RHBA-2019:1866 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 4.1.8 is now available with
updates to packages and images that fix several bugs and add enhancements.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.1.8. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2019:1865

This update fixes the following bugs:

• The Marketplace Operator did not properly define related resources. The must-gather tool requires a `RelatedObjects` field in the `ClusterOperator` CR to be populated with `ObjectReferences` of the resources associated with the operator. As a result, the must-gather tool was not able to gather enough information about the Marketplace Operator. Now, the `RelatedObjects` field is populated with the Operator's namespace and the `OperatorSource/CatalogSourceConfig/Catalogsource` resources. The must-gather tool is now able to gather adequate information about the Marketplace Operator. (BZ#1717509)
• The `openshift.io/image-signature-import` controller was previously limited to importing three signatures. This limit has been increased and signatures are imported correctly. (BZ#1722569)
• In AWS environments, the order of the list of internal IP addresses was not preserved when a secondary IP address was added. As a result, the node would not be able to communicate to the API server. Now, the merge algorithm for IP addresses has been corrected to not re-order the IP addresses and adding a secondary IP address does not interfere with node communication. (BZ#1729276)
• Prometheus metrics for ElasticSearch were unavailable after an update to the Prometheus plugin was performed. As a result, users were denied access to metrics. SAR configuration has now been added to the authentication change, and now the multi-tenant plugin executes SAR and allows access to the ElasticSearch metrics. (BZ#1731006)

This update includes the following enhancements:

• A resource request was added to the node-ca pod. The pod now requires minimal guarantees about the amount of CPU and memory it will receive. (BZ#1721685)

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-rel ease-notes.html

You may download the oc tool and use it to inspect release image metadata
as follows:

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.1.8

The image digest is sha256:3ea2648231035c1a65e8d91fa818bb225a2815bc0d6abfc35063a11eaba8659f

All OpenShift Container Platform 4.1 users are advised to upgrade to these
updated packages and images.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For OpenShift Container Platform 4.1 see the following documentation, which
will be updated shortly for release 4.1.8, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

Affected Products

• Red Hat OpenShift Container Platform 4.1 for RHEL 7 x86_64

Fixes

• BZ - 1677398 - Grafana dashboard unreachable
• BZ - 1717509 - Marketplace operator does not properly define related resources
• BZ - 1719454 - must-gather does not collect all non-core CRs in the given namespace
• BZ - 1721685 - node-ca pod is missing resource requests
• BZ - 1722569 - [4.1] Increase the limit on the number of signatures in openshift.io/image-signature-import controller
• BZ - 1726828 - Update tox test environment vars
• BZ - 1729100 - [backport 4.1.z] relatedObjects in clusteroperator authentication references non-existent authentication-operator namespace
• BZ - 1729243 - machine-controller does not wait for nodes to drain
• BZ - 1729276 - Using AWS when a secondary IP address is added the order of the list of InternalIPs is not preserved.
• BZ - 1730407 - [4.1] Write tests for TLS Keys in Registry Routes
• BZ - 1731006 - Prometheus metrics for ES are unavailable after plugin update to 5.6.13.6
• BZ - 1731068 - Update the OWNER file on the 4.1 branch to allow Vibhav and Akram to be approvers
• BZ - 1732199 - Placeholder bug for OCP 4.1.0 image release

CVEs

• CVE-2018-12116
• CVE-2018-12121
• CVE-2018-12122
• CVE-2018-12123
• CVE-2018-20834
• CVE-2019-2745
• CVE-2019-2762
• CVE-2019-2769
• CVE-2019-2786
• CVE-2019-2816
• CVE-2019-2818
• CVE-2019-2821
• CVE-2019-2842
• CVE-2019-5737
• CVE-2019-12384

References

(none)