RHBA-2020:0676 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 4.3.5 is now available with
updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.3.5. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHBA-2020:0675

This update fixes the following bugs among others:

• Serverless resources were listed with the API version v1beta1, which is deprecated. Those resources are now listed as v1. (BZ#1800615)
• During k8 deployment, if images from the external image registry had tags, like `openshift/hello-world:1.0`, the tags were not being applied. This resulted in external images with tags not being imported during deployments. This bug fixes the tagging issue and users are now able to import external images with tags for deployments. (BZ#1804077)

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-release-notes.html

You may download the oc tool and use it to inspect release image metadata
as follows:

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.3.5-x86_64

The image digest is sha256:64320fbf95d968fc6b9863581a92d373bc75f563a13ae1c727af37450579f61a

All OpenShift Container Platform 4.3 users are advised to upgrade to these
updated packages and images.

Solution

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

For OpenShift Container Platform 4.3 see the following documentation, which
will be updated shortly for release 4.3.5, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.3/release_notes/ocp-4-3-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.3/updating/updating-cluster-cli.html.

Affected Products

• Red Hat OpenShift Container Platform 4.3 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.3 for RHEL 7 x86_64

Fixes

• BZ - 1711606 - Preemption ExecutionPath e2e test fails
• BZ - 1780378 - Missing openapi CRD definitions for oc explain to work
• BZ - 1780657 - Dashboard screen - The gray background doesn't inherently extend to the bottom of browser. [openshift-4.3]
• BZ - 1782558 - 404 not found when selecting edit action for cluster-scoped operands
• BZ - 1784317 - ImportImageErrorsExist keeps true while no import error in openshift-samples clusteroperator.
• BZ - 1785302 - [4.3] Missing openapi CRD definitions for oc explain to work
• BZ - 1785845 - CI: build error: After retrying 2 times, Pull image still failed due to error: unable to retrieve auth token: invalid username/password
• BZ - 1786272 - Pods number for Daemon Set is 0 on project "Workloads" page
• BZ - 1788179 - [4.3.z] Finish Automate rotation of Service CA
• BZ - 1788246 - 404 Not Found when one opens install plan to approve [openshift-4.3]
• BZ - 1789023 - Convert KubeAPILatencyHigh to use anomaly detection
• BZ - 1789084 - node_exporter does not report virt_platform{type="none"}
• BZ - 1789857 - [oc-cli]oc-config command does not work with `--kubeconfig`
• BZ - 1790525 - OCP 4.3 Copying directory in DockerFile BuildConfig raise from 1 second to 10 minutes.
• BZ - 1791200 - Lack of configured alertmanager routes should be surfaced as an alert
• BZ - 1791278 - Kuryr is forcing DNS over TCP even if octavia supports TCP/UDP listeners on the same port
• BZ - 1791346 - Error occurs while removing the second CD-ROM
• BZ - 1791730 - [4.3] ipv6 backports for origin
• BZ - 1791852 - Update License Year for 2020
• BZ - 1792164 - After OCP upgrade, a pod vethXXX interface was not re-added to the bridge br0
• BZ - 1792334 - oc adm must-gather does not gather endpoint resources
• BZ - 1794024 - [4.3] update deps to get k8s.io/client-go informer fix
• BZ - 1794191 - [Multi Arch] cri-o rejects clone calls on s390x
• BZ - 1794495 - Applying "ctrcfg" causes cri-o to fail to start on node reboot
• BZ - 1796461 - [Events page] "Custom Resource" events only show up in "All Resources" type view [openshift-4.3]
• BZ - 1796584 - Image Registry Needs Support for AWS Bahrain Region me-south-1
• BZ - 1796618 - Allow IPv6 CIDRs to be used in install-config
• BZ - 1796913 - operator-lifecycle-manager-packageserver fails to update with OwnerConflict and RequirementsUnknown events
• BZ - 1797026 - [CLI] oc adm catalog build neither support "-a, --registry-config=" flag, nor uses podman registry credentials file
• BZ - 1797655 - In IPv6 bare metal deployment kubelet binds on a VIP instead of the local address
• BZ - 1798170 - baremetal: Remove .template from path in dhcp-dhclient-conf.yaml
• BZ - 1798195 - Login to grafana fails on IPv6 environments
• BZ - 1798344 - [sriov] [backport-4.3]SR-IOV VFs are recreated when sriov-network-config-daemon pod restarts on host for MTU do not be set
• BZ - 1798573 - Imagestreams cannot be imported on an IPv6 AWS cluster because registry.redhat.io is not IPv6 enabled
• BZ - 1798639 - baremetal: IPv6 add dhcp-duid to NetworkManager config
• BZ - 1798805 - bootkube fails on bare metal deployment with IPv6 control plane becase it cannot resolve etcd* records
• BZ - 1798869 - [OSP13withKuryr]Cannot pull image from image registry for no image registry internal address in /etc/hosts
• BZ - 1799393 - LB in error status continuosly created without deleting previous ones
• BZ - 1799401 - Failure updating security group rules from network policy
• BZ - 1800320 - Adding a default pull secret using the UI doesn't link it with the "default" service account [openshift-4.3]
• BZ - 1800331 - cannot impersonate the user group on console [openshift-4.3.z]
• BZ - 1800338 - need to backport changes for adding LB for IBMCloud
• BZ - 1800615 - Serverless resources are listed as v1beta1, instead of v1
• BZ - 1801343 - Host parsing from resolv.conf doesn't handle IPv6 with %zone info
• BZ - 1801638 - On a DHCP6 lease renew, the node gets in NotReady state
• BZ - 1801660 - Some schema data is missing on explore page
• BZ - 1802934 - Cluster-logging-operator couldn't upgrade from 4.3.1 to 4.3.2 due to `olm.skipRange: ‘>=4.2.0 <4.3.0’` in the csv file.
• BZ - 1803145 - fix olm.skip range in elasticsearch-operator for art
• BZ - 1803187 - [IPI baremetal]: map "default" string in hardware profile to baremetal-operator default
• BZ - 1803215 - Local persistent storage operator is unexpectedly removing storageclass annotations
• BZ - 1803265 - local-storage-operator does not update daemonset when new node is added to the selector
• BZ - 1803742 - Improve NodeControllerDegraded condition messages
• BZ - 1803805 - Timeouts are too short for openshift-baremetal-installer and not adjustable.
• BZ - 1803935 - Installed Operators list page show an empty status when status.phase is Installing
• BZ - 1803955 - "Environment" is spelled incorrectly in the "Add Secret to Workload" modal
• BZ - 1804077 - Using Docker images for Applications not possible in Openshift 4.3.0
• BZ - 1804169 - the minKubeVersion should be v1.16.0
• BZ - 1804278 - Workers node deployment on bare metal with IPv6 control plane is blocked because worker nodes CSRs are not automatically approved
• BZ - 1804463 - oc image mirror doesn't mirror manifestlist for single image manifestlists
• BZ - 1805175 - NFD operator not building on golang-1.12
• BZ - 1805410 - ose-operator-registry:v4.3.1-202002032140 unavailable as the base image
• BZ - 1805444 - [4.3] Multus should not cause machine to go not ready when a default SDN is updated
• BZ - 1805726 - [4.3] machineNetwork in noProxy list is flushed by Network-Operator
• BZ - 1805865 - Ensure kube-apiserver advertises the correct IP on bare metal clusters
• BZ - 1806009 - [4.3] update cluster-network-operator for latest ovn-kubernetes
• BZ - 1806020 - [baremetal] NetworkManager does not always set hostname
• BZ - 1806376 - [feature][backport-4.3] support SR-IOV NIC partitioning in SR-IOV Operator
• BZ - 1806634 - kube-apiserver should never use the bootstrap etcd member
• BZ - 1806667 - [4.3] merge latest code to all branches of ovn-kubernetes
• BZ - 1806706 - Can't display images in own namespace
• BZ - 1808004 - On Baremetal platform CRI-O often binds its streaming port on unsuitable addresses
• BZ - 1808284 - [sriov] [backport 4.3]The exist net-attach-def disappeared when created multi sriovnetwork with same netnamespace
• BZ - 1808431 - [4.3] No global tolerations for NodeCA DaemonSet
• BZ - 1809296 - operator panic during gcp install
• BZ - 1809924 - Can't access jenkins webconsole with 403 Forbidden

CVEs

• CVE-2020-1712

References

(none)