-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.9.0 bug fix and security update
Advisory ID:       RHSA-2021:3759-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3759
Issue date:        2021-10-18
CVE Names:         CVE-2021-3121 CVE-2021-26539 CVE-2021-26540 
                   CVE-2021-28092 CVE-2021-28169 CVE-2021-29059 
                   CVE-2021-31525 CVE-2021-32690 CVE-2021-33194 
                   CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 
                   CVE-2021-33198 CVE-2021-34428 CVE-2021-34558 
                   CVE-2021-36980 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.9.0 is now available with
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.9.0. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2021:3758

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

* sanitize-html: improper handling of internationalized domain name (IDN)
can lead to bypass hostname whitelist validation (CVE-2021-26539)

* sanitize-html: improper validation of hostnames set by the
"allowedIframeHostnames" option can lead to bypass hostname whitelist for
iframe element (CVE-2021-26540)

* nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092)

* nodejs-is-svg: Regular expression denial of service if the application is
provided and checks a crafted invalid SVG string (CVE-2021-29059)

* golang: net/https: panic in ReadRequest and ReadResponse when reading a
very large header (CVE-2021-31525)

* helm: information disclosure vulnerability (CVE-2021-32690)

* golang: x/net/html: infinite loop in ParseFragment (CVE-2021-33194)

* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)

* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)

* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)

* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

This update also fixes several bugs and adds various enhancements.
Documentation for these changes is available from the Release Notes
document linked to in the References section.

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-x86_64

The image digest is
sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61

(For s390x architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-s390x

The image digest is
sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61

(For ppc64le architecture)

  $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.9.0-ppc64le

The image digest is
sha256:d262a12de33125907e0b75a5ea34301dd27c4a6bde8295f6b922411f07623e61

All OpenShift Container Platform 4.9 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1786835 - oc is crashing while mirroring registry
1856355 - Scrolling of pf4 tables is far less performant than the previous version
1862429 - LocalVolumeSet object can be deleted with in-use PVs. May result in data leak
1868221 - Missing /etc/mtab symlink in CRI-O containers
1882490 - Azure installer misses hyphen in master NIC names
1883378 - Openapi spec is missing for prometheus-adapter aggregated api-resources
1890676 - Cypress:  Fix 'aria-hidden-focus' accesibility violations
1898877 - keepalived consumes 100% of cpu
1903519 - Wrong Ingress to Route conversion for wildcard hostnames
1903632 - After upgrading a customer openshift cluster to 4.6.4 the openshift marketplace pods are in ImagePullBackOff state
1904155 - Graphs on utilization tab don't respect timespan selection
1905326 - kube-apiserver initContainer setup is not requesting required resources: cpu, memory
1905851 - [REF] Create volumesnapshotclass for Manila csi driver by default Storage/Manila CSI Driver
1906315 - "cannot populate chunk **" error in prometheus container logs
1908677 - Reenable [sig-network] SCTP [Feature:SCTP] [LinuxOnly] should create a Pod with SCTP HostPort [Suite:openshift/conformance/parallel] [Suite:k8s]
1908772 - A11y Violation:  Dev Console Nav Menu UL contains non-LI elements
1909058 - [cinder-csi-driver operator] always report fake event continuously in openstack-cinder-csi-driver-operator log
1913618 - Completed pods skew the Quota metrics
1914398 - multus admission controller and metrics daemon running as root
1914414 - SRIOV enablement for Emulex Corporation OneConnect NIC (10df:0720) is not working anymore
1914837 - Machine API Termination Handlers should be tested
1918562 - [cinder-csi-driver-operator] does not detect csi driver work status
1921139 - revert "force cert rotation every couple days for development" in 4.8
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1923111 - Install plans permanently fail due to CRD resource modified or similar transient errors
1924695 - Non-ascii passwords are accepted but don't work
1925180 - Deployment creates a huge number of ReplicaSets - image-lookup bits
1925203 - [RFE] [OCPonRHV] - High Performance Mode in OCP on RHV - huge pages, CPU and Numa pinning configuration
1925276 - Double instance create AWS
1925524 - openshift-jenkins-sync plugin does not scale on OCP 4
1928668 - Prometheus is collecting metrics for completed pods
1928816 - When using idrac-virtualmedia, the bios_interface gets set to idrac-wsman
1928856 - OCP Conformance test fails if MachineSet resource type is not present
1928942 - [Assisted-4.7] [Minimal-ISO] [Started image download] "Started image download" event missing important info: Content-Length: and Content-Disposition filename in both API and UI events
1932139 - The downstream darwin/amd64 `opm` binary fails to output the version info
1932323 - CVE-2021-26540 sanitize-html: improper validation of hostnames set by the "allowedIframeHostnames" option can lead to bypass hostname whitelist for iframe element
1932362 - CVE-2021-26539 sanitize-html: improper handling of internationalized domain name (IDN) can lead to bypass hostname whitelist validation
1934443 - Installation of OCP 4.6.13 fails when teaming interface is used with OVNKubernetes
1936408 - [VMware-LSO] pod re-attach time took more then 60 sec.
1936919 - AlertmanagerMembersInconsistent fires too quickly, causing serial-test noise
1937696 - [Assisted-4.7]node/hostnames vs bmh names inconsistency, skipped cluster index in name
1938282 - [4.9] Kuryr won't remove LB members on Endpoints object removal
1939045 - [OCPv4.6] pod to pod communication broken on PFCP procotol over UDP
1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string
1940059 - [GSS][RFE] Integrate ceph dashboard with OCS
1941224 - Serial e2e should not complain about the authentication operator going Progressing=True during the "test RequestHeaders IdP" test-case
1942122 - Egress IP iptables rules not added due to iptables: Resource temporarily unavailable
1942164 - [sig-cluster-lifecycle] cluster upgrade should be fast
1942657 - ingress operator stays degraded after privateZone fixed in DNS
1943265 - Negative Memory Utilization for Cluster Compute Resources Dashboard
1943284 - opm index prune will fail if the working directory does not have write permissions
1943334 - [ovnkube] node pod should taint NoSchedule on termination; clear on startup
1943378 - OpenStack machine_controller does not remove boot volumes when reconciler errors
1946178 - [Assisted-4.7] [Staging][OCS] Cluster validation messages improvements
1947005 - cluster-monitoring-view role allows to create alert silences
1947740 - [single-node] "Failed to watch" errors in openshift-state-metrics container
1948089 - openshift-apiserver should not set Available=False APIServicesAvailable on update
1948090 - Storage should not set Available=False APIServices_Error AWSEBSCSIDriverOperatorCRAvailable on update
1948603 - Azure CSI driver does not pass e2e-azure-csi tests
1948607 - vSphere CSI driver does not pass e2e-vsphere-csi tests
1948720 - Spacing issues in Chinese translations
1949497 - apiversion is still policy/v1betal when user creates pdb via oc create command
1949840 - CMO reports unavailable during upgrades
1950173 - Non-fatal: prometheus.env.yaml: no such file or directory
1950534 - OPM fails to deprecate bundles
1951812 - [master] [assisted operator] Assisted Service Postgres crashes msg: "mkdir: cannot create directory '/var/lib/pgsql/data/userdata': Permission denied"
1952101 - Can't re-build index if any bundles have been truncated
1952224 - Some quickly deleted pods are never cleaned up by kubelet after 20m
1952457 - In k8s 1.21 bump '[sig-node] crictl should be able to run crictl on the node' test is disabled
1952737 - [RFE]Users had difficulty distinguishing between “ Supported” and “Provided”
1953063 - Update default AWS instance type in machine-api-operator
1953113 - HAProxy template doesn't allow HSTS header to be case insensitive or include spaces
1953127 - NetworkPolicy tests were mistakenly marked skipped
1953182 - [Azure disk csi driver] volume expansion failed on filesystem resizing
1953185 - [Azure disk csi dirver operator] doesn't use the credential created by CCO
1953674 - [RFE] Add resize to ovirt CSI driver
1954869 - Add necessary priority class to marketplace components
1955192 - ExternalIP feature do not work on ovn-kuberenetes
1955292 - Describe quota output should show units
1955435 - "requestURI":"/apis/user.openshift.io/v1/users/kube:admin" from system:apiserver got code 422
1955586 - ThanosSidecarUnhealthy will never fire if the sidecar is never healthy.
1956081 - kube-apiserver setup fail while installing SNO due to port being used
1956830 - "oc adm top nodes" output give negative numbers
1956836 - AVC denial when setting hostname on GCP using "set-valid-hostname.sh" script
1956879 - authentication errors with "square/go-jose: error in cryptographic primitive" are observed in the CI
1956955 - Services sync causes too many ovn load balancer deletes
1956989 - In k8s 1.21 bump some sig-network tests are disabled due to being permanently broken on e2e-metal-ipi-ovn-ipv6
1957498 - cluster-etcd-operator: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21
1957609 - [aws]Machine tags should have precedence over Infrastructure
1957634 - prometheus-adapter panics on GetNodeMetrics
1957761 - SR-IOV daemon set should meet platform requirements for update strategy that have maxUnavailable update of 10 or 33 percent
1957886 - In k8s 1.21 bump TTLAfterFinished is disabled
1958107 - SR-IOV network operator pods should not run in best-effort QoS
1958154 - Custom AWS user tags limit not supported (openshift/api says max=25), install fails when >=10
1958341 - CVE-2021-31525 golang: net/https: panic in ReadRequest and ReadResponse when reading a very large header
1958375 - Return IPv6 traffic from the application pod is getting dropped when f5 pod is scaled to more than one.
1958376 - [IPI on Azure] unable to install IPI PRIVATE OpenShift cluster in Azure due to organization policies
1958390 - API Services unavailable after upgrade from 4.5.38 to 4.6.27
1958888 - 4.7.6 -> 4.7.9 upgrade: leader election stuck
1959200 - failed to configure pod interface: error while waiting on OVS.Interface.external-ids:ovn-installed for pod: timed out while waiting for OVS port binding
1959290 - openshift-kube-apiserver-operator should not rely on external networking for health check
1959586 - [master] All resources not being cleaned up after clusterdeployment deletion
1959798 - DNAT rules for external IP services wrong in ovn-kubernetes
1959906 - External gateway fails to add duplicate OVN ECMP route
1959957 - After a channel head is deprecated, the channel still exists in the index, but with no installable content = BAD UX
1960101 - CNO: exportNetworkFlows accepts invalid TCP/UDP port numbers
1960152 - Manilacsi becomes degraded even though it is not available with the underlying Openstack
1960455 - Performance Addon Operator fails to install after catalog source becomes ready
1960485 - Cannot use DASD at virtio block device when installing RHCOS on KVM
1960559 - Remove v1beta1 handling code
1960574 - Managed cluster should ensure SR-IOV pods components have system-* priority class associated
1960680 - [SCC] openshift-apiserver degraded when a SCC with high priority is created
1961226 - Can't ssh too IPA on worker nodes
1961757 - ovn-kubernetes: Enable ovn-controller lflow-cache limits (memory and/or size)
1961811 - Creating a configmap for a CA without a trailing newline in source file results in non-working CA verification
1962344 - [SCALE] ovn-controller running up to 30 second poll intervals due to full recompute
1962387 - Upgrade from Openshift 4.5 -> 4.6 Results in Orphaned Address sets
1962414 - ed25519 keys do not work when FIPS is enabled
1962951 - Can't enable column diffs in 4.9
1962957 - [master] Assisted service reports a malformed iso when we fail to download the base iso
1963027 - Upload qcow2 to PVC too small : "Error Uploading Data Request fail with status code 400"
1963132 - Installer: Remove the word 'Northern' from us-east4 (Ashburn, Northern Virginia, USA) to make it consistent
1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment
1963943 - For baremetal clusters, the node->terminal is not available
1964231 - Client certificate used to contact kubelet is not loaded dynamically
1964266 - [RFE] add external-resizer side car container
1964471 - [master] Confusing behavior when multi-node spoke workers present when only controlPlaneAgents specified
1964482 - Ipv6 IP addresses are not accepted for whitelisting
1964540 - CAPO: It's impossible to make port a trunk when it's defined in `ports` field
1964591 - [master] ACM/ZTP with Wan emulation fails to start the agent service
1964623 - [master] File system usage not being logged appropriately
1964786 - Serial console does not load
1964902 - NetworkPolicy Ingress rules table shows confusing text in From column
1964941 - If loading dynamic plugin times out, the UI throws a syntax error
1965074 - [OVN Kubernetes] ovnkube errors observed on 100 node clusters during uperf testing Fatal error: ofport of patch-br-ex_ip-.us-east-2.compute.internal-to-br-int has changed from [] to 2
1965080 - machine-api-operator constantly makes unauthorized AWS calls to DescribeInternetGateways
1965117 - [master] Post making changes to AgentServiceConfig assisted-service operator is not detecting the change and redeploying assisted-service pod
1965263 - [volume snapshot] "oc get volumesnapshotcontent" should display the volumesnapshot namespace info
1965365 - Accessibility - Resource and Events filter select options do not move cursor focus into search input on click, inhibits keyboard navigation
1965562 - recycler-for-nfs-... does not set requests or priorityClassName
1965930 - NetworkPolicy is not translated in Korean or Chinese
1965984 - Console Dashboard performance leads to empty visualizations
1965992 - Gracefully shutdown taking around 6-7 mins (libvirt provider)
1966129 - [4.9] Openshift Installer| UEFI mode | BM hosts have BIOS halted
1966480 - Console-operator's controllers are passed resourceSyncer which is not used (refactoring)
1966485 - [master] Operator-managed assisted Service doesn't wait for CVO to finish before reporting back
1966499 - portworx-operator causes APIRemovedInNextReleaseInUse alert
1966586 - [Assisted-4.7] [Staging] 200 OK returned when setting invalid Base DNS domain using API
1967047 - Console overview section shows operators are upgrading even though it is not actually upgrading.
1967108 - AsyncComponent loader comparison may result in false positive
1967228 - 503 Error page contains license for a vulnerable release of Bootstrap
1967316 - Sweep frontend/public folder for i18n
1967483 - coreos-installer fails to download Ignition (DNS error, failed to lookup address)
1967516 - Incorrect warning message on network type selection
1967527 - CPU spikes not captured in Grafana causing issue to understand HPA behavior
1967621 - Operator fails to install and OLM tries to delete nonexistent catalog  pods under openshift-marketplace/redhat-marketplace
1967658 - OLM: Failure alert message for copied CSV not helpful
1967695 - managedFields is missing in provisioning-configuration json object
1967808 - Readiness "exec" probes causes zombie process on certain container images
1967885 - Creating a VM from the UI on OKD 4.7 fails with "the API version in the data (kubevirt/v1) does not match the expected API version (kubevirt/v1alpha3)"
1967934 - Hide input box of add capacity modal for attached devices mode
1967956 - [master] Assisted-service deployed on an IPv6 cluster installed with proxy: agentclusterinstall shows error pulling an image from quay.
1967979 - Masthead dropdowns options are not accessible via the keyboard
1968043 - [master] backend events generated with wrong namespace for agent
1968124 - [master] [doc] "Mirror Registry Configuration" doc section needs clarification of functionality and limitations
1968125 - [master] [DOCS] AgentServiceConfig examples in operator.md doc should each contain databaseStorage + filesystemStorage
1968324 - [master] Unclear message in case of missing clusterImageSet
1968336 - [master] missing role in agent CRD
1968404 - [master] Wrong Install-config override documentation
1968406 - [master] Misleading error in case of install-config override bad input
1968423 - [master] CR finalizers block resource deletions if the assisted-service POD is not available
1968425 - [master] AgentLabelSelector is required yet not supported
1968448 - [master] KubeAPI CVO progress is not available on CR/conditions only in events.
1968525 - Warning: Encountered two children with the same key in Operator Details page
1968552 - [master] BMAC should wait for an ISO to exist for 1 minute before using it
1968569 - Creating a network policy in OVN-Kubernetes can be very inefficient.
1968570 - [master] Misleading error when ClusterImageSet specifies OpenShift version lower than 4.8
1968572 - Assisted Service does not escape backslash characters on public SSH keys
1969324 - [master] Remove Agent CRD Status fields not needed
1969371 - [AWS] destroyer tried to search resources in other china region.
1969374 - [OSP] Document how to update domain for image registry in version <4.8
1969391 - [master] infra-env condition message isn't informative in case of missing pull secret
1969404 - revert "force cert rotation every couple days for development" in 4.9
1969471 - HAProxy tests in sdn-network-stress job are flaky
1969477 - [master] Assisted service times out on GetNextSteps due to `oc adm release info` taking too long
1969494 - [master] no indication for missing debugInfo in AgentClusterInstall
1969546 - OLM: Scroll shadow in wrong position in operator details modal
1969547 - [master] SNO with AI/operator - kubeconfig secret is not created until the spoke is deployed
1969719 - vsphere-problem-detector cannot connect to vCenter API over https
1969761 - sriov webhook not worked when upgrade from 4.7 to 4.8
1969766 - [master] Empty cluster name on handleEnsureISOErrors log after applying InfraEnv.yaml
1969796 - [master] Updating configmap within AgentServiceConfig is not logged properly
1969902 - OLM fails with 'ResolutionFailed' found more than one head for channel
1969989 - KMS connection details for new storageclass can not be changed in StorageClass creation form after 9 connection details are stored in csi-kms-connection-details configmap
1969998 - [OCP 4.9 tracker] kubelet service fail to load EnvironmentFile due to SELinux denial
1970011 - “managed by” link goes to the incorrect URL (unlike the correct ownerRef link)
1970063 - [master] AgentServiceConfig mirror registry requires both ca-bundle.crt and registries.conf
1970129 - OVS logging in must gather is missing previous logging levels
1970147 - Weak Cipher in openshift-monitoring
1970179 - [4.9] Bootimage bump tracker
1970261 - [master] Add State and StateInfo to DebugInfo in ACI and Agent CRDs
1970270 - [master] Add ProgressInfo to Agent and AgentClusterInstalll CRDs
1970315 - 4.7 -> 4.8 upgrades fail on "[sig-network] pods should successfully create sandboxes by other" for pods which eventually start
1970332 - Page disappears while creating Storage Class for rbd provisioner via UI
1970421 - CVO does not provide a good enough reason to why an upgrade payload pull failed
1970437 - [oVirt] Add guaranteed memory field to oVirt Machine Object
1970466 - Console's OperatorHub leads users to unrelated install plan, if subscription does not have its own
1970604 - Add IDP menu items are not translated
1970910 - Uninstalling kube-descheduler clusterkubedescheduleroperator.4.6.0-202106010807.p0.git.5db84c5 removes some clusterrolebindings
1970962 - Exception inside the Jenkins Master pod
1970980 - Remove usage of i18nKey
1970985 - periodic ci-4.8-upgrade-from-stable-4.7-e2e-*-ovn-upgrade are permafailing on service/ingress disruption
1971032 - Add Sprint 202 Round 2 translations
1971046 - apiserver stops responding during an e2e run (non-graceful shutdown) on GCP
1971162 - Installation failed by enabling OCS from AI because of Virtual_Floppy as HDD listed in UI
1971207 - installer only created one worker node and the install failed
1971332 - oc new-build command does not pick automatic source clone secret in OpenShift 4.7
1971499 - Should not show getting started links when add page customization disabled these entries
1971518 - Cluster deletion misses trunk ports and loop over until timeout
1971532 - Admin project list should not use internal ids as link titles
1971537 - Support cgroups v2 (Podman on Fedora 31+)
1971544 - Event sources in Developer console lists also action and sink kamelets
1971602 - e2e-metal-ipi-upgrade for 4.7 to 4.8 is permafailing
1971624 - [release-4.9] kube-apiserver failed to load SNI cert and key
1971640 - [master] InfraEnv controller should always requeue for backend response HTTP StatusConflict (code 409)
1971690 - Remove "unsupported" tag from ARM 64 oc binary in console
1971715 - [OCP 4.7] "configure-ovs.sh" leaves static ip in old interface
1971738 - Keep /boot RW when kdump is enabled
1971808 - New `local-with-fallback` service annotation does not preserve source IP
1971899 - The ciphers in theTLS profiles for the kubelet, the `oc explain` output don't match  the kubelet.conf file
1972003 - Get invalid date when edit custom time range on monitoring dashboards
1972009 - [REF]Image registry pullthough should support pull image from the mirror registry with auth via imagecontentsourcepolicy
1972011 - Dashboards display different time range when drag&drop on the first dashboard
1972016 - Set a specific time range, but Dashboards display data with a different time range
1972028 - Upgrade is failed when upgrade SNO cluster on gcp platform
1972060 - typo in operators available
1972096 - [master] Domain dummy.com (not belonging to Red Hat) is being used in a default configuration
1972131 - ironic-static-ip-manager container still uses 4.7 base image
1972272 - [master] "baremetalhost.metal3.io/detached" uses boolean value where string is expected
1972287 - [mlx5] traffic from Node port is not offloaded
1972351 - Bump jenkins version to 2.289.1
1972374 - Adopt failure can trigger deprovisioning
1972383 - Using bound SA tokens causes causes failures to /apis/authorization.openshift.io/v1/clusterrolebindings
1972393 - PDB PUT /status is 1/6th of total write load on busy cluster continuously (should be 1/100 or so)
1972514 - add check for accessing traffic from status in ksvc
1972524 - bootstrap vm does not get right configuration for dhcp6
1972525 - [master] clusterDeployments controller should send an event to InfraEnv for backend cluster registration
1972572 - Ironic rhcos downloader re-downloads same image in upgrade process from 4.7 to 4.8
1972582 - [oVirt] Installing with an oVirt network with 2 vnics on the same network causes the installer to not create tfvars and fail with terraform error
1972598 - [master] Install retry per recreating ACI, BMH error status is not cleared
1972678 - Requirements for authenticating kernel modules with X.509
1972682 - DPDK KNI modules need some additional tools
1972684 - [Feature:IPv6DualStack] tests are failing in dualstack
1972747 - Allow Cluster-api-provider-ovirt using auto pinning new namings
1972753 - ironic hardware inspection failed due to NewConnectionError causes bm nodes stuck
1972776 - improve dual-stack install-config validation
1972777 - Unable to edit the default Health check probe values
1972829 - Upgrade tests should fail when ingress is disrupted
1972966 - Virtualization is not available in Home Overview
1972968 - "Add Disk" button should be disabled in common template disks tab
1972977 - The removed ingresscontrollers should not be counted in ingress_controller_conditions metrics
1973005 - authentication operator degraded during 4.7.16 update
1973065 - Editing a Deployment drops annotations
1973076 - [oVirt] CSI driver is not waiting for disk to be OK on creation
1973147 - KubePersistentVolumeFillingUp - False Alert firing for PVCs with volumeMode as block.
1973154 - RHCOS-shipped stalld systemd units do not use SCHED_FIFO to run stalld.
1973160 - Monitoring UI disappear when we query a string
1973200 - remove kubevirt images and references
1973215 - [OVN] EgressIP no longer worked after a cluster upgrade
1973314 - [4.9] Openshift Installer| UEFI mode | BM hosts have BIOS halted
1973315 - [master] Updating ISO URL does not create a correct log entry
1973318 - Image pruner does not use custom tolerations
1973333 - Investigate why strings removed in English files are showing up in langauge files
1973336 - Verify "Only {volumeMode} volume mode is available for {storageClass} with {accessMode} access mode" displays correctly
1973338 - Fix punctuation in string
1973340 - Add Sprint 203 translations
1973423 - Several operators degraded because Failed to create pod sandbox when installing an sts cluster
1973482 - 4.8.0.rc0 upgrade hung, stuck on DNS clusteroperator progressing
1973491 - Node exporter veth optimizations do not work if the network type is OVN
1973525 - machine-config-operator: remove runlevel from kni-infra namespace
1973565 - Dynamic plugin routes should be evaluated before static plugin routes
1973567 - Autoscaler log report error “Failed to watch *v1.CSIDriver”
1973576 - only show annotations.summary field on thanos-ruler Alerts page
1973582 - [upgrade from 4.5 to 4.6] .status.connectionState.address of catsrc certified-operators is not correct
1973643 - oc logs doesn't work with piepeline builds
1973679 - fix ovn-kubernetes NetworkPolicy 4.7->4.8 upgrade issue
1973724 - metal3 Pod cannot download RHCOS images using the provisioning network anymore
1973813 - NodePorts do not work on RHEL 7.9 workers (was "4.7 -> 4.8 upgrade is stuck at Ingress operator Degraded with rhel 7.9 workers")
1974077 - [Assisted-4.8] [Staging][Network Latency] Improve validation message: host with IP not found in inventory
1974083 - [RFE] When branding is not redhat, no need to explicitly mark community support.
1974085 - [Assisted-4.8] [Staging][Network Latency] Worker host IP appear in master validation message
1974237 - 4.7 -> 4.8 upgrades on AWS take longer than expected
1974277 - Tuned net plugin fails to handle net devices with n/a value for a channel
1974312 - linuxptp-daemon: remove not needed run-level 1 label
1974338 - [OCP4.7] maven image doesn't use JAVA_HOME env variable
1974350 - LB endpoint for API becomes unavailable briefly during openshift test suite
1974364 - [must-gather] ovs/ovn database should be exported or dumped, not compacted and copied
1974403 - OVN-Kube Node race occasionally leads to invalid pod IP
1974411 - Installation with multipath parameters in parmfile fails (DNS resolution missing)
1974429 - Requirements for nvidia GPU driver container for driver toolkit
1974453 - coreos-installer failing Execshield
1974501 - [master] Assisted Service Operator should be Infrastructure Operator for Red Hat OpenShift
1974520 - [release-4.9] CI update from 4.7 to 4.8 sticks on: EncryptionMigrationController_Error: EncryptionMigrationControllerDegraded: etcdserver: request timed out
1974567 - vertical-pod-autoscaler-operator: remove runlevel from namespace manual install
1974598 - Sub-optimal cluster destroy strategy
1974603 - clusteroperators table output does omit condition messages
1974611 - In template list, the boot source provider column should be named boot source
1974640 - When installing on AWS, AWS_SHARED_CREDENTIALS_FILE is only obeyed for reading and not for writing credentials
1974651 - dockerv1client tests fail due to unavailability of v1 API on registry-1.docker.io
1974689 - In customize create vm wizard, a warning "no registred model"
1974716 - Using bound SA tokens causes fail to query cluster resource especially in a sts cluster
1974755 - Status defaults were not internationalized
1974758 - aws-serial jobs are failing with false-positive MachineWithNoRunningPhase firing or pending
1974830 - KubeDeploymentReplicasMismatch alert will never fire
1974832 - The monitoring stack should alert when 2 Prometheus pods are scheduled on the same node
1974839 - CVE-2021-29059 nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string
1974967 - Prometheus Memory Usage 50-100% higher on 4.8+ OVN when under load
1974973 - ci-operator cannot import an s390x or a non-amd64 OCP release image
1975016 - OpenStack credentials for Kuryr Controller should be stored in a secret
1975038 - Cannot delete user created vm template
1975042 - Cannot customize windows template boot source
1975133 - Sync ironic containers with latest ironic code
1975157 - (release-4.9) records data size is incorrectly growing when obfuscation is enabled or when there are duplicated records
1975218 - [master] KubeAPI Move conditions consts to CRD types
1975232 - VM Create YAML page 404 error
1975283 - gcp-realtime: e2e test failing [sig-storage] Multi-AZ Cluster Volumes should only be allowed to provision PDs in zones where nodes exist [Suite:openshift/conformance/parallel] [Suite:k8s]
1975296 - machinehealthcheck controller does not consider nodes that still have the external remediation annotation
1975359 - [master] timeout on kubeAPI subsystem test: SNO full install and validate MetaData
1975379 - Console pods are scheduled on single master node
1975383 - No NTP sources defined in a cluster after assisted installation
1975391 - Install Operator description iframe shows double scrollbars when the browser sized is narrowed.
1975392 - Console and downloads pods should have more specific anti-affinity label selectors
1975475 - [aws] terraform may fail when the bootstrap instance profile is not ready
1975478 - CRD extensions.ConsoleNotification CRD.displays YAML editor for modifying the location of ConsoleNotification instance
1975491 - [Assisted-4.8] [Staging][Network latency] host_requirements api should contain network thresholds
1975529 - Production logs are spammed on "Validate Requirements status All host roles must be assigned to enable CNV."
1975539 - [ImageStreams] Remove stale cruft installed by CVO in earlier releases
1975542 - [Insights] Remove stale cruft installed by CVO in earlier releases
1975683 - baremetal-operator fails to build
1975696 - compareOwnerReference should not accept a reference
1975714 - Missing policy-group label on the openshift-console namespace manifest
1975715 - Monitoring dashboard 'Logging/Elasticsearch' isn't accessible on OCP 4.8.
1975779 - image pull keeps failing on upgrade
1975805 - [4.8.0] Install retry per recreating ACI, BMH error status is not cleared
1975820 - There are plugins remained after uninstall operator with multiple plugins enabled
1975824 - Alert InstallPlanStepAppliedWithWarnings does not resolve
1975825 - [v4.8] The `oc compliance fetch-raw` is unable to process results from suite: unexpected EOF
1975831 - Crio is using large amounts of node resources
1975913 - Unable to uncheck the optional workspace checkbox in pipeline builder
1975947 - Add egress ips to anonymizer
1976016 - Azure: Destroy cluster eventually fails when trying to delete a cluster while other resources (not related to the cluster) are present in the resource group
1976072 - Operand details page doesn't render correct format when x-descriptor path has None value
1976112 - batch/v1beta1 CronJob warning appears in image pruner pod when image registry is removed
1976125 - [BM][IPI] redfish inspect fails on nodes with nics where mac="": Expected a MAC address but received .
1976215 - Removed egressIP still shows as EXTERNAL_IP in the NorthBound DB.
1976217 - Chart empty state card different height than other cards on Metrics tab
1976243 - OLM operator index pod for Performance Addon Operator is missing Workload Partitioning Annotation
1976307 - CVO missing ImageStreams manifest delete annotation logic
1976326 - CI failing on firing CertifiedOperatorsCatalogError due to slow livenessProbe responses
1976373 - disable jenkins client plugin test whose Jenkinsfile references master branch openshift/origin artifacts
1976379 - CVO pod skipped by workload partitioning with incorrect error stating cluster is not SNO
1976753 - [sig-devex][Feature:Jenkins][Slow] Jenkins repos e2e openshift using slow openshift pipeline build Sync plugin tests using the ephemeral template
1976775 - Problematic Deployment creates infinite number Replicasets causing etcd to reach quota limit
1976776 - [master] Change agent's ReadyForInstallation condition into RequirementsMet
1976939 - Interacting with CatalogSource page.Interacting with CatalogSource page renders details about the redhat-operators catalog source
1976983 - [master] [assisted operator][docs] Setting automatedCleaningMode: metadata in BMH is overridden to disabled
1977027 - [oauth-apiserver] Remove stale cruft installed by CVO in earlier releases
1977037 - VNC console stays in Connecting state.
1977054 - [4.9] Unable to authenticate against IDP after upgrade to 4.8-rc.1
1977097 - build cleanup test failing on release-openshift-origin-installer-old-rhcos-e2e-aws-4.7
1977129 - openshift-installer: remove runlevel from openshift-kubevirt-infra namespace
1977279 - When applying the gateway annotation to a gateway pod or to a namespace, the per pod SNAT is not removed
1977330 - Single stack external gateway makes the pod not starting with dual stack clusters
1977346 - Fix obfuscation translation table secret 4.9
1977354 - [master] KUBE-API: Support move agent to different cluster in the same namespace
1977369 - vSphere Machines stuck in deleting phase if associated Node object is deleted
1977377 - [master] Add columns to the Agent CRD list
1977389 - Manila CSI driver is not in must-gather
1977435 - SNO - monitoring operator is not available cause failed: waiting for Alertmanager openshift-monitoring/main
1977444 - KubeAPI docs: Add a getting started guide
1977449 - [master] Fix flaky test: invalid NMState config YAML
1977454 - builds: e2e-proxy tests fail due to Redis security protections
1977595 - pseudo translation missing on OperatorHub page
1977655 - localization issue for volume mode tooltip message
1977753 - (release-4.9) Gather all MachineConfig definitions
1977807 - Prometheus PV is corrupted during CSI migration tests
1977884 - Upgrade from 4.8.0-rc.0 to 4.9.0-0.nightly-2021-06-24-073147 failing with multiple errors
1977920 - Pod fails to run when a custom SCC with a specific set of volumes is used
1977936 - OCS deployment using Multus: UI allows StorageCluster creation with empty public and cluster network in "Internal - Attached Devices" mode
1977972 - Kernel version in /etc/driver-toolkit-release.json not including architecture
1977981 - [External Mode] OpenShift Container Storage Overview does not display any dashboard by default unless specific tab is clicked
1978091 - Cluster Utilization item Network transfer shows 'No datapoints found'
1978137 - ovnkube-trace requires iproute to be installed in the pod
1978144 - CVE-2021-32690 helm: information disclosure vulnerability
1978193 - htpasswd provider for auth is not working as expected and give 401 error when user try to login
1978200 - RHEL 6 template should not be starred by default
1978202 - RHEL 6 template is tagged as "community"
1978213 - OpenStack quota checks inexact when using Kuryr
1978222 - User Management / Users: seeing "Add IdP" button although IdP exists
1978225 - User Management / Users: no progress visible suggesting that IdPs are not instant after configuration
1978268 - Exec probes fail clusterwide after upgrade to cri-o-1.19.2-4.rhaos4.6.git4f7cb5e.el7.x86_64
1978310 - OLM dependencies not fixing version
1978338 - "Prometheus metrics should be available after an upgrade" is panicking
1978340 - packageserver isn't following the OpenShift HA conventions
1978352 - [master] Add machine network cidr to cluster status
1978376 - Should not allow upgrades to 4.9 without admin acknowledgement that apis are being removed
1978403 - Add Sprint 203 Round 2 translations
1978416 - Convert TFunction to Trans component
1978421 - String updates (typos, etc.)
1978425 - Consolidate namespaces in console-app and console-shared plugins
1978429 - Typos in Pipelines Plugin strings
1978435 - SR-IOV doesn't show up in operatorhub for ppc64le
1978627 - When mount source with a long unexist name, the build keeps pending with unclear message
1978629 - [RFE]'oc describe build|buildconfig' should show mount source info when add Secret Volume Mounts to buildconfig
1978649 - Object Service tab should not be part of OCP Console for ODF Managed Services
1978662 - monitoring operator needs to indicate non-durable data
1978691 - [4.9.0] OPENSHIFT_VERSIONS env var overrides AgentServiceConfig osImages: values
1978724 - Binary secret data isn't properly uploaded by ui
1978739 - [master] Provisioning SNOs bmh is stuck in ready state
1978749 - CVO doesn't honor noProxy while contacting Cincinnati endpoint
1978774 - Cluster-version operator loads proxy config from spec, not status
1978797 - external gateway pod deletes may not clean up ECMP routes
1978829 - ClusterMonitoringOperatorReconciliationErrors is firing during upgrades and should not be
1979009 - Change log message about EFI not being supported in assisted-installer
1979038 - Installation logs are not gathered from OCP Control planes nodes
1979114 - Cannot create vm from 'With YAML' on CNV 2.6.5 + OCP 4.8
1979116 - Cannot create vm from customize wizard on CNV 2.6.5 + OCP 4.8
1979169 - [docs] Unclear docs in automatedCleaningMode
1979190 - Cannot get guest information on CNV 2.6.5 + OCP 4.8
1979297 - SystemExceedsMemoryReservation prometheusRule manages wrongly hugepage reservation
1979300 - Upgrading from 4.7.11 to 4.8.0: Saw HybridOverlay logical router policies getting created without any existing hybridoverlay configuration
1979352 - Tuned affining containers to house keeping cpus
1979506 - The earlier version bundles that generated by pkgman-to-bundle won't be installed success
1979544 - olm Operator is in CrashLoopBackOff state with error "couldn't cleanup cross-namespace ownerreferences"
1979571 - Process is not terminated in pod terminal in UI.
1979620 - Applying an OLM descriptor to a deeply nested child property then doing the same for a parent property will cause the descriptor for the child to be removed.
1979738 - driver-toolkit gcc install unable to download extract-vmlinux script in ART builds
1979822 - mdns-publisher pods are crashing and restarting often.
1979996 - Dashboards do not support automatic unit transformation for time
1980029 - CI: openstacksdk 0.53 breaks UPI jobs
1980118 - Cannot launch debug container for pods in management workload partition
1980135 - On an IPv6 single stack cluster traffic between master nodes is sent via default gw instead of local subnet
1980187 - [sig-operator] an end user can use OLM can subscribe to the operator failing frequently
1980235 - OAuth proxy version is displayed should be removed.
1980257 - 'You are logged in as a temporary administrative user.' banner is shown for kubeadmin user with crc
1980357 - Getting the alert "V4SubnetAllocationThresholdExceeded" in newly installed cluster, Where subnet allocation is not more than 80%
1980364 - CI not working because Dockerfile references an ImageStream resource which isn't compatible with OLM
1980465 - etcd warning logs misleading
1980531 - additionalHelpActions 'HelpMenu' ConsoleLinks not translated
1980548 - Not all plugins' locales folders are listed in webpack.config.ts
1980658 - metal-ipi jobs are failing because of api server connection errors
1980679 - On a Azure IPI installation MCO fails to create new nodes
1980704 - Web console doesn't list all the registries credentials in a secret
1980753 - 4.7 minimal iso fails to boot
1980781 - NTO-shipped stalld can segfault
1980844 - The SystemMemoryExceedsReserved alert released in 4.6 seems to trigger on many clusters under load (default increase if possible?)
1980888 - Thanos querier probes are timing out
1980930 - Machine-api-operator is going through leader election even when API rollout takes ~60 sec in SNO
1981055 - ovn-kubernetes-master need to handle 60 seconds downtime of API server gracefully in SNO
1981090 - [IPI baremetal] 'Failed to get the sockets from the old process' error is reported in haproxy logs following haproxy reload
1981272 - When deleting PVC inside PVC page the status in the heading doesn't match the status field
1981399 - protractor tests are not able to run on release-4.8 and master
1981417 - Change OCM links from cloud. to console.redhat.com
1981425 - Update jenkins to 2.289.2
1981465 - Assisted installer wait for ready nodes on bootstrap kube-apiserver though it moved to one of the other masters
1981477 - Unable to attach Vsphere volume shows the error "failed to get canonical path"
1981498 - enhance service-ca injection
1981550 - AWS Elastic IP permissions are incorrectly required
1981639 - Imageregistry bumps out N+1 pods when set replicas to N(N>2) and Y(=workers number) pods are scheduled to different workers, the left pods will keep pending
1981832 - OLM fails with 'ResolutionFailed' found multiple channel heads
1981936 - openshift/builder base images inconsistent with ART
1981957 - Sync plugin v1.0.47 takes a very long time to pick up new builds
1981975 - Master Machine Config Pool degraded at install time
1981999 - [4.9] Bootimage bump tracker
1982046 - CVO gets stuck on resource deletion progress after re-creating the deleted resource
1982052 - [vsphere][upi] OVN vmxnet3 allmulti workaround doesn't apply when vmxnet3 is bonded
1982079 - Resource usage measurement data display the concatenation of English and translation sentence fragments in Cluster utilization of Home->Overview when moving the mouse over each resource usage chart
1982090 - Top consumers filter dropdown list is inconsistent with the translation of left menu when click usage data in each Cluster utilization row
1982150 - Add a TechPreviewBadge for Multus
1982153 - Accessibility (and cypress test) issue with empty category on Operator Hub page
1982170 - (release-4.9) Operator operation is not set when updating status
1982274 - OLM should block the OCP 4.8 upgrade to 4.9 when the operator installed with `olm.openShiftMaxVersion` annotation
1982300 - vsphere-problem-detector not showing wrong credentials event/alert on OCP Console
1982376 - Remove PatternFly override fixes now that upstream version include the fix
1982653 - Observe - Alerting - Create silence : time period values are in English
1982659 - Workloads - Jobs : 'Type' column's Value 'Non-parallel' is in English
1982680 - Abort signal is ignored when using safe-k8s-hook.tsx
1982682 - Namespace is not properly passed to k8sCreate
1982692 - Serverless - Eventing - Event Sources - Move sink: incomprehensible japanese sentence
1982727 - Serverless - Eventing - Brokers - Add Trigger : i18n misses
1982736 - Serverless - Eventing - Channels - Add Subscription : appearing Partial translation for fully translated text
1982751 - Serverless - Eventing - Subscriptions - Move Subscription : appearing partial translation
1982765 - Networking - Services - Edit Pod Selector : An incomprehensible Japanese sentence
1982766 - [on-prem] Make ingress keepalived check more tolerant to failures
1982776 - Namespaces - RoleBindings - Edit ClusterRoleBinding subject : An incomprehensible Japanese translation
1982781 - "opm index rm" doesn't remove deprecated bundles
1982868 - 4.8 ManagementCPUsOverride admission plugin blocks 4.7 deployments on empty topology
1982997 - Page header tools - Import YAML : i18n misses
1983032 - User Management - Users - Impersonate User : i18n misses
1983091 - Logic for getting default pull secret incorrect on project page
1983190 - SNO deployment on HPE e910 blades fails because the node always boots from virtualmedia
1983205 - StatefulSet fails to deploy with error Readiness Probe exec failed open /dev/tty failure no such address when .spec.tty is set to true [OCP 4.6.34]
1983220 - A second scroll bar appears on the Node/Pod terminal page when resizing vertically
1983412 - [Assisted-4.8] [Integration][Network validations] "unable to unmarshall host" and "unexpected end of JSON input" errors when booting nodes
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1983612 - When using boot-from-volume "image", InstanceCreate leaks volumes in case machine-controller is rebooted
1983673 - opm may prune bundles from the input
1983693 - Import from YAML shows warning when just pressing enter
1983707 - Import from YAML breaks console when three dash separator at the end
1983788 - Kubelet may start running before CRI-O
1983933 - [oVirt] CSI expansion should work in offline mode
1983975 - BMO fails to start with port conflict
1984030 - Reduce CPU overhead for ignore-listed NICs
1984031 - Create Silence form's "Created by" field is not populated after refreshing the page
1984047 - insight-operator logs a panic when shutdown, triggering panic detections in CI jobs
1984049 - Slow OVN Recovery on SNO
1984156 - Add sprint 204 translations
1984297 - There are spaces before VM description
1984365 - Dashboard Prometheus/Overview can't filter instance by job
1984414 - Excessive resource diff logging during updates
1984449 - [4.9] drop-icmp pod blocks direct SSH access to cluster nodes
1984481 - machine-api couldn't reconcile VMs with OVNKubernetes network type
1984538 - The openshift-operators namespace should not contain the openshift.io/cluster-monitoring namespace label
1984576 - PROVISIONING_INTERFACE missing from metal3 pod
1984582 - Metal IPI jobs are failing a high percentage of the time
1984608 - kube-scheduler needs to handle 60 seconds downtime of API server gracefully in SNO
1984635 - openshift-config-operator needs to handle 60 seconds downtime of API server gracefully in SNO
1984644 - openshift-service-ca-operator needs to handle 60 seconds downtime of API server gracefully in SNO
1984683 - sdn-controller needs to handle 60 seconds downtime of API server gracefully in SNO
1984736 - [master] ClusterDeployment controller watches all Secrets from all namespaces
1984807 - Move tooltip 'Restore is only enabled for offline virtual machine' to the button when it's disabled
1984942 - ApplyClusterRoleBinding triggers boundsError when adding new subject
1984954 - Normal user cannot create VM because it cannot access v2v-vmware configmap
1985033 - [OVN] [cluster network operator] Provide the option to configure probe intervals
1985080 - Downloaded log file (All task logs) contains logs of all taskrun in a single line
1985082 - namespace of monitoring rbac rules should not be hardcoded
1985125 - OperatorGroup status is not updated when it has cardinality conflicts when targetNamespace is used
1985161 - Some localization issues
1985164 - Regular user cannot restore VM snapshot
1985197 - production builds doesn't load some locales successfully
1985336 - OpenShift SDN doesn't add NOTRACK rule to raw iptables table to prevent vxlan from reaching conntrack
1985366 - CCCMO using unregistered host ports
1985391 - Cluster Proxy not used during installation on OSP
1985447 - KubeAPIErrorBudgetBurn Missing namespace label
1985449 - [Assisted-4.8 ][SaaS] error raised "unable to unmarshal connectivity report for host ID xxxx:unexpected end of JSON input" in Assisted Service Pod log
1985483 - Cleaning a BMH deployed using live ISO results in a TLS failure
1985512 - allow-from-router feature doesn't work on v6 only single stack cluster
1985697 - package-server-manager needs to handle 60 seconds downtime of API server gracefully in SNO
1985711 - Registry image input isn't trimming at the start of input
1985721 - Pencil button is missing at Scheduling and resources requirements fields
1985737 - VM Details page , boot order is missing pencil edit button
1985773 - ptp4l crash when BC is configured
1985795 - OCPonRHV: pvc stuck on pending status when using preallocated storage domain
1985802 - cluster-version-operator needs to handle 60 seconds downtime of API server gracefully in SNO
1985846 - Adding ebs type "gp3" when create storage class from web console
1985850 - Update default value of volumeBindingMode from Immediate to WaitForFirstConsumer when create storageclass from web console
1985852 - The vmware-vsphere-csi-driver-webhook pod runs as “BestEffort” qosClass
1985895 - Order by 'Latest version' doesn't work on CustomResourceDefinitions list page
1985948 - [e2e]sysprep, ssh, tests fail from time to time
1985960 - oVirt 4.8 tests are failing on resize
1985997 - kube-apiserver in SNO must not brick the cluster when a config observer outputs invalid data that would eventually converge towards a running system in HA setup
1985998 - Re-enable 50 tests related to CSI failures
1986001 - Enable back `ResourceQuota should create a ResourceQuota and capture the life of a service`
1986003 - Bump to latest available 1.22.x k8s
1986061 - cluster network operator deploys a service monitor which is never picked up by cluster monitoring operator
1986090 - Cannot delete ClusterAutoscaler CR with foreground deletion
1986127 - UI crash when installing helm chart or right click installed chart in topology
1986129 - OpenShift web console not deployed after installing OCP 4.8.2 using single-node-developer profile
1986139 - The marketplace operator default catalogs need to use the v4.9 tags
1986148 - Bump API for Ingress RequiredHSTSPolicies field
1986174 - SRO should be able to read a complete chart from a ConfigMap.
1986215 - cluster-storage-operator needs to handle API server downtime gracefully in SNO
1986225 - [e2e][automation] add tests for vm snapshot feature
1986228 - Create e2e test for HSTS Feature
1986238 - Supermicro X12 fails to provision using Redfish BM HW Provisioning
1986243 - delete user-workload-monitoring-config configmap, can not find user metrics although no setting for enforcedTargetLimit
1986253 - Automation of Application groupings in topology
1986297 - Windows guest tool is always mounted even it's unchecked
1986306 - Enable back `[sig-cli] Kubectl client kubectl wait should ignore not found error with --for=delete`
1986307 - Enable back Feature:UDPConnectivity and NetworkPolicy tests
1986309 - Update ironic-agent container with latest bugfix code
1986311 - SRO crash when an incorrect chart is applied
1986322 - Update ironic container with latest bugfix code
1986324 - Update ironic-ipa-downloader container with latest bugfix code
1986375 - Avoid CMO being degraded when some nodes aren't available
1986389 - Textarea inside modal can be resized to larger width than modal
1986392 - Kubelet can't find Node after upgrade to external CCM on AWS/OpenStack
1986408 - Add NE-310 HSTS to 4.9
1986418 - kube-storage-version-migrator-operator needs to handle API server downtime gracefully in SNO
1986419 - aws-efs-csi-driver-operator CSV has upstream image references
1986420 - IPI of private cluster on GCP failed due to variable "cluster_public_ip" is not set
1986426 - Fix failing request on creating an ibm flash system via odf wizard
1986427 - rebase d/s metallb-operator to pickup AddressPool update fix and CI enhancements
1986437 - Bump openshift/api to support ExternalCloudProvider featuregate
1986440 - Bump OVN to ovn21.09-21.09.0-9.el8fdp
1986443 - OVN-kube master may report errors for "transaction failed" when creating logical ports
1986452 - Increase in RSS memory in CRI-O
1986453 - EUS Control loop to check for API server and node versions skew
1986462 - Bug in cluster-baremetal-operator when PreProvisioningOSDownloadURLs are specified in addition to ProvisioningOSDownloadURL
1986464 - Registry pull secret should be sent as base64 string
1986474 - vsphere-syncer build is failing
1986477 - cluster-node-tuning-operator needs to handle API server downtime gracefully in SNO
1986493 - Upload jar files: Java commands are JAVA_ARGS not the purported container command
1986495 - Missing translation in the Edit deployment form
1986501 - Fix bundle image for efs operator
1986540 - Cluster Proxy not used during installation on OSP
1986560 - etcd-operator needs to handle API server downtime gracefully in SNO
1986562 - lastTriggeredImageId is populated in BuildConfig spec
1986565 - [OCP48][WebUI] "How to seal boot source for template usage" link points to /foo
1986575 - Add e2e tests for haproxy timeout variables
1986631 - BuildConfig Environment tab: different errors when the form is not filled completely
1986632 - App Name & Name Values are not getting auto-populated for Deploy Image page in internal image registry
1986650 - Cypress: Globally installs Service Binding Operator operator fails at "Create Operand" step
1986654 - [OCP4.9 Bug] Auto cleaning step in Prepare stage failed
1986656 - [OCP4.9 Bug] Ironic node enters the clean failed state when the target node doesn't have a RAID controller.
1986676 - React Unique key warnings in pipelines and pipeline run details page
1986680 - [knative][flake] Fail to set traffic distribution due to "object has been modified" error
1986685 - panic when opm alpha diff
1986699 - we should take catalogsource into considering when showing Installed tile in OperatorHub catalog
1986704 - missing translation for Kafka Connections nav option
1986707 - CVO log "resource has already been removed" is confusing in a fresh install
1986729 - Event source Sink is not marked as required in create form
1986735 - Monitoring chart range selection does not work on Firefox
1986754 - In Home->Events Dashboard, 'more' and 'Show Less' are hardcoded when the browser set to Chinese language
1986757 - Keepalived fails with Liveness probe failed: command timed out
1986790 - Add disk modal gives error when not selecting storageClass
1986803 - Details page doesn't catch errors which happen on a tab
1986810 - [AUTH-13] oauth-proxy in default OpenShift components might fail to log users in if custom route certificate is configured
1986829 - [AUTH-20] Make prometheus authenticate with a certificate while scraping the cluster's core components metrics
1986833 - Gather Openshift Logging Stack Data
1986936 - Grafana shows wrong label on y-axis of network graphs
1986946 - High ICNI2 application pod creation times
1986971 - [RFE]Password of template is fixed, instead of a parameter
1986981 - Revise Alert Severity in OCP 4.9
1986988 - Pipeline builder workspace info popover is not accessible via keyboard
1986990 - Webhook tests should not use admission registration v1beta1
1987047 - VM console doesn't open to current console type when opened in a new window
1987083 - excludeMastersFromLB in Azure Cloud Config prevents service controller from adding masters
1987108 - Networking issue with vSphere clusters running HW14 and later
1987143 - update resources label for prometheus to 2.28.1
1987152 - [e2e][automation]deploy specific hpp version for tests
1987160 - opm alpha diff fails at headsonly mode
1987169 - Cannot create network attachment definition while operator is installed.
1987171 - When customizing boot source, password is shown in default font
1987192 - Disabled state/condition is not consistent
1987197 - Improve version checking in repository tooling
1987198 - The chart version dropdown says `Select the chart version` even when the dropdown is disabled
1987199 - NO-OP Helm Chart Rollback
1987230 - Operators should not create watch channels very often: bump apirequests upperbounds in 4.9
1987238 - A negative value applied for the "tlsInspectDelay" option caused the router pod to go into crashloop
1987250 - Remove diskEligible check from OCS
1987255 - Azure stack hub does not support zones, azure-cloud-provider crashes horribly on startup
1987279 - installer fails to destroy a cluster with a tagged access-point
1987289 - Epic ODC-5030 - Gherkin Scripts Design
1987344 - Links in help of the Edit Disk point to old documentation
1987845 - OpenStack IPI on provider network enforces unnecessary quotas
1987948 - Add high memory alert to Openshift
1988032 - cluster-autoscaler-operator and machine-api-operator tombstone manifests should contain CVO high-availability annotations
1988092 - Cypress: disable OLM globall install test, duplicate Operand tabs
1988123 - Driver Toolkit ART / OSBS builds are failing because of extract-vmlinux
1988133 - Cypress: enable OLM globall install test, handle multiple csv's crd versions
1988291 - 4.7 -> 4.8 upgrade, node-exporter can't rollout
1988349 - Insights report controller - set the corresponding clusteroperator condition correctly
1988351 - Add new OCM controller pulling periodically SCA certs
1988371 - AWS EBS: Mounting XFS volume clone or restored snapshot to same node failed
1988372 - Azure Disk: Mounting XFS volume clone or restored snapshot to same node failed
1988373 - GCE PD: Mounting XFS volume clone or restored snapshot to same node failed
1988374 - OpenStack Cinder: Mounting XFS volume clone or restored snapshot to same node failed
1988379 - Avoid connection pool full logs
1988424 - Only assign priority class in OCP environment for LSO
1988476 - remove dhclient binary from RHCOS
1988491 - quorum-guard health checks fail to report accurate health reporting
1988576 - Authentication operator fails to become available during upgrade to 4.8.2
1988801 - Router HAProxy backend balance option is blank missing random argument in haproxy.config
1988812 - [e2e][flaky] smoke tests may fail if vm already exist before vmi tests start
1988828 - oc adm must-gather runs successfully for audit logs 2e2 is failing
1988903 - Kms details empty in only MCG deployment
1988904 - Arbiter details not present in ODF wizard
1988905 - External mode deployments fails on parsing json in ODF wizard
1988976 - pkgman-to-bundle will exit with flag "--build-cmd"
1988992 - Worker machine object updated too many times [Azure]
1989005 - router pod is CrashLoopBackOff if configure spec.clientTLS.allowedSubjectPatterns to "*.openshift.com"
1989044 - [ART] Error reconciling Dockerfile for openshift/ose-sriov-network-operator in OCP v4.9
1989051 - Machine API Spot tests should set valid value for maxPrice
1989055 - logins to the web console fail when custom certificate is in use for the OpenShift oauth-server
1989058 - router pod stuck in ContainerCreating if removed configmap/router-client-ca-crl-default and update spec.clientTLS.clientCertificatePolicy
1989073 - KCM logs an error on startup when using external cloud providers
1989077 - vSphere CSI StorageClass events are repeated pathologically
1989101 - [ovirt] Update owners - csi-driver
1989102 - [ovirt] Update owners - csi-driver-operator
1989122 - rebase openshift/sdn to kube 1.22
1989143 - [e2e][automation] missing file for testing release-4.8
1989158 - re-enable disabled unidling e2e tests
1989215 - [openstack-cinder-csi-driver-operator] csi-liveness-probe is not deployed
1989246 - openshift-network-operator needs to handle API server downtime gracefully in SNO
1989335 - Etcd is degraded after upgrading to 4.9 with message "configmap openshift-config-managed/csr-controller-ca field manager is not valid"
1989342 - containernetworking-plugins: Add dpdk support to host-device plugin
1989391 - `oc adm groups sync` will generate useless data
1989417 - Enable back [sig-cli] oc adm storage-admin
1989423 - Enable back `[sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should be able to connect to a service that is idled because a GET on the route will unidle it`
1989431 - fail to "opm alpha diff" bundle image with heads-only mode.
1989440 - OCS Storage Cluster creation Multus network configuration not applied when only Cluster Network is selected
1989454 - Butane 0.13.0 generate MachineConfig object with ignition version 3.3.0 which is not supported in ocp4.9
1989456 - sriov operator cannot be upgraded to 4.9 from 4.8
1989460 - non-head bundle of the channel is included in output of opm alpha diff for heads-only mode
1989461 - kube-apiserver does not use the SO_REUSEPORT properly
1989462 - [v2v] MTV modal string changes
1989496 - typo in ClusterOperatorDegraded alert description part
1989504 - The code logic of channel clear is ambiguous, as well as the help info and output messages
1989505 - Enable back single oc observe test
1989507 - replace configmap with storageprofile
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1989600 - Registry server RSS and CPU utilization too high during normal operation
1989604 - IBMCLOUD: panic: runtime error: invalid memory address or nil pointer dereference
1989615 - HBO: Every node update triggers "lsp-add" for HBO ports unnecessarily
1989632 - Create EFS filesystem for dynamic provisioning
1989633 - staticpod/installer: backoff should not apply if latestAvailableRevision > targetRevision
1989688 - [SNO] Egress router pod not created in SNO ipv6 single stack cluster
1989694 - Bump OVN to ovn21.09-21.09.0-10.el8fdp
1989704 - Invalid olm.maxOpenShiftVersion properties have unclear/undefined behavior in OLM
1989707 - [Dev Only] Add HPA page shows error screen when you try to create HPA with default values
1989710 - Catalog operator wastes memory by caching complete copied CSVs
1989720 - Descheduler operator should allow configuration of PodLifetime seconds
1989722 - Descheduler operator should allow eviction based on soft topology constraints
1989724 - Descheduler operator should expose options for pods with PVCs and Local Storage
1989728 - Descheduler operator should verify config does not conflict with scheduler
1989734 - Whereabouts fails in 4.9 due to missing RBAC for leases
1989772 - openshift-controller-manager and operator needs to handle API server downtime gracefully in SNO
1989796 - the same bundle is in output of opm alpha diff
1989837 - [Migration] SDN migration rollback failed, stuck in MCO
1989839 - docs packages should not be installed in the ironic containers
1989842 - Console Observe > Metrics / Dashboards: Missing series appear in tooltip with value "0"
1989876 - Dashboards for OCS Storage System not available
1989887 - Metrics not shown in storage system list page under ODF
1989889 - UI crashes when accessing create new operand page
1989896 - CVE-2019-19794 : mdns-publisher uses miekg Go DNS package version < 1.1.25
1989914 - [e2e][flaky] increase timeouts
1989917 - OpenStack inconsistency reports on limits numbers for network quota check
1989961 - CI apiserver downtime calculation isn't quite right
1989973 - openshift-install explain text contains typo: cluster components will assume assume ownership of all resources
1989980 - Worker machine object updated too many times [vsphere]
1990012 - ControllerConfig Infrastructure does not match cluster Infrastructure resource
1990018 - Add Sprint 204 round 2 translations
1990024 - Eligible is misspelled in console-app
1990060 - [Assisted-4.8] Host returns no routes when routing table contains multipart
1990075 - azure-cloud-node-manager DaemonSet should use maxUnavailable: 10%
1990089 - Bundle validation does not fail for a bundle having multiple service account declaration with same name
1990115 - Multus whereabouts assigns duplicate IP addresses to pods when have large number of replicas
1990137 - Fix creation of EFS filesystem
1990140 - Samples operator management Removed failed to contact registry.redhat.io
1990146 - some controllers missing livenessProbe
1990205 - Console: Observe > Dashboards: "Cannot update during an existing state transition (such as within render)..." in browser developer console
1990206 - Incorrect AWS Supported instance type
1990316 - Deployment with virtualmedia fails on HP setup (real bm) - port missing in iso http path
1990432 - Volumes are accidentally deleted along with the machine [vsphere]
1990447 - Worker machine object updated too many times [gcp]
1990493 - [e2e][automation] test for storageProfile settings
1990496 - Cleaning can fail with SSLError "timed out"
1990541 - etcd: golang version should align with product
1990577 - Upgrade Ingress API version
1990601 - AzureDisk CSI driver is not installed by default on Azure Stack Hub
1990603 - [Descheduler] descheduler operator throws an error which reads "key failed with : scheduler.config.openshift.io "cluster" not found"
1990610 - Panic in the cluster-kube-apiserver-operator startup monitor enablement check
1990617 - Update Fedora CoreOS images to latest testing for OKD
1990631 - FailedToDeleteOVNLoadBalancer Error trying to delete the idling OVN LoadBalancer
1990725 - [Kuryr][4.9] KuryrSDNPodNotReady alert is missing the node name in the message
1990732 - Test failures caused by "volumeBindingMode" defaulting to "WaitForFirstConsumer"
1990781 - Large binary pkg/tool/gen-skus-map in Azure Disk repo
1990826 - New non-secure and secure routes without hsts annotation fail to get created in globally enforced hsts domain resources
1990850 - Registry databases that do not store properties as TEXT are not served
1990899 - PrivateIPAddressVersionCannotBeModified errors in CNO tests
1990970 - The development of ccoctl support for IBM left unused debug test binary in the source code
1990975 - ccoctl for IBM does not support all possible environment variables to pass APIKEY
1990988 - Samples library sync fails container test on php 7.2
1991068 - cluster-etcd-operator: tls ciphers should be checked for validity
1991095 - [External Mode] Dashboard shows incorrect deployment mode
1991316 - namespace should be with openshift as prefix
1991338 - "Network Attachment Definitions" is not able to load by a regular user
1991357 - Fresh installation shows kube-apiserver error NodeInstallerDegraded: 1 nodes are failing on revision 4
1991439 - Some hardcodes are detected at the code level in OpenShift console components
1991507 - [sig-cli] Kubectl client Simple pod should return command exit codes [Suite:openshift/conformance/parallel] [Suite:k8s]
1991508 - ppc64le and s390x CI jobs are failing with exec format errors
1991519 - [e2e][flaky] fix kubevirt hco creation
1991548 - [e2e][automation] add tests for disk preallocation
1991551 - Idle service cannot be waked up
1991566 - [e2e][automation] Disable protractor test in prow
1991662 - OLM Catalog Templating
1991730 - e2e-aws-proxy is failing with "Invalid value: []string{"us-west-2d", "us-west-2b"}: No subnets provided for zones"
1991793 - ECMP routes with invalid next hops still result in OF groups getting programmed
1991814 - "oc adm inspect co storage" returns an error message when there is no openshift-manila-csi-driver ns.
1991860 - Insights Operator panics with invalid memory address or nil pointer dereference" (runtime error: invalid memory address or nil pointer dereference)
1991977 - Kamelet sources shown in openshift-operators in eventsources but in other namespace shows up only if user created IP CR
1992004 - ci/prow/e2e-gcp-console flake "Create Application from git form"
1992013 - ci/prow/e2e-gcp-console flake "Create Application from Devfile.Create Application"
1992016 - Expose kubelet configuration parameters
1992148 - [Azure CSI] cannot deploy Azure Disk on ASH because /etc/kubernetes is read-only fs
1992193 - Race condition in cluster-storage-operator
1992255 - csi-snapshot-controller needs to handle API server downtime gracefully in SNO
1992405 - Sync upstream 1.10.1 downstream
1992463 - OKD: Installation to Libvirt fails due to no space left in /run
1992493 - 3 alerts have no annotations summary and description
1992502 - select storage class dropdown fail when using CNV2.6.5
1992507 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines
1992508 - documentationBaseURL should be updated to 4.9
1992555 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines
1992557 - failed to start cri-o service due to /usr/libexec/crio/conmon is missing
1992560 - all the alert rules' annotations "summary" and "description" should comply with the OpenShift alerting guidelines
1992591 - 2 different oc binaries are used in the `cli-artifacts` image
1992673 - Failed OCP build of openshift/ose-etcd:v4.9.0
1992677 - OLM upgradeable condition message unclear with MaxOpenShiftVersion set
1992714 - use existing pvc hotplug crashes
1992730 - Dynamic Plugins: localization does not work for plugin
1992820 - [Knative] Event Sources should be under Serverless group together with Channel
1992823 - Cluster autoscaler should use Kubernetes 1.22 dependencies
1992857 - [Azure CSI] Not enough permissions to list config maps in openshift-config ns
1992875 - [Azure CSI] Driver Node controller can't get config from the secret of Azure Stack Hub
1992876 - Gather OKD specific journal logs
1992900 - openshift/kubernetes fails to build on ARM
1992950 - [e2e][automation] create template from wizard
1992974 - Revision/Route list table doesn't have proper alignment/styles in admin perspective
1993002 - The "largestMaxAge" and "smallestMaxAge" in "maxAge" option for HSTS headers accepts negative values
1993007 - e2e tests fail because operator does not delete SriovNetworks
1993055 - node_exporter task, log message wrong
1993078 - Enable Auth config for ironic-api
1993087 - Azure StackHub: cluster-cloud-controller-manager-operator / azure-cloud-controller-manager / azure-cloud-node-manager does not support OCP azure credentials secret format
1993147 - Add aria-label to different OCS dashboard components
1993148 - Monitoring UI doesn't make use of React's memoization features
1993159 - [Azure] Instead of updating the spec actuator updates status twice
1993195 - Testing performance of sync plugin
1993207 - failed to list resource groups: Can not get resource groups without account id in parameter by service id token
1993260 - SRO RBAC error when deploying ping-pong CR
1993286 - Minor OpenShift upgrades blocked when olm.maxOpenShiftVersion = current Y-stream+1 and current Z-stream > 0
1993306 - Flaky e2e test: Event Sources on default Developer Catalog
1993444 - NFD - cstate detection enabled on s390x
1993757 - OCP 4.8 etcd unhealthy
1993788 - VM creation (customize flow): storage class mismatch between actual SC and "Edit Disk" screen
1993793 - Move CSIDriver from v1beta to v1
1993840 - openshift-samples should not change condition Degraded/Available (upgrades)
1993851 - EFS CSI driver operator does not have an icon
1993886 - operand creation form doesn't render correct format
1993920 - Improve Sysprep helper text
1993922 - The kubeletconfig controller has wrong assumption regarding the number of kubelet configs
1993931 - Storage operators use older kubernetes client
1993934 - Update CSI sidecars
1993955 - [External Mode] Fix margin issue with Details card on Block and File Page
1993975 - [not user facing][infrastructure] remove kubevirt dependants for dynamic plugin
1993977 - kube-rbac-proxy panic
1993980 - Kubelet regularly freeze control groups causing issues further down
1993999 - Some hardcodes are detected at the code level in OpenShift console components
1994035 - SNO: LSO diskmaker pod using excessive cpu
1994060 - API response for host routes includes misleading family number when IPv6 is enabled
1994069 - [4.9] bump OVN to ovn21.09-21.09.0-13.el8fdp
1994103 - [IBMCLOUD] Needs to have Terraform code converted to steps.
1994113 - local volume tests create lot of events churn
1994139 - k8s 1.22 bump for operator-lifecycle-manager
1994155 - thanos fails to build with latest imagebuilder
1994172 - rhel node does not join cluster conmon validation: invalid conmon path
1994253 - On OKD templates provided by kubevirt provider and supported by red-hat are marked as community templates
1994257 - Audit errors alert not created
1994277 - Changing the memory manager policy via the kubelet config will drop the node to NotReady state
1994410 - When machine creation failed due to validations, error contains "failed to create connection to oVirt API"
1994434 - service account sriov-network-config-daemon disappeared when sriov operator upgrade from 4.8 to 4.9 version
1994439 - Review page of ODF wizard does not follow console guidelines
1994443 - openshift-console operator incorrectly reports Available=false
1994454 - upgrade from 4.6 to 4.7 to 4.8 with mcp worker "paused=true", crio reports "panic: close of closed channel" which leads to a master Node going into a Restart loop
1994480 - Cluster Infrastructure owned components should use 1.22 dependencies
1994586 - Create local volume set step says "An error has occurred"
1994613 - disable all CI tests that require IPv6 internet connectivity
1994642 - Update CSI drivers
1994643 - kube-apiserver must not return 404 to garbage collection controller before being ready
1994647 - [ipv6] ovn-nbctl calls to find with nexthop= need quotes for IPv6
1994648 - Resolution failed error condition in Subscription not being removed after resolution error is resolved.
1994707 - cluster-etcd-operator: handle unstarted member condition in status request.
1994857 - [UPGRADE] kube-apiserver is degraded after upgrading to 4.9 with error "configmap openshift-config-managed/csr-controller-ca field manager is not valid"
1994872 - [4.9] oc fail to mirror release payload to local disk
1994891 - NTO: use the latest k8s 1.22 and openshift vendor dependencies
1994927 - Enable back [sig-network] Networking should provide Internet connection for containers using DNS
1994973 - Fix bundle config
1994975 - Next button is enabled when the flash system endpoint is invalid
1994979 - Fix skipRange
1994981 - Local Storage Operator does not have an icon
1994986 - etcd check perf causes issues on clusters if run
1994991 - olm.skipRange replacement is noop
1994997 - olm.skipRange substitution is noop in ART builds
1995043 - Two storage systems got created while creating one from UI
1995049 - tech / dev preview badge in search resource dropdown missing styles
1995110 - olm.skipRange is not set
1995116 - Pod logs shows incorrect lines number in the log window top banner
1995148 - Secret key for management address is incorrect for flash system
1995198 - OLM tests are failing on aws arm64
1995291 - oc new-app/new-build commands should not mention docker
1995300 - opm validate does not detect cycles in channels
1995325 - Projects page fails to render due to calling more hooks than previous render
1995330 - ovn-kubernetes load-balancer operations are very expensive
1995386 - bz 1990140 fix broke retry on tbr connection test
1995387 - OpenStack 4.8 -> 4.9 upgrade is permafailing periodic-ci-openshift-release-master-ci-4.9-upgrade-from-stable-4.8-e2e-openstack-upgrade
1995468 - Nodes can't resolve IPv4 address in dual stack configuration
1995523 - Pipeline Builder form throws an error when clicked on `Add Task`
1995525 - All storage systems are listed in the details page of a particular storagesystem
1995573 - oc adm certificate approve|deny help shows kubectl in the examples
1995612 - Block pool details page breadcrumb link is not pointing storage system details page
1995614 - "beta.kubernetes.io/os" is deprecated since v1.14
1995653 - upgrade rbac rules to use v1 APIS for LSO
1995655 - 4.9 installer should default ClusterVersion channel to stable-4.9
1995695 - Get insights on series churn during upgrades
1995727 - sync plugin no longer catches build deletes that occur between restarts
1995785 - long living clusters may fail to upgrade because of an invalid conmon path
1995804 - Rewrite carry "UPSTREAM: : create termination events" to lifecycleEvents
1995816 - Reduce cardinality of ovn-kubernetes event handler metrics
1995898 - [Descheduler] - The minKubeVersion should be 1.22
1995901 - Warnings are shown in the browser for Monitoring types
1996031 - cloud-provider-openstack: Merge upstream 1.22 tag
1996032 - cluster-kube-apiserver-operator should not run with pre-release libraries
1996081 - csi-driver-nfs: Merge upstream
1996094 - Missing key errors on containers page
1996097 - [Feature:IPv6DualStack] tests are failing in dualstack after renamed
1996116 - Block pool list page and detail page menu action is not disabled for default pool
1996124 - Add release architecture to openshift-install version
1996139 - make verify target always fails for upstream staging commits
1996156 - UI breaks for topology nodes which doesn't have a SideBar
1996158 - Dynamic Plugins: Unable to add nav sections to admin perspective
1996159 - Dynamic Plugins: Visiting a plugin route directly causes a 404 page to flash briefly
1996212 - Cluster Resource Override Admission needs to be migrated from v1beta1 to v1
1996306 - Build root container image fails to download the kubebuilder 2.3.1 executable successfully in CI
1996501 - Instance types with less than 8GB memory are listed in AWS UPI templates, but they do not meet memory minimum requirement for cluster
1996506 - Fix crd version for SriovNetworkPoolConfig
1996531 - [Assisted-4.8] [Integration] No 80 minutes timeout when SNO cluster is hang on rebooting
1996535 - Project selector flickers on the creation of namespace between current and newly created one
1996539 - error when selecting knative service in topology
1996566 - Manually created invalid Kamelets should be skipped in the eventsources list
1996620 - [SCC] openshift-oauth-apiserver degraded when a SCC with high priority is created
1996622 - The Authorized SSH Key input box fail to fill the SSH key on Advanced page
1996644 - ODF Internal Dashboard Not showing up
1996646 - Ties between competing SCCs may have wrong reasoning in audit logs
1996689 - RestrictedEndpointsAdmission controller needs to restrict EndpointSlices as well
1996718 - KSM flag --node should be --nodes in CMO assets
1996779 - fix racy disk check for vsphere cloud provider
1996783 - cloud-provider-openstack: Bump to Go v1.16 and OCP v4.9
1996785 - Unused rules in CMO
1996792 - Quick search modal missing icons and have unnecessary scrollbar
1996878 - opm does not print sqlite deprecation warnings
1996881 - oc adm catalog mirror does not print sqlite deprecation warnings
1996914 - Failed to get ImpersonateHeaders TypeError: i.a is undefined
1996941 - Monitoring operator is degraded because expected 8 ready pods for "node-exporter" daemonset but got 6 when upgrading windows cluster to 4.9
1997029 - OCS Dashboard should not show when ODF is present
1997034 - Drop high cardinality cAdvisor metrics
1997048 - User can create same domain mapping multiple times
1997050 - CNO panic: runtime error: invalid memory address or nil pointer dereference
1997062 - crio-o: "no space left on device" issue is seen on latest 4.9 builds
1997079 - Custom time range not working
1997102 - Gherkin for observe tab in workload sidebar is not aligned with latest UI
1997108 - react warning loading dev perspective /topology
1997114 - EgressFirewall may fail to be applied due to address_set missing
1997122 - [LocalVolume] provisioning fails silently if device is already claimed
1997131 - Update the pipeline quicksearch with latest design
1997135 - Unable to start export if deleted export CR from different window
1997168 - Remove unused variable in parser config file
1997179 - Serverless installation is failing on CI jobs for e2e tests
1997183 - Update Kube dependencies in MCO to 1.22
1997187 - Update analyze script vendor size to 3.5MiB
1997207 - newETCD3Client does not use existing context
1997267 - Add translations from Sprint 205 part 2
1997270 - bump OVN to ovn21.09-21.09.0-15.el8fdp
1997347 - Take etcd backups before minor-version OpenShift updates
1997379 - [e2e][automation] add tests for showing multiple IP address on UI
1997407 - power-of-two balancing feature set "Random" as default balancing for passthrough routes
1997420 - Revert wrong change on api-usage rules
1997422 - Hardcode happens when create VolumeSnapshots
1997438 - Syntax error appears to break the ovn egressFirewall policy during the cluster upgrade
1997461 - [UI][LSO] "Local Storage Operator not installed" message statement is not appropriate
1997465 - Fix panic in the LRU cache
1997475 - e2e-agnostic-operator tests fail occasionally after 30 minutes because of timeout
1997482 - Remove mask from behind modal in Pipeline Builder Tekton Hub Integration
1997486 - Node Tuning Operator(NTO) - Missing [sysfs] section in openshift profile
1997507 - Cluster cloud controller manager operator fails to upgrade on a single node cluster
1997528 - instance:etcd_object_counts:sum and cluster:usage:resources:sum use the etcd_object_counts metric which is deprecated
1997596 - UpdateAvailable alert is re-triggered on pod and other label changes
1997655 - React warning when open pipeline list page (with at least one pipeline)
1997657 - Kubelet rejects pods that use resources that should be freed by completed pods
1997787 - Descheduler default for evict pods with PVCs is incorrect
1997790 - Add Azure Stack UPI Templates
1997811 - Marketplace Operator should use k8s 1.21+ dependencies
1997929 - MachineSets list and details page headings should follow same format with other resources
1997972 - CMO dependencies must be pinned for release
1997993 - SNO deployment on HPE e910 blades fails because the node always boots from virtualmedia
1998015 - Observe > Metrics / Dashboards performance: Graph tooltips process all points even if they won't be displayed
1998031 - [bz-openshift-apiserver] clusteroperator/openshift-apiserver should not change condition/Degraded: master nodes drained too quickly
1998047 - Missing UI flags after install creation
1998146 - service VIP was not removed after removing one node
1998168 - Final Toast has download which is a button and should be an anchor tag
1998207 - Helm upgrade on OpenShift 4.9 failing with schema errors
1998240 - Helm side panel should be consistent with operatorhub and show support URL
1998247 - Tuned configuration fails and does not recover when profile references a not yet existing performance profile configuration
1998311 - Enable Manual Credentials Mode on Azure Stack Hub
1998319 - Dynamic Plugins: dynamic route chunks are not lazy loading
1998347 - Language preference does not reflect on console load
1998364 - Inconsistent react-i18next mocks in unit tests
1998388 - User preference screen shows "Create Namespace" instead of "Create Project"
1998394 - [e2e][automation] add tests for RHEL9 template
1998408 - Git import flow: Dockerfile is detected but file name is not used
1998411 - Name is not autofilled when git URL contains trailing slash
1998413 - Expanding portions of Helm Form overlay section title and include an area which is disconnected
1998423 - upgrade from 4.8.6 to 4.9.0-0.nightly-2021-08-26-164418, blocked by dns upgrade due to FailedCreatePodSandBox for pods
1998431 - AppName & Name are not auto-updated when modifying the Internal registry details in container image page
1998466 - Cloud controller manager fails to upgrade on a single node cluster
1998508 - CNO reports incorrect status during slow/failed install
1998528 - Sync latest upstream bugfixes to OCP ironic container image
1998552 - Enforce OpenShift's defined kubelet version skew policies
1998563 - Column headers don't match content in pod and machine list
1998575 - Insert sample YAML do nothing on BuildConfig and was mistakenly shown when editing a resource
1998587 - BuildConfig form doesn't update app.openshift.io/vcs-uri annotation
1998598 - ptp operator can not enable event publisher sidecar
1998614 - Pod creation failed with CNI request timeout due to stale data in cache.
1998616 - Show fully qualified domain name (FQDN) on a Service's page
1998637 - Update ironic-ipa-downloader container with latest tested code & RHEL updates
1998643 - e2e-metal-ipi-virtualmedia and e2e-metal-ipi-ovn-ipv6 are failing to install
1999018 - [ASH] upgrade stuck due to Cluster cloud controller manager deployment strategy error
1999026 - Detect ODF managed services when OCS operator is installed
1999039 - [UI] OpenShift Data Foundation Overview page is showing wrong status of storage system
1999075 - Move the selected workload to the full view in topology canvas
1999093 - Pods list appears to unmount / remount on some updates
1999119 - bump golang version of installer to 1.16
1999131 - [e2e][automation] adjust layout by cypress conventions
1999138 - [CNO] [OVN-K] The network-unavailable taint needs to be from upstream k8s and not ovn-k specific
1999159 - Remove evan from owners
1999168 - Busted VPA graphic in OperatorHub
1999179 - Import from git as Serverless Service creates an incomplete BuildConfig (Secret is missing)
1999185 - ptp config with summary_interval 0 throws parsing error in the log
1999187 - VPA E2E test aws-operator is failing due to use of removed v1beta1 RBAC API
1999210 - [e2e][automation] add tests for VM wizard Cloudinit editor fields
1999225 - Descheduler operator needs new profiles for 4.9
1999266 - Click issue in topology page context menu
1999292 - "System projects" does not align with the docs terminology, which uses "default projects"
1999297 - [Assisted-4.8 ][SaaS] vip-dhcp-allocation mode broken cannot set networking for cluster
1999326 - Automated day-2 configuration deployment for ZTP
1999393 - Form / YAML switch makes unnecessary network calls to save latest editor type
1999397 - Prometheus: data race in the loadWAL function
1999404 - [e2e][automation] add tests for rootdisk validations
1999421 - OKD: revert initial FCOS to 20210626.3.1
1999422 - Missing feature flags for new features
1999577 - RHCOS live ISO can fail to boot in UEFI mode; drops to grub shell
1999593 - SNO: Add e2e test for RT kernel switch
1999614 - Edit D/DC forms should display D/DC name being edited to provide context
1999615 - UI crashes when clicked on the grey background of the topology view if projects dropdown is open
1999627 - Import from git flow doesn't recommend build image when a Dockerfile exists
1999631 - Show advanced Git options is not clickable (again) in new Git import flow
1999648 - Remove remaining Storage Class in console-app
1999656 - pipeline run count chart discrepancies with other chart values
1999658 - E2E test failures due to github rate limiting
1999669 - BackingStore Details Page is breaking
1999674 - Warn users about using deprecated vSphere version
1999719 - last selected tab in topology side panel is not persisted
1999723 - Cannot Select Text with Cursor in QuickSearchModal bar
1999729 - Dynamic Plugin SDK component has wrong spelling
1999823 - Admin web-console should linkify ClusterVersion and ClusterOperator condition messages
1999852 - Bump OVN to ovn21.09-21.09.0-18.el8fdp
1999853 - cluster-storage-operator not honoring the control plane topology setting for the csi driver operator deployment
1999862 - ZTP example 'tuned-performance-patch' policy refers to the wrong tuned profile name
1999879 - Update ansible collections; follow on to 1.10 update.
1999951 - VPA won't operate on pods created by custom controllers
2000108 - Inspecting a chart takes to empty metrics
2000126 - high load on Prometheus using the ptp operator
2000144 - GetBundleForChannel registry endpoint performs significant needless work
2000146 - opm render includes channel metadata in properties when rendering bundles
2000186 - NetworkPolicy: allow from hostnetwork policy and allow from router (policy-group.network.openshift.io/ingress: "") does not work for network plugin openshiftSDN
2000191 - Make durations for CCCMO leader election operations compatible with the OpenShift standards
2000226 - Unable to have multiple charts in one configmap
2000253 - oc edit ptpconfig causes cloudevent sidecar to crash and restart
2000259 - Add Sprint 206 translations
2000294 - report apiversion of esxi host and vcenter server
2000321 - README file on github refers to '{product-title} but should be 'OpenShift'
2000352 - Default OVA import to HW15
2000391 - [e2e][automation] review skipped tests
2000440 - OCS Quick Start should not be shown unless you have proper privileges
2000473 - Observe > Dashboards: Dashboards are sometimes blank (no data loading)
2000491 - Remove TechPreview Badge from Red Hat integration camel K operator
2000492 - Conditional data gathering validation & refactoring
2000499 - If export app toast is not cleared by the user and a new one is triggered then old toast download gives 404
2000576 - Creating a StorageSystem with MCG only deployment is failing
2000584 - `[sig-storage] EmptyDir volumes pod should support memory backed volumes of specified size` is permafailing on OKD 4.9
2000589 - [sig-node] crictl should be able to run crictl on the node
2000590 - Warning on topology context menu right click
2000596 - (release-4.9) Update K8s & OpenShift API dependencies versions
2000607 - Domain mapping movement from one service to another is not intuitive
2000608 - static pod startup monitor should log to a log file in addition to stderr
2000633 - Issue with the UI of observer page when screen size is reduced
2000636 - Edit Deployment form drops strategy data when switching type
2000689 - [block-pool-dashbaord] Expandable section in mirroring card is empty when no image for mirroring
2000721 - Bump OVS userland to openvswitch2.16-2.16.0-6.el8fdp
2000726 - ZTP PolicyGen failed to create CRs during synchronization of 1 site
2000768 - Quick Starts provide incorrect guidance when Che/CRW is installed
2000820 - (release-4.9) Gather PodSecurityPolicies names installed in a cluster
2000833 - Webpack warnings about missing types when running dev build
2000873 - Toast shows list style on uploadJar toast and export app toast
2000935 - add volume mode selection in storage creation (external IBM FlashSystem)
2000965 - [e2e][automation] remove login prompt check until it's clearly needed
2001263 - [e2e][automation] create vm from template list and action dropdown
2001288 - Virtualization is not available in Home Overview when CNV version is 2.6.z
2001292 - import vm action is not hidden
2001958 - Cluster becomes degraded if it can't talk to Manila
2001983 - Incorrect StorageCluster CR created and ODF cluster getting installed with 2 Zone OCP cluster
2002196 - Pass down proxy env to operands failed for ansible type operator
2002197 - Pass down proxy env to operands failed for helm type operator
2002200 - Operator-lib proxy block the "ReadProxyVarsFromEnv" for go type operator
2002288 - [4.9] kube-proxy's userspace implementation consumes excessive CPU
2002338 - Bump descheduler to k8s 1.22
2002361 - Missing the ability to set networkType in SiteConfig during ZTP flow
2002374 - Inexplicably slow kubelet on bootstrap makes installation fail
2002502 - []corev1.EnvVar{} can't be appended to container.env
2002543 - Test: oc adm must-gather runs successfully for audit logs - fail due to startup log
2002561 - Failing tests: "volumeMode should fail in binding dynamic provisioned PV to PVC"
2003161 - [SCALE] ovnkube CNI: remove ovs flows check
2003197 - CRI-O leaks some children PIDs
2003245 - [4.9] Revert libovsdb client code
2003306 - Rejected pods should be filtered from admission regression
2003545 - Remove openshift:kubevirt-machine-controllers declaration from machine-api
2004137 - ptp/worker custom threshold doesn't change ptp events threshold
2004146 - Need Device plugin configuration for the NIC "needVhostNet" & "isRdma"
2004337 - [4.9] OVN CNI should ensure host veths are removed
2004340 - [4.9] Pod creation failed due to mismatched pod IP address in CNI and OVN
2004568 - Cluster-version operator does not remove unrecognized volume mounts
2004676 - [4.9] Boot option recovery menu prevents image boot
2004712 - TuneD issues with the recent ConfigParser changes.
2004924 - [SNO]ingress/authentication clusteroperator degraded when enable ccm from start
2004961 - output of "crictl inspectp" is not complete
2005108 - removing and recreating static pod manifest leaves pod in error state
2005462 - [4.9] ovn-kube may never attempt to retry a pod creation
2005476 - [4.9] [ICNI2] 'ErrorAddingLogicalPort' failed to handle external GW check: timeout waiting for namespace event
2006145 - 4.8.12 to 4.9 upgrade hung due to cluster-version-operator pod CrashLoopBackOff: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
2006432 - [4.9] Remove workaround keeping /boot RW for kdump support
2006782 - Missing ZTP ArgoCD Container Image
2006962 - [4.9] OS boot failure "x64 Exception Type 06 - Invalid Opcode Exception"
2007086 - [4.9] Bootimage bump tracker
2007089 - [4.9] Intermittent failure mounting /run/media/iso when booting live ISO from USB stick
2007324 - race condition in cluster-bootstrap can cause crashlooping bootstrap kube-apiserver
2007458 - crio's selinux module has performance improvements when compiled with golang 1.16
2007684 - [4.9.z] PVs remain in Released state for a long time after the claim is deleted
2008619 - ImageStream with RHCOS version tag needed for RHODS GPU support
2008944 - Azure Stack UPI does not have Internal Load Balancer
2009059 - Placeholder bug for OCP 4.9.0 metadata release
2009342 - The serviceAccountIssuer field on Authentication CR is reset to “” during the installation process
2009467 - [4.9] container-selinux should come from rhel8-appstream
2009530 - Deployment upgrade is failing availability check
2009652 - [4.9] Multipath day1 not working on s390x
2009653 - [4.9] Bootimage bump tracker
2009738 - [IPI-on-GCP] 'Install a cluster with nested virtualization enabled' failed due to unable to launch compute instances
2009842 - cannot build extensions on aarch64 because of unavailability of rhel-8-advanced-virt repo
2010066 - [Assisted-4.9][Integration] Unable to generate ISO with error: Failed to fetch base ISO information: NotFound
2010074 - [e2e][automation] CI tests fail because of wrong test cnv version installed
2010372 - Reverts PIE build mode for K8S components
2010486 - SRO package name collision between official and community version
2010529 - [backport 4.9] openshift-gitops operator hooks gets unauthorized (401) errors during jobs executions
2010861 - Failure building EFS operator
2010954 - SRO CSV uses non default category "Drivers and plugins"
2011050 - Storage operator is not available after reboot cluster instances
2011087 - Backport audit log silence change
2011350 - RenderOperatingSystem() returns wrong OS version on OCP 4.7.24
2011701 - Bootkube tries to use oc after cluster bootstrap is done and there is no API
2011815 - Kubelet rejects pods that use resources that should be freed by completed pods
2011951 - [4.9] ClusterVersion Upgradeable=False MultipleReasons should include all messages
2011958 - [4.9] [tracker] Kubelet rejects pods that use resources that should be freed by completed pods
2011961 - [4.9] [tracker] Storage operator is not available after reboot cluster instances
2011985 - SRO bundle references non-existent image
2012008 - APIRemovedInNextReleaseInUse: give exact command in description

5. References:

https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-26539
https://access.redhat.com/security/cve/CVE-2021-26540
https://access.redhat.com/security/cve/CVE-2021-28092
https://access.redhat.com/security/cve/CVE-2021-28169
https://access.redhat.com/security/cve/CVE-2021-29059
https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-32690
https://access.redhat.com/security/cve/CVE-2021-33194
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33196
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34428
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36980
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
https://listman.redhat.com/mailman/listinfo/rhsa-announce