Download the installer for your operating system or run
oc adm release extract --tools quay.io/openshift-release-dev/ocp-release:4.14.58-x86_64
Upgrades from:
Untested upgrades:
4.13.23 , 
4.13.24 , 
4.13.25 , 
4.13.26 , 
4.13.27 , 
4.13.28 , 
4.13.29 , 
4.13.30 , 
4.13.31 , 
4.13.32 , 
4.13.33 , 
4.13.34 , 
4.13.35 , 
4.13.36 , 
4.13.37 , 
4.13.38 , 
4.13.39 , 
4.13.40 , 
4.13.41 , 
4.13.42 , 
4.13.43 , 
4.13.44 , 
4.13.45 , 
4.13.48 , 
4.13.49 , 
4.13.50 , 
4.13.52 , 
4.13.53 , 
4.13.54 , 
4.13.55 , 
4.13.56 , 
4.13.58 , 
4.14.10 , 
4.14.11 , 
4.14.13 , 
4.14.14 , 
4.14.15 , 
4.14.16 , 
4.14.17 , 
4.14.18 , 
4.14.19 , 
4.14.20 , 
4.14.21 , 
4.14.22 , 
4.14.23 , 
4.14.24 , 
4.14.25 , 
4.14.26 , 
4.14.27 , 
4.14.28 , 
4.14.29 , 
4.14.3 , 
4.14.30 , 
4.14.31 , 
4.14.32 , 
4.14.33 , 
4.14.34 , 
4.14.35 , 
4.14.36 , 
4.14.37 , 
4.14.38 , 
4.14.39 , 
4.14.4 , 
4.14.40 , 
4.14.42 , 
4.14.43 , 
4.14.44 , 
4.14.45 , 
4.14.46 , 
4.14.48 , 
4.14.49 , 
4.14.5 , 
4.14.50 , 
4.14.51 , 
4.14.52 , 
4.14.53 , 
4.14.54 , 
4.14.6 , 
4.14.8 , 
4.14.9
Changes from 4.14.7  
Created: 2025-10-23 18:04:30 +0000 UTC
Image Digest: sha256:3f2d4bc82096d5d4d5655e9182b65cdfcf2f33d0f22d07e2fa21c6b3a6132421
Components 
Rebuilt images without code change 
e2e:performance: decode to valid kubeletconfig object (#1276) #1276  
Fix context deadlines in ExecCommandOnPod() (#1272) #1272  
OCPBUGS-44506 : Drop sched_migration_cost_ns setting (#1215) #1215
OCPBUGS-44283 : right-hand-side profile_dirs take precedence (#1210) #1210
OCPBUGS-42567 : Add cluster-wide proxy env file (#1176) #1176
TuneD prior to kubelet in one-shot mode (#1137) #1137
OCPBUGS-37754 : Remove tuned/rendered object (#1133) #1133
OCPBUGS-37734 : Backport fix for OCPBUGS-36355 (#1126) #1126
OCPBUGS-33929 : Negative net interface name does not reduce queues (#1074) #1074
Add a ‘.snyk’ to silence static code analysis warnings (#1002) #1002
OCPBUGS-30153 : fix rendering extra ctrcfgs (#978) #978
fix extra-reboot on upgrade with paused mcp worker (#1053) #1053
OCPBUGS-31694 : E2E: Workload hints test cases fixes (#1012) (#1052) #1012
Systemd processes not being moved to cpuset/systemd.slice fix (#1040) #1040
Reduce number of reboots in offline tests (#1035) #1035  
OCPBUGS-30507 : Add performance real time tuned template (#984) (#1025) #984
Report duplicate priority only for multiple matching profiles (#1018) #1018
Scheduler plugin: ignore IRQs (#1023) #1023  
irqbalance: set banned cpus list to 0 (#994) #994  
OCPBUGS-18640 : [release-4.14][manual] backport performance profile owner reference enhancements (#989) #989
rps: fail silently when rps application failed (#901) #901
OCPBUGS-25982 : E2E: Add tests for Dynamic ovs pinning (#904) (#913) #904
OCPBUGS-26003 : E2E: PPC Test cases (#905) #905
Make MC names deterministic (#903) #903
OCPBUGS-25671 : rps: fix mask update for SR-IOV devices (#891) #891
OCPBUGS-18640 : Fix Racing Machine Configs and add Day 0 Support (#854) (#871) #854
Full changelog
OCPBUGS-61176 : Add missing service network DNS entries to KAS cert #6742
OCPBUGS-57321 : Add validation to avoid conflicts between KubeAPIServer and NamedCertificates SANs #6231 #6252
OCPBUGS-55936 : [release-4.14] Add konnectivity-proxy sidecar to openshift-oauth… #6129
CNTRLPLANE-921 : Konflux build pipeline service account migration #6080
CNTRLPLANE-921 : Konflux build pipeline service account migration #6085
OCPBUGS-51802 : Fix golang crypto dependency go.mod replacement #5996
OCPBUGS-53899 : bump golang-jwt v4 #5909
OCPBUGS-53433 : Prevent IgnitionServer from flooding the API server with patch requests #5878
OCPBUGS-51731 , OCPBUGS-51802 : Bump dependencies to OCP fork in backports #5899
Red Hat Konflux update control-plane-operator-4-14 #5953
ART-11792 : update go mod dependency for konflux #5921
OCPBUGS-53314 : Fix IsIPv4 function identifying also addresses instead of CIDRs #5867
OCPBUGS-45559 : Add Network Policies for Konnectivity server and Ignition server proxy #5816
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.6.6 #5730
NO-JIRA: chore(deps): update dependency mkdocs-material to v9.6.6 #5725  
chore(deps): update dependency mkdocs-mermaid2-plugin to v0.6.0 #5687  
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.6.5 #5681  
NO-JIRA: chore(deps): update dependency mkdocs-material to v9 #5688  
OCPBUGS-50700 : add region to AWS creds passed to operators managed by CPO #5668
NO-JIRA: Red Hat Konflux update control-plane-operator-4-14 #5339
OCPBUGS-47630 : Separate CPO containerfiles #5619
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.6.4 #5538
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.6.1 #5537  
OCPBUGS-49405 : add ValidIDPConfiguration condition to report IDP config issues #5520
NO-JIRA: chore: update konflux references & bump up go version to 1.20 #5517
NO-JIRA: Update squidfunk/mkdocs-material Docker tag to v9.5.50 (release-4.14) #5444  
NO-JIRA: Update dependency mkdocs-material to v8.5.11 (release-4.14) #5430  
NO-JIRA: [release-4.14] Bump golang.org/x/crypto and golang.org/x/net #5372  
NO-JIRA: Update dependency mkdocs-glightbox to v0.4.0 (release-4.14) #5331  
NO-JIRA: Update dependency mkdocs to v1.6.1 (release-4.14) #5330  
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.49 (release-4.14) - abandoned #5308  
OCPBUGS-44279 : Configure OAuth https proxy to dial cloud endpoints directly #5067
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.45 (release-4.14) #5162
NO-JIRA: chore(deps): update konflux references (release-4.14) #5145  
NO-JIRA: chore(deps): update konflux references (release-4.14) #5121  
NO-JIRA: chore(deps): update registry.access.redhat.com/ubi9-minimal docker tag to v9.5-1731518200 (release-4.14) #5105  
NO-JIRA: Update Konflux references (release-4.14) #5100  
chore(deps): update konflux references (release-4.14) #5076  
NO-JIRA: chore(deps): update konflux references (release-4.14) #5055  
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.44 (release-4.14) #5056  
NO-JIRA: Update Konflux references to fedcfe0 (release-4.14) #5043  
chore(deps): update konflux references (release-4.14) #5026  
chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.43 (release-4.14) #5021  
chore(deps): update konflux references to f53fe54 (release-4.14) #5020  
NO-JIRA: Update Konflux references (release-4.14) #5011  
OCPBUGS-41701 : cmd: report server version, supported OCP #4718
NO-JIRA: chore(deps): update konflux references (release-4.14) #4975
OCPBUGS-43688 : Use guest DNS resolution in Konnectivity HTTPS proxy by default #4964
chore(deps): update konflux references (release-4.14) #4953
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.42 (release-4.14) #4948  
OCPBUGS-43368 : Let payload generation pick the release for the NodePool #4913
NO-JIRA: chore(deps): update konflux references (release-4.14) #4934
NO-JIRA: chore(deps): update konflux references to 66f551f (release-4.14) #4924  
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.41 (release-4.14) #4917  
NO-JIRA: chore(deps): update konflux references to 674e70f (release-4.14) #4910  
NO-JIRA: chore(deps): update konflux references (release-4.14) #4898  
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.40 (release-4.14) #4879  
NO-JIRA: chore(deps): update konflux references to 37b9187 (release-4.14 #4851  
OCPBUGS-42533 : enable audit log for oauth-openshift #4822
chore(deps): update registry.access.redhat.com/ubi9/go-toolset docker tag to v1.21.13 (release-4.14) #4794
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.39 (release-4.14) #4828  
NO-JIRA: chore(deps): update konflux references (release-4.14) #4813  
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.38 (release-4.14) #4805  
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9 (release-4.14) #4788  
chore(deps): update registry.access.redhat.com/ubi9-minimal docker tag to v9.4-1227.1726694542 (release-4.14) #4758  
chore(deps): update squidfunk/mkdocs-material docker tag to v8.5.11 (release-4.14) #4784  
OCPBUGS-41374 : CPO oauth idp converter: resolve names before dialing #4763
NO-JIRA: chore(deps): update konflux references to 5ac9b24 (release-4.14) #4783
chore(deps): update konflux references to 2c3426a (release-4.14) #4773  
NO-JIRA: chore(deps): update konflux references (release-4.14) #4757  
OCPBUGS-42221 : Make guest cluster components use the correct KAS port #4753
OCPBUGS-38060 : Add HTTP konnectivity proxy to OAuth server #4498
OCPBUGS-38066 : [release-4.14] Use HTTP proxy for ingress controller #4724
NO-JIRA: Security fixes for openshift-ci-security job #4752
OCPBUGS-42184 : copy image-registry AdditionalTrustedCA configmap into HC openshift-config #4747
OCPBUGS-41506 : fix: bump google.golang.org/protobuf #4687
HOSTEDCP-1957 : bump go-jose version #4698
OCPBUGS-39378 : Set KCM node monitor grace period #4659
chore(deps): update konflux references (release-4.14) #4683
OCPBUGS-39183 : fix: bump github.com/IBM/go-sdk-core/v5 #4626
NO-JIRA: Add PodDisruptionBudget for router deployment #4692
NO-JIRA: Revert “Merge pull request #4661 from jparrill/bp-4.14/OCPBUGS-24308” #4667  
NO-JIRA: PDB backports #4661  
NO-JIRA: Konflux migration 4.14 #4648  
OCPBUGS-39230 : set proxy envvars on aws CCM #4638
OCPBUGS-38791 : Let the CPO oidc check resolve through data plane #4617
NO-JIRA: Flaky cert validation test #4633
HOSTEDCP-1897 : [release-4.14] Allow setting Kube APIServer maximum requests in flight #4553
OCPBUGS-37076 : Fixed audit-logs sigterm failing to terminate gracefully #4369
OCPBUGS-38624 : remove weak ciphers from security profile #4575
OCPBUGS-37173 : Add newline after TLS certs referenced by image.config #4471
OCPBUGS-37172 : OCPBUGS-35899: Doubled machineHealthCheck timeout on Agent and None #4490
OCPBUGS-36944 : [release-4.14] Add HTTP(s) konnectivity proxy and use it with OpenShift APIServer #4360
HOSTEDCP-1795 , HOSTEDCP-1796 : Customize the self-generated cert validity and rotation #4473
OCPBUGS-37175 : Delete IDMS in dataplane once HCP ICS field is removed #4472
NO-JIRA: Konflux mce-2.4 pipeline fixes #4464
NO-JIRA: [release-4.14] OCPBUGS-36297: kubevirt-csi-driver: Pass infra kubeconfig in case of external infra #4288  
NO-JIRA: [release-4.14] test/e2e: remove api budget checks #4438  
NO-JIRA: chore(deps): update registry.access.redhat.com/ubi9/go-toolset docker tag to v1.21.11-2 (release-4.14) - abandoned #4363  
NO-JIRA: Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v1.21.10-1.1719562237 (release-4.14) - abandoned #4326  
NO-JIRA: Update registry.access.redhat.com/ubi9-minimal Docker tag to v9.4-1134 (release-4.14) - abandoned #4325  
OCPBUGS-36518 : Run haproxy to connect to kas from data plane if noproxy settings contain kas #4315
OCPBUGS-36159 : Generate default worker security group rules based on machineCIDR #4270
OCPBUGS-35549 : Restrict image registry overrides to control plane component #4223
OCPBUGS-35365 : fix router on 4.14 y-stream upgrade #4205
NO-JIRA: chore(deps): update konflux references (release-4.14) #4257
OCPBUGS-35401 : Fix disconnected metadata inspection for nodepool #4208
OCPBUGS-35482 : Add TrustedBundles to OAS container #4216
OCPBUGS-35290 : [release-4.14] Backport etcd defrag #4189
NO-JIRA: chore(deps): update konflux references (release-4.14) #4248
OCPBUGS-35183 : add AWS STS URL to OIDC provider audiences #4179
NO-JIRA: hack: make the e2e script generic #4201
chore(deps): update konflux references to 2be7c9c (release-4.14) #4225  
NO-JIRA: Update Konflux references to 1025001 (release-4.14) #4181  
NO-JIRA: chore(deps): update konflux references (release-4.14) #4168  
OCPBUGS-34856 : [release-4.14] OCPBUGS-34855: Add new permission required in CAPA #4149
NO-JIRA: test/e2e: fix prometheus serviceaccount handling against 4.16+ #4159
NO-JIRA: chore(deps): update rhtap references (release-4.14) #4112  
NO-JIRA: chore(deps): update rhtap references to 9aec3ae (release-4.14) #4073  
NO-JIRA: Remove CLI inspection of release image #4061  
OCPBUGS-33713 : Reconcile over ICSP/IDMS #4059
NO-JIRA: chore(deps): update rhtap references to 7cd8020 (release-4.14) #4065
OCPBUGS-33844 : Fix disconnected metadata inspection #4049
OCPBUGS-33843 : Recycler-pod image now points to the OCP Payload reference #4048
NO-JIRA: chore(deps): update rhtap references (release-4.14) #4040
HOSTEDCP-1480 : Update TLS cert hash creation with sha512 #4025
NO-JIRA: Update RHTAP references (release-4.14) #3995
HOSTEDCP-1552 : Update RHTAP tekton files for 0.3 -> 0.4 migration #3958
OCPBUGS-33105 : [release-4.14] remove PrivateIngressController cleanup #3960
OCPBUGS-32471 : Fix ICSP and IDMS inclusion as registriesOverrides #3912
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3920
OCPBUGS-32221 : Added support for OLM Disable default sources on HC creation #3882
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3903
NO-JIRA: [4.14] [e2e test framework] Add a flag to add an annotation to Hosted Cluster #3905  
HOSTEDCP-1526 : [release-4.14] Support additional node selectors for request serving nodes #3898
chore(deps): update rhtap references (release-4.14) #3888
NO-JIRA: Update RHTAP references (release-4.14) #3874  
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3869  
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3858  
NO-JIRA: Update RHTAP references (release-4.14) #3836  
OCPBUGS-31657 : disable http2 for ignition server and proxy #3831
OCPBUGS-31605 : inject built-in MCP selector for KubeletConfigs and ContainerRuntimeConfigs #3826
HOSTEDCP-1322 : NodeUpgradeType defaulted by provider #3822
NO-JIRA: Update RHTAP references (release-4.14) #3813
OCPBUGS-31417 : honor HC image configuration #3806
OCPBUGS-23914 : Added OLMCatalogPlacement option to the CLI #3229
OCPBUGS-30211 : set Konnectivity cipher suites #3679
chore(deps): update rhtap references (release-4.14) #3792
OCPBUGS-31048 : [4.15] HCP deletion can get stuck if CPO is unable to delete the default worker security group #3771
HOSTEDCP-1488 : Use regionalized STS endpoints in AWS #3756
NO-JIRA: Update RHTAP references (release-4.14) #3755
chore(deps): update rhtap references (release-4.14) #3739  
OCPBUGS-30596 : Bump golang.org/x/net to version v0.17.0 #3711
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3706
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3676  
NO-JIRA: Update RHTAP references (release-4.14) #3672  
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3651  
OCPBUGS-29782 : use 2040 for apiserver svc in IBM provider #3594
“[release-4.14] OCPBUGS-29259: Fix default release image lookup” #3550
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3620  
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3625  
OCPBUGS-29094 : Make ControllerAvailabilityPolicy immutable #3534
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3604
NO-JIRA: Update RHTAP references (release-4.14) #3591  
NO-JIRA: Update RHTAP references (release-4.14) #3519  
NO-JIRA: Approvers update #3580  
MULTIARCH-4084 : Reduce the policy access scope to specific instance #3530
OCPBUGS-29206 : Add GC knobs for KAS #3543
OCPBUGS-29187 : node spread anti-affinity for HA HCP #3541
OCPBUGS-19956 , OCPBUGS-28984 , OCPBUGS-28985 , OCPBUGS-28986 , OCPBUGS-29000 : Support Disconnected HCP #3520
OCPBUGS-29030 : Add ValidatingAdmissionPolicy to KAS config #3524
HOSTEDCP-1272 : Added CLI support to create DualStack clusters using default values #3514
OCPBUGS-28238 : consider HCP upgradeable if CVO has no upgradable condition #3468
OCPBUGS-26526 : Documented to disable UWM telemetry writer in disconnected envs #3389
OCPBUGS-26526 : Disable UWM Telemetry writer when telemeter-client cm not exists #3388
OCPBUGS-27072 : Apply Scheduling Configuration for kCCM #3418
NO-JIRA: Update RHTAP references (release-4.14) #3509
OCPBUGS-20180 , OCPBUGS-20547 : Added network validations #3096
OCPBUGS-23997 : add watch for HCP pullsecret to HCCO #3265
OCPBUGS-28249 : Required RBAC for network-node-identity is not created when hosted cluster networkType is set to Other. #3485
NO-JIRA: Update RHTAP references (release-4.14) #3447
OCPBUGS-24315 : Add prestop to konnectivity server #3268
OCPBUGS-24307 : Set shutdown-delay-duration to 15s #3264
OCPBUGS-21795 : change trusted bundle volume mount for CPO #3102
OCPBUGS-25217 : Konnectivity agent update strategy #3308
OCPBUGS-26574 : Set new condition on SG deletion. #3398
Update RHTAP references (release-4.14) #3402
Update RHTAP references (release-4.14) #3383  
OCPBUGS-22360 : Validate accessTokenInactivityTimeout >= 300s #3175
OCPBUGS-23936 : Use correct kubeconfig in CCM and remove CCMs access t… #3232
OCPBUGS-12720 : Updating hypershift images to be consistent with ART #2467
OCPBUGS-24627 : unset ServiceAccount on ignition-server-proxy #3295
Full changelog
Ignore previous status when disabling alerts (#1059) #1059  
OCPBUGS-45044 : insightsoperator.operator.openshift.io resource is create-only (#1058) #1058
Add haproxy metric (#999) #999
Add missing permission for GatherClusterIngressCertificates (#984) #984  
OCPBUGS-37673 : Ingress controller related certificates’ validate dates gathering (#976) #976
OCPBUGS-36475 : properly encode the URL for the advisor links (#962) #962
OCPBUGS-36380 : Collect aggregated Prometheus Alertmanager instances (#960) #960
OCPBUGS-33193 : anonymization - externalIP can be nil (#931) (#933) #931
OCPBUGS-31975 : bump golang.org/x/net version (#926) #926
OCPBUGS-32343 : fix error message when the data processing was not successful (#833) (#928) #833
Add linting recommendations (#904) #904
gather etcd_server_slow metrics (#902) #902  
Full changelog  
“OCPBUGS-29792: [release-4.14] Address CVE-2024-1725: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs” #34  
Full changelog  
changes the owners file (#1013) #1013  
OCPBUGS-48513 : e2e: use same version of crane as in go.mod (#1023) #1023
Bump version to include v5.11.0 of go-git (#822) #822
Fix to ensure operator not found error exits with correct status (#797) #797  
OCPBUGS-28871 : Capability to override default channel (#749) (#790) #749
OCPBUGS-19429 : Fix cross EUS channel upgrade path calculation (#769) #769
OCPBUGS-23327 : Fix MirrorToDisk of oci catalogs in hidden folders (#766) #766
Full changelog
OCPBUGS-27680,OCPBUGS-27595: UPSTREAM: <carry>: Update go-git to v5.11.0 #73
And 1 elided commits (e.g. from squash or rebase merges) 
Full changelog  