Release Notes
This page lists notable changes in OpenShift releases which we find important. Reading release notes for you as a service.
OpenShift 4.20
OpenShift version 4.20 has been available since 2025-11-11. This version is based on Kubernetes 1.33 and CRI-O 1.33. The RHCOS image still uses RHEL 9.6 packages. Find the release notes in the upstream documentation at "OpenShift Container Platform 4.20 release notes". The "Red Hat unveils OpenShift 4.20" blog post is also a valuable resource.
- Custom Identity Providers are becoming Generally Available
OpenShift 4.20 now enables direct integration with external OIDC identity providers for issuing auth tokens. This gives more control over the authentication system to the cluster administrators and can simplify user management.
For more information, see the official documentation.
- External Secrets Operator becomes Generally Available
The External Secrets Operator is a cluster service that provides lifecycle management for secrets fetched from external secret management systems (such as AWS Secrets Manager, HashiCorp Vault, and Azure Key Vault). The operator provisions, fetches and refreshes the secret within the cluster, ensuring a secure and efficient secrets flow without direct application involvement.
For more information, see the official documentation.
- OpenShift AI gains new capabilities
OpenShift Container Platform 4.20 brings several new capabilities to OpenShift AI that improve the scalability of AI workflows, such as simplified deployments of distributed AI workloads (leveraging the LeaderWorkerSet resource), and improved load balancing for distributed inference with llm-d (leveraging the Kubernetes Gateway API Inference Extensions).
For more information, see the official documentation.
- Multiple network interface controllers on vSphere clusters becomes Generally Available
For clusters on VMware vSphere, it has been possible since OpenShift 4.18 to set up the cluster with multiple network interface controllers for one node. This feature is now becoming Generally Available.
For more information, see the official documentation.
- Linux User Namespace Support becomes Generally Available
Support for deploying pods into Linux user namespaces is now generally available and enabled by default. This feature improves isolation, reducing the risk that one compromised container poses to other pods and to the node itself.
This change includes two new security context constraints, `restricted-v3` and `nested-container`, which are designed for use with user namespaces.
For further information, see the official documentation.
- Docker v2 registries become Deprecated
Support for Docker v2 registries will be removed in a future release. At that point, all mirroring operations will require a registry that supports the OCI specification.
- Red Hat Marketplace becomes Deprecated
The Red Hat Marketplace index for OLM-based cluster operators is being sunset. Customers using software from the Marketplace should reach out to the software vendor to find out how to migrate away from the Marketplace Operator.
For further information, including a list of affected operators, see Sunset of the Red Hat Marketplace.
- Removal of deprecated APIs in Kubernetes 1.33
The following APIs are no longer available in Kubernetes 1.32 and need to be migrated:
  - `MutatingWebhookConfiguration` needs to be migrated from `admissionregistration.k8s.io/v1beta1` to `admissionregistration.k8s.io/v1`.
  - `ValidatingAdmissionPolicy` needs to be migrated from `admissionregistration.k8s.io/v1beta1` to `admissionregistration.k8s.io/v1`.
  - `ValidatingAdmissionPolicyBinding` needs to be migrated from `admissionregistration.k8s.io/v1beta1` to `admissionregistration.k8s.io/v1`.
  - `ValidatingWebhookConfiguration` needs to be migrated from `admissionregistration.k8s.io/v1beta1` to `admissionregistration.k8s.io/v1`.
For more information, see APIs removed from Kubernetes 1.33.
OpenShift 4.19
OpenShift version 4.19 has been available since 2025-06-17. This version is based on Kubernetes 1.32 and CRI-O 1.32. The RHCOS image uses RHEL 9.6 packages. Find the release notes in the upstream documentation at "OpenShift Container Platform 4.19 release notes". The "Red Hat unveils OpenShift 4.19" blog post is also a valuable resource.
- Routes with externally managed certificates are becoming Generally Available
With this release, OpenShift Container Platform routes can be configured with third-party certificate management solutions, utilizing the `.spec.tls.externalCertificate` field in the route API. In this way, an externally managed TLS certificate can be referenced through secrets.
For more information, see Creating a route with externally managed certificate.
- Gateway API support for configuring cluster ingress traffic is becoming Generally Available
With this release, ingress cluster traffic can be managed using Gateway API resources. Gateway API provides a robust networking solution within the transport layer, L4, and the application layer, L7, for OpenShift Container Platform clusters using a standardized open source ecosystem.
For further information, see Gateway API with OpenShift Container Platform networking.
- The Control Plane now supports TLS 1.3 and the Modern TLS security profile
For further information, see Configuring the TLS security profile for the control plane.
- Customization options for control plane machine names
This release enables specifying a prefix for machine names in the control plane machine set by setting `spec.machineNamePrefix` in the `ControlPlaneMachineSet` resource.
For further information, see Adding a custom prefix to control plane machine names.
- New CLI command to show PVC usage
With 4.19, the `oc` CLI supports a new admin command to see PVC usage: `oc adm top pvc`
- Major version upgrade for Prometheus
In this release, Prometheus is upgraded from v2 to v3. This incurs some breaking changes that may affect user-managed configuration.
  - The `le` and `quantile` labels for classic histograms and summaries are now normalized during ingestion. For instance, `le="10"` is ingested as `le="10.0"`. As a result, queries that reference these labels as integers may no longer work as intended.
  - Configurations that send alerts to additional Alertmanager instances through `additionalAlertmanagerConfigs` using the Alertmanager v1 API are no longer supported.
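One way to find user-managed rule expressions affected by the `le`/`quantile` normalization described above is sketched below. This is an added example, not part of the release notes or of Prometheus; the rule names and expressions are constructed, and the choice to rewrite only integers of up to six digits (reporting longer ones) and to leave regex matchers untouched is an assumption of the example.

```python
import re

# Equality and inequality matchers on le/quantile with a quoted value.
# Regex matchers (=~, !~) never match this pattern and are left untouched.
MATCHER = re.compile(r'\b(le|quantile)\s*(!=|=)\s*"([^"]*)"')
INTEGER = re.compile(r'0|[1-9]\d*')
MAX_DIGITS = 6  # assumption of this example: longer values are reported, not rewritten

def rewrite_expr(expr):
    """Return (rewritten expression, findings); a finding is (label, old, new or None)."""
    findings = []

    def fix(match):
        label, _op, value = match.groups()
        if not INTEGER.fullmatch(value):
            return match.group(0)              # already a float, +Inf, and so on
        if len(value) > MAX_DIGITS:
            findings.append((label, value, None))
            return match.group(0)              # report only, review manually
        new_value = value + ".0"               # form shown on the page: "10" -> "10.0"
        findings.append((label, value, new_value))
        prefix = match.group(0)[: match.start(3) - match.start()]
        return f'{prefix}{new_value}"'

    return MATCHER.sub(fix, expr), findings

def audit(rules):
    """Map rule name -> (rewritten expression, findings) for rules that need attention."""
    report = {}
    for name, expr in rules.items():
        new_expr, findings = rewrite_expr(expr)
        if findings:
            report[name] = (new_expr, findings)
    return report

# Constructed sample rules (not taken from any real cluster).
SAMPLE_RULES = {
    "SlowRequestShare": 'sum(rate(http_request_duration_seconds_bucket{le="10"}[5m])) < 0.95',
    "RpcMaxHigh": 'rpc_duration_seconds{quantile="1"} > 0.5',
    "P99Latency": 'histogram_quantile(0.99, sum by (le) (rate(http_request_duration_seconds_bucket[5m]))) > 2',
    "RegexBuckets": 'sum(rate(http_request_duration_seconds_bucket{le=~"5|10"}[5m]))',
    "HugeBucket": 'payload_bytes_bucket{le="2500000"} > 0',
}

if __name__ == "__main__":
    for name, (expr, findings) in audit(SAMPLE_RULES).items():
        print(name, findings, expr, sep="\n  ")
```
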
- cgroup v1 is removed
With 4.19, support for the deprecated cgroup v1 mode is dropped entirely.
- Removal of deprecated APIs in Kubernetes 1.32
The following APIs are no longer available in Kubernetes 1.32 and need to be migrated:
  - `FlowSchema` needs to be migrated from `flowcontrol.apiserver.k8s.io/v1beta3` to `flowcontrol.apiserver.k8s.io/v1`.
  - `PriorityLevelConfiguration` needs to be migrated from `flowcontrol.apiserver.k8s.io/v1beta3` to `flowcontrol.apiserver.k8s.io/v1`. This migration includes one notable change in the `spec.limited.nominalConcurrencyShares` field, which now only defaults to `30` when unspecified; an explicit value of `0` is left unchanged.
For more information, see APIs removed from Kubernetes 1.32.
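The `flowcontrol.apiserver.k8s.io` migration above, including the `nominalConcurrencyShares` edge case, can be checked before applying manifests to a 4.19 cluster. The following is an added example, not code from OpenShift or Kubernetes; it works on already parsed manifests (for instance loaded from JSON), and the object names in the sample data are constructed.

```python
import copy

OLD_API = "flowcontrol.apiserver.k8s.io/v1beta3"
NEW_API = "flowcontrol.apiserver.k8s.io/v1"
KINDS = {"FlowSchema", "PriorityLevelConfiguration"}
DEFAULT_SHARES = 30  # applied under v1 only when the field is unspecified

def effective_shares_v1(manifest):
    """Shares a PriorityLevelConfiguration gets under v1, or None without spec.limited."""
    limited = manifest.get("spec", {}).get("limited")
    if not isinstance(limited, dict):
        return None
    shares = limited.get("nominalConcurrencyShares")
    return DEFAULT_SHARES if shares is None else shares

def migrate(manifest):
    """Return (manifest on the v1 API, notes); other objects pass through unchanged."""
    if manifest.get("apiVersion") != OLD_API or manifest.get("kind") not in KINDS:
        return manifest, []
    migrated = copy.deepcopy(manifest)          # never mutate the caller's object
    migrated["apiVersion"] = NEW_API
    ident = f'{migrated["kind"]}/{migrated.get("metadata", {}).get("name", "?")}'
    notes = [f"{ident}: {OLD_API} -> {NEW_API}"]
    if migrated["kind"] == "PriorityLevelConfiguration":
        shares = effective_shares_v1(migrated)
        explicit = "nominalConcurrencyShares" in (migrated["spec"].get("limited") or {})
        if shares == 0:
            notes.append(f"{ident}: explicit 0 stays 0 under v1, it is not defaulted "
                         f"to {DEFAULT_SHARES}; confirm this is intended")
        elif shares is not None and not explicit:
            notes.append(f"{ident}: field unspecified, v1 defaults it to {DEFAULT_SHARES}")
    return migrated, notes

# Constructed sample manifests (names are made up for this example).
SAMPLES = [
    {"apiVersion": OLD_API, "kind": "PriorityLevelConfiguration",
     "metadata": {"name": "batch-zero"},
     "spec": {"type": "Limited", "limited": {"nominalConcurrencyShares": 0}}},
    {"apiVersion": OLD_API, "kind": "PriorityLevelConfiguration",
     "metadata": {"name": "batch-default"}, "spec": {"type": "Limited", "limited": {}}},
    {"apiVersion": OLD_API, "kind": "FlowSchema", "metadata": {"name": "batch-jobs"},
     "spec": {"priorityLevelConfiguration": {"name": "batch-zero"}}},
    {"apiVersion": NEW_API, "kind": "FlowSchema", "metadata": {"name": "already-v1"},
     "spec": {"priorityLevelConfiguration": {"name": "batch-default"}}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for note in migrate(sample)[1]:
            print(note)
```
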