Download the installer for your operating system or run
oc adm release extract --tools quay.io/openshift-release-dev/ocp-release:4.14.43-x86_64
Team Approvals:
Tests:
Blocking jobs
Informing jobs
Upgrades from:
Untested upgrades:
4.13.23, 4.13.24, 4.13.25, 4.13.26, 4.13.27, 4.13.28, 4.13.29, 4.13.31, 4.13.32, 4.13.33, 4.13.35, 4.13.36, 4.13.37, 4.13.38, 4.13.39, 4.13.40, 4.13.41, 4.13.42, 4.13.44, 4.13.45, 4.13.46, 4.13.48, 4.13.49, 4.13.50, 4.13.51, 4.14.10, 4.14.11, 4.14.12, 4.14.13, 4.14.14, 4.14.15, 4.14.16, 4.14.17, 4.14.18, 4.14.19, 4.14.20, 4.14.21, 4.14.22, 4.14.23, 4.14.24, 4.14.25, 4.14.26, 4.14.28, 4.14.29, 4.14.3, 4.14.30, 4.14.31, 4.14.32, 4.14.33, 4.14.34, 4.14.35, 4.14.36, 4.14.38, 4.14.39, 4.14.4, 4.14.5, 4.14.6, 4.14.8, 4.14.9
Upgrades to:
Changes from 4.14.2
Created: 2024-12-13 04:54:05 +0000 UTC
Image Digest: sha256:c770c1a6f546e4b730490ad9cc366fb2e0596c470aa295589f1ca9d80784f0c9
Components
Rebuilt images without code change
OCPBUGS-21217 : CVE-2023-39325 ose-cluster-samples-operator-container:golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) #539
Full changelog
manage-security-groups: Only add SGs to LB members (#2455) #2455
Fix protocol case mismatch (tcp vs TCP) (#2320) #2320
Get IP addresses of neutron subports (#2306) #2306
Make manage-security-groups work with OVN (#2291) #2291
Delete sgs on reconfiguration (#2305) #2305
Optimize applyNodeSecurityGroupIDForLB() (#2293) #2293
Remove unused manila code (#2299) #2299
Use instanceIDFromProviderID() function (#2302) #2302
Remove filtering by device_owner. (#2304) #2304
Allocate array capacity in advance (#2297) #2297
Corrected the grammar (#2301) #2301
Delete unused SG rules with manage-security-groups (#2287) #2287
Improved the grammar in sidecarcompatibility.md (#2292) #2292
Added comments and arranged the variable names (#2290) #2290
occm cinder-csi securityContext (#2286) #2286
fixed Grammatical mistakes in barbican-kms-plugin (#2289) #2289
Refactors and enhances the codebase of the cinder csi plugin (#2288) #2288
Wait for LB to be ACTIVE on HM update (#2280) #2280
(barbican-kms-plugin)Refactor and enhance Barbican KMS plugin codebase. (#2278) #2278
Fixed the typo in the load balancing section in the README (#2232) #2232
Fix image tag in manila csi e2e test (#2244) #2244
enable secret injection and common annotations (#2264) #2264
Update to gophercloud 1.4.0 (#2265) #2265
Replace call to Nova os-interfaces with direct Neutron call (#2250) #2250
add secret enabled option (#2239) #2239
Fix CSI spec versions (#2254) #2254
LoadBalancers: Remove dead SG code (#2248) #2248
Make ensureSecurityRule() safely idempotent (#2249) #2249
shrink image, remove unnecessary utils (#2233) (#2238) #2233
Doc: update statement about neutron lbaas removal (#2236) #2236
add environment variable for timeout (#2235) #2235
Increase timeout for LB to get to ACTIVE state (#2223) #2223
Ignore proxies when calling Nova Metadata (#2218) #2218
add priorityClassName to openstack-cloud-controller-manager helm chart (#2210) #2210
Do not default Octavia provider to “octavia” (#2208) #2208
retry ubuntu image download on temp error (#2507) #2507
update k8s.io/kubernetes to v1.27.8 in go.mod (#2497) #2497
fix: octavia tlsContainerRef validation for barbican secrets (#2460) #2460
Full changelog
OCPBUGS-44279 : Configure OAuth https proxy to dial cloud endpoints directly #5067
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.45 (release-4.14) #5162
NO-JIRA: chore(deps): update konflux references (release-4.14) #5145
NO-JIRA: chore(deps): update konflux references (release-4.14) #5121
NO-JIRA: chore(deps): update registry.access.redhat.com/ubi9-minimal docker tag to v9.5-1731518200 (release-4.14) #5105
NO-JIRA: Update Konflux references (release-4.14) #5100
chore(deps): update konflux references (release-4.14) #5076
NO-JIRA: chore(deps): update konflux references (release-4.14) #5055
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.44 (release-4.14) #5056
NO-JIRA: Update Konflux references to fedcfe0 (release-4.14) #5043
chore(deps): update konflux references (release-4.14) #5026
chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.43 (release-4.14) #5021
chore(deps): update konflux references to f53fe54 (release-4.14) #5020
NO-JIRA: Update Konflux references (release-4.14) #5011
OCPBUGS-41701 : cmd: report server version, supported OCP #4718
NO-JIRA: chore(deps): update konflux references (release-4.14) #4975
OCPBUGS-43688 : Use guest DNS resolution in Konnectivity HTTPS proxy by default #4964
chore(deps): update konflux references (release-4.14) #4953
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.42 (release-4.14) #4948
OCPBUGS-43368 : Let payload generation pick the release for the NodePool #4913
NO-JIRA: chore(deps): update konflux references (release-4.14) #4934
NO-JIRA: chore(deps): update konflux references to 66f551f (release-4.14) #4924
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.41 (release-4.14) #4917
NO-JIRA: chore(deps): update konflux references to 674e70f (release-4.14) #4910
NO-JIRA: chore(deps): update konflux references (release-4.14) #4898
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.40 (release-4.14) #4879
NO-JIRA: chore(deps): update konflux references to 37b9187 (release-4.14 #4851
OCPBUGS-42533 : enable audit log for oauth-openshift #4822
chore(deps): update registry.access.redhat.com/ubi9/go-toolset docker tag to v1.21.13 (release-4.14) #4794
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.39 (release-4.14) #4828
NO-JIRA: chore(deps): update konflux references (release-4.14) #4813
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.38 (release-4.14) #4805
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9 (release-4.14) #4788
chore(deps): update registry.access.redhat.com/ubi9-minimal docker tag to v9.4-1227.1726694542 (release-4.14) #4758
chore(deps): update squidfunk/mkdocs-material docker tag to v8.5.11 (release-4.14) #4784
OCPBUGS-41374 : CPO oauth idp converter: resolve names before dialing #4763
NO-JIRA: chore(deps): update konflux references to 5ac9b24 (release-4.14) #4783
chore(deps): update konflux references to 2c3426a (release-4.14) #4773
NO-JIRA: chore(deps): update konflux references (release-4.14) #4757
OCPBUGS-42221 : Make guest cluster components use the correct KAS port #4753
OCPBUGS-38060 : Add HTTP konnectivity proxy to OAuth server #4498
OCPBUGS-38066 : [release-4.14] Use HTTP proxy for ingress controller #4724
NO-JIRA: Security fixes for openshift-ci-security job #4752
OCPBUGS-42184 : copy image-registry AdditionalTrustedCA configmap into HC openshift-config #4747
OCPBUGS-41506 : fix: bump google.golang.org/protobuf #4687
HOSTEDCP-1957 : bump go-jose version #4698
OCPBUGS-39378 : Set KCM node monitor grace period #4659
chore(deps): update konflux references (release-4.14) #4683
OCPBUGS-39183 : fix: bump github.com/IBM/go-sdk-core/v5 #4626
NO-JIRA: Add PodDisruptionBudget for router deployment #4692
NO-JIRA: Revert “Merge pull request #4661 from jparrill/bp-4.14/OCPBUGS-24308” #4667
NO-JIRA: PDB backports #4661
NO-JIRA: Konflux migration 4.14 #4648
OCPBUGS-39230 : set proxy envvars on aws CCM #4638
OCPBUGS-38791 : Let the CPO oidc check resolve through data plane #4617
NO-JIRA: Flaky cert validation test #4633
HOSTEDCP-1897 : [release-4.14] Allow setting Kube APIServer maximum requests in flight #4553
OCPBUGS-37076 : Fixed audit-logs sigterm failing to terminate gracefully #4369
OCPBUGS-38624 : remove weak ciphers from security profile #4575
OCPBUGS-37173 : Add newline after TLS certs referenced by image.config #4471
OCPBUGS-37172 : OCPBUGS-35899: Doubled machineHealthCheck timeout on Agent and None #4490
OCPBUGS-36944 : [release-4.14] Add HTTP(s) konnectivity proxy and use it with OpenShift APIServer #4360
HOSTEDCP-1795 , HOSTEDCP-1796 : Customize the self-generated cert validity and rotation #4473
OCPBUGS-37175 : Delete IDMS in dataplane once HCP ICS field is removed #4472
NO-JIRA: Konflux mce-2.4 pipeline fixes #4464
NO-JIRA: [release-4.14] OCPBUGS-36297: kubevirt-csi-driver: Pass infra kubeconfig in case of external infra #4288
NO-JIRA: [release-4.14] test/e2e: remove api budget checks #4438
NO-JIRA: chore(deps): update registry.access.redhat.com/ubi9/go-toolset docker tag to v1.21.11-2 (release-4.14) - abandoned #4363
NO-JIRA: Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v1.21.10-1.1719562237 (release-4.14) - abandoned #4326
NO-JIRA: Update registry.access.redhat.com/ubi9-minimal Docker tag to v9.4-1134 (release-4.14) - abandoned #4325
OCPBUGS-36518 : Run haproxy to connect to kas from data plane if noproxy settings contain kas #4315
OCPBUGS-36159 : Generate default worker security group rules based on machineCIDR #4270
OCPBUGS-35549 : Restrict image registry overrides to control plane component #4223
OCPBUGS-35365 : fix router on 4.14 y-stream upgrade #4205
NO-JIRA: chore(deps): update konflux references (release-4.14) #4257
OCPBUGS-35401 : Fix disconnected metadata inspection for nodepool #4208
OCPBUGS-35482 : Add TrustedBundles to OAS container #4216
OCPBUGS-35290 : [release-4.14] Backport etcd defrag #4189
NO-JIRA: chore(deps): update konflux references (release-4.14) #4248
OCPBUGS-35183 : add AWS STS URL to OIDC provider audiences #4179
NO-JIRA: hack: make the e2e script generic #4201
chore(deps): update konflux references to 2be7c9c (release-4.14) #4225
NO-JIRA: Update Konflux references to 1025001 (release-4.14) #4181
NO-JIRA: chore(deps): update konflux references (release-4.14) #4168
OCPBUGS-34856 : [release-4.14] OCPBUGS-34855: Add new permission required in CAPA #4149
NO-JIRA: test/e2e: fix prometheus serviceaccount handling against 4.16+ #4159
NO-JIRA: chore(deps): update rhtap references (release-4.14) #4112
NO-JIRA: chore(deps): update rhtap references to 9aec3ae (release-4.14) #4073
NO-JIRA: Remove CLI inspection of release image #4061
OCPBUGS-33713 : Reconcile over ICSP/IDMS #4059
NO-JIRA: chore(deps): update rhtap references to 7cd8020 (release-4.14) #4065
OCPBUGS-33844 : Fix disconnected metadata inspection #4049
OCPBUGS-33843 : Recycler-pod image now points to the OCP Payload reference #4048
NO-JIRA: chore(deps): update rhtap references (release-4.14) #4040
HOSTEDCP-1480 : Update TLS cert hash creation with sha512 #4025
NO-JIRA: Update RHTAP references (release-4.14) #3995
HOSTEDCP-1552 : Update RHTAP tekton files for 0.3 -> 0.4 migration #3958
OCPBUGS-33105 : [release-4.14] remove PrivateIngressController cleanup #3960
OCPBUGS-32471 : Fix ICSP and IDMS inclusion as registriesOverrides #3912
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3920
OCPBUGS-32221 : Added support for OLM Disable default sources on HC creation #3882
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3903
NO-JIRA: [4.14] [e2e test framework] Add a flag to add an annotation to Hosted Cluster #3905
HOSTEDCP-1526 : [release-4.14] Support additional node selectors for request serving nodes #3898
chore(deps): update rhtap references (release-4.14) #3888
NO-JIRA: Update RHTAP references (release-4.14) #3874
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3869
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3858
NO-JIRA: Update RHTAP references (release-4.14) #3836
OCPBUGS-31657 : disable http2 for ignition server and proxy #3831
OCPBUGS-31605 : inject built-in MCP selector for KubeletConfigs and ContainerRuntimeConfigs #3826
HOSTEDCP-1322 : NodeUpgradeType defaulted by provider #3822
NO-JIRA: Update RHTAP references (release-4.14) #3813
OCPBUGS-31417 : honor HC image configuration #3806
OCPBUGS-23914 : Added OLMCatalogPlacement option to the CLI #3229
OCPBUGS-30211 : set Konnectivity cipher suites #3679
chore(deps): update rhtap references (release-4.14) #3792
OCPBUGS-31048 : [4.15] HCP deletion can get stuck if CPO is unable to delete the default worker security group #3771
HOSTEDCP-1488 : Use regionalized STS endpoints in AWS #3756
NO-JIRA: Update RHTAP references (release-4.14) #3755
chore(deps): update rhtap references (release-4.14) #3739
OCPBUGS-30596 : Bump golang.org/x/net to version v0.17.0 #3711
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3706
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3676
NO-JIRA: Update RHTAP references (release-4.14) #3672
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3651
OCPBUGS-29782 : use 2040 for apiserver svc in IBM provider #3594
”[release-4.14] OCPBUGS-29259: Fix default release image lookup” #3550
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3620
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3625
OCPBUGS-29094 : Make ControllerAvailabilityPolicy immutable #3534
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3604
NO-JIRA: Update RHTAP references (release-4.14) #3591
NO-JIRA: Update RHTAP references (release-4.14) #3519
NO-JIRA: Approvers update #3580
MULTIARCH-4084 : Reduce the policy access scope to specific instance #3530
OCPBUGS-29206 : Add GC knobs for KAS #3543
OCPBUGS-29187 : node spread anti-affinity for HA HCP #3541
OCPBUGS-19956 , OCPBUGS-28984 , OCPBUGS-28985 , OCPBUGS-28986 , OCPBUGS-29000 : Support Disconnected HCP #3520
OCPBUGS-29030 : Add ValidatingAdmissionPolicy to KAS config #3524
HOSTEDCP-1272 : Added CLI support to create DualStack clusters using default values #3514
OCPBUGS-28238 : consider HCP upgradeable if CVO has no upgradable condition #3468
OCPBUGS-26526 : Documented to disable UWM telemetry writer in disconnected envs #3389
OCPBUGS-26526 : Disable UWM Telemetry writer when telemeter-client cm not exists #3388
OCPBUGS-27072 : Apply Scheduling Configuration for kCCM #3418
NO-JIRA: Update RHTAP references (release-4.14) #3509
OCPBUGS-20180 , OCPBUGS-20547 : Added network validations #3096
OCPBUGS-23997 : add watch for HCP pullsecret to HCCO #3265
OCPBUGS-28249 : Required RBAC for network-node-identity is not created when hosted cluster networkType is set to Other. #3485
NO-JIRA: Update RHTAP references (release-4.14) #3447
OCPBUGS-24315 : Add prestop to konnectivity server #3268
OCPBUGS-24307 : Set shutdown-delay-duration to 15s #3264
OCPBUGS-21795 : change trusted bundle volume mount for CPO #3102
OCPBUGS-25217 : Konnectivity agent update strategy #3308
OCPBUGS-26574 : Set new condition on SG deletion. #3398
Update RHTAP references (release-4.14) #3402
Update RHTAP references (release-4.14) #3383
OCPBUGS-22360 : Validate accessTokenInactivityTimeout >= 300s #3175
OCPBUGS-23936 : Use correct kubeconfig in CCM and remove CCMs access t… #3232
OCPBUGS-12720 : Updating hypershift images to be consistent with ART #2467
OCPBUGS-24627 : unset ServiceAccount on ignition-server-proxy #3295
[Release 4.14] OCPBUGS-24556: Fix a bug on deletion of a hostedcluster #3290
OCPBUGS-24269 : add CLI oauthclient #3272
OCPBUGS-23569 : Added IPFamilyPolicy to services exposed at the HCP in DualStack mode #3224
HOSTEDCP-1318 : external OIDC enablement #3261
OCPBUGS-23747 : Added brackets to IPv6 KAS address on kubeconfig #3228
OCPBUGS-24063 : fix(cpo): Set restart annotation on network-node-identity #3248
release-4.14, HOSTEDCP-1315: Improve NodePool CPU arch & platform check #3236
OCPBUGS-22676 : Make the OLMCatalogPlacement field immutable #3143
OCPBUGS-23558 : Let router use svc ips 4.14 #3221
OCPBUGS-19678 : Remove cluster name validation from HCC #3040
”[release-4.14] CNV-35326: unsupported escape hatch mechanism custom HS/KV vms” #3202
OCPBUGS-23027 : Configure HSTS for kube-apiserver #3169
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3085
OCPBUGS-23142 : adding permission to CNO RBAC Calico path for network-node-identity deploy #3182
OCPBUGS-22295 : Added brackets to the kubeconfig server address when IPv6 #3117
Full changelog
“OCPBUGS-29792: [release-4.14] Address CVE-2024-1725: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs” #34
Full changelog
Correct 4.16 owners file (#100) #100
Added METRIC_TEST_IMAGE var (#88) #88
Update the k8s dependencies to 1.27.7 (#82) #82
Full changelog
Bump version to include v5.11.0 of go-git (#822) #822
Fix to ensure operator not found error exits with correct status (#797) #797
OCPBUGS-28871 : Capability to override default channel (#749) (#790) #749
OCPBUGS-19429 : Fix cross EUS channel upgrade path calculation (#769) #769
OCPBUGS-23327 : Fix MirrorToDisk of oci catalogs in hidden folders (#766) #766
skipping prune failure if manifest not found (#735) #735
Full changelog