Back to index
Download the installer for your operating system or run
oc adm release extract --tools quay.io/openshift-release-dev/ocp-release:4.14.58-x86_64 Team Approvals:
Tests:
Blocking jobs Informing jobs Upgrades from:
Untested upgrades:
4.13.23 ,
4.13.24 ,
4.13.25 ,
4.13.26 ,
4.13.27 ,
4.13.28 ,
4.13.29 ,
4.13.30 ,
4.13.31 ,
4.13.32 ,
4.13.33 ,
4.13.34 ,
4.13.35 ,
4.13.36 ,
4.13.37 ,
4.13.38 ,
4.13.39 ,
4.13.40 ,
4.13.41 ,
4.13.42 ,
4.13.43 ,
4.13.44 ,
4.13.45 ,
4.13.48 ,
4.13.49 ,
4.13.50 ,
4.13.52 ,
4.13.53 ,
4.13.54 ,
4.13.55 ,
4.13.56 ,
4.13.58 ,
4.14.10 ,
4.14.11 ,
4.14.13 ,
4.14.14 ,
4.14.15 ,
4.14.16 ,
4.14.17 ,
4.14.18 ,
4.14.19 ,
4.14.20 ,
4.14.21 ,
4.14.22 ,
4.14.23 ,
4.14.24 ,
4.14.25 ,
4.14.26 ,
4.14.27 ,
4.14.28 ,
4.14.29 ,
4.14.3 ,
4.14.30 ,
4.14.31 ,
4.14.32 ,
4.14.33 ,
4.14.34 ,
4.14.35 ,
4.14.36 ,
4.14.37 ,
4.14.38 ,
4.14.39 ,
4.14.4 ,
4.14.40 ,
4.14.42 ,
4.14.43 ,
4.14.44 ,
4.14.45 ,
4.14.46 ,
4.14.48 ,
4.14.49 ,
4.14.5 ,
4.14.50 ,
4.14.51 ,
4.14.52 ,
4.14.53 ,
4.14.54 ,
4.14.6 ,
4.14.8 ,
4.14.9
Loading changelog, this may take a while ...
Changes from 4.14.1
Created: 2025-10-23 18:04:30 +0000 UTC
Image Digest: sha256:3f2d4bc82096d5d4d5655e9182b65cdfcf2f33d0f22d07e2fa21c6b3a6132421
Components
Rebuilt images without code change
e2e:performance: decode to valid kubeletconfig object (#1276) #1276
Fix context deadlines in ExecCommandOnPod() (#1272) #1272
OCPBUGS-44506 : Drop sched_migration_cost_ns setting (#1215) #1215
OCPBUGS-44283 : right-hand-side profile_dirs take precedence (#1210) #1210
OCPBUGS-42567 : Add cluster-wide proxy env file (#1176) #1176
TuneD prior to kubelet in one-shot mode (#1137) #1137
OCPBUGS-37754 : Remove tuned/rendered object (#1133) #1133
OCPBUGS-37734 : Backport fix for OCPBUGS-36355 (#1126) #1126
OCPBUGS-33929 : Negative net interface name does not reduce queues (#1074) #1074
Add a ‘.snyk’ to silence static code analysis warnings (#1002) #1002
OCPBUGS-30153 : fix rendering extra ctrcfgs (#978) #978
fix extra-reboot on upgrade with paused mcp worker (#1053) #1053
OCPBUGS-31694 : E2E: Workload hints test cases fixes (#1012) (#1052) #1012
Systemd processes not being moved to cpuset/systemd.slice fix (#1040) #1040
Reduce number of reboots in offline tests (#1035) #1035
OCPBUGS-30507 : Add performance real time tuned template (#984) (#1025) #984
Report duplicate priority only for multiple matching profiles (#1018) #1018
Scheduler plugin: ignore IRQs (#1023) #1023
irqbalance: set banned cpus list to 0 (#994) #994
OCPBUGS-18640 : [release-4.14][manual] backport performance profile owner reference ehnancements (#989) #989
rps: fail silently when rps application failed (#901) #901
OCPBUGS-25982 : E2E: Add tests for Dynamic ovs pinning (#904) (#913) #904
OCPBUGS-26003 : E2E: PPC Test cases (#905) #905
Make MC names deterministic (#903) #903
OCPBUGS-25671 : rps: fix mask update for SR-IOV devices (#891) #891
OCPBUGS-18640 : Fix Racing Machine Configs and add Day 0 Support (#854) (#871) #854
OCPBUGS-24638 : Do not set default RPS sysctl twice (#880) #880
OCPBUGS-21845 : rps: trigger udev event per queue #832 (#832) #832
OCPBUGS-21845 : e2e:rps: improve logging (#831) #831
render: change dir path (#826) #826
Disable HTTP/2 for webhook and metrics servers (#841) #841
Remove obsolete protocols and weak ciphers (#835) #835
Full changelog
OCPBUGS-61176 : Add missing service network DNS entries to KAS cert #6742
OCPBUGS-57321 : Add validation to avoid conflicts between KubeAPIServer and NamedCertificates SANs #6231 #6252
OCPBUGS-55936 : [release-4.14] Add konnectivity-proxy sidecar to openshift-oauth… #6129
CNTRLPLANE-921 : Konflux build pipeline service account migration #6080
CNTRLPLANE-921 : Konflux build pipeline service account migration #6085
OCPBUGS-51802 : Fix golang crypto dependency go.mod replacement #5996
OCPBUGS-53899 : bump golang-jwt v4 #5909
OCPBUGS-53433 : Prevent IgnitionServer from flooding the API server with patch requests #5878
OCPBUGS-51731 , OCPBUGS-51802 : Bump dependencies to OCP fork in backports #5899
Red Hat Konflux update control-plane-operator-4-14 #5953
ART-11792 : update go mod dependency for konflux #5921
OCPBUGS-53314 : Fix IsIPv4 function identifying also addresses instead of CIDRs #5867
OCPBUGS-45559 : Add Network Policies for Konnectivity server and Ignition server proxy #5816
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.6.6 #5730
NO-JIRA: chore(deps): update dependency mkdocs-material to v9.6.6 #5725
chore(deps): update dependency mkdocs-mermaid2-plugin to v0.6.0 #5687
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.6.5 #5681
NO-JIRA: chore(deps): update dependency mkdocs-material to v9 #5688
OCPBUGS-50700 : add region to AWS creds passed to operators managed by CPO #5668
NO-JIRA: Red Hat Konflux update control-plane-operator-4-14 #5339
OCPBUGS-47630 : Separate CPO containerfiles #5619
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.6.4 #5538
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.6.1 #5537
OCPBUGS-49405 : add ValidIDPConfiguration condition to report IDP config issues #5520
NO-JIRA: chore: update konflux references & bump up go version to 1.20 #5517
NO-JIRA: Update squidfunk/mkdocs-material Docker tag to v9.5.50 (release-4.14) #5444
NO-JIRA: Update dependency mkdocs-material to v8.5.11 (release-4.14) #5430
NO-JIRA: [release-4.14] Bump golang.org/x/crypto and golang.org/x/net #5372
NO-JIRA: Update dependency mkdocs-glightbox to v0.4.0 (release-4.14) #5331
NO-JIRA: Update dependency mkdocs to v1.6.1 (release-4.14) #5330
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.49 (release-4.14) - abandoned #5308
OCPBUGS-44279 : Configure OAuth https proxy to dial cloud endpoints directly #5067
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.45 (release-4.14) #5162
NO-JIRA: chore(deps): update konflux references (release-4.14) #5145
NO-JIRA: chore(deps): update konflux references (release-4.14) #5121
NO-JIRA: chore(deps): update registry.access.redhat.com/ubi9-minimal docker tag to v9.5-1731518200 (release-4.14) #5105
NO-JIRA: Update Konflux references (release-4.14) #5100
chore(deps): update konflux references (release-4.14) #5076
NO-JIRA: chore(deps): update konflux references (release-4.14) #5055
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.44 (release-4.14) #5056
NO-JIRA: Update Konflux references to fedcfe0 (release-4.14) #5043
chore(deps): update konflux references (release-4.14) #5026
chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.43 (release-4.14) #5021
chore(deps): update konflux references to f53fe54 (release-4.14) #5020
NO-JIRA: Update Konflux references (release-4.14) #5011
OCPBUGS-41701 : cmd: report server version, supported OCP #4718
NO-JIRA: chore(deps): update konflux references (release-4.14) #4975
OCPBUGS-43688 : Use guest DNS resolution in Konnectivity HTTPS proxy by default #4964
chore(deps): update konflux references (release-4.14) #4953
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.42 (release-4.14) #4948
OCPBUGS-43368 : Let payload generation pick the release for the NodePool #4913
NO-JIRA: chore(deps): update konflux references (release-4.14) #4934
NO-JIRA: chore(deps): update konflux references to 66f551f (release-4.14) #4924
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.41 (release-4.14) #4917
NO-JIRA: chore(deps): update konflux references to 674e70f (release-4.14) #4910
NO-JIRA: chore(deps): update konflux references (release-4.14) #4898
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.40 (release-4.14) #4879
NO-JIRA: chore(deps): update konflux references to 37b9187 (release-4.14 #4851
OCPBUGS-42533 : enable audit log for oauth-openshift #4822
chore(deps): update registry.access.redhat.com/ubi9/go-toolset docker tag to v1.21.13 (release-4.14) #4794
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.39 (release-4.14) #4828
NO-JIRA: chore(deps): update konflux references (release-4.14) #4813
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9.5.38 (release-4.14) #4805
NO-JIRA: chore(deps): update squidfunk/mkdocs-material docker tag to v9 (release-4.14) #4788
chore(deps): update registry.access.redhat.com/ubi9-minimal docker tag to v9.4-1227.1726694542 (release-4.14) #4758
chore(deps): update squidfunk/mkdocs-material docker tag to v8.5.11 (release-4.14) #4784
OCPBUGS-41374 : CPO oauth idp converter: resolve names before dialing #4763
NO-JIRA: chore(deps): update konflux references to 5ac9b24 (release-4.14) #4783
chore(deps): update konflux references to 2c3426a (release-4.14) #4773
NO-JIRA: chore(deps): update konflux references (release-4.14) #4757
OCPBUGS-42221 : Make guest cluster components use the correct KAS port #4753
OCPBUGS-38060 : Add HTTP konnectivity proxy to OAuth server #4498
OCPBUGS-38066 : [release-4.14] Use HTTP proxy for ingress controller #4724
NO-JIRA: Security fixes for openshift-ci-security job #4752
OCPBUGS-42184 : copy image-registry AdditionalTrustedCA configmap into HC openshift-config #4747
OCPBUGS-41506 : fix: bump google.golang.org/protobuf #4687
HOSTEDCP-1957 : bump go-jose version #4698
OCPBUGS-39378 : Set KCM node monitor grace period #4659
chore(deps): update konflux references (release-4.14) #4683
OCPBUGS-39183 : fix: bump github.com/IBM/go-sdk-core/v5 #4626
NO-JIRA: Add PodDisruptionBudget for router deployment #4692
NO-JIRA: Revert “Merge pull request #4661 from jparrill/bp-4.14/OCPBUGS-24308” #4667
NO-JIRA: PDB backports #4661
NO-JIRA: Konflux migration 4.14 #4648
OCPBUGS-39230 : set proxy envvars on aws CCM #4638
OCPBUGS-38791 : Let the CPO oidc check resolve through data plane #4617
NO-JIRA: Flaky cert validation test #4633
HOSTEDCP-1897 : [release-4.14] Allow setting Kube APIServer maximum requests in flight #4553
OCPBUGS-37076 : Fixed audit-logs sigterm failing to terminate gracefully #4369
OCPBUGS-38624 : remove weak ciphers from security profile #4575
OCPBUGS-37173 : Add newline after TLS certs referenced by image.config #4471
OCPBUGS-37172 : OCPBUGS-35899: Doubled machineHealthCheck timeout on Agent and None #4490
OCPBUGS-36944 : [release-4.14] Add HTTP(s) konnectivity proxy and use it with OpenShift APIServer #4360
HOSTEDCP-1795 , HOSTEDCP-1796 : Customize the self-generated cert validity and rotation #4473
OCPBUGS-37175 : Delete IDMS in dataplane once HCP ICS field is removed #4472
NO-JIRA: Konflux mce-2.4 pipeline fixes #4464
NO-JIRA: [release-4.14] OCPBUGS-36297: kubevirt-csi-driver: Pass infra kubeconfig in case of external infra #4288
NO-JIRA: [release-4.14] test/e2e: remove api budget checks #4438
NO-JIRA: chore(deps): update registry.access.redhat.com/ubi9/go-toolset docker tag to v1.21.11-2 (release-4.14) - abandoned #4363
NO-JIRA: Update registry.access.redhat.com/ubi9/go-toolset Docker tag to v1.21.10-1.1719562237 (release-4.14) - abandoned #4326
NO-JIRA: Update registry.access.redhat.com/ubi9-minimal Docker tag to v9.4-1134 (release-4.14) - abandoned #4325
OCPBUGS-36518 : Run haproxy to connect to kas from data plane if noproxy settings contain kas #4315
OCPBUGS-36159 : Generate default worker security group rules based on machineCIDR #4270
OCPBUGS-35549 : Restrict image registry overrides to control plane component #4223
OCPBUGS-35365 : fix router on 4.14 y-stream upgrade #4205
NO-JIRA: chore(deps): update konflux references (release-4.14) #4257
OCPBUGS-35401 : Fix disconnected metadata inspection for nodepool #4208
OCPBUGS-35482 : Add TrustedBundles to OAS container #4216
OCPBUGS-35290 : [release-4.14] Backport etcd defrag #4189
NO-JIRA: chore(deps): update konflux references (release-4.14) #4248
OCPBUGS-35183 : add AWS STS URL to OIDC provider audiences #4179
NO-JIRA: hack: make the e2e script generic #4201
chore(deps): update konflux references to 2be7c9c (release-4.14) #4225
NO-JIRA: Update Konflux references to 1025001 (release-4.14) #4181
NO-JIRA: chore(deps): update konflux references (release-4.14) #4168
OCPBUGS-34856 : [release-4.14] OCPBUGS-34855: Add new permission required in CAPA #4149
NO-JIRA: test/e2e: fix prometheus serviceaccount handling against 4.16+ #4159
NO-JIRA: chore(deps): update rhtap references (release-4.14) #4112
NO-JIRA: chore(deps): update rhtap references to 9aec3ae (release-4.14) #4073
NO-JIRA: Remove CLI inspection of release image #4061
OCPBUGS-33713 : Reconcile over ICSP/IDMS #4059
NO-JIRA: chore(deps): update rhtap references to 7cd8020 (release-4.14) #4065
OCPBUGS-33844 : Fix disconnected metadata inspection #4049
OCPBUGS-33843 : Recycler-pod image now points to the OCP Payload reference #4048
NO-JIRA: chore(deps): update rhtap references (release-4.14) #4040
HOSTEDCP-1480 : Update TLS cert hash creation with sha512 #4025
NO-JIRA: Update RHTAP references (release-4.14) #3995
HOSTEDCP-1552 : Update RHTAP tekton files for 0.3 -> 0.4 migration #3958
OCPBUGS-33105 : [release-4.14] remove PrivateIngressController cleanup #3960
OCPBUGS-32471 : Fix ICSP and IDMS inclusion as registriesOverrides #3912
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3920
OCPBUGS-32221 : Added support for OLM Disable default sources on HC creation #3882
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3903
NO-JIRA: [4.14] [e2e test framework] Add a flag to add an annotation to Hosted Cluster #3905
HOSTEDCP-1526 : [release-4.14] Support additional node selectors for request serving nodes #3898
chore(deps): update rhtap references (release-4.14) #3888
NO-JIRA: Update RHTAP references (release-4.14) #3874
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3869
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3858
NO-JIRA: Update RHTAP references (release-4.14) #3836
OCPBUGS-31657 : disable http2 for ignition server and proxy #3831
OCPBUGS-31605 : inject built-in MCP selector for KubeletConfigs and ContainerRuntimeConfigs #3826
HOSTEDCP-1322 : NodeUpgradeType defaulted by provider #3822
NO-JIRA: Update RHTAP references (release-4.14) #3813
OCPBUGS-31417 : honor HC image configuration #3806
OCPBUGS-23914 : Added OLMCatalogPlacement option to the CLI #3229
OCPBUGS-30211 : set Konnectivity cipher suites #3679
chore(deps): update rhtap references (release-4.14) #3792
OCPBUGS-31048 : [4.15] HCP deletion can get stuck if CPO is unable to delete the default worker security group #3771
HOSTEDCP-1488 : Use regionalized STS endpoints in AWS #3756
NO-JIRA: Update RHTAP references (release-4.14) #3755
chore(deps): update rhtap references (release-4.14) #3739
OCPBUGS-30596 : Bump golang.org/x/net to version v0.17.0 #3711
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3706
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3676
NO-JIRA: Update RHTAP references (release-4.14) #3672
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3651
OCPBUGS-29782 : use 2040 for apiserver svc in IBM provider #3594
”[release-4.14] OCPBUGS-29259: Fix default release image lookup” #3550
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3620
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3625
OCPBUGS-29094 : Make ControllerAvailabilityPolicy immutable #3534
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3604
NO-JIRA: Update RHTAP references (release-4.14) #3591
NO-JIRA: Update RHTAP references (release-4.14) #3519
NO-JIRA: Approvers update #3580
MULTIARCH-4084 : Reduce the policy access scope to specific instance #3530
OCPBUGS-29206 : Add GC knobs for KAS #3543
OCPBUGS-29187 : node spread anti-affinity for HA HCP #3541
OCPBUGS-19956 , OCPBUGS-28984 , OCPBUGS-28985 , OCPBUGS-28986 , OCPBUGS-29000 : Support Disconnected HCP #3520
OCPBUGS-29030 : Add ValidatingAdmissionPolicy to KAS config #3524
HOSTEDCP-1272 : Added CLI support to create DualStack clusters using default values #3514
OCPBUGS-28238 : consider HCP upgradeable if CVO has no upgradable condition #3468
OCPBUGS-26526 : Documented to disable UWM telemetry writer in disconnected envs #3389
OCPBUGS-26526 : Disable UWM Telemetry writer when telemeter-client cm not exists #3388
OCPBUGS-27072 : Apply Scheduling Configuration for kCCM #3418
NO-JIRA: Update RHTAP references (release-4.14) #3509
OCPBUGS-20180 , OCPBUGS-20547 : Added network validations #3096
OCPBUGS-23997 : add watch for HCP pullsecret to HCCO #3265
OCPBUGS-28249 : Required RBAC for network-node-identity is not created when hosted cluster networkType is set to Other. #3485
NO-JIRA: Update RHTAP references (release-4.14) #3447
OCPBUGS-24315 : Add prestop to konnectiviy server #3268
OCPBUGS-24307 : Set shutdown-delay-duration to 15s #3264
OCPBUGS-21795 : change trusted bundle volume mount for CPO #3102
OCPBUGS-25217 : Konnectivity agent update strategy #3308
OCPBUGS-26574 : Set new condition on SG deletion. #3398
Update RHTAP references (release-4.14) #3402
Update RHTAP references (release-4.14) #3383
OCPBUGS-22360 : Validate accessTokenInactivityTimeout >= 300s #3175
OCPBUGS-23936 : Use correct kubeconfig in CCM and remove CCMs access t… #3232
OCPBUGS-12720 : Updating hypershift images to be consistent with ART #2467
OCPBUGS-24627 : unset ServiceAccount on ignition-server-proxy #3295
[Release 4.14] OCPBUGS-24556: Fix a bug on deletion of a hostedcluster #3290
OCPBUGS-24269 : add CLI oauthclient #3272
OCPBUGS-23569 : Added IPFamilyPolicy to services exposed at the HCP in DualStack mode #3224
HOSTEDCP-1318 : external OIDC enablement #3261
OCPBUGS-23747 : Added brackets to IPv6 KAS address on kubeconfig #3228
OCPBUGS-24063 : fix(cpo): Set restart annotation on network-node-identity #3248
release-4.14, HOSTEDCP-1315: Improve NodePool CPU arch & platform check #3236
OCPBUGS-22676 : Make the OLMCatalogPlacement field immutable #3143
OCPBUGS-23558 : Let router use svc ips 4.14 #3221
OCPBUGS-19678 : Remove cluster name validation from HCC #3040
”[release-4.14] CNV-35326: unsupported escape hatch mechanism custom HS/KV vms” #3202
OCPBUGS-23027 : Configure HSTS for kube-apiserver #3169
NO-JIRA: chore(deps): update rhtap references (release-4.14) #3085
OCPBUGS-23142 : adding permission to CNO RBAC Calico path for network-node-identity deploy #3182
OCPBUGS-22295 : Added brackets to the kubeconfig server address when IPv6 #3117
OCPBUGS-22690 : Use the same etcd snapshot for all replicas during etcd restore #3146
OCPBUGS-22959 : Update regex validation for nodepool.spec.taints.value #3165
HOSTEDCP-1280 : Adjustment cluster-cidr,service-cidr to support dualstack #3162
OCPBUGS-22898 : Stop exposing kas on 6443 private route service load balancer #3159
OCPBUGS-22898 : Stop defaulting aws private haproxy external port to 6443 #3160
OCPBUGS-19897 : Add konnectivity-proxy container to CNO #3058
OCPBUGS-22379 : Cluster-policy-controller: add missing RBAC for privileged namespaces PSA syncer controller #3131
OCPBUGS-20526 : Align PSA labels on guest cluster namespaces with standalone OCP #3111
Full changelog
“OCPBUGS-29792: [release-4.14] Address CVE-2024-1725: Restrict access to infrastructure PVCs by requiring matching infraClusterLabels on tenant PVCs” #34
Full changelog
changes the owners file (#1013) #1013
OCPBUGS-48513 : e2e: use same version of crane as in go.mod (#1023) #1023
Bump version to include v5.11.0 of go-git (#822) #822
Fix to ensure operator not found error exits with correct status (#797) #797
OCPBUGS-28871 : Capability to override default channel (#749) (#790) #749
OCPBUGS-19429 : Fix cross EUS channel upgrade path calculation (#769) #769
OCPBUGS-23327 : Fix MirrorToDisk of oci catalogs in hidden folders (#766) #766
skipping prune failure if manifest not found (#735) #735
OCPBUGS-21472 : fix: CVE-2023-39325 (#711) #711
Full changelog
: OCPBUGS-27680,OCPBUGS-27595: UPSTREAM: <carry>: Update go-git to v5.11.0 #73
OCPBUGS-23358 : [release-4.14] Address http2 vulnerability #53
And 1 elided commits (e.g. from squash or rebase merges)
Full changelog
Source code for this page located on github