RHBA-2020:2445 - Bug Fix Advisory

Topic

Red Hat OpenShift Container Platform release 4.4.8 is now available with
updates to packages and images that fix several bugs.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.4.8. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHBA-2020:2444

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html

You may download the oc tool and use it to inspect release image metadata
as follows:

$ oc adm release info quay.io/openshift-release-dev/ocp-release:4.4.8-x86_64

The image digest is sha256:26760772b0128f11b3c3c13eeebf1238cf9b86ea5377808febdd14d4d00a2c31

All OpenShift Container Platform 4.4 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.4/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor.

Solution

For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.8, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster-cli.html.

Affected Products

• Red Hat OpenShift Container Platform 4.4 for RHEL 8 x86_64
• Red Hat OpenShift Container Platform 4.4 for RHEL 7 x86_64

Fixes

• BZ - 1806780 - Cannot mirror a local release to a remote registry
• BZ - 1808338 - [DR]backup failure: cp: cannot stat '/etc/kubernetes/manifests/etcd-member.yaml': No such file or directory
• BZ - 1810364 - Monitoring Dashboards: JS warning when rendering empty table cells
• BZ - 1814099 - [scale] enable monitor-all to reduce load on southbound database
• BZ - 1814393 - [4.4] Pods stuck in terminating after e2e run
• BZ - 1820274 - Conformance: "should set Forwarded headers appropriately" router test fails on OVN
• BZ - 1821638 - [oVirt] Add OS type to ovirt template
• BZ - 1823608 - cluster etcd operator status reporting needs to be more human readable
• BZ - 1823622 - [4.4] - Authentication operator is spamming message change events
• BZ - 1824092 - [Feature:Machines][Serial] Managed cluster should [Top Level] [Feature:Machines][Serial] Managed cluster should grow and decrease when scaling different machineSets simultaneously [Suite:openshift/conformance/serial] : e2e-azure-serial-4.4
• BZ - 1824935 - Console operator inverts logic for picking up the default-ingress-cert
• BZ - 1825313 - [4.4] Possible error loss in GCS driver
• BZ - 1825975 - DeploymentConfigs absent in the inventory section of Dashboard
• BZ - 1826069 - Rate limiting on Azure
• BZ - 1826503 - Visual tweaks to console embedded OperatorHub
• BZ - 1826922 - Openshift 4.4 Baremetal IPI install fails using external DHCP server on provisioning network
• BZ - 1827197 - Pod log pages do not have a query parameter for selected container
• BZ - 1827539 - Port 22623 will negotiate down to TLS1.1 on master and bootstrap nodes.
• BZ - 1827746 - Subscription list page uses the default list page instead of a custom list page
• BZ - 1828253 - Add workload badge/name to monitoring dashboard when navigating to it from the Side Panel monitoring tab
• BZ - 1829063 - SecurityContextConstraints doesn't appear in search page resource dropdown
• BZ - 1829938 - [IPI baremetal]: machine api tries to fallback incorrectly to config map for dhcp_range
• BZ - 1831008 - Manual procedure "Recovering from expired control plane certificates" results in "Unable to connect to the server: x509: certificate signed by unknown authority"
• BZ - 1831019 - cluster-svcat-apiserver-operator Upgradeable should point to OpenShift documentation
• BZ - 1831027 - cluster-svcat-controller-manager-operator Upgradeable should point to OpenShift documentation
• BZ - 1832140 - [4.4] image registry operator keeps creating new storage accounts on Azure
• BZ - 1832762 - OpenShift API Server must use an image with golang 1.13 for local development
• BZ - 1833288 - Kibana OAuth HTTP 500 error - x509: certificate signed by unknown authority
• BZ - 1833359 - 4.4 CSRs are not approved on private AWS cluster deployment
• BZ - 1834194 - upgrade from 4.1 -> 4.2 -> 4.3 -> 4.4 upgrade failed at waitForControllerConfigToBeCompleted
• BZ - 1835739 - Support 'oc adm node drain' without --ignore-daemonsets=true --delete-local-data=true flags
• BZ - 1835995 - s390x/ppc64le: Failed to upgrade Cluster from 4.2.29 to 4.3.18: unable to sync: open /opt/openshift/operator/ocp-s390x: no such file or directory
• BZ - 1836270 - [BM IPI] etcd containers not started on master after restoring to previous state
• BZ - 1836905 - failed: couldn't find queue operatorname for event: {update }
• BZ - 1836982 - AWS: installer is leaving unused network ranges when it shouldn't
• BZ - 1837630 - cluster-etcd-operator: TLS certs should be signed for 3 years not 10
• BZ - 1837675 - "oc adm release mirror" should create the configmap yaml for image signatures for use by restricted-network clusters
• BZ - 1838781 - EtcdMembersDegraded false alarms
• BZ - 1838810 - the read-only CR cannot be reconciled after removing the root cloud creds
• BZ - 1838815 - Accessing Yaml tab throws error on Safari browser
• BZ - 1838885 - GCP: the resources are created with identifier prefix that removes almost all context of cluster name
• BZ - 1839107 - openshift-sdn node can permanently NetNamespaces when LIST times out
• BZ - 1839894 - Docs: Add chmod/perm information for CA cert
• BZ - 1840215 - [4.4] openshift-sdn does not update egress IPs on the node due to deadlock
• BZ - 1840445 - Console crashed on "CouchbaseCluster" details view - TypeError: (n || []).map is not a function
• BZ - 1840458 - Applying "ctrcfg" causes cri-o to fail to upgrade a cluster
• BZ - 1840639 - [sriov][4.4.z] sriov config daemon pod restarted due to panic
• BZ - 1840647 - Package server stays in state "catalog source was removed" and cannot be updated
• BZ - 1840857 - openshift-apiserver doesn't live reload extension-apiserver-authentication trust
• BZ - 1840887 - OCS 4.3 Installation fails when using OCS 4.4-rc2 registry bundle
• BZ - 1840954 - Clicking on task gives white window
• BZ - 1841042 - [sriov] SriovNetworkNodePolicy change cause api-access timeout: client timeout Client.Timeout exceeded while awaiting headers
• BZ - 1841063 - Long waiting timeouts while applying a policy
• BZ - 1841185 - [sig-devex][Feature:ImageEcosystem][python][Slow] hot deploy for openshift python image Django example should work with hot deploy [Suite:openshift] fails
• BZ - 1841493 - [Kuryr] LB sgs are left behind upon LB deletion
• BZ - 1841507 - [4.4.z]Authentication Opertator Degraded in multitenant mode (IngressStateEndpoints_UnhealthyAddresses)
• BZ - 1841930 - libvirt: add yq to the libvirt ci image
• BZ - 1842378 - [Kuryr][UPI on OSP] security group failed to deleted due to same name conflict
• BZ - 1842442 - openshift authentication operator is in a crashbackoffloop
• BZ - 1842517 - Release image builds of elasticsearch are broken
• BZ - 1842560 - Improve APIServerError condition name many degraded clusters report
• BZ - 1843732 - [RHOCP4.4] Unable to upgrade OCP4.3.19 to OCP4.4 in disconnected env: CVO enters reconciling mode without applying any manifests in update mode
• BZ - 1843943 - openshift-kube-proxy pods are crashing when upgrading from 4.3.8 to 4.3.10

CVEs

• CVE-2020-8616
• CVE-2020-8617
• CVE-2020-10722
• CVE-2020-10723
• CVE-2020-10724
• CVE-2020-10749
• CVE-2020-11008
• CVE-2020-11619
• CVE-2020-11620

References

(none)