Release Notes

This page lists notable changes in OpenShift releases which we find important. Reading release notes for you as a service.

OpenShift 4.17

OpenShift version 4.17 is available since 2024-10-01. This version is based on Kubernetes 1.30 and CRI-O 1.30. The RHCOS image still uses RHEL 9.4 packages. Find the release notes in the upstream documentation at OpenShift Container Platform 4.17 release notes. The Red Hat OpenShift 4.17: What you need to know blog post is also a valuable resource.

Node disruption policies

The node disruption policies feature has been promoted to GA. A node disruption policy allows you to define the configuration changes that cause a disruption to your cluster, and which changes don’t. This allows you to reduce node downtime when making small machine configuration changes in your cluster.

See Machine Configuration Documentation
OpenShift SDN network plugin removed

The OpenShift SDN network plugin has been removed from the OpenShift Container Platform.

VSHN Managed OpenShift 4 clusters are installed with Cilium, a fully certified and supported 3rd party CNI plugin for OpenShift 4. Therefore VSHN Managed OpenShift clusters aren’t affected by this block.
Validating Admission Policies

Validating Admission Policies are now available in OpenShift 4.17. These policies allow you to validate the incoming requests to the API server.

See Kubernetes Documentation

OpenShift 4.16

OpenShift version 4.16 is available since 2024-06-27. This version is based on Kubernetes 1.29 and CRI-O 1.29. The RHCOS image uses RHEL 9.4 packages. Find the release notes in the upstream documentation at OpenShift Container Platform 4.16 release notes. The Red Hat OpenShift 4.16: What you need to know blog post is also a valuable resource.

OpenShift SDN network plugin blocks future minor upgrades

Clusters which use OpenShift SDN as the network plugin can’t be upgraded past OpenShift 4.16.

VSHN Managed OpenShift 4 clusters are installed with Cilium, a fully certified and supported 3rd party CNI plugin for OpenShift 4. Therefore VSHN Managed OpenShift clusters aren’t affected by this block.
Proxy service for monitoring components changed

This release changes the proxy service for monitoring components from OpenShift OAuth to kube-rbac-proxy.

You may need to grant additional roles or cluster roles for service accounts or users that are accessing monitoring component APIs.
Update to HAProxy 2.8

This OpenShift release uses HProxy 2.8. Starting from this release, the OpenShift ingress HAProxy is configured to disallow SHA-1 certificates.

Both existing and new routes that use SHA-1 certificates will be rejected by and won’t work in OpenShift 4.16.
Legacy service account API token secrets are no longer generated

In previous OpenShift releases, a legacy API token secret was created for each service account to enable access to the integrated OpenShift image registry. Starting with this release, these legacy API token secrets aren’t generated anymore. Instead, each service account’s image pull secret for the integrated image registry uses a bound service account token which is automatically refreshed before it expires.

If you’re using a service account token to access the OpenShift image registry from outside the cluster, you should create a long-lived token for the service account. See the Kubernetes documentation for details.
Linux control groups version 1 (cgroupv1) deprecated

In RHEL 9 and RHCOS 9, the default mode is cgroupv2. In RHEL 10 and RHCOS 10, booting into cgroupv1 won’t be supported anymore. Therefore, cgroupv1 is deprecated in OpenShift 4.16 and later. cgroupv1 will be removed in a future OpenShift Container Platform release.

If you’re running Java applications on VSHN Managed OpenShift, please update to a Java runtime that supports cgroupv2 as soon as possible.
Warning for iptables usage

OpenShift will create event messages for pods still using iptables rules, since iptables support will be removed in RHEL 10 and RHCOS 10. If your software still uses iptables, please make sure to update your software to use nftables or eBPF.

If you are seeing these events for third-party software that isn’t managed by VSHN, please check with your vendor to ensure they will have an nftables or eBPF version available soon.
RWOP with SELinux context mount is generally available

OpenShift 4.16 makes the ReadWriteOncePod access mode for PVs and PVCs generally available. In contrast to RWO where a PVC can be used by many pods on a single node, RWOP PVCs can only be used by a single pod on a single node. For CSI drivers which support RWOP, the SELinux context mount from the pod or container is used to mount the volume directly with the correct SELinux labels. This eliminates the need to recursively relabel the volume and can make pod startup significantly faster.

VSHN Managed OpenShift doesn’t yet support RWOP on all infrastructure providers.
Beta APIs removed from Kubernetes 1.29

Kubernetes removed the following deprecated APIs:

  • FlowSchema API version flowcontrol.apiserver.k8s.io/v1beta2. Migrate to flowcontrol.apiserver.k8s.io/v1

  • PriorityLevelConfiguration API version flowcontrol.apiserver.k8s.io/v1beta2. Migrate to flowcontrol.apiserver.k8s.io/v1.

Monitoring stack replaces prometheus-adapter with metrics-server

This release removes prometheus-adapter and introduces metrics-server to provide the metrics.k8s.io API. This should reduce load on the cluster monitoring Prometheus stack.