port connection timeout 2050230 - Implement LIST call chunking in openshift-sdn 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server 2065166 - GCP - Less privileged service accounts are created with Service Account User role 2066388 - Wrong Error generates when https is missing in the value of `regionEndpoint` in `configs.imageregistry.operator.openshift.io/cluster` 2066664 - [cluster-storage-operator] - Minimize wildcard/privilege Usage in Cluster and Local Roles 2070744 - openshift-install destroy in us-gov-west-1 results in infinite loop - AWS govcloud 2075548 - Support AllocateLoadBalancerNodePorts=False with ETP=local, LGW mode 2076619 - Could not create deployment with an unknown git repo and builder image build strategy 2078222 - egressIPs behave inconsistently towards in-cluster traffic (hosts and services backed by host-networked pods) 2079981 - PVs not deleting on azure (or very slow to delete) since CSI migration to azuredisk 2081858 - OVN-Kubernetes: SyncServices for nodePortWatcherIptables should propagate failures back to caller 2083087 - "Delete dependent objects of this resource" might cause confusions 2084452 - PodDisruptionBudgets help message should be semantic 2087043 - Cluster API components should use K8s 1.24 dependencies 2087553 - No rhcos-4.11/x86_64 images in the 2 new regions on alibabacloud, "ap-northeast-2 (South Korea (Seoul))" and "ap-southeast-7 (Thailand (Bangkok))" 2089093 - CVO hotloops on OperatorGroup due to the diff of "upgradeStrategy": string("Default") 2089138 - CVO hotloops on ValidatingWebhookConfiguration /performance-addon-operator 2090680 - upgrade for a disconnected cluster get hang on retrieving and verifying payload 2092567 - Network policy is not being applied as expected 2092811 - Datastore name is too long 2093339 - [rebase v1.24] Only known images used by tests 2095719 - serviceaccounts are not updated after upgrade from 4.10 to 4.11 2100181 - WebScale: configure-ovs.sh fails because it picks the wrong default interface 2100429 - [apiserver-auth] default SCC restricted allow volumes don't have "ephemeral" caused deployment with Generic Ephemeral Volumes stuck at Pending 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 2104978 - MCD degrades are not overwrite-able by subsequent errors 2110565 - PDB: Remove add/edit/remove actions in Pod resource action menu 2110570 - Topology sidebar: Edit pod count shows not the latest replicas value when edit the count again 2110982 - On GCP, need to check load balancer health check IPs required for restricted installation 2113973 - operator scc is nor fixed when we define a custom scc with readOnlyRootFilesystem: true 2114515 - Getting critical NodeFilesystemAlmostOutOfSpace alert for 4K tmpfs 2115265 - Search page: LazyActionMenus are shown below Add/Remove from navigation button 2116686 - [capi] Cluster kind should be valid 2117374 - Improve Pod Admission failure for restricted-v2 denials that pass with restricted 2135339 - CVE-2022-41316 vault: insufficient certificate revocation list checking 2149436 - CVE-2022-46146 exporter-toolkit: authentication bypass via cache poisoning 2154196 - CVE-2022-23526 helm: Denial of service through schema file 2154202 - CVE-2022-23525 helm: Denial of service through through repository index file 2156727 - CVE-2021-4235 go-yaml: Denial of Service in go-yaml 2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2162182 - CVE-2022-41721 x/net/http2/h2c: request smuggling 2168458 - CVE-2023-25165 helm: getHostByName Function Information Disclosure 2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly 2175721 - CVE-2023-27561 runc: volume mount race condition (regression of CVE-2019-19921) 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics 2182883 - CVE-2023-28642 runc: AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration 2182884 - CVE-2023-25809 runc: Rootless runc makes `/sys/fs/cgroup` writable 2182972 - CVE-2023-25000 hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations 2182981 - CVE-2023-0665 hashicorp/vault: Vault?s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata 2184663 - CVE-2023-0620 vault: Vault?s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File 2190116 - CVE-2023-30841 baremetal-operator: plain-text username and hashed password readable by anyone having a cluster-wide read-access 5. JIRA issues fixed (https://issues.jboss.org/): OCPBUGS-10036 - Enable aesgcm encryption provider by default in openshift/api OCPBUGS-10038 - Enable aesgcm encryption provider by default in openshift/cluster-config-operator OCPBUGS-10042 - Enable aesgcm encryption provider by default in openshift/cluster-kube-apiserver-operator OCPBUGS-10043 - Enable aesgcm encryption provider by default in openshift/cluster-openshift-apiserver-operator OCPBUGS-10044 - Enable aesgcm encryption provider by default in openshift/cluster-authentication-operator OCPBUGS-10047 - oc-mirror print log: unable to parse reference oci://mno/redhat-operator-index:v4.12 OCPBUGS-10057 - With WPC card configured as GM or BC, phc2sys clock lock state is shown as FREERUN in ptp metrics while it should be LOCKED OCPBUGS-10213 - aws: mismatch between RHCOS and AWS SDK regions OCPBUGS-10220 - Newly provisioned machines unable to join cluster OCPBUGS-10221 - Risk cache warming takes too long on channel changes OCPBUGS-10237 - Limit the nested repository path while mirroring the images using oc-mirror for those who cant have nested paths in their container registry OCPBUGS-10239 - [release-4.13] Fix of ServiceAccounts gathering OCPBUGS-10249 - PollConsoleUpdates won't fire toast if one or more manifests errors when plugins change OCPBUGS-10267 - NetworkManager TUI quits regardless of a detected unsupported configuration OCPBUGS-10271 - [4.13] Netflink overflow alert OCPBUGS-10278 - Graph-data is not mounted on graph-builder correctly while install using graph-data image built by oc-mirror OCPBUGS-10281 - Openshift Ansible OVS version out of sync with RHCOS OCPBUGS-10291 - Broken link for Ansible tagging OCPBUGS-10298 - TenantID is ignored in some cases OCPBUGS-10320 - Catalogs should not be included in the ImageContentSourcePolicy.yaml OCPBUGS-10321 - command cannot be worked after chroot /host for oc debug pod OCPBUGS-1033 - Multiple extra manifests in the same file are not applied correctly OCPBUGS-10334 - Nutanix cloud-controller-manager pod not have permission to get/list ConfigMap OCPBUGS-10353 - kube-apiserver not receiving or processing shutdown signal after coreos 9.2 bump OCPBUGS-10367 - Pausing pools in OCP 4.13 will cause critical alerts to fire OCPBUGS-10377 - [gcp] IPI installation with Shielded VMs enabled failed on restarting the master machines OCPBUGS-10404 - Workload annotation missing from deployments OCPBUGS-10421 - RHCOS 4.13 live iso x84_64 contains restrictive policy.json OCPBUGS-10426 - node-topology is not exported due to kubelet.sock: connect: permission denied OCPBUGS-10427 - 4.1 born cluster fails to scale-up due to podman run missing `--authfile` flag OCPBUGS-10432 - CSI Inline Volume admission plugin does not log object name correctly OCPBUGS-10440 - OVN IPSec - does not create IPSec tunnels OCPBUGS-10474 - OpenShift pipeline TaskRun(s) column Duration is not present as column in UI OCPBUGS-10476 - Disable netlink mode of netclass collector in Node Exporter. OCPBUGS-1048 - if tag categories don't exist, the installation will fail to bootstrap OCPBUGS-10483 - [4.13 arm64 image][AWS EFS] Driver fails to get installed/exec format error OCPBUGS-10558 - MAPO failing to retrieve flavour information after rotating credentials OCPBUGS-10585 - [4.13] Request to update RHCOS installer bootimage metadata OCPBUGS-10586 - Console shows x509 error when requesting token from oauth endpoint OCPBUGS-10597 - The agent-tui shows again during the installation OCPBUGS-1061 - administrator console, monitoring-alertmanager-edit user list or create silence, "Observe - Alerting - Silences" page is pending OCPBUGS-10645 - 4.13: Operands running management side missing affinity, tolerations, node selector and priority rules than the operator OCPBUGS-10656 - create image command erroneously logs that Base ISO was obtained from release OCPBUGS-10657 - When releaseImage is a digest the create image command generates spurious warning OCPBUGS-10658 - Wrong PrimarySubnet in OpenstackProviderSpec when using Failure Domains OCPBUGS-10661 - machine API operator failing with No Major.Minor.Patch elements found OCPBUGS-10678 - Developer catalog shows ImageStreams as samples which has no sampleRepo OCPBUGS-10679 - Show type of sample on the samples view OCPBUGS-10689 - [IPI on BareMetal]: Workers failing inspection when installing with proxy OCPBUGS-10697 - [release-4.13] User is allowed to create IP Address pool with duplicate entries for namespace and matchExpression for serviceSelector and namespaceSelector OCPBUGS-10698 - [release-4.13] Already assigned IP address is removed from a service on editing the ip address pool. OCPBUGS-10710 - Metal virtual media job permafails during early bootstrap OCPBUGS-10716 - Image Registry default to Removed on IBM cloud after 4.13.0-ec.3 OCPBUGS-10739 - [4.13] Bootimage bump tracker OCPBUGS-10744 - [4.13] EgressFirewall status disappeared OCPBUGS-10746 - Downstream Operator-SDK v1.22.2 to OCP 4.13 OCPBUGS-10771 - upgrade test failure with "Cluster operator control-plane-machine-set is not available" OCPBUGS-10773 - TestNewAppRun unit test failing OCPBUGS-10792 - Hypershift namespace servicemonitor has wrong API group OCPBUGS-10793 - Ignore device list missing in Node Exporter OCPBUGS-10796 - [4.13] Egress firewall is not retried on error OCPBUGS-10799 - Network policy perf improvements OCPBUGS-10801 - [4.13] Upgrade to 4.10 stalled on timeout completing syncEgressFirewall OCPBUGS-10811 - Missing vCenter build number in telemetry OCPBUGS-10813 - SCOS bootstrap should skip pivot when root is not writable OCPBUGS-10826 - RHEL 9.2 doesn't contain the `kernel-abi-whitelists` package. OCPBUGS-10832 - Edit Deployment (and DC) form doesn't enable Save button when changing strategy type OCPBUGS-10833 - update the default pipelineRun template name OCPBUGS-10834 - [OVNK] [IC] Having only one leader election in the master process OCPBUGS-10873 - OVN to OVN-H migration seems broken OCPBUGS-10888 - oauth-server fails to invalidate cache, causing non existing groups being referenced OCPBUGS-10890 - Hypershift replace upgrade: node in NotReady after upgrading from a 4.14 image to another 4.14 image OCPBUGS-10891 - Cluster Autoscaler balancing similar nodes test fails randomly OCPBUGS-10892 - Passwords printed in log messages OCPBUGS-10893 - Remove unsupported warning in oc-mirror when using the --skip-pruning flag OCPBUGS-10902 - [IBMCloud] destroyed the private cluster, fail to cleanup the dns records OCPBUGS-10903 - [IBMCloud] fail to ssh to master/bootstrap/worker nodes from the bastion inside a customer vpc. OCPBUGS-10907 - move to rhel9 in DTK for 4.13 OCPBUGS-10914 - Node healthz server: return unhealthy when pod is to be deleted OCPBUGS-10919 - Update Samples Operator to use latest jenkins 4.12 release OCPBUGS-10923 - Cluster bootstrap waits for only one master to join before finishing OCPBUGS-10929 - Kube 1.26 for ovn-k OCPBUGS-10946 - For IPv6-primary dual-stack cluster, kubelet.service renders only single node-ip OCPBUGS-10951 - When imagesetconfigure without OCI FBC format config, but command with use-oci-feature flag, the oc-mirror command should check the imagesetconfigure firstly and print error immediately OCPBUGS-10953 - ovnkube-node does not close up correctly OCPBUGS-10955 - [release-4.13] NMstate complains about ping not working when adding multiple routing tables with different gateways OCPBUGS-10960 - [4.13] Vertical Scaling: do not trigger inadvertent machine deletion during bootstrap OCPBUGS-10965 - The network-tools image stream is missing in the cluster samples OCPBUGS-10982 - [4.13] nodeSelector in EgressFirewall doesn't work in dualstack cluster OCPBUGS-10989 - Agent create sub-command is returning fatal error OCPBUGS-10990 - EgressIP doesn't work in GCP XPN cluster OCPBUGS-11004 - Bootstrap kubelet client cert should include system:serviceaccounts group OCPBUGS-11010 - [vsphere] zone cluster installation fails if vSphere Cluster is embedded in Folder OCPBUGS-11022 - [4.13][scale] all egressfirewalls will be updated on every node update OCPBUGS-11023 - [4.13][scale] Ingress network policy creates more flows than before OCPBUGS-11031 - SNO OCP upgrade from 4.12 to 4.13 failed due to node-tuning operator is not available - tuned pod stuck at Terminating OCPBUGS-11032 - Update the validation interval for the cluster transfer to 12 hours OCPBUGS-11040 - --container-runtime is being removed in k8s 1.27 OCPBUGS-11054 - GCP: add europe-west12 region to the survey as supported region OCPBUGS-11055 - APIServer service isn't selected correctly for PublicAndPrivate cluster when external-dns is not configured OCPBUGS-11058 - [4.13] Conmon leaks symbolic links in /var/run/crio when pods are deleted OCPBUGS-11068 - nodeip-configuration not enabled for VSphere UPI OCPBUGS-11107 - Alerts display incorrect source when adding external alert sources OCPBUGS-11117 - The provided gcc RPM inside DTK does not match the gcc used to build the kernel OCPBUGS-11120 - DTK docs should mention the ubi9 base image instead of ubi8 OCPBUGS-11213 - BMH moves to deleting before all finalizers are processed OCPBUGS-11218 - "pipelines-as-code-pipelinerun-go" configMap is not been used for the Go repository OCPBUGS-11222 - kube-controller-manager cluster operator is degraded due connection refused while querying rules OCPBUGS-11227 - Relax CSR check due to k8s 1.27 changes OCPBUGS-11232 - All projects options shows as undefined after selection in Dev perspective Pipelines page OCPBUGS-11248 - Secret name variable get renders in Create Image pull secret alert OCPBUGS-1125 - Fix disaster recovery test [sig-etcd][Feature:DisasterRecovery][Disruptive] [Feature:EtcdRecovery] Cluster should restore itself after quorum loss [Serial] OCPBUGS-11257 - egressip cannot be assigned on hypershift hosted cluster node OCPBUGS-11261 - [AWS][4.13] installer get stuck if BYO private hosted zone is configured OCPBUGS-11263 - PTP KPI version 4.13 RC2 WPC - offset jumps to huge numbers OCPBUGS-11307 - Egress firewall node selector test missing OCPBUGS-11333 - startupProbe for UWM prometheus is still 15m OCPBUGS-11339 - ose-ansible-operator base image version is still 4.12 in the operators that generated by operator-sdk 4.13 OCPBUGS-11340 - ose-helm-operator base image version is still 4.12 in the operators that generated by operator-sdk 4.13 OCPBUGS-11341 - openshift-manila-csi-driver is missing the workload.openshift.io/allowed label OCPBUGS-11354 - CPMS: node readiness transitions not always trigger reconcile OCPBUGS-11384 - Switching from enabling realTime to disabling Realtime Workloadhint causes stalld to be enabled OCPBUGS-11390 - Service Binding Operator installation fails: "A subscription for this operator already exists in namespace ..." OCPBUGS-11424 - [release-4.13] new whereabouts reconciler relies on HOSTNAME which != spec.nodeName OCPBUGS-11427 - [release-4.13] whereabouts reads wrong annotation "k8s.v1.cni.cncf.io/networks-status", should be "k8s.v1.cni.cncf.io/network-status" OCPBUGS-11456 - PTP - When GM and downstream slaves are configured on same server, ptp metrics show slaves as FREERUN OCPBUGS-11458 - Ingress Takes 40s on Average Downtime During GCP OVN Upgrades OCPBUGS-11460 - CPMS doesn't always generate configurations for AWS OCPBUGS-11468 - Community operator cannot be mirrored due to malformed image address OCPBUGS-11469 - [release4.13] "exclude bundles with `olm.deprecated` property when rendering" not backport OCPBUGS-11473 - NS autolabeler requires RoleBinding subject namespace to be set when using ServiceAccount OCPBUGS-11485 - [4.13] NVMe disk by-id rename breaks LSO/ODF OCPBUGS-11503 - Update 4.13 cluster-network-operator image in Dockerfile to be consistent with ART OCPBUGS-11506 - CPMS e2e periodics tests timeout failures OCPBUGS-11507 - Potential 4.12 to 4.13 upgrade failure due to NIC rename OCPBUGS-11510 - Setting cpu-quota.crio.io to `disable` with crun causes container creation to fail OCPBUGS-11511 - [4.13] static container pod cannot be running due to CNI request failed with status 400 OCPBUGS-11529 - [Azure] fail to collect the vm serial log with ?gather bootstrap? OCPBUGS-11536 - Cluster monitoring operator runs node-exporter with btrfs collector OCPBUGS-11545 - multus-admission-controller should not run as root under Hypershift-managed CNO OCPBUGS-11558 - multus-admission-controller should not run as root under Hypershift-managed CNO OCPBUGS-11589 - Ensure systemd is compatible with rhel8 journalctl OCPBUGS-11598 - openshift-azure-routes triggered continously on rhel9 OCPBUGS-11606 - User configured In-cluster proxy configuration squashed in hypershift OCPBUGS-11643 - Updating kube-rbac-proxy images to be consistent with ART OCPBUGS-11657 - [4.13] Static IPv6 LACP bonding is randomly failing in RHCOS 413.92 OCPBUGS-11659 - Error extracting libnmstate.so.1.3.3 when create image OCPBUGS-11661 - AWS s3 policy changes block all OCP installs on AWS OCPBUGS-11669 - Bump to kubernetes 1.26.3 OCPBUGS-11683 - [4.13] Add Controller health to CEO liveness probe OCPBUGS-11694 - [4.13] Update legacy toolbox to use registry.redhat.io/rhel9/support-tools OCPBUGS-11706 - ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes OCPBUGS-11750 - TuningCNI cnf-test failure: sysctl allowlist update OCPBUGS-11765 - [4.13] Keep current OpenSSH default config in RHCOS 9 OCPBUGS-11776 - [4.13] VSphereStorageDriver does not document the platform default OCPBUGS-11778 - Upgrade SNO: no resolv.conf caused by failure in forcedns dispatcher script OCPBUGS-11787 - Update 4.14 ose-vmware-vsphere-csi-driver image to be consistent with ART OCPBUGS-11789 - [4.13] Bootimage bump tracker OCPBUGS-11799 - [4.13] Bootimage bump tracker OCPBUGS-11823 - [Reliability]kube-apiserver's memory usage keep increasing to max 3GB in 7 days OCPBUGS-11848 - PtpOperatorsConfig not applying correctly OCPBUGS-11866 - Pipeline is not removed when Deployment/DC/Knative Service or Application is deleted OCPBUGS-11870 - [4.13] Nodes in Ironic are created without namespaces initially OCPBUGS-11876 - oc-mirror generated file-based catalogs crashloop OCPBUGS-11908 - Got the `file exists` error when different digest direct to the same tag OCPBUGS-11917 - the warn message won't disappear in co/node-tuning when scale down machineset OCPBUGS-11919 - Console metrics could have a high cardinality (4.13) OCPBUGS-11950 - fail to create vSphere IPI cluster as apiVIP and ingressVIP are not in machine networks OCPBUGS-11955 - NTP config not applied OCPBUGS-11968 - Instance shouldn't be moved back from f to a OCPBUGS-11985 - [4.13] Ironic inspector service should be proxied OCPBUGS-12172 - Users don't know what type of resource is being created by Import from Git or Deploy Image flows OCPBUGS-12179 - agent-tui is failing to start when using libnmstate.2 OCPBUGS-12186 - Pipeline doesn't render correctly when displayed but looks fine in edit mode OCPBUGS-12198 - create hosted cluster failed with aws s3 access issue OCPBUGS-12212 - cluster failed to convert from dualstack to ipv4 single stack OCPBUGS-12225 - Add new OCP 4.13 storage admission plugin OCPBUGS-12257 - Catalogs rebuilt by oc-mirror are in crashloop : cache is invalid OCPBUGS-12259 - oc-mirror fails to complete with heads only complaining about devworkspace-operator OCPBUGS-12271 - Hypershift conformance test fails new cpu partitioning tests OCPBUGS-12272 - Importing a kn Service shows a non-working Open URL decorator also when the Add Route checkbox was unselected OCPBUGS-12273 - When Creating Sample Devfile from the Samples Page, Topology Icon is not set OCPBUGS-12450 - [4.13] Fix Flake TestAttemptToScaleDown/scale_down_only_by_one_machine_at_a_time OCPBUGS-12465 - --use-oci-feature leads to confusion and needs to be better named OCPBUGS-12478 - CSI driver + operator containers are not pinned to mgmt cores OCPBUGS-1264 - e2e-vsphere-zones failing due to unable to parse cloud-config OCPBUGS-12698 - redfish-virtualmedia mount not working OCPBUGS-12703 - redfish-virtualmedia mount not working OCPBUGS-12708 - [4.13] Changing a PreprovisioningImage ImageURL and/or ExtraKernelParams should reboot the host OCPBUGS-1272 - "opm alpha render-veneer basic" doesn't support pipe stdin OCPBUGS-12737 - Multus admission controller must have "hypershift.openshift.io/release-image" annotation when CNO is managed by Hypershift OCPBUGS-12786 - OLM CatalogSources in guest cluster cannot pull images if pre-GA OCPBUGS-12804 - Dual stack VIPs incompatible with EnableUnicast setting OCPBUGS-12854 - `cluster-reader` role cannot access "k8s.ovn.org" API Group resources OCPBUGS-12862 - IPv6 ingress VIP not configured in keepalived on vSphere Dual-stack OCPBUGS-12865 - Kubernetes-NMState CI is perma-failing OCPBUGS-12933 - Node Tuning Operator crashloops when in Hypershift mode OCPBUGS-12994 - TCP DNS Local Preference is not working for Openshift SDN OCPBUGS-12999 - Backport owners through 4.13, 4.12 OCPBUGS-13029 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13 OCPBUGS-13057 - ppc64le releases don't install because ovs fails to start (invalid permissions) OCPBUGS-13069 - [whereabouts-cni] CNO must use reconciliation controller in order to support dual stack in 4.12 [4.13 dependency] OCPBUGS-13071 - CI fails on TestClientTLS OCPBUGS-13072 - Capture tests don't work in OVNK OCPBUGS-13076 - Load balancers/ Ingress controller removal race condition OCPBUGS-13157 - CI fails on TestRouterCompressionOperation OCPBUGS-13254 - Nutanix cloud provider should use Kubernetes 1.26 dependencies OCPBUGS-1327 - [IBMCloud] Worker machines unreachable during initial bring up OCPBUGS-1352 - OVN silently failing in case of a stuck pod OCPBUGS-1427 - Ignore non-ready endpoints when processing endpointslices OCPBUGS-1428 - service account token secret reference OCPBUGS-1435 - [Ingress Node Firewall Operator] [Web Console] Allow user to override namespace where the operator is installed, currently user can install it only in openshift-operators ns OCPBUGS-1443 - Unable to get ClusterVersion error while upgrading 4.11 to 4.12 OCPBUGS-1453 - TargetDown alert expression is NOT correctly joining kube-state-metrics metric OCPBUGS-1458 - cvo pod crashloop during bootstrap: featuregates: connection refused OCPBUGS-1486 - Avoid re-metric'ing the pods that are already setup when ovnkube-master disrupts/reinitializes/restarts/goes through leader election OCPBUGS-1557 - Default to floating automaticRestart for new GCP instances OCPBUGS-1560 - [vsphere] installation fails when only configure single zone in install-config OCPBUGS-1565 - Possible split brain with keepalived unicast OCPBUGS-1566 - Automation Offline CPUs Test cases OCPBUGS-1577 - Incorrect network configuration in worker node with two interfaces OCPBUGS-1604 - Common resources out-of-date when using multicluster switcher OCPBUGS-1606 - Multi-cluster: We should not filter OLM catalog by console pod architecture and OS on managed clusters OCPBUGS-1612 - [vsphere] installation errors out when missing topology in a failure domain OCPBUGS-1617 - Remove unused node.kubernetes.io/not-reachable toleration OCPBUGS-1627 - [vsphere] installation fails when setting user-defined folder in failure domain OCPBUGS-1646 - [osp][octavia lb] LBs type svcs not updated until all the LBs are created OCPBUGS-166 - 4.11 SNOs fail to complete install because of "failed to get pod annotation: timed out waiting for annotations: context deadline exceeded" OCPBUGS-1665 - Scorecard failed because of the request of PodSecurity OCPBUGS-1671 - Creating a statefulset with the example image from the UI on ARM64 leads to a Pod in crashloopbackoff due to the only-amd64 image provided OCPBUGS-1704 - [gcp] when the optional Service Usage API is disabled, IPI installation cannot succeed OCPBUGS-1725 - Affinity rule created in router deployment for single-replica infrastructure and "NodePortService" endpoint publishing strategy OCPBUGS-1741 - Can't load additional Alertmanager templates with latest 4.12 OpenShift OCPBUGS-1748 - PipelineRun templates must be fetched from OpenShift namespace OCPBUGS-1761 - osImages that cannot be pulled do not set the node as Degraded properly OCPBUGS-1769 - gracefully fail when iam:GetRole is denied OCPBUGS-1778 - Can't install clusters with schedulable masters OCPBUGS-1791 - Wait-for install-complete did not exit upon completion. OCPBUGS-1805 - [vsphere-csi-driver-operator] CSI cloud.conf doesn't list multiple datacenters when specified OCPBUGS-1807 - Ingress Operator startup bad log message formatting OCPBUGS-1844 - Ironic dnsmasq doesn't include existing DNS settings during iPXE boot OCPBUGS-1852 - [RHOCP 4.10] Subscription tab for operator doesn't land on correct URL OCPBUGS-186 - PipelineRun task status overlaps status text OCPBUGS-1998 - Cluster monitoring fails to achieve new level during upgrade w/ unavailable node OCPBUGS-2015 - TestCertRotationTimeUpgradeable failing consistently in kube-apiserver-operator OCPBUGS-2083 - OCP 4.10.33 uses a weak 3DES cipher in the VMWare CSI Operator for communication and provides no method to disable it OCPBUGS-2088 - User can set rendezvous host to be a worker OCPBUGS-2141 - doc link in PrometheusDataPersistenceNotConfigured message is 4.8 OCPBUGS-2145 - 'maxUnavailable' and 'minAvailable' on PDB creation page - i18n misses OCPBUGS-2209 - Hard eviction thresholds is different with k8s default when PAO is enabled OCPBUGS-2248 - [alibabacloud] IPI installation failed with master nodes being NotReady and CCM error "alicloud: unable to split instanceid and region from providerID" OCPBUGS-2260 - KubePodNotReady - Increase Tolerance During Master Node Restarts OCPBUGS-2306 - On Make Serverless page, to change values of the inputs minpod, maxpod and concurrency fields, we need to click the ? + ? or ? - ', it can't be changed by typing in it. OCPBUGS-2319 - metal-ipi upgrade success rate dropped 30+% in last week OCPBUGS-2384 - [2035720] [IPI on Alibabacloud] deploying a private cluster by 'publish: Internal' failed due to 'dns_public_record' OCPBUGS-2440 - unknown field logs in prometheus-operator OCPBUGS-2471 - BareMetalHost is available without cleaning if the cleaning attempt fails OCPBUGS-2479 - Right border radius is 0 for the pipeline visualization wrapper in dark mode OCPBUGS-2500 - Developer Topology always blanks with large contents when first rendering OCPBUGS-2513 - Disconnected cluster installation fails with pull secret must contain auth for "registry.ci.openshift.org" OCPBUGS-2525 - [CI Watcher] Ongoing timeout failures associated with multiple CRD-extensions tests OCPBUGS-2532 - Upgrades from 4.11.9 to latest 4.12.x Nightly builds do not succeed OCPBUGS-2551 - "Error loading" when normal user check operands on All namespaces OCPBUGS-2569 - ovn-k network policy races OCPBUGS-2579 - Helm Charts and Samples are not disabled in topology actions if actions are disabled in customization OCPBUGS-266 - Project Access tab cannot differentiate between users and groups OCPBUGS-2666 - `create a project` link not backed by RBAC check OCPBUGS-272 - Getting duplicate word "find" when kube-apiserver degraded=true if webhook matches a virtual resource OCPBUGS-2727 - ClusterVersionRecommendedUpdate condition blocks explicitly allowed upgrade which is not in the available updates OCPBUGS-2729 - should ignore enP.* NICs from node-exporter on Azure cluster OCPBUGS-2735 - Operand List Page Layout Incorrect on small screen size. OCPBUGS-2738 - CVE-2022-26945 CVE-2022-30321 CVE-2022-30322 CVE-2022-30323 ose-baremetal-installer-container: various flaws [openshift-4.13.z] OCPBUGS-2824 - The dropdown list component will be covered by deployment details page on Topology page OCPBUGS-2827 - OVNK: NAT issue for packets exceeding check_pkt_larger() for NodePort services that route to hostNetworked pods OCPBUGS-2841 - Need validation rule for supported arch OCPBUGS-2845 - Unable to use application credentials for Cinder CSI after OpenStack credentials update OCPBUGS-2847 - GCP XPN should only be available with Tech Preview OCPBUGS-2851 - [OCI feature] registries.conf support in oc mirror OCPBUGS-2852 - etcd failure: failed to make etcd client for endpoints [https://[2620:52:0:1eb:367x:5axx:xxx:xxx]:2379]: context deadline exceeded OCPBUGS-2868 - Container networking pods cannot be access hosted network pods on another node in ipv6 single stack cluster OCPBUGS-2873 - Prometheus doesn't reload TLS certificate and key files on disk OCPBUGS-2886 - The LoadBalaner section shouldn't be set when using Kuryr on cloud-provider OCPBUGS-2891 - AWS Deprovision Fails with unrecognized elastic load balancing resource type listener OCPBUGS-2895 - [RFE] 4.11 Azure DiskEncryptionSet static validation does not support upper-case letters OCPBUGS-2904 - If all the actions are disabled in add page, Details on/off toggle switch to be disabled OCPBUGS-2907 - provisioning of baremetal nodes fails when using multipath device as rootDeviceHints OCPBUGS-2921 - br-ex interface not configured makes ovnkube-node Pod to crashloop OCPBUGS-2922 - 'Status' column sorting doesn't work as expected OCPBUGS-2926 - Unable to gather OpenStack console logs since kernel cmd line has no console args OCPBUGS-2934 - Ingress node firewall pod 's events container on the node causing pod in CrashLoopBackOff state when sctp module is loaded on node OCPBUGS-2941 - CIRO unable to detect swift when content-type is omitted in 204-responses OCPBUGS-2946 - [AWS] curl network Loadbalancer always get "Connection time out" OCPBUGS-2948 - Whereabouts CNI timesout while iterating exclude range OCPBUGS-2988 - apiserver pods cannot reach etcd on single node IPv6 cluster: transport: authentication handshake failed: x509: certificate is valid for ::1, 127.0.0.1, ::1, fd69::2, not 2620:52:0:198::10" OCPBUGS-2991 - CI jobs are failing with: admission webhook "validation.csi.vsphere.vmware.com" denied the request OCPBUGS-2992 - metal3 pod crashloops on OKD in BareMetal IPI or assisted-installer bare metal installations OCPBUGS-2994 - Keepalived monitor stuck for long period of time on kube-api call while installing OCPBUGS-2996 - [4.13] Bootimage bump tracker OCPBUGS-3018 - panic in WaitForBootstrapComplete OCPBUGS-3021 - GCP: missing me-west1 region OCPBUGS-3024 - Service list shows undefined:80 when type is ExternalName or LoadBalancer OCPBUGS-3027 - Metrics are not available when running console in development mode OCPBUGS-3029 - BareMetalHost CR fails to delete on cluster cleanup OCPBUGS-3033 - Clicking the logo in the masthead goes to `/dashboards`, even if metrics are disabled OCPBUGS-3041 - Guard Pod Hostnames Too Long and Truncated Down Into Collisions With Other Masters OCPBUGS-3069 - Should show information on page if the upgrade to a target version doesn't take effect. OCPBUGS-3072 - Operator-sdk run bundle with old sqllite index image failed OCPBUGS-3079 - RPS hook only sets the first queue, but there are now many OCPBUGS-3085 - [IPI-BareMetal]: Dual stack deployment failed on BootStrap stage OCPBUGS-3093 - The control plane should tag AWS security groups at creation OCPBUGS-3096 - The terraform binaries shipped by the installer are not statically linked OCPBUGS-3109 - Change text colour for ConsoleNotification that notifies user that the cluster is being OCPBUGS-3114 - CNO reporting incorrect status OCPBUGS-3123 - Operator attempts to render both GA and Tech Preview API Extensions OCPBUGS-3127 - nodeip-configuration retries forever on network failure, blocking ovs-configuration, spamming syslog OCPBUGS-3168 - Add Capacity button does not exist after upgrade OCP version [OCP4.11->OCP4.12] OCPBUGS-3172 - Console shouldn't try to install dynamic plugins if permissions aren't available OCPBUGS-3180 - Regression in ptp-operator conformance tests OCPBUGS-3186 - [ibmcloud] unclear error msg when zones is not match with the Subnets in BYON install OCPBUGS-3192 - [4.8][OVN] RHEL 7.9 DHCP worker ovs-configuration fails OCPBUGS-3195 - Service-ca controller exits immediately with an error on sigterm OCPBUGS-3206 - [sdn2ovn] Migration failed in vsphere cluster OCPBUGS-3207 - SCOS build fails due to pinned kernel OCPBUGS-3214 - Installer does not always add router CA to kubeconfig OCPBUGS-3228 - Broken secret created while starting a Pipeline OCPBUGS-3235 - Topology gets stuck loading OCPBUGS-3245 - ovn-kubernetes ovnkube-master containers crashlooping after 4.11.0-0.okd-2022-10-15-073651 update OCPBUGS-3248 - CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4] OCPBUGS-3253 - No warning when using wait-for vs. agent wait-for commands OCPBUGS-3272 - Unhealthy Readiness probe failed message failing CI when ovnkube DBs are still coming up OCPBUGS-3275 - No-op: Unable to retrieve machine from node "xxx": expecting one machine for node xxx got: [] OCPBUGS-3277 - Install failure in create-cluster-and-infraenv.service OCPBUGS-3278 - Shouldn't need to put host data in platform baremetal section in installconfig OCPBUGS-3280 - Install ends in preparing-failed due to container-images-available validation OCPBUGS-3283 - remove unnecessary RBAC in KCM OCPBUGS-3292 - DaemonSet "/openshift-network-diagnostics/network-check-target" is not available OCPBUGS-3314 - 'gitlab.secretReference' disappears when the buildconfig is edited on ?From View? OCPBUGS-3316 - Branch name should sanitised to match actual github branch name in repository plr list OCPBUGS-3320 - New master will be created if add duplicated failuredomains in controlplanemachineset OCPBUGS-3331 - Update dependencies in CMO release 4.13 OCPBUGS-3334 - Console should be using v1 apiVersion for ConsolePlugin model OCPBUGS-3337 - revert "force cert rotation every couple days for development" in 4.12 OCPBUGS-3338 - Environment cannot find Python OCPBUGS-3358 - Revert BUILD-407 OCPBUGS-3372 - error message is too generic when creating a silence with end time before start OCPBUGS-3373 - cluster-monitoring-view user can not list servicemonitors on "Observe -> Targets" page OCPBUGS-3377 - CephCluster and StorageCluster resources use the same paths OCPBUGS-3381 - Make ovnkube-trace work on hypershift deployments OCPBUGS-3382 - Unable to configure cluster-wide proxy OCPBUGS-3391 - seccomp profile unshare.json missing from nodes OCPBUGS-3395 - Event Source is visible without even creating knative-eventing and knative-serving. OCPBUGS-3404 - IngressController.spec.nodePlacement.nodeSelector.matchExpressions does not work OCPBUGS-3414 - Missing 'ImageContentSourcePolicy' and 'CatalogSource' in the oci fbc feature implementation OCPBUGS-3424 - Azure Disk CSI Driver Operator gets degraded without "CSISnapshot" capability OCPBUGS-3426 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13 OCPBUGS-3427 - Skip broken [sig-devex][Feature:ImageEcosystem] tests OCPBUGS-3438 - cloud-network-config-controller not using proxy settings of the management cluster OCPBUGS-3440 - Authentication operator doesn't respond to console being enabled OCPBUGS-3441 - Update cluster-authentication-operator not to go degraded without console OCPBUGS-3444 - [4.13] Descheduler pod is OOM killed when using descheduler-operator profiles on big clusters OCPBUGS-3456 - track `rhcos-4.12` branch for fedora-coreos-config submodule OCPBUGS-3458 - Surface ClusterVersion RetrievedUpdates condition messages OCPBUGS-3465 - IBM operator needs deployment manifest fixes OCPBUGS-3473 - Allow listing crio and kernel versions in machine-os components OCPBUGS-3476 - Show Tag label and tag name if tag is detected in repository PipelineRun list and details page OCPBUGS-3480 - Baremetal Provisioning fails on HP Gen9 systems due to eTag handling OCPBUGS-3499 - Route CRD validation behavior must be the same as openshift-apiserver behavior OCPBUGS-3501 - Route CRD host-assignment behavior must be the same as openshift-apiserver behavior OCPBUGS-3502 - CRD-based and openshift-apiserver-based Route validation/defaulting must use the shared implementation OCPBUGS-3508 - masters repeatedly losing connection to API and going NotReady OCPBUGS-3524 - The storage account for the CoreOS image is publicly accessible when deploying fully private cluster on Azure OCPBUGS-3526 - oc fails to extract layers that set xattr on Darwin OCPBUGS-3539 - [OVN-provider]loadBalancer svc with monitors not working OCPBUGS-3612 - [IPI] Baremetal ovs-configure.sh script fails to start secondary bridge br-ex1 OCPBUGS-3621 - EUS upgrade stuck on worker pool update: error running skopeo inspect --no-tags OCPBUGS-3648 - Container security operator Image Manifest Vulnerabilities encounters runtime errors under some circumstances OCPBUGS-3659 - Expose AzureDisk metrics port over HTTPS OCPBUGS-3662 - don't enforce PSa in 4.12 OCPBUGS-3667 - PTP 4.12 Regression - CLOCK REALTIME status is locked when physical interface is down OCPBUGS-3668 - 4.12.0-rc.0 fails to deploy on VMware IPI OCPBUGS-3676 - After node's reboot some pods fail to start - deleteLogicalPort failed for pod cannot delete GR SNAT for pod OCPBUGS-3693 - Router e2e: drop template.openshift.io apigroup dependency OCPBUGS-3709 - Special characters in subject name breaks prefilling role binding form OCPBUGS-3713 - [vsphere-problem-detector] fully qualified username must be used when checking permissions OCPBUGS-3714 - 'oc adm upgrade ...' should expose ClusterVersion Failing=True OCPBUGS-3739 - Pod stuck in containerCreating state when the node on which it is running is Terminated OCPBUGS-3744 - Egress router POD creation is failing while using openshift-sdn network plugin OCPBUGS-3755 - Create Alertmanager silence form does not explain the new "Negative matcher" option OCPBUGS-3761 - Consistent e2e test failure:Events.Events: event view displays created pod OCPBUGS-3765 - [RFE] Add kernel-rpm-macros to DTK image OCPBUGS-3771 - contrib/multicluster-environment.sh needs to be updated to work with ACM cluster proxy OCPBUGS-3776 - Manage columns tooltip remains displayed after dialog is closed OCPBUGS-3777 - [Dual Stack] ovn-ipsec crashlooping due to cert signing issues OCPBUGS-3797 - [4.13] Bump OVS control plane to get "ovsdb/transaction.c: Refactor assess_weak_refs." OCPBUGS-3822 - Cluster-admin cannot know whether operator is fully deleted or not after normal user trigger "Delete CSV" OCPBUGS-3827 - CCM not able to remove a LB in ERROR state OCPBUGS-3877 - RouteTargetReference missing default for "weight" in Route CRD v1 schema OCPBUGS-3880 - [Ingress Node Firewall] Change the logo used for ingress node firewall operator OCPBUGS-3883 - Hosted ovnkubernetes pods are not being spread among workers evenly OCPBUGS-3896 - Console nav toggle button reports expanded in both expanded and not expanded states OCPBUGS-3904 - Delete/Add a failureDomain in CPMS to trigger update cannot work right on GCP OCPBUGS-3909 - Node is degraded when a machine config deploys a unit with content and mask=true OCPBUGS-3916 - expr for SDNPodNotReady is wrong due to there is not node label for kube_pod_status_ready OCPBUGS-3919 - Azure: unable to configure EgressIP if an ASG is set OCPBUGS-3921 - Openshift-install bootstrap operation cannot find a cloud defined in clouds.yaml in the current directory OCPBUGS-3923 - [CI] cluster-monitoring-operator produces more watch requests than expected OCPBUGS-3924 - Remove autoscaling/v2beta2 in 4.12 and later OCPBUGS-3929 - Use flowcontrol/v1beta2 for apf manifests in 4.13 OCPBUGS-3931 - When all extensions are installed, "libkadm5" rpm package is duplicated in the `rpm -q` command OCPBUGS-3933 - Fails to deprovision cluster when swift omits 'content-type' OCPBUGS-3945 - Handle 0600 kubeconfig OCPBUGS-3951 - Dynamic plugin extensions disappear from the UI when a codeRef fails to load OCPBUGS-3960 - Use kernel-rt from ose repo OCPBUGS-3965 - must-gather namespace should have ?privileged? warn and audit pod security labels besides enforce OCPBUGS-3973 - [SNO] csi-snapshot-controller CO is degraded when upgrade from 4.12 to 4.13 and reports permissions issue. OCPBUGS-3974 - CIRO panics when suspended flag is nil OCPBUGS-3975 - "Failed to open directory, disabling udev device properties" in node-exporter logs OCPBUGS-3978 - AWS EBS CSI driver operator is degraded without "CSISnapshot" capability OCPBUGS-3985 - Allow PSa enforcement in 4.13 by using featuresets OCPBUGS-3987 - Some nmstate validations are skipped when NM config is in agent-config.yaml OCPBUGS-3990 - HyperShift control plane operators have wrong priorityClass OCPBUGS-3993 - egressIP annotation including two interfaces when multiple networks OCPBUGS-4000 - fix operator naming convention OCPBUGS-4008 - Console deployment does not roll out when managed cluster configmap is updated OCPBUGS-4012 - Disabled Serverless add actions should not be displayed in topology menu OCPBUGS-4026 - Endless rerender loop and a stuck browser on the add and topology page when SBO is installed OCPBUGS-4047 - [CI-Watcher] e2e test flake: Create key/value secrets Validate a key/value secret OCPBUGS-4049 - MCO reconcile fails if user replace the pull secret to empty one OCPBUGS-4052 - [ALBO] OpenShift Load Balancer Operator does not properly support cluster wide proxy OCPBUGS-4054 - cluster-ingress-operator's configurable-route controller's startup is noisy OCPBUGS-4089 - Kube-State-metrics pod fails to start due to panic OCPBUGS-4090 - OCP on OSP - Image registry is deployed with cinder instead of swift storage backend OCPBUGS-4101 - Empty/missing node-sizing SYSTEM_RESERVED_ES parameter can result in kubelet not starting OCPBUGS-4110 - Form footer buttons are misaligned in web terminal form OCPBUGS-4119 - Random SYN drops in OVS bridges of OVN-Kubernetes OCPBUGS-4166 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13 OCPBUGS-4168 - Prometheus continuously restarts due to slow WAL replay OCPBUGS-4173 - vsphere-problem-detector should re-check passwords after change OCPBUGS-4181 - Prometheus and Alertmanager incorrect ExternalURL configured OCPBUGS-4184 - Use mTLS authentication for all monitoring components instead of bearer token OCPBUGS-4203 - Unnecessary padding around alert atop debug pod terminal OCPBUGS-4206 - getContainerStateValue contains incorrectly internationalized text OCPBUGS-4207 - Remove debug level logging on openshift-config-operator OCPBUGS-4219 - Add runbook link to PrometheusRuleFailures OCPBUGS-4225 - [4.13] boot sequence override request fails with Base.1.8.PropertyNotWritable on Lenovo SE450 OCPBUGS-4232 - CNCC: Wrong log format for Azure locking OCPBUGS-4245 - L2 does not work if a metallb is not able to listen to arp requests on a single interface OCPBUGS-4252 - Node Terminal tab results in error OCPBUGS-4253 - Add PodNetworkConnectivityCheck for must-gather OCPBUGS-4266 - crio.service should use a more safe restart policy to provide recoverability against concurrency issues OCPBUGS-4279 - Custom Victory-Core components in monitoring ui code causing build issues OCPBUGS-4280 - Return 0 when `oc import-image` failed OCPBUGS-4282 - [IR-269]Can't pull sub-manifest image using imagestream of manifest list OCPBUGS-4291 - [OVN]Sometimes after reboot egress node, egress IP cannot be applied anymore. OCPBUGS-4293 - Specify resources.requests for operator pod OCPBUGS-4298 - Specify resources.requests for operator pod OCPBUGS-4302 - Specify resources.requests for operator pod OCPBUGS-4305 - [4.13] Improve ironic logging configuration in metal3 OCPBUGS-4317 - [IBM][4.13][Snapshot] restore size in snapshot is not the same size of pvc request size OCPBUGS-4328 - Update installer images to be consistent with ART OCPBUGS-434 - After FIPS enabled in S390X, ingress controller in degraded state OCPBUGS-4343 - Use flowcontrol/v1beta3 for apf manifests in 4.13 OCPBUGS-4347 - set TLS cipher suites in Kube RBAC sidecars OCPBUGS-4350 - CNO in HyperShift reports upgrade complete in clusteroperator prematurely OCPBUGS-4352 - [RHOCP] HPA shows different API versions in web console OCPBUGS-4357 - Bump samples operator k8s dep to 1.25.2 OCPBUGS-4359 - cluster-dns-operator corrupts /etc/hosts when fs full OCPBUGS-4367 - Debug log messages missing from output and Info messages malformed OCPBUGS-4377 - Service name search ability while creating the Route from console OCPBUGS-4401 - limit cluster-policy-controller RBAC permissions OCPBUGS-4411 - ovnkube node pod crashed after converting to a dual-stack cluster network OCPBUGS-4417 - ip-reconciler removes the overlappingrangeipreservations whether the pod is alive or not OCPBUGS-4425 - Egress FW ACL rules are invalid in dualstack mode OCPBUGS-4447 - [MetalLB Operator] The CSV needs an update to reflect the correct version of operator OCPBUGS-446 - Cannot Add a project from DevConsole in airgap mode using git importing OCPBUGS-4483 - apply retry logic to ovnk-node controllers OCPBUGS-4490 - hypershift: csi-snapshot-controller uses wrong kubeconfig OCPBUGS-4491 - hypershift: aws-ebs-csi-driver-operator uses wrong kubeconfig OCPBUGS-4492 - [4.13] The property TransferProtocolType is required for VirtualMedia.InsertMedia OCPBUGS-4502 - [4.13] [OVNK] Add support for service session affinity timeout OCPBUGS-4516 - `oc-mirror` does not work as expected relative path for OCI format copy OCPBUGS-4517 - Better to detail the --command-os of mac for `oc adm release extract` command OCPBUGS-4521 - all kubelet targets are down after a few hours OCPBUGS-4524 - Hold lock when deleting completed pod during update event OCPBUGS-4525 - Don't log in iterateRetryResources when there are no retry entries OCPBUGS-4535 - There is no 4.13 gcp-filestore-csi-driver-operator version for test OCPBUGS-4536 - Image registry panics while deploying OCP in eu-south-2 AWS region OCPBUGS-4537 - Image registry panics while deploying OCP in eu-central-2 AWS region OCPBUGS-4538 - Image registry panics while deploying OCP in ap-south-2 AWS region OCPBUGS-4541 - Azure: remove deprecated ADAL OCPBUGS-4546 - CVE-2021-38561 ose-installer-container: golang: out-of-bounds read in golang.org/x/text/language leads to DoS [openshift-4] OCPBUGS-4549 - Azure: replace deprecated AD Graph API OCPBUGS-4550 - [CI] console-operator produces more watch requests than expected OCPBUGS-4571 - The operator recommended namespace is incorrect after change installation mode to "A specific namespace on the cluster" OCPBUGS-4574 - Machine stuck in no phase when creating in a nonexistent zone and stuck in Deleting when deleting on GCP OCPBUGS-463 - OVN-Kubernetes should not send IPs with leading zeros to OVN OCPBUGS-4630 - Bump documentationBaseURL to 4.13 OCPBUGS-4635 - [OCP 4.13] ironic container images have old packages OCPBUGS-4638 - Support RHOBS monitoring for HyperShift in CNO OCPBUGS-4652 - Fixes for RHCOS 9 based on RHEL 9.0 OCPBUGS-4654 - Azure: UPI: Fix storage arm template to work with Galleries and MAO OCPBUGS-4659 - Network Policy executes duplicate transactions for every pod update OCPBUGS-4684 - In DeploymentConfig both the Form view and Yaml view are not in sync OCPBUGS-4689 - SNO not able to bring up Provisioning resource in 4.11.17 OCPBUGS-4691 - Topology sidebar actions doesn't show the latest resource data OCPBUGS-4692 - PTP operator: Use priority class node critical OCPBUGS-4700 - read-only update UX: confusing "Update blocked" pop-up OCPBUGS-4701 - read-only update UX: confusing "Control plane is hosted" banner OCPBUGS-4703 - Router can migrate to use LivenessProbe.TerminationGracePeriodSeconds OCPBUGS-4712 - ironic-proxy daemonset not deleted when provisioningNetwork is changed from Disabled to Managed/Unmanaged OCPBUGS-4724 - [4.13] egressIP annotations not present on OpenShift on Openstack multiAZ installation OCPBUGS-4725 - mapi_machinehealthcheck_short_circuit not properly reconciling causing MachineHealthCheckUnterminatedShortCircuit alert to fire OCPBUGS-4746 - Removal of detection of host kubelet kubeconfig breaks IBM Cloud ROKS OCPBUGS-4756 - OLM generates invalid component selector labels OCPBUGS-4757 - Revert Catalog PSA decisions for 4.13 (OLM) OCPBUGS-4758 - Revert Catalog PSA decisions for 4.13 (Marketplace) OCPBUGS-4769 - Old AWS boot images vs. 4.12: unknown provider 'ec2' OCPBUGS-4780 - Update openshift/builder release-4.13 to go1.19 OCPBUGS-4781 - Get Helm Release seems to be using List Releases api OCPBUGS-4793 - CMO may generate Kubernetes events with a wrong object reference OCPBUGS-4802 - Update formatting with gofmt for go1.19 OCPBUGS-4825 - Pods completed + deleted may leak OCPBUGS-4827 - Ingress Controller is missing a required AWS resource permission for SC2S region us-isob-east-1 OCPBUGS-4873 - openshift-marketplace namespace missing "audit-version" and "warn-version" PSA label OCPBUGS-4874 - Baremetal host data is still sometimes required OCPBUGS-4883 - Default Git type to other info alert should get remove after changing the git type OCPBUGS-4894 - Disabled Serverless add actions should not be displayed for Knative Service OCPBUGS-4899 - coreos-installer output not available in the logs OCPBUGS-4900 - Volume limits test broken on AWS and GCP TechPreview clusters OCPBUGS-4906 - Cross-namespace template processing is not being tested OCPBUGS-4909 - Can't reach own service when egress netpol are enabled OCPBUGS-4913 - Need to wait longer for VM to obtain IP from DHCP OCPBUGS-4941 - Fails to deprovision cluster when swift omits 'content-type' and there are empty containers OCPBUGS-4950 - OLM K8s Dependencies should be at 1.25 OCPBUGS-4954 - [IBMCloud] COS Reclamation prevents ResourceGroup cleanup OCPBUGS-4955 - Bundle Unpacker Using "Always" ImagePullPolicy for digests OCPBUGS-4969 - ROSA Machinepool EgressIP Labels Not Discovered OCPBUGS-4975 - Missing translation in ceph storage plugin OCPBUGS-4986 - precondition: Do not claim warnings would have blocked OCPBUGS-4997 - Agent ISO does not respect proxy settings OCPBUGS-5001 - MachineConfigControllerPausedPoolKubeletCA should have a working runbook URI OCPBUGS-501 - oc get dc fails when AllRequestBodies audit-profile is set in apiserver OCPBUGS-5010 - Should always delete the must-gather pod when run the must-gather OCPBUGS-5016 - Editing Pipeline in the ocp console to get information error OCPBUGS-5018 - Upgrade from 4.11 to 4.12 with Windows machine workers (Spot Instances) failing due to: hcnCreateEndpoint failed in Win32: The object already exists. OCPBUGS-5036 - Cloud Controller Managers do not react to changes in configuration leading to assorted errors OCPBUGS-5045 - unit test data race with egress ip tests OCPBUGS-5068 - [4.13] virtual media provisioning fails when iLO Ironic driver is used OCPBUGS-5073 - Connection reset by peer issue with SSL OAuth Proxy when route objects are created more than 80. OCPBUGS-5079 - [CI Watcher] pull-ci-openshift-console-master-e2e-gcp-console jobs: Process did not finish before 4h0m0s timeout OCPBUGS-5085 - Should only show the selected catalog when after apply the ICSP and catalogsource OCPBUGS-5101 - [GCP] [capi] Deletion of cluster is happening , it shouldn't be allowed OCPBUGS-5116 - machine.openshift.io API is not supported in Machine API webhooks OCPBUGS-512 - Permission denied when write data to mounted gcp filestore volume instance OCPBUGS-5124 - kubernetes-nmstate does not pass CVP tests in 4.12 OCPBUGS-5136 - provisioning on ilo4-virtualmedia BMC driver fails with error: "Creating vfat image failed: Unexpected error while running command" OCPBUGS-5140 - [alibabacloud] IPI install got bootstrap failure and without any node ready, due to enforced EIP bandwidth 5 Mbit/s OCPBUGS-5151 - Installer - provisioning interface on master node not getting ipv4 dhcp ip address from bootstrap dhcp server on OCP IPI BareMetal install OCPBUGS-5164 - Add support for API version v1beta1 for knativeServing and knativeEventing OCPBUGS-5165 - Dev Sandbox clusters uses clusterType OSD and there is no way to enforce DEVSANDBOX OCPBUGS-5182 - [azure] Fail to create master node with vm size in family ECIADSv5 and ECIASv5 OCPBUGS-5184 - [azure] Fail to create master node with vm size in standardNVSv4Family OCPBUGS-5188 - Wrong message in MCCDrainError alert OCPBUGS-5234 - [azure] Azure Stack Hub (wwt) UPI installation failed to scale up worker nodes using machinesets OCPBUGS-5235 - mapi_instance_create_failed metric cannot work when set acceleratedNetworking: true on Azure OCPBUGS-5269 - remove unnecessary RBAC in KCM: file removal OCPBUGS-5275 - remove unnecessary RBAC in OCM OCPBUGS-5287 - Bug with Red Hat Integration - 3scale - Managed Application Services causes operator-install-single-namespace.spec.ts to fail OCPBUGS-5292 - Multus: Interface name contains an invalid character / [ocp 4.13] OCPBUGS-5300 - WriteRequestBodies audit profile records routes/status events at RequestResponse level OCPBUGS-5306 - One old machine stuck in Deleting and many co get degraded when doing master replacement on the cluster with OVN network OCPBUGS-5346 - Reported vSphere Connection status is misleading OCPBUGS-5347 - Clusteroperator Available condition is updated every 2 mins when operator is disabled OCPBUGS-5353 - Dashboard graph should not be stacked - Kubernetes / Compute Resources / Pod Dashboard OCPBUGS-5410 - [AWS-EBS-CSI-Driver] provision volume using customer kms key couldn't restore its snapshot successfully OCPBUGS-5423 - openshift-marketplace pods cause PodSecurityViolation alert to fire OCPBUGS-5428 - Many plugin SDK extension docs are missing descriptions OCPBUGS-5432 - Downstream Operator-SDK v1.25.1 to OCP 4.13 OCPBUGS-5458 - wal: max entry size limit exceeded OCPBUGS-5465 - Context Deadline exceeded when PTP service is disabled from the switch OCPBUGS-5466 - Default CatalogSource aren't always reverted to default settings OCPBUGS-5492 - CI "[Feature:bond] should create a pod with bond interface" fail for MTU migration jobs OCPBUGS-5497 - MCDRebootError alarm disappears after 15 minutes OCPBUGS-5498 - Host inventory quick start for OCP OCPBUGS-5505 - Upgradeability check is throttled too much and with unnecessary non-determinism OCPBUGS-5508 - Report topology usage in vSphere environment via telemetry OCPBUGS-5517 - [Azure/ARO] Update Azure SDK to v63.1.0+incompatible OCPBUGS-5520 - MCDPivotError alert fires due temporary transient failures OCPBUGS-5523 - Catalog, fatal error: concurrent map read and map write OCPBUGS-5524 - Disable vsphere intree tests that exercise multiple tests OCPBUGS-5534 - [UI] When OCP and ODF are upgraded, refresh web console pop-up doesn't appear after ODF upgrade resulting in dashboard crash OCPBUGS-5540 - Typo in WTO for Milliseconds OCPBUGS-5542 - Project dropdown order is not as smart as project list page order OCPBUGS-5546 - Machine API Provider Azure should not modify the Machine spec OCPBUGS-5547 - Webhook Secret (1 of 2) is not removed when Knative Service is deleted OCPBUGS-5559 - add default noProxy config for Azure OCPBUGS-5733 - [Openshift Pipelines] Description of parameters are not shown in pipelinerun description page OCPBUGS-5734 - Azure: VIP 168.63.129.16 should be noProxy to all clouds except Public OCPBUGS-5736 - The main section of the page will keep loading after normal user login OCPBUGS-5759 - Deletion of BYOH Windows node hangs in Ready,SchedulingDisabled OCPBUGS-5802 - update sprig to v3 in cno OCPBUGS-5836 - Incorrect redirection when user try to download windows oc binary OCPBUGS-5842 - executes /host/usr/bin/oc OCPBUGS-5851 - [CI-Watcher]: Using OLM descriptor components deletes operand OCPBUGS-5873 - etcd_object_counts is deprecated and replaced with apiserver_storage_objects, causing "etcd Object Count" dashboard to only show OpenShift resources OCPBUGS-5888 - Failed to install 4.13 ocp on SNO with "error during syncRequiredMachineConfigPools" OCPBUGS-5891 - oc-mirror heads-only does not work with target name OCPBUGS-5903 - gather default ingress controller definition OCPBUGS-5922 - [2047299 Jira placeholder] nodeport not reachable port connection timeout OCPBUGS-5939 - revert "force cert rotation every couple days for development" in 4.13 OCPBUGS-5948 - Runtime error using API Explorer with AdmissionReview resource OCPBUGS-5949 - oc --icsp mapping scope does not match openshift icsp mapping scope OCPBUGS-5959 - [4.13] Bootimage bump tracker OCPBUGS-5988 - Degraded etcd on assisted-installer installation- bootstrap etcd is not removed properly OCPBUGS-5991 - Kube APIServer panics in admission controller OCPBUGS-5997 - Add Git Repository form shows empty permission content and non-working help link until a git url is entered OCPBUGS-6004 - apiserver pods cannot reach etcd on single node IPv6 cluster: transport: authentication handshake failed: x509: certificate is valid for ::1, 127.0.0.1, ::1, fd69::2, not 2620:52:0:198::10" OCPBUGS-6011 - openshift-client package has wrong version of kubectl bundled OCPBUGS-6018 - The MCO can generate a rendered config with old KubeletConfig contents, blocking upgrades OCPBUGS-6026 - cannot change /etc folder ownership inside pod OCPBUGS-6033 - metallb 4.12.0-202301042354 (OCP 4.12) refers to external image OCPBUGS-6049 - Do not show UpdateInProgress when status is Failing OCPBUGS-6053 - `availableUpdates: null` results in run-time error on Cluster Settings page OCPBUGS-6055 - thanos-ruler-user-workload-1 pod is getting repeatedly re-created after upgrade do 4.10.41 OCPBUGS-6063 - PVs(vmdk) get deleted when scaling down machineSet with vSphere IPI OCPBUGS-6089 - Unnecessary event reprocessing OCPBUGS-6092 - ovs-configuration.service fails - Error: Connection activation failed: No suitable device found for this connection OCPBUGS-6097 - CVO hotloops on ImageStream and logs the information incorrectly OCPBUGS-6098 - Show Git icon and URL in repository link in PLR details page should be based on the git provider OCPBUGS-6101 - Daemonset is not upgraded after operator upgrade OCPBUGS-6175 - Image registry Operator does not use Proxy when connecting to openstack OCPBUGS-6185 - Update 4.13 ose-cluster-config-operator image to be consistent with ART OCPBUGS-6187 - Update 4.13 openshift-state-metrics image to be consistent with ART OCPBUGS-6189 - Update 4.13 ose-cluster-authentication-operator image to be consistent with ART OCPBUGS-6191 - Update 4.13 ose-network-metrics-daemon image to be consistent with ART OCPBUGS-6197 - Update 4.13 ose-openshift-apiserver image to be consistent with ART OCPBUGS-6201 - Update 4.13 openshift-enterprise-pod image to be consistent with ART OCPBUGS-6202 - Update 4.13 ose-cluster-kube-apiserver-operator image to be consistent with ART OCPBUGS-6213 - Update 4.13 ose-machine-config-operator image to be consistent with ART OCPBUGS-6222 - Update 4.13 ose-alibaba-cloud-csi-driver image to be consistent with ART OCPBUGS-6228 - Update 4.13 coredns image to be consistent with ART OCPBUGS-6231 - Update 4.13 ose-kube-storage-version-migrator image to be consistent with ART OCPBUGS-6232 - Update 4.13 marketplace-operator image to be consistent with ART OCPBUGS-6233 - Update 4.13 ose-cluster-openshift-apiserver-operator image to be consistent with ART OCPBUGS-6234 - Update 4.13 ose-cluster-bootstrap image to be consistent with ART OCPBUGS-6235 - Update 4.13 cluster-network-operator image to be consistent with ART OCPBUGS-6238 - Update 4.13 oauth-server image to be consistent with ART OCPBUGS-6240 - Update 4.13 ose-cluster-kube-storage-version-migrator-operator image to be consistent with ART OCPBUGS-6241 - Update 4.13 operator-lifecycle-manager image to be consistent with ART OCPBUGS-6247 - Update 4.13 ose-cluster-ingress-operator image to be consistent with ART OCPBUGS-6262 - Add more logs to "oc extract" in mco-first boot service OCPBUGS-6265 - When installing SNO with bootstrap in place it takes CVO 6 minutes to acquire the leader lease OCPBUGS-6270 - Irrelevant vsphere platform data is required OCPBUGS-6272 - E2E tests: Entire pipeline flow from Builder page Start the pipeline with workspace OCPBUGS-631 - machineconfig service is failed to start because Podman storage gets corrupted OCPBUGS-6486 - Image upload fails when installing cluster OCPBUGS-6503 - admin ack test nondeterministically does a check post-upgrade OCPBUGS-6504 - IPI Baremetal Master Node in DualStack getting fd69:: address randomly, OVN CrashLoopBackOff OCPBUGS-6507 - Don't retry network policy peer pods if ips couldn't be fetched OCPBUGS-6577 - Node-exporter NodeFilesystemAlmostOutOfSpace alert exception needed OCPBUGS-6610 - Developer - Topology : 'Filter by resource' drop-down i18n misses OCPBUGS-6621 - Image registry panics while deploying OCP in ap-southeast-4 AWS region OCPBUGS-6624 - Issue deploying the master node with IPI OCPBUGS-6634 - Let the console able to build on other architectures and compatible with prow builds OCPBUGS-6646 - Ingress node firewall CI is broken with latest OCPBUGS-6647 - User Preferences - Applications : Resource type drop-down i18n misses OCPBUGS-6651 - Nodes unready in PublicAndPrivate / Private Hypershift setups behind a proxy OCPBUGS-6660 - Uninstall Operator? modal instructions always reference optional checkbox OCPBUGS-6663 - Platform baremetal warnings during create image when fields not defined OCPBUGS-6682 - [OVN] ovs-configuration vSphere vmxnet3 allmulti workaround is now permanent OCPBUGS-6698 - Fix conflict error message in cluster-ingress-operator's ensureNodePortService OCPBUGS-6700 - Cluster-ingress-operator's updateIngressClass function logs success message when error OCPBUGS-6701 - The ingress-operator spuriously updates ingressClass on startup OCPBUGS-6714 - Traffic from egress IPs was interrupted after Cluster patch to Openshift 4.10.46 OCPBUGS-672 - Redhat-operators are failing regularly due to startup probe timing out which in turn increases CPU/Mem usage on Master nodes OCPBUGS-6722 - s390x: failed to generate asset "Image": multiple "disk" artifacts found OCPBUGS-6730 - Pod latency spikes are observed when there is a compaction/leadership transfer OCPBUGS-6731 - Gathered Environment variables (HTTP_PROXY/HTTPS_PROXY) may contain sensible information and should be obfuscated OCPBUGS-6741 - opm fails to serve FBC if cachedir not provided OCPBUGS-6757 - Pipeline Repository (Pipeline-as-Code) list page shows an empty Event type column OCPBUGS-6760 - Couldn't update/delete cpms on gcp private cluster OCPBUGS-6762 - Enhance the user experience for the name-filter-input on Metrics target page OCPBUGS-6765 - "Delete dependent objects of this resource" might cause confusions OCPBUGS-6777 - [gcp][CORS-1988] "create manifests" without an existing "install-config.yaml" missing 4 YAML files in "/openshift" which leads to "create cluster" failure OCPBUGS-6781 - gather Machine objects OCPBUGS-6797 - Empty IBMCOS storage config causes operator to crashloop OCPBUGS-6799 - Repositories list does not show the running pipelinerun as last pipelinerun OCPBUGS-6809 - Uploading large layers fails with "blob upload invalid" OCPBUGS-6811 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13 OCPBUGS-6821 - Update NTO images to be consistent with ART OCPBUGS-6832 - Include openshift_apps_deploymentconfigs_strategy_total to recent_metrics OCPBUGS-6893 - Dev console doesn't finish loading for users with limited access OCPBUGS-6902 - 4.13-e2e-metal-ipi-upgrade-ovn-ipv6 on permafail OCPBUGS-6917 - MultinetworkPolicy: unknown service runtime.v1alpha2.RuntimeService OCPBUGS-6925 - Update OWNERS_ALIASES in release-4.13 branch OCPBUGS-6945 - OS Release reports incorrect version ID OCPBUGS-6953 - ovnkube-master panic nil deref OCPBUGS-6955 - panic in an ovnkube-master pod OCPBUGS-6962 - 'agent_installer' invoker not showing up in telemetry OCPBUGS-6977 - pod-identity-webhook replicas=2 is failing single node jobs OCPBUGS-6978 - Index violation on IGMP_Group during upgrade from 4.12.0 to 4.12.1 OCPBUGS-6994 - All Clusters perspective is not activated automatically when ACM is installed OCPBUGS-702 - The caBundle field of alertmanagerconfigs.monitoring.coreos.com crd is getting removed OCPBUGS-7031 - Pipelines repository list and creation form doesn't show Tech Preview status OCPBUGS-7090 - Add to navigation button in search result does nothing OCPBUGS-7102 - OLM downstream utest fails due to new release-XX+1 branch creation OCPBUGS-7106 - network-tools needs to be updated to give ovn-k master leader info OCPBUGS-7118 - OCP 4.12 does not support launching SGX enclaves OCPBUGS-7144 - On mobile screens, At pipeline details page the info alert on metrics tab is not showing correctly OCPBUGS-7149 - IPv6 multinode spoke no moving from rebooting/configuring stage OCPBUGS-7173 - [OVN] DHCP timeouts on Azure arm64, install fails OCPBUGS-7180 - [4.13] Bootimage bump tracker OCPBUGS-7186 - [gcp][CORS-2424] with "secureBoot" enabled, after deleting control-plane machine, the new machine is created with "enableSecureBoot" being False unexpectedly OCPBUGS-7195 - [CI-Watcher] e2e issue with tests: Create Samples Page Timeout Error OCPBUGS-7199 - [CI-Watcher] e2e issue with tests: Interacting with CatalogSource page OCPBUGS-7204 - Manifests generated to multiple "results-xxx" folders when using the oci feature with OCI and nonOCI catalogs OCPBUGS-7207 - MTU migration configuration is cleaned up prematurely while in progress OCPBUGS-723 - ClusterResourceQuota values are not reflecting. OCPBUGS-7268 - [4.13] Modify the PSa pod extractor to mutate pod controller pod specs OCPBUGS-7284 - Hypershift failing new SCC conformance tests OCPBUGS-7291 - ptp keeps trying to start phc2sys even if it's configured as empty string in phc2sysOpts OCPBUGS-7293 - RHCOS 9.2 Failing to Bootstrap on Metal, OpenStack, vSphere (all baremetal runtime platforms) OCPBUGS-7300 - aws-ebs-csi-driver-operator crash loops with HC proxy configured OCPBUGS-7301 - Not possible to use certain start addresses in whereabouts IPv6 range [Backport 4.13] OCPBUGS-7308 - Download kubeconfig for ServiceAccount returns error OCPBUGS-7354 - Installation failed on Azure SDN as network is degraded OCPBUGS-7356 - Default channel on OCP 4.13 should be stable-4.13 OCPBUGS-7359 - [Azure] Replace master failed as new master did not add into lb backend OCPBUGS-736 - Kuryr uses default MTU for service network OCPBUGS-7366 - [gcp] New machine stuck in Provisioning when delete one zone from cpms on gcp with customer vpc OCPBUGS-7372 - fail early on missing node status envs OCPBUGS-7374 - set default timeouts in etcdcli OCPBUGS-7391 - Monitoring operator long delay reconciling extension-apiserver-authentication OCPBUGS-7399 - In the Edit application mode, the name of the added pipeline is not displayed anymore OCPBUGS-7408 - AzureDisk CSI driver does not compile with cachito OCPBUGS-7412 - gomod dependencies failures in 4.13-4.14 container builds OCPBUGS-7417 - gomod dependencies failures in 4.13-4.14 container builds OCPBUGS-7418 - Default values for Scaling fields is not set in Create Serverless function form OCPBUGS-7419 - CVO delay when setting clusterversion available status to true OCPBUGS-7421 - Missing i18n key for PAC section in Git import form OCPBUGS-7424 - Bump cluster-ingress-operator to k8s APIs v0.26.1 OCPBUGS-7427 - dynamic-demo-plugin.spec.ts requires 10 minutes of unnecessary wait time OCPBUGS-7438 - Egress service does not handle invalid nodeSelectors correctly OCPBUGS-7482 - Fix handling of single failure-domain (non-tagged) deployments in vsphere OCPBUGS-7483 - Hypershift installs on "platform: none" are broken OCPBUGS-7488 - test flake: should not reconcile SC when state is Unmanaged OCPBUGS-7495 - Platform type is ignored OCPBUGS-7517 - Helm page crashes on old releases with a new Secret OCPBUGS-7519 - NFS Storage Tests trigger Kernel Panic on Azure and Metal OCPBUGS-7523 - Add new AWS regions for ROSA OCPBUGS-7542 - Bump router to k8s APIs v0.26.1 OCPBUGS-7555 - Enable default sysctls for kubelet OCPBUGS-7558 - Rebase coredns to 1.10.1 OCPBUGS-7563 - vSphere install can't complete with out-of-tree CCM OCPBUGS-7579 - [azure] failed to parse client certificate when using certificate-based Service Principal with passpharse OCPBUGS-7611 - PTPOperator config transportHost with AMQ is not detected OCPBUGS-7616 - vSphere multiple in-tree test failures (non-zonal) OCPBUGS-7617 - Azure Disk volume is taking time to attach/detach OCPBUGS-7622 - vSphere UPI jobs failing with 'Managed cluster should have machine resources' OCPBUGS-7648 - Bump cluster-dns-operator to k8s APIs v0.26.1 OCPBUGS-7689 - Project Admin is able to Label project with empty string in RHOCP 4 OCPBUGS-7696 - [ Azure ]not able to deploy machine with publicIp:true OCPBUGS-7707 - /etc/NetworkManager/dispatcher.d needs to be relabeled during pivot from 8.6 to 9.2 OCPBUGS-7719 - Update to 4.13.0-ec.3 stuck on leaked MachineConfig OCPBUGS-7729 - Remove ETCD liviness probe. OCPBUGS-7731 - Need to cancel threads when agent-tui timeout is stopped OCPBUGS-7733 - Afterburn fails on AWS/GCP clusters born in OCP 4.1/4.2 OCPBUGS-7743 - SNO upgrade from 4.12 to 4.13 rhel9.2 is broken cause of dnsmasq default config OCPBUGS-7750 - fix gofmt check issue in network-metrics-daemon OCPBUGS-7754 - ART having trouble building olm images OCPBUGS-7774 - RawCNIConfig is printed in byte representation on failure, not human readable OCPBUGS-7785 - migrate to using Lease for leader election OCPBUGS-7806 - add "nfs-export" under PV details page OCPBUGS-7809 - sg3_utils package is missing in the assisted-installer-agent Docker file OCPBUGS-781 - ironic-proxy is using a deprecated field to fetch cluster VIP OCPBUGS-7833 - Storage tests failing in no-capabilities job OCPBUGS-7837 - hypershift: aws-ebs-csi-driver-operator uses guest cluster proxy causing PV provisioning failure OCPBUGS-7860 - [azure] message is unclear when missing clientCertificatePassword in osServicePrincipal.json OCPBUGS-7876 - [Descheduler] Enabling LifeCycleUtilization to test namespace filtering does not work OCPBUGS-7879 - Devfile isn't be processed correctly on 'Add from git repo' OCPBUGS-7896 - MCO should not add keepalived pod manifests in case of VSPHERE UPI OCPBUGS-7899 - ODF Monitor pods failing to be bounded because timeout issue with thin-csi SC OCPBUGS-7903 - Pool degraded with error: rpm-ostree kargs: signal: terminated OCPBUGS-7909 - Baremetal runtime prepender creates /etc/resolv.conf mode 0600 and bad selinux context OCPBUGS-794 - OLM version rule is not clear OCPBUGS-7940 - apiserver panics in admission controller OCPBUGS-7943 - AzureFile CSI driver does not compile with cachito OCPBUGS-7970 - [E2E] Always close the filter dropdown in listPage.filter.by OCPBUGS-799 - Reply packet for DNS conversation to service IP uses pod IP as source OCPBUGS-8066 - Create Serverless Function form breaks if Pipeline Operator is not installed OCPBUGS-8086 - Visual issues with listing items OCPBUGS-8243 - [release 4.13] Gather Monitoring pods' Persistent Volumes OCPBUGS-8308 - Bump openshift/kubernetes to 1.26.2 OCPBUGS-8312 - IPI on Power VS clusters cannot deploy MCO OCPBUGS-8326 - Azure cloud provider should use Kubernetes 1.26 dependencies OCPBUGS-8341 - Unable to set capabilities with agent installer based installation OCPBUGS-8342 - create cluster-manifests fails when imageContentSources is missing OCPBUGS-8353 - PXE support is incomplete OCPBUGS-8381 - Console shows x509 error when requesting token from oauth endpoint OCPBUGS-8401 - Bump openshift/origin to kube 1.26.2 OCPBUGS-8424 - ControlPlaneMachineSet: Machine's Node should be Ready to consider the Machine Ready OCPBUGS-8445 - cgroups default setting in OCP 4.13 generates extra MachineConfig OCPBUGS-8463 - OpenStack Failure domains as 4.13 TechPreview OCPBUGS-8471 - [4.13] egress firewall only createas 1 acl for long namespace names OCPBUGS-8475 - TestBoundTokenSignerController causes unrecoverable disruption in e2e-gcp-operator CI job OCPBUGS-8481 - CAPI rebases 4.13 backports OCPBUGS-8490 - agent-tui: display additional checks only when primary check fails OCPBUGS-8498 - aws-ebs-csi-driver-operator ServiceAccount does not include the HCP pull-secret in its imagePullSecrets OCPBUGS-8505 - [4.13] egress firewall acls are deleted on restart OCPBUGS-8511 - [4.13+ ONLY] Don't use port 80 in bootstrap IPI bare metal OCPBUGS-855 - When setting allowedRegistries urls the openshift-samples operator is degraded OCPBUGS-859 - monitor not working with UDP lb when externalTrafficPolicy: Local OCPBUGS-860 - CSR are generated with incorrect Subject Alternate Names OCPBUGS-8699 - Metal IPI Install Rate Below 90% OCPBUGS-8701 - `oc patch project` not working with OCP 4.12 OCPBUGS-8702 - OKD SCOS: remove workaround for rpm-ostree auth OCPBUGS-8703 - fails to switch to kernel-rt with rhel 9.2 OCPBUGS-8710 - [4.13] don't enforce PSa in 4.13 OCPBUGS-8712 - AES-GCM encryption at rest is not supported by kube-apiserver-operator OCPBUGS-8719 - Allow the user to scroll the content of the agent-tui details view OCPBUGS-8741 - [4.13] Pods in same deployment will have different ability to query services in same namespace from one another; ocp 4.10 OCPBUGS-8742 - Origin tests should not specify `readyz` as the health check path OCPBUGS-881 - fail to create install-config.yaml as apiVIP and ingressVIP are not in machine networks OCPBUGS-8941 - Introduce tooltips for contextual information OCPBUGS-904 - Alerts from MCO are missing namespace OCPBUGS-9079 - ICMP fragmentation needed sent to pods behind a service don't seem to reach the pods OCPBUGS-91 - [ExtDNS] New TXT record breaks downward compatibility by retroactively limiting record length OCPBUGS-9132 - WebSCale: ovn logical router polices incorrect/l3 gw config not updated after IP change OCPBUGS-9185 - Pod latency spikes are observed when there is a compaction/leadership transfer OCPBUGS-9233 - ConsoleQuickStart {{copy}} and {{execute}} features do not work in some cases OCPBUGS-931 - [osp][octavia lb] NodePort allocation cannot be disabled for LB type svcs OCPBUGS-9338 - editor toggle radio input doesn't have distinguishable attributes OCPBUGS-9389 - Detach code in vsphere csi driver is failing OCPBUGS-948 - OLM sets invalid SCC label on its namespaces OCPBUGS-95 - NMstate removes egressip in OpenShift cluster with SDN plugin OCPBUGS-9913 - bacport tests for PDBUnhealthyPodEvictionPolicy as Tech Preview OCPBUGS-9924 - Remove unsupported warning in oc-mirror when using the --skip-pruning flag OCPBUGS-9926 - Enable node healthz server for ovnk in CNO OCPBUGS-9951 - fails to reconcile to RT kernel on interrupted updates OCPBUGS-9957 - Garbage collect grafana-dashboard-etcd OCPBUGS-996 - Control Plane Machine Set Operator OnDelete update should cause an error when more than one machine is ready in an index OCPBUGS-9963 - Better to change the error information more clearly to help understand OCPBUGS-9968 - Operands running management side missing affinity, tolerations, node selector and priority rules than the operator 6. References: https://access.redhat.com/security/cve/CVE-2021-4235 https://access.redhat.com/security/cve/CVE-2021-4238 https://access.redhat.com/security/cve/CVE-2021-20329 https://access.redhat.com/security/cve/CVE-2021-38561 https://access.redhat.com/security/cve/CVE-2021-43519 https://access.redhat.com/security/cve/CVE-2021-44964 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1587 https://access.redhat.com/security/cve/CVE-2022-1785 https://access.redhat.com/security/cve/CVE-2022-1897 https://access.redhat.com/security/cve/CVE-2022-1927 https://access.redhat.com/security/cve/CVE-2022-2509 https://access.redhat.com/security/cve/CVE-2022-2990 https://access.redhat.com/security/cve/CVE-2022-3080 https://access.redhat.com/security/cve/CVE-2022-3259 https://access.redhat.com/security/cve/CVE-2022-4203 https://access.redhat.com/security/cve/CVE-2022-4304 https://access.redhat.com/security/cve/CVE-2022-4450 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-23525 https://access.redhat.com/security/cve/CVE-2022-23526 https://access.redhat.com/security/cve/CVE-2022-26280 https://access.redhat.com/security/cve/CVE-2022-27191 https://access.redhat.com/security/cve/CVE-2022-29154 https://access.redhat.com/security/cve/CVE-2022-29824 https://access.redhat.com/security/cve/CVE-2022-34903 https://access.redhat.com/security/cve/CVE-2022-38023 https://access.redhat.com/security/cve/CVE-2022-38177 https://access.redhat.com/security/cve/CVE-2022-38178 https://access.redhat.com/security/cve/CVE-2022-40674 https://access.redhat.com/security/cve/CVE-2022-41316 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-41721 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-41724 https://access.redhat.com/security/cve/CVE-2022-41725 https://access.redhat.com/security/cve/CVE-2022-42010 https://access.redhat.com/security/cve/CVE-2022-42011 https://access.redhat.com/security/cve/CVE-2022-42012 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-42919 https://access.redhat.com/security/cve/CVE-2022-46146 https://access.redhat.com/security/cve/CVE-2022-47629 https://access.redhat.com/security/cve/CVE-2023-0056 https://access.redhat.com/security/cve/CVE-2023-0215 https://access.redhat.com/security/cve/CVE-2023-0216 https://access.redhat.com/security/cve/CVE-2023-0217 https://access.redhat.com/security/cve/CVE-2023-0229 https://access.redhat.com/security/cve/CVE-2023-0286 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0401 https://access.redhat.com/security/cve/CVE-2023-0620 https://access.redhat.com/security/cve/CVE-2023-0665 https://access.redhat.com/security/cve/CVE-2023-0778 https://access.redhat.com/security/cve/CVE-2023-25000 https://access.redhat.com/security/cve/CVE-2023-25165 https://access.redhat.com/security/cve/CVE-2023-25173 https://access.redhat.com/security/cve/CVE-2023-25577 https://access.redhat.com/security/cve/CVE-2023-25725 https://access.redhat.com/security/cve/CVE-2023-25809 https://access.redhat.com/security/cve/CVE-2023-27561 https://access.redhat.com/security/cve/CVE-2023-28642 https://access.redhat.com/security/cve/CVE-2023-30570 https://access.redhat.com/security/cve/CVE-2023-30841 https://access.redhat.com/security/updates/classification/#important https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZGVrhNzjgjWX9erEAQjD7BAAihZ8nlrasEU8QISGjHMUkUXKPHgV6LlZ IT2h0MLam8ICSCDdZ8PUVXhWP+CTTIYYdpEPTaIdKdB16iecRXm2ML8GtQ38zSjC LpCB4NUmAdoH91FbT2oazgrCgg+2hizfufLYk/8nNm9yVR0zT5kZbuXMFZH/PbCb dYYyRsXsNt4+MpaWGf1q3jS7OX8l5UXbfO+nnKHWoow5/PeclygxFbRclr7o62Dy tnfgs+OwbroI6L0nohsUTk4Es1koyD8FaGdo28ViLcgVH1VDhBqzHXSAe1P+XmAc PSG6slSRIrgJpARfN8OEI89wfI+ttyqEi4yAdoKjCo/pbshhLw3JZQcavmQc8XEK o1afTtx0XFHJsAdZRjvq+7zExqnDANRLbtkkYG2gYuc8LgGmh6P0ZlhxQFMS3f/T cTLSLaP6XSnHQaJyc0kqULHcWBZRzepcIDPYkmTCbCVCwLjXuIoF6eMQvo7eRXCy 4qN3nT0+M90jWxf/uQzo9NpeWFB7y2cccHMvaPzZ8cAAxpwM3Rphutu9lzRfJCl8 TMincIMIFq3vLmrfxHX5YOKfgH/Kjc06TbtnzxtucFQVNFxyKIWKgJB/hl1mGDTJ 8cibppoX+mLmUirPuu+5JwaAmq7skX5HKX3r3t8sajmij17nS2Ff8q52ZLgdZQ6H XbiJN3SZj5U= =WGO2 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce