4.17.50

Download the installer for your operating system or run

oc adm release extract --tools quay.io/openshift-release-dev/ocp-release:4.17.50-x86_64

Team Approvals:

Accepted
- QE

Tests:

Blocking jobs
- upgrade Succeeded (1 retries) periodic-ci-openshift-release-main-stable-4.y-e2e-aws-ovn-upgrade
- upgrade-minor Succeeded periodic-ci-openshift-release-main-stable-4.y-e2e-aws-ovn-upgrade
Informing jobs
- aws-ovn-serial Succeeded periodic-ci-openshift-release-main-nightly-4.17-e2e-aws-ovn-serial
- aws-ovn-upgrade-4.17-micro Succeeded periodic-ci-openshift-release-main-ci-4.17-e2e-aws-ovn-upgrade
- aws-ovn-upgrade-micro Succeeded periodic-ci-openshift-release-main-ci-4.17-e2e-aws-ovn-upgrade
- azure-ovn-upgrade-4.17-micro Succeeded periodic-ci-openshift-release-main-ci-4.17-e2e-azure-ovn-upgrade
- fips-scan Succeeded periodic-ci-openshift-release-main-nightly-4.17-fips-payload-scan
- gcp-ovn-rt-upgrade-4.17-minor Succeeded (1 retries) periodic-ci-openshift-release-main-ci-4.17-upgrade-from-stable-4.16-e2e-gcp-ovn-rt-upgrade
- hypershift-ovn-conformance-4.17 Succeeded periodic-ci-openshift-hypershift-release-4.17-periodics-e2e-aws-ovn-conformance
- metal-ipi-ovn-bm Succeeded periodic-ci-openshift-release-main-nightly-4.17-e2e-metal-ipi-ovn-bm
- metal-ipi-ovn-ipv6 Succeeded periodic-ci-openshift-release-main-nightly-4.17-e2e-metal-ipi-ovn-ipv6

Upgrades from:

Untested upgrades: 4.16.11, 4.16.12, 4.16.13, 4.16.14, 4.16.15, 4.16.16, 4.16.17, 4.16.18, 4.16.19, 4.16.20, 4.16.21, 4.16.23, 4.16.25, 4.16.26, 4.16.27, 4.16.28, 4.16.29, 4.16.30, 4.16.32, 4.16.33, 4.16.34, 4.16.35, 4.16.36, 4.16.37, 4.16.38, 4.16.39, 4.16.40, 4.16.41, 4.16.42, 4.16.44, 4.16.45, 4.16.46, 4.16.48, 4.16.49, 4.16.50, 4.16.51, 4.16.52, 4.16.53, 4.16.54, 4.17.10, 4.17.11, 4.17.12, 4.17.13, 4.17.14, 4.17.15, 4.17.16, 4.17.17, 4.17.18, 4.17.19, 4.17.21, 4.17.22, 4.17.23, 4.17.24, 4.17.25, 4.17.26, 4.17.28, 4.17.29, 4.17.3, 4.17.30, 4.17.31, 4.17.32, 4.17.33, 4.17.34, 4.17.35, 4.17.36, 4.17.37, 4.17.38, 4.17.39, 4.17.4, 4.17.41, 4.17.42, 4.17.43, 4.17.44, 4.17.45, 4.17.46, 4.17.5, 4.17.6, 4.17.7, 4.17.8, 4.17.9

4.17.49 (changes) - S S S F F S
4.17.48 (changes) - Failed
4.17.47 (changes) - Success
4.17.40 (changes) - Success
4.17.27 (changes) - Success
4.17.20 (changes) - Success
4.17.2 (changes) - Success
4.17.1 (changes) - Success
4.17.0 - Failed
4.16.57 (changes) - Failed Success
4.16.56 (changes) - Success
4.16.55 (changes) - Success
4.16.47 (changes) - Failed
4.16.43 (changes) - Failed
4.16.24 (changes) - Success
4.16.10 (changes) - Success
4.16.9 (changes) - Failed
4.16.8 (changes) - Failed
4.16.0-0.nightly-2026-02-24-151311 (changes) - Failed Success

Upgrades to:

Loading changelog, this may take a while ...

Changes from 4.17.0

Created: 2026-02-27 00:10:51 +0000 UTC

Image Digest: sha256:fffcbd70f5251c30d23bdcc87900e3eaf8b3ae4945a29618c26277669b453b1d

Components

Kubectl upgraded from 1.30.2 to 1.30.5
Kubernetes upgraded from 1.30.4 to 1.30.14
Kubernetes Tests upgraded from 1.30.0 to 1.30.14
Red Hat Enterprise Linux CoreOS upgraded from 417.94.202409121747-0 to 417.94.202602251654-0 (diff)

FeatureGate Changes

FeatureGate	Default Hypershift	Default SelfManagedHA	DevPreviewNoUpgrade Hypershift	DevPreviewNoUpgrade SelfManagedHA	TechPreviewNoUpgrade Hypershift	TechPreviewNoUpgrade SelfManagedHA
StreamingCollectionEncodingToJSON (0 tests)	Enabled (New)	Enabled (New)	Enabled (New)	Enabled (New)	Enabled (New)	Enabled (New)
StreamingCollectionEncodingToProtobuf (0 tests)	Enabled (New)	Enabled (New)	Enabled (New)	Enabled (New)	Enabled (New)	Enabled (New)

New images

gcp-workload-identity-federation-webhook git 08579e9f sha256:4f75baed8e721e80321ae2c11969ea681b77d082462811f8fb76e7f5d59edef5

Removed images

ovirt-machine-controllers

Rebuilt images without code change

aws-ebs-csi-driver git 2bb5b316 sha256:adfdd4d49d50e0036e1370fb053d10fbb0cec8fd06ce2fc394cb377691c5dc6d
azure-cluster-api-controllers git d359bfe5 sha256:26f8ab1e8ae77916c537c09c4fa3db1afaf09f5d277e1e55fab2fdf9219b60ce
azure-disk-csi-driver git a544f30b sha256:a865b7d34ac21738ce72d3842390a19802ca6fa8727c2a6b99f64e0958e99d40
azure-file-csi-driver git 9f4c38c2 sha256:d6adf4ead994113f5119194ea67ace17d84b1aeb3d8ac5de7c66b3b8df24e894
cluster-capi-controllers git 77ef4fc5 sha256:95f31108170fb4fa1a122fe6a800f05f7d6b875ecc98e5ab9c553f89a0170fbf
cluster-csi-snapshot-controller-operator git ffba005b sha256:1b304eae1056c3593775993e367e469a957179e118a6f8844378dd018a46f102
cluster-olm-operator git e31b7775 sha256:1a0f8a7d49e49a95ab21cd40337a5b395404aeeaa416018c3483d40f874342f7
cluster-policy-controller git 7209e90d sha256:640f302d82c67acdeb2c661bde55b266fa99e30ee542d34a0242b63b23034cbb
csi-driver-shared-resource-operator git c095a1f2 sha256:634f64a67abf46aad47bba1602318cebc8da5173af85a4aa9764291687908617
csi-external-attacher git c3fe8e2e sha256:adefd6ab96adbc931c88213c3618b594f18bc000e6ea7dcec155ff9432bc6615
csi-external-provisioner git fe460e56 sha256:f2934c3a342867bcf638642cc9f413d557e2c541d5f5623f858c2726a412b5f7
driver-toolkit git 859518f6 sha256:d7a101256b23eb8e7952ef943c63bacc41b099243a1eaa078f3f92b2683ac2f7
egress-router-cni git 3193a756 sha256:274c07d9e670efe09f08f56e851857c63f22de7604a74c3ba07be81a5fb7e724
gcp-cloud-controller-manager git 8ce997d7 sha256:0743e3124b243ce7be4cc0a0c797ac69e53d40e3e995f0299d6b7986b20eaf08
gcp-cluster-api-controllers git 9c561f2d sha256:0db611b429c7f0c0d172be3f2ed0bbaaf7766102f978711b90dbf1b8dca995d3
gcp-pd-csi-driver-operator git c23b064f sha256:e4c93d506d81888b1849753bb5d649f9ab6a1830210237d3e0377f09c202c25d
ibm-cloud-controller-manager git ad8f7eb0 sha256:c784e40521f1e8c3d3f35631fbf08308b070548c0f60f6e12603d1ee7be3d7cd
keepalived-ipfailover git e3879e9e sha256:02756b68014d85cc80a723fb3aae6adac4923c877ad559757efa4414c01d9490
kube-state-metrics git 462e63f6 sha256:a1309bfb7149dae293769d938be725eb844635b2f6431cf2f56f15fa25f8a0af
libvirt-machine-controllers git a336f0b5 sha256:980585040470619dc58909ad3daf38139974518be900e6c2165e87a59ffe1d09
multus-route-override-cni git 391c1b03 sha256:09f2a75dc4827e32b7e5c796978b04101a222f31c168bab8074b4c184694801b
nutanix-cloud-controller-manager git c9f6cd1f sha256:0f4ce660f76b45ad486b6afd3f965e047b2dfad8d479f5c502db33d462f4852f
openstack-cinder-csi-driver-operator git f89b6dbc sha256:dafdcb60c6da9fd9e567fbf5fbaaa4df15a704a412464d87c0a112d60d09ac90
ovirt-csi-driver git 1db726a9 sha256:3f71a5160cdb479ecc84c319c8a5041127c6c6e761544ec5d95560ed99ee7f5b
powervs-block-csi-driver git aaa6afa9 sha256:ed7949eeedbf729af7a0c1c0ad1cef0a00b358056a2b9fdd64e5e10a7309d7b6
powervs-block-csi-driver-operator git f6f037c5 sha256:3ec0291746609be26c900737bcbd1e549fc8dc81b621acdfe5752bfff0fb0c1c
powervs-cloud-controller-manager git bd3d72e5 sha256:86c0bb731c82dba8c7006153a851cb0601de56995251ba1ac7c4a5e1c931c934
rhel-coreos sha256:b4995c1a252cf38f93f131b71835160c035b4391945700423e93563dc69a0b7e
rhel-coreos-extensions sha256:ac8a3195ce4529501dff83158374a12eff22e0b14ad013a432d991b48a2f44e6

agent-installer-api-server

NO-ISSUE: pin gotestsum to v1.12.3 (#8017) #8017
OCPBUGS-58634, OCPBUGS-58639: Bump glog to v1.2.5 in release-4.17 (#7895) #7895
OCPBUGS-47627: dnsmasq service on OCP SNO fails to read /etc/resolv.conf file during system startup (#7724) #7724
OCPBUGS-51230: Revert go-jose from v4.0.5 to v0.3.04 (#7605) #7605
OCPBUGS-51230: Bump github.com/go-jose/go-jose/v4 to v4.0.5 in release-4.17 (#7574) #7574
OCPBUGS-54402: Bump go-jwt to 4.5.2 to fix CVE-30204 (#7484) #7484
OCPBUGS-48390: Bump moby from v26.0.0 to v27.2.1 (#7188) #7188
MGMT-19537: Bump golang.org/x/net to 0.33.0 (#7129) #7129
OCPBUGS-42525: Disable pprof for agent-based installer (#6897) #6897
OCPBUGS-43020: Update go-jose to v2.6.3 to mitigate CVE-2024-28180 (#6892) #6892
Updating ose-agent-installer-api-server-container image to be consistent with ART for 4.17 (#6709) #6709
OCPBUGS-42569: Libraries bump to mitigate CVE-2024-27289 (#6832) #6832
MGMT-17805: Fix MCO reboot error for s390x (#6727) #6727
OCPBUGS-36577: Switch to github.com/docker/distribution/reference to mitigate CVE-2024-3727 (#6750) #6750
Full changelog

agent-installer-csr-approver, agent-installer-orchestrator

OCPBUGS-58649: Bump glog pkg to 1.2.4 (#1182) #1182
Updating ose-agent-installer-csr-approver-container image to be consistent with ART for 4.17 (#1088) #1088
Updating ose-agent-installer-orchestrator-container image to be consistent with ART for 4.17 (#1087) #1087
OCPBUGS-53719: Bump jwt to 4.5.2 in release-4.17 (#1086) #1086
abi: let the bootstrap waiting for workers before rebooting (#1028) #1028
OCPBUGS-47493: MGMT-19537: Bump golang.org/x/net to 0.33.0 (#989) #989
OCPBUGS-44904: Rhcos fails to reboot for skip mco reboot on s390x (#942) #942
OCPBUGS-38466: Allow controller to continue when assisted-service (#918) #918
OCPBUGS-43023: Pick up latest CVE changes by bumping service (#919) #919
OCPBUGS-42156: Switch to github.com/docker/distribution/reference to Mitigate CVE-2024-3727 (#904) #904
Full changelog

agent-installer-node-agent

OCPBUGS-58654, OCPBUGS-58659: Bump glog to v1.2.5 in release-4.17 (#1070) #1070
OCPBUGS-52994: Update to latest ghw version (#986) #986
Updating ose-agent-installer-node-agent-container image to be consistent with ART for 4.17 (#798) #798
OCPBUGS-53711: Bump jwt to 4.5.2 in release-4.17 (#964) #964
NO-ISSUE: Increase image pull timeout during install (#922) #922
MGMT-19537: Bump golang.org/x/net to 0.33.0 (#873) #873
OCPBUGS-43024: Pick up latest CVE changes by bumping service (#805) #805
OCPBUGS-42157: Switch to github.com/docker/distribution/reference to Mitigate CVE-2024-3727 (#783) #783
Full changelog

agent-installer-utils

OCPBUGS-68141: bump github.com/sirupsen/logrus to v1.9.3 #238
append .0 to go.mod version #110
Full changelog

apiserver-network-proxy

append .0 to go.mod version #82
Full changelog

aws-cloud-controller-manager

append .0 to go.mod version #109
Full changelog

aws-cluster-api-controllers

OCPBUGS-61940: UPSTREAM <carry>: revert: Only tag NetworkInterfaces in RunInstances if IAM Allows It #571
OCPBUGS-58669, OCPBUGS-58674: bump github.com/golang/glog to v1.2.5 #559
OCPBUGS-53727: bump to github.com/golang-jwt/jwt/v4@v4.5.2 #546
OCPBUGS-51309: UPSTREAM: 5339: Bump glog for recent fixes #539
OCPBUGS-43921: OSD-25934: Only tag NetworkInterfaces in RunInstances if IAM Allows It #528
Full changelog

aws-ebs-csi-driver-operator, azure-disk-csi-driver-operator, azure-file-csi-driver-operator

OCPBUGS-64704: Use 127.0.0.1 for healtz http-endpoints #462
OCPBUGS-63557: Add RBAC ClusterRole and Binding for driver node #453
OCPBUGS-62974: Add withCABundleDaemonSetHook() to AWS EFS operator #449
OCPBUGS-60597: Bump library-go to fix assignment to nil map issue #422
OCPBUGS-60470: Backport stale conditions fix #416
OCPBUGS-46512: remove EFS driver metrics #350
OCPBUGS-44974: Set separate secrets for file and disk config on HyperShift #331
OCPBUGS-42949: add tag matching to Azure File storage class #291
OCPBUGS-43789: add ability to control kube rbac proxy container image… #310
OCPBUGS-42997: Correct aws efs csi driver config as removable #296
Full changelog

aws-kms-encryption-provider

OCPBUGS-34314: Updating aws-kms-encryption-provider-container image to be consistent with ART for 4.17 #19
hack: display diff on verify-mod-tidy failure #25
Full changelog

aws-machine-controllers

OCPBUGS-73822: Fix reconciler consistency checks in Update and Exists #167
OCPBUGS-63139: client: re-use a single file for building the session instead of randomly named files #145
OCPBUGS-45186: fix Associate*IpAddress flag when launch EC2 #118
Full changelog

aws-pod-identity-webhook

OCPBUGS-51232: github.com/go-jose/go-jose/v4 v4.0.5 #202
Full changelog

azure-cloud-controller-manager, azure-cloud-node-manager

OCPBUGS-46039: Prevent panic when informer receives cache.DeletedFinalStateUnknown #132
Full changelog

azure-kms-encryption-provider

append .0 to go.mod version #19
OCPBUGS-53495: bump golang-jwt v4 #12
OCPBUGS-34277: Updating azure-kms-encryption-provider-container image to be consistent with ART for 4.17 #7
Full changelog

azure-machine-controllers

OCPBUGS-65954: Set updateDomainCount to one when faultDomainCount is one #176
OCPBUGS-63700: Support datadisks on Stack Hub #168
OCPBUGS-56168: [release-4.17] Update virtualmachines service to armcompute/v5 SDK #146
OCPBUGS-56655: Fix failure when attempting to modify immutable availabilitySet #152
OCPBUGS-55729: Update eviction policy for Spot VMs from Deallocate to Delete #140
OCPBUGS-54393: Re-reconcile machine on NIC provisioning failure #136
OCPBUGS-52359: Remove unused vnet package #130
OCPBUGS-50017: dynamically setting the amount of fault domains #127
Full changelog

azure-workload-identity-webhook

OCPBUGS-53799: github.com/golang-jwt/jwt/v4 v4.5.2 #32
OCPBUGS-51234: github.com/go-jose/go-jose/v4 v4.0.5 #28
Full changelog

baremetal-cluster-api-controllers

ART-13124: Update go.mod to include patch version in go directive #46
OCPBUGS-47049: Bump x/net to 0.33.0 #32
Full changelog

baremetal-installer, installer, installer-altinfra, installer-artifacts

OCPBUGS-74677: [release-4.17] GCP: skip AI zones #10276
OCPBUGS-74555: Azure UPI ARM template: use storageAccountId #10264
OCPBUGS-68142: [4.17] uplift logrus #10167
OCPBUGS-53236: Validation for API and Ingress VIPs when using user-managed load balancer #10047
OCPBUGS-62951: Update the RHCOS 4.17 bootimage metadata #10021
OCPBUGS-62054: Make swift containers removal not fatal for UPI. #9952
OCPBUGS-54599: Update the RHCOS 4.17 bootimage metadata #9902
OCPBUGS-58319: vSphere - remove unit tests using nip.io #9821
OCPBUGS-57293: sort zone slices extracted from map of byo subnets #9778
OCPBUGS-56448: vsphere - check if host is powered down or on standby before uploading template #9726
OCPBUGS-57292: ensure ctrplane nodes can access bootstrap MCS #9775
OCPBUGS-57304: IBI nmstate unit test fix #9777
OCPBUGS-55224: Fix Load balancer IP setup #9675
OCPBUGS-51116: update resolv.conf every time on bootstrap node #9504
OCPBUGS-51210: Fixes panic during GCP tags fetch due to unstable network #9512
OCPBUGS-46375: Allow spaces in the aws tags [release-4.17] #9315
OCPBUGS-54357: IBMCloud: Move to IBM TF openshift fork #9613
OCPBUGS-53378: Remove error logging when determining image arch #9581
OCPBUGS-53459: aws: fix NLB creation in secret regions #9071
OCPBUGS-52961: Remove tmp directory used for agent pxe files #9552
OCPBUGS-43528: Prevent race with provisioning-interface service #9110
OCPBUGS-44058: Log correct hostname for validation status #9162
OCPBUGS-50967: PowerVS: destroy dhcp hack #9494
OCPBUGS-50846: OCPBUGS-50702: [release-4.17] MGMT-19771: Convert IDS to proper IDMS manifest #9470
OCPBUGS-50876: correct typo #9484
OCPBUGS-49975: aws/edge/byovpc: subnets tag kube cluster tag to shared #9445
OCPBUGS-48761: Update RHCOS 4.17 bootimage metadata to 417.94.202501301529-0 #9448
OCPBUGS-49993: Disable IP Forwarding for CAPG Machines #9446
OCPBUGS-41300: Azure: Update SecurityType passed in at Image creation #9409
OCPBUGS-49362: [Nutanix] Installation failed with timeout when uploading images to PC #9406
OCPBUGS-48645: azure: use separate /var to avoid growfs timeouts #9381
OCPBUGS-45340: move GCP zone filtering client-side #9264
OCPBUGS-48257: remove the types which failed by RHEL-59521 and add the new gpu vm type #9354
OCPBUGS-45813: Remove unused variable from ASH arm template 06_workers.json #9285
OCPBUGS-48359: Allow more time for Service Account Creation #9362
OCPBUGS-45344: support additionalNTPSources in node-joiner tool #9265
OCPBUGS-48119: Always set AllowCrossTenantReplication parameter to false #9346
OCPBUGS-46432: Power VS: Create region-zone-sysType hierarchy #9319
OCPBUGS-46360: aws: add ec2:AllocateAddress perm requirement. #9313
no-jira: Collect bootstrap logs when control plane provisioning fails #9308
OCPBUGS-45726: IBMCloud: Add service overrides #9267
OCPBUGS-42117: Remove destroy search for regional target tcp proxies #9025
OCPBUGS-45484: PowerVS: Listen to machineNetwork #9271
OCPBUGS-44848: aws: user right perm for untagging BYO IAM profiles #9228
OCPBUGS-45276: Bump Azure Machine Timeout #9257
ARO-12457: Include bootstrap docker config file in go module #9258
OCPBUGS-43047: fix slice init length #9089
OCPBUGS-43800: pkg/asset/installconfig/azure: send full certifcate chain #9140
CORS-3753: Allow mocking of the Azure client everywhere #9219
OCPBUGS-44611: [release-4.17] capi/aws: set Node Port Service CIDR override #9209
OCPBUGS-44230: Add C4A instance types #9181
OCPBUGS-44231: [release-4.17] capi/aws: bump provider for LB DNS lookup fix #9179
OCPBUGS-44261: Ensure rendezvousIP is checked against host IP #9184
OCPBUGS-43972: Cherrypick oci ccm fix to 4.17 #9152
OCPBUGS-44247: PowerVS: Update 4.17 CAPI ibmcloud to 9b077049 #9182
OCPBUGS-41642: vendor: Update openshift/api to pick up v4.17 capability sets #9013
OCPBUGS-44226: PowerVS: Fix MissingSecurityGroupRules #9175
OCPBUGS-44227: PowerVS: Fix destroy persistent TG #9176
OCPBUGS-44228: PowerVS: Change CAPI verbosity level #9177
OCPBUGS-43846: add chrony.conf file when additional NTP sources are configured #9142
OCPBUGS-43735: Add C4 instance validation #9130
OCPBUGS-43897: Revendor assisted service external platform oci #9147
OCPBUGS-43786: Limit GCP API firewall rule for internal clusters #9138
OCPBUGS-43547: Power VS: Fix incorrect error handling for AddSecurityGroupRule #9112
OCPBUGS-43088: GCP Validate Disk and Instance Type #9091
OCPBUGS-43329: IBMCloud: Handle pagination for subnets #9096
OCPBUGS-42716: Update RHCOS 4.17 bootimage metadata to 417.94.202410090854-0 #9092
OCPBUGS-42806: gather: simplify service regex for analyze #9079
OCPBUGS-42996: Power VS Ensure Metadata populated for CAPI/private cluster case on PowerVS #9086
OCPBUGS-42115: Add validation for gcp disk and instance types #9023
OCPBUGS-42842: add new tested azure instance types detected during QE 4.17 full function test #9080
OCPBUGS-41812: Validate MTU for custom network #9084
OCPBUGS-42794: PowerVS: Add support for persistent Transit Gateways #9078
OCPBUGS-42699: machines: don’t sort mpool zones #9065
OCPBUGS-42483: PowerVS: update capi ibmcloud c6bcd313 for 4.17 #9054
OCPBUGS-39414: OpenStack: Install CI dependencies from rpm #8994
OCPBUGS-42142: Skip private managed zone creation for xpn installs #9033
OCPBUGS-42183: Add GCP N4 Machine Series to tested instances for OCP #9041
OCPBUGS-42126: add tested IBMCloud instance types in 4.17 test #9030
OCPBUGS-42118: Set default release image to 4.17 #9026
OCPBUGS-42116: Remove bindings for XPN installs #9024
OCPBUGS-39409: Fix IPv6 security group rule for schedulable master #8970
OCPBUGS-41622: update RHCOS 4.17 bootimage metadata to 417.94.202409120353-0 #9019
OCPBUGS-42051: Fix integration tests #9018
OCPBUGS-41300: Azure CAPI: Improve handling of security features configured on the MachinePools and OSDisk #9007
OCPBUGS-39286: Fix var_files syntax to work on older version of ansible #8933
OCPBUGS-41896: Add AWS c7g,m7g,r8g to tested instance types #9005
OCPBUGS-41542: Azure CAPI: Update publicAccess for Blob Containers #9006
OCPBUGS-41702: aws: bump capa to fix EIP leak on bootstrap when BYOIP #8991
And 1 elided commits (e.g. from squash or rebase merges)
Full changelog

baremetal-machine-controllers

OCPBUGS-68143: [4.17] uplift logrus #239
OCPBUGS-46646: Bump x/net to 0.33.0 #225
Full changelog

baremetal-operator

OCPBUGS-77185: Unblock BMH direct deletion when detached annotation is present #462
OCPBUGS-53325: BMO can expose any secret via BMCEventSubscription CRD #406
OCPBUGS-42387: Remove dataImage finalizer if BMH is missing #390
OCPBUGS-49701: Handle HFC for non-redfish HW #395
Full changelog

baremetal-runtimecfg

OCPBUGS-71209: Bump logrus version #377
OCPBUGS-60112: Re-add ENABLE_NODEIP_DEBUG env var #363
OCPBUGS-48766: Extend haproxy-monitor fall time #340
Full changelog

cli, cli-artifacts, deployer, tools

OCPBUGS-64615: Help with must-gather scheduling through suggesting preferance of nodes #2150
OCPBUGS-56734: Adding sos.conf file for default sos config into the tools image #2027
OCPBUGS-58091: avoid transfering permissions when copying artifacts from node-joiner pod #2053
OCPBUGS-57446: Use fedora image in unit tests instead of centos #2038
OCPBUGS-49607: Address golang.org/x/* CVEs #1962
OCPBUGS-50984: Add HOST env var in oc debug for sos report collects more #1976
OCPBUGS-49605: Address github.com/docker/docker CVE #1968
OCPBUGS-45344: additional rbac policy rules #1937
OCPBUGS-45517: add retry in case of image pull error #1940
OCPBUGS-44508: Show node-joiner container logs when error occurs #1912
OCPBUGS-44830: Fix newapp unit test failure by using different image #1913
OCPBUGS-43696: Bump k8s dependencies to 1.30.5 #1902
OCPBUGS-41642: vendor: Update openshift/api to pick up the v4.17 capability set #1876
OCPBUGS-42176: Fix copy artifacts for all CPU architectures #1880
OCPBUGS-42721: Update push targets of digest with new appended tags #1892
OCPBUGS-42580: fix outputname flag for node-image create command #1888
OCPBUGS-42164: Check cast result in adm prune deployments to prevent panic #1879
Full changelog

cloud-credential-operator

OCPBUGS-65801: ccoctl azure: retry custom role creation on consistency errors #951
OCPBUGS-65480: ccoctl: use pagination when listing resources in aws #945
OCPBUGS-63549: ccoctl: add public-key-file flag to create-all #939
OCPBUGS-55128: snyk to ignore SNYK-GOLANG-GOLANGORGXNETHTML-9572088 #917
OCPBUGS-60972: ccoctl: aws to use proper issuer url on subsequent runs #908
OCPBUGS-58679: github.com/golang/glog v1.2.5 #892
OCPBUGS-58248: ccoctl: only add owned tag to azure resources on create #883
OCPBUGS-56980: Azure: resolve nil pointer exception when role assignment exists #868
OCPBUGS-54828: Render: configure proxy on bootstrap static pod #863
OCPBUGS-53415: github.com/golang/glog v1.2.4 #842
OCPBUGS-53823: update github.com/golang-jwt/jwt #838
OCPBUGS-51548: Ignore SNYK-GOLANG-GOLANGORGXOAUTH2JWS-8749594 due to not being affected #828
OCPBUGS-51238: github.com/go-jose/go-jose/v4 v4.0.5 #825
OCPBUGS-47071: golang.org/x/net v0.33.0 #804
OCPBUGS-45938: Add AWS region to aws-pod-identity-webhook #799
OCPBUGS-45006: Add retry to ccoctl gcp create functions #793
OCPBUGS-45001: github.com/golang-jwt/jwt/v4 v4.5.1 #787
OCPBUGS-44123: Add GCP pod identity webhook #776
OCPBUGS-43644: Only attempt timed token credentials on supported platforms. #773
OCPBUGS-43335: Update github.com/sirupsen/logrus v1.9.3 #766
Full changelog

cloud-network-config-controller

OCPBUGS-66132: [release-4.17] Fix capacity calculation #194
OCPBUGS-65520: Change the capacity struct from int to ptrOfInt #191
OCPBUGS-56257: Increase API call timeout to 30 second #171
Full changelog

cluster-authentication-operator

OCPBUGS-68150: Update library-go to fix CVE-2025-65637 #840
OCPBUGS-54580: Avoid duplicate OAuth client creation #765
OCPBUGS-43657: audit: do not log requests to /livez #724
OCPBUGS-42784: manifests should not use APIs that are removed in upcoming releases #712
OCPBUGS-42545: when no type is specified, don’t make illegal condition #703
Full changelog

cluster-autoscaler

OCPBUGS-68151: update logrus to version 1.9.3 #398
OCPBUGS-60913: revert openshift replica fix #376
OCPBUGS-60608: fix checkpoint gc of unknown recommenders #371
OCPBUGS-59266: Fix cool down status condition to trigger scale down #362
OCPBUGS-54325: improve replica counting and decrease target size behavior #352
OCPBUGS-48606: UPSTREAM: <carry>: 🐛(metrics) Initialize metrics for autoscaler errors, scale events, and pod evictions #337
OCPBUGS-45147: [release-4.17] VPA: Update OWNERS file #324
Full changelog

cluster-autoscaler-operator

OCPBUGS-45929: set max soft bulk taint count to zero #337
Full changelog

cluster-baremetal-operator

OCPBUGS-63715: Always have a service for ironic-api port #519
OCPBUGS-63666: Allow provisioningIP when network disabled #518
OCPBUGS-61097: Remove webhookport (9447) as HostPort #505
OCPBUGS-54542: Add missing relatedObjects #469
OCPBUGS-41926: SCC-pinning for metal3-baremetal-operator #444
Full changelog

cluster-bootstrap

OCPBUGS-34034: Updating ose-cluster-bootstrap-container image to be consistent with ART for 4.17 #108
Full changelog

cluster-capi-operator

append .0 to go.mod version #314
OCPBUGS-48493: fix: always update clusteroperator status versions when differing #250
OCPBUGS-41576: Use CAPO v0.10 and API v1beta1 #205
Full changelog

cluster-cloud-controller-manager-operator

OCPBUGS-63167: ccm: disable unused secure-serving port and webhook #423
OCPBUGS-60211: Update service selector to match deployment label #406
OCPBUGS-60211: Add Service using common resource templating #407
OCPBUGS-43389: update goimports targets #371
OCPBUGS-41941: IBMCloud: Modify liveness probe for IBM Cloud CCM to use loopback address #365
Full changelog

cluster-config-api

CNTRLPLANE-1981: Promote streaming list encoding to Default #2599
OCPBUGS-71184: Add HTTPKeepAliveTimeout to IngressController API #2639
NO-JIRA: Promote streaming list encoding to Default on Hypershift. #2567
CNTRLPLANE-1611: Add feature gates for StreamingCollectionEncoding #2538
OCPBUGS-57285: Add IPsec API for NAT-T UDP encapsulation support #2363
OCPBUGS-49702: Add IdleConnectionTerminationPolicy field to IngressControllerSpec #2186
OCPBUGS-39130: Added checks to prevent vCenters from changing after install past 1 vCenter #2014
Full changelog

cluster-config-operator

OCPBUGS-75998: Update logrus to 1.9.3 to address CVE-2025-65637 #465
append .0 to go.mod version #441
Full changelog

cluster-control-plane-machine-set-operator

OCPBUGS-44047: relax validation on delete and if failureDomains not configured #330
Full changelog

cluster-dns-operator

OCPBUGS-52497: [release-4.17] Add runbook_url for CoreDNSErrorsHigh #430
Full changelog

cluster-etcd-operator

OCPBUGS-68156: Update logrus to 1.9.3 to address CVE-2025-65637 #1542
OCPBUGS-61337: Vendor latest mixin, including additional and modified alerts for etcdDatabaseQuotaLowSpace #1480
OCPBUGS-60220: add missing ports to svc and pod spec #1461
OCPBUGS-53511: fix CVE-2025-30204 #1414
OCPBUGS-38574: use pooled client for etcd single member health checks #1327
Full changelog

cluster-image-registry-operator

OCPBUGS-53871: bump github.com/golang-jwt/jwt #1218
OCPBUGS-51604: bump golang.org/x/oauth2 #1209
OCPBUGS-51103: ensure that storage names don’t end in dashes #1180
OCPBUGS-43564: fix proxy config and leader election test flakes #1144
OCPBUGS-43350: pkg/storage/azure: also check for auth failure error code on deletion #1139
OCPBUGS-42812: azureclient: stop validating credentials when creating the client #1130
OCPBUGS-42394: pkg/storage/azure: use cluster-api tag key to discover vnet #1125
OCPBUGS-42362: Continuous pull-secret updates / slow initialization on build01 (test platform infrastructure) #1124
Full changelog

cluster-ingress-operator

OCPBUGS-71184: Implement HTTPKeepAliveTimeout tuning option #1335
OCPBUGS-49702: Add e2e tests for IdleConnectionTerminationPolicy #1225
OCPBUGS-49702: Add support for IdleConnectionTerminationPolicy #1223
Full changelog

cluster-kube-apiserver-operator

OCPBUGS-63614: SCC: add hostmount-anyuid-v2 #1954
OCPBUGS-60398: Add missing service ports to apiserver service #1893
OCPBUGS-50516: Increase waitForFallbackDegradedConditionTimeout #1803
OCPBUGS-43657: audit: do not log requests to /livez #1758
OCPBUGS-34310: Updating ose-cluster-kube-apiserver-operator-container image to be consistent with ART for 4.17 #1738
Full changelog

cluster-kube-cluster-api-operator

OCPBUGS-42612: Sync Release 4.17 with UPSTREAM #48
Full changelog

cluster-kube-controller-manager-operator

OCPBUGS-60249: Missing endpoint slices for open ports the operator uses #855
Full changelog

cluster-kube-scheduler-operator

OCPBUGS-68165: deps: Update library-go and logrus to fix a CVE #613
Full changelog

cluster-kube-storage-version-migrator-operator

OCPBUGS-68167: Bump github.com/sirupsen/logrus to 1.9.1 #140
OCPBUGS-46593: “gracefully” shutdown KSVM pod. #123
Full changelog

cluster-machine-approver

OCPBUGS-48155: Fix race condition in CO status controller test #266
OCPBUGS-46429: Filter CSRs by signerName #261
OCPBUGS-45918: Ensure trailing dots on DNS names do not block serving cert auth #256
OCPBUGS-45918: Client internal DNS checks should ignore trailing dot #250
OCPBUGS-43312: Client internal DNS checks should be case insensitive #242
Full changelog

cluster-monitoring-operator

OCPBUGS-64580: Fix KSM deny-list typo #2732
OCPBUGS-63489: Add mcd_local_unsupported_packages metric from MCO to telemetry 4.17 #2725
OCPBUGS-63123: test: remove image registry e2e tests #2715
OCPBUGS-61766: chore(jsonnet): use prometheus_remote_storage_queue_highest_timestamp_seconds in PrometheusRemoteWriteBehind #2672
OCPBUGS-60017: operator: increase wait time till degraded to max 4 times 5m #2634
OCPBUGS-44971: Add new metrics for OpenShift logging telemetry #2526
OCPBUGS-44003: fix(monitoring-plugin): disable emitting nginx version on error pages #2511
OCPBUGS-43690: chore: introduce a config parsing check via a strict unmarshaller for… #2494
OCPBUGS-43788: Add runbook url for TelemeterClientFailures #2507
OCPBUGS-43545: Fix api doc on Thanos Ruler default retention #2501
OCPBUGS-41341: disable user-defined monitoring per object #2458
OCPBUGS-41908: filter alerts sent to Telemeter #2470
Full changelog

cluster-network-operator

OCPBUGS-73799: Tweak iptables-alerter to try to avoid crictl bug #2878
: NO-JIRA: Update CNO reviewers/approvers #2767
OCPBUGS-74348: [release-4.17] fix typo in release annotation for whereabouts-token-watcher deamonset #2888
OCPBUGS-45086: Re-disable metrics server #2579
OCPBUGS-63154: Add drop flows for GARPs #2818
[Release 4.17] OCPBUGS-61765: Update CNO reviewers/approvers #2799
OCPBUGS-58066: [release-4.17]: Manual feature backport of cert rotation for whereabouts #2784
OCPBUGS-57285: Implement IPsec NAT-Traversal encapsulation option #2726
OCPBUGS-55518: iptables-alerter streamlining #2698
OCPBUGS-55033: Add IPv6 NGINX configuration #2689
OCPBUGS-52951: Unexpected Behavior During Cluster Upgrade for the ovn-ipsec-host pods #2654
OCPBUGS-49816: ovn-k, rbac: Enable users read & modify UserDefinedNetwork CRs #2655
OCPBUGS-49961: Update egressfirewall CRD to be consistent with ovn-kubernetes repo #2642
: OCPBUGS-44863: Add nodeslicepool #2574
OCPBUGS-44807: ovn-k, cudn: Add missing permissions to ovnkube-node #2575
OCPBUGS-43714: Skip including default crypto policies to avoid authby issue #2597
OCPBUGS-46146: Remove ip xfrm state when IPsec is disabled #2594
OCPBUGS-44415: Pass transit_switch_subnet options in ovnkube-node pod #2561
OCPBUGS-44807, SDN-4930, SDN-5297: OVN-Kubernetes node RBAC tightening #2568
OCPBUGS-44807, SDN-5297, SDN-5472: bindata, ovn-k: Add ClusterUserDefinedNetwork CRD and RBAC #2566
OCPBUGS-44807, SDN-4930, SDN-5297: ovn-k, udn: Update UserDefinedNetwork CRD #2551
OCPBUGS-44807, SDN-4930, SDN-5297: Adds UDN list/watch to ovnknode rbac #2540
OCPBUGS-44779, SDN-5436: Provide support for user owned IPsec machine configs #2564
OCPBUGS-44330: Add controlplane cli image envar for use with hypershift #2542
OCPBUGS-43343: OCPBUGS-42244: Exporting environment varialbe NODE_CNI for live migration #2536
OCPBUGS-43317: Use CNIConfDir for mounting directory to ovn-ipsec-host pod #2533
OCPBUGS-39300: rebase openshift/api for openshift-sdn removal [4.17] #2477
OCPBUGS-39121: Live migration: report network overlap via live_migration_blocked metric #2483
OCPBUGS-42260: Configure narrowing=yes for IPsec connections #2510
Full changelog

cluster-node-tuning-operator

OCPBUGS-63504: Do not cause kubelet failed dependency by ocp-tuned-one-shot.service #1418
And 20 elided commits (e.g. from squash or rebase merges)
Full changelog

cluster-openshift-apiserver-operator

OCPBUGS-43657: audit: do not log requests to /livez #599
Full changelog

cluster-openshift-controller-manager-operator

OCPBUGS-47770: Add team members to the OWNERS file #375
Full changelog

cluster-samples-operator

OCPBUGS-63515: references to github.com/sclorg/django-ex.git now also refer to the branch #658
OCPBUGS-55800: only update LastTransitionTime if operator status change #640
OCPBUGS-55795: Adding filter to clusterOperatorInformerEventHandler #639
OCPBUGS-55894: Samples Operator should sort failing image imports #641
OCPBUGS-55042: Adding mutex to func createSamples on handler.go #632
OCPBUGS-54362: add rhdmalone to owners #619
OCPBUGS-48786: add shannon and aroyoredhat as owners #595
OCPBUGS-39120: Sync the non-OKD assets from master to release-4.17 #577
OKD-225: remove only the EOL CentOS 7 images #575
Full changelog

cluster-storage-operator

OCPBUGS-41160: Move metrics to vsphere driver #633
OCPBUGS-52222: fix Vsphere cluster Storage operator in Unavailable state #560
OCPBUGS-44997: Fix PodStartupStorageOperationsFailing alert #543
OCPBUGS-43794: add ability to control kube rbac proxy container image on controlplane #529
OCPBUGS-43112: assets: shared-resource: hypershift: add pull-secret to operator SA #520
Full changelog

cluster-update-keys

NO-ISSUE: Updating ose-cluster-update-keys-container image to be consistent with ART for 4.17 #79
Full changelog

cluster-version-operator

OCPBUGS-58451: Failing=Unknown upon long CO updating #1212
OCPBUGS-50589: Set openshift.io/required-scc: privileged annotation in version pods #1154
OCPBUGS-39558: Filter out shallowly UpdateEffectNone errors from a MultipleErrors message in the Failing condition #1114
OCPBUGS-45328: deps: bump golang.org/x/net to 0.31.0 #1117
OCPBUGS-43586: Upgradeable=False should not block a 4.(y+1).z to 4.(y+1).z’ retarget #1095
OCPBUGS-41642: vendor: Update openshift/api to pick up the v4.17 capability sets #1087
And 1 elided commits (e.g. from squash or rebase merges)
Full changelog

configmap-reloader

append .0 to go.mod version #70
Full changelog

console

NO-JIRA: Bump builder image to v29 #15994
OCPBUGS-74452: Bump lodash to latest #15966
OCPBUGS-69403: Disallowed Pipelines-plugin Pipelines navigation section #15849
OCPBUGS-65933: Preserve URL in perspective switch + remove dev console folks from reviewers #15762
OCPBUGS-64942: Expose prometheus tenancy label path as a proxy #15710
OCPBUGS-64599: Remove required flag from ‘console.flag/model’ pipelines-plugin extension #15665
OCPBUGS-62631: /auth/error?error=missing_state&error_type=auth is showing blank page #15554
OCPBUGS-63212: switch to dev perspective for /dev-monitoring #15614
OCPBUGS-63397: fix bug where Roles list was displaying invalid data f… #15627
OCPBUGS-62282: Fix desync of console and variable namespace #15545
OCPBUGS-44154: bump dompurify to latest #15590
OCPBUGS-61737: Remove ancient X-XSS-Protection header #15494
OCPBUGS-54241: VolumeSnapshots are not displayed in OpenShift Web Console #15465
OCPBUGS-59747: OpenShift console PVC clone cannot use B as the unit #15324
NO-JIRA: Increase the timeout on the cypress test #15420
OCPBUGS-58365: change ‘/metrics/usage’ endpoint to ‘/api/metrics/usage’ #15271
OCPBUGS-59544: Secret key with binary file changes when edited via Console #15301
OCPBUGS-59784: Update the golang.org/x/crypto/ssh to 0.31.0 in the openshift-console image #15329
OCPBUGS-58337: Tolerate unknown fields in Infrastructur… #15236
OCPBUGS-59492: Cannot read properties of undefined (reading ‘node-role.kubernetes.io/master’) error while accessing node logs from console #15294
OCPBUGS-59879: add data-test attrs to console plugins … #15338
OCPBUGS-59510: Not able to launch terminal window from OCP web console due to console plugin conflicts #15297
OCPBUGS-59265: fix bug where / in console.tab/horizontalNav href brea… #15270
OCPBUGS-58318: Implement sessions in openshift authenticator #15238
OCPBUGS-58224: Add the ability to launch multiple modals with useModal hook #15222
OCPBUGS-58378: Cannot read properties of undefined (reading ‘filter’) error while accessing nodes from console. #15241
OCPBUGS-57835: Add flags in console static plugin for all the components of this epic #15192
OCPBUGS-57932: Fix TypeError Cannot read properties of null (reading ‘metadata’) #15197
OCPBUGS-57182: Fix ‘/metrics’ endpoint token review to handle interna… #15154
OCPBUGS-56895: HorizontalPodAutoscalers via console require CPU resource limit even though HPAs use requests for scaling #15108
OCPBUGS-57095: Add all files to vendor regardless of gitignore #15132
OCPBUGS-57114: Debug pod logs are not accessible when debugging a node via OpenShift Console #15142
OCPBUGS-56975: Sample segment sessions #15114
OCPBUGS-56844: Enable knative tests #14387
OCPBUGS-56375: remove 60 day alert from cluster update modal #15062
OCPBUGS-55924: Fetching taskRuns in PLR details page using PLR UID also #15029
OCPBUGS-55756: update the Deployment pod on change in imageStream #15022
OCPBUGS-56238: Remove the devconsole backend common internet proxy and replace it with dedicated ones #15049
OCPBUGS-55447: Authenticate user token in openshift Authenticate func #15010
OCPBUGS-55415: fix bug where operator appears twice #15002
OCPBUGS-55202: Do not load CSRs if user does not have permissions #14985
OCPBUGS-52999: Pipeline visualisation shows all tasks as Failed and after that goes to Running state #14862
OCPBUGS-53168: Remove logoutOpenShift method call #14883
OCPBUGS-51277: Fix JSON annotation parsing issue and harden related code #14795
OCPBUGS-53086: Update the monitoring topic used by the console team #14871
OCPBUGS-52205: Show Observe section without PROMETHEUS and MONITORING flags #14811
OCPBUGS-51292: fix run time error when no completed version exists #14796
OCPBUGS-51126: Fix alert rule link to alert in dev perspective #14785
OCPBUGS-49795: ‘create a Project’ button on Getting started page doesn’t work #14714
OCPBUGS-39602: Set default build option as BUILDS for Builder Image sample #14241
OCPBUGS-45740: Fix Function Import: An error occurred Cannot read properties of undefined (reading ‘filter’) #14595
OCPBUGS-45625: use default StorageClass for ServerlessFunction pipelineVolumeClaimTemplate #14589
OCPBUGS-41596: No need to supply ‘User workload notifications’ option on ‘User Preference’ page for normal user #14265
OCPBUGS-44220: disable flaking and change pre-condition test for knative e2e #14467
OCPBUGS-43751: Added token to proxy header #14430
OCPBUGS-48161: ERROR in search tool: Cannot read properties of undefined (reading ‘state’) #14667
OCPBUGS-48227: fix navigation from non-General User Preference tab to… #14674
OCPBUGS-41672: Update vendor imports to include all PatternFly components #14272
OCPBUGS-46344: OCP web console show pod status as Init:0/1 after using Native sidecars #14616
OCPBUGS-47497: Getting Oh no, something went wrong error when trying to install operator. #14645
OCPBUGS-43673: Disable GQL introspection #14640
OCPBUGS-45949: ReRun of Resolver based PipelineRuns fails from UI #14605
OCPBUGS-45954: Fixed capitalization in OpenShift Lightspeed #14607
OCPBUGS-45948: ImagePullSecret getting duplicated when editing DeploymentConfig in Form View #14604
OCPBUGS-45667: Do not pass CSV name to operand list page when an exen… #14591
OCPBUGS-46000: The description and name for GCP Pool ID is not consist #14611
OCPBUGS-42558: Plugins that use very old PF4 dropdown or menu components with grouped items have bullets and padding that needs to be removed. #14344
OCPBUGS-44656: update ConditionalUpdates release type #14505
OCPBUGS-43888: While accessing the node terminal from UI observed ‘Warning alert:Admission Webhook Warning` #14444
OCPBUGS-43441: fix table combination #14546
OCPBUGS-44169: use TaskRuns results.tekton.dev/record annotation to get the logs #14538
OCPBUGS-44873: Unable to remove finally tasks in pipeline builder mode #14527
OCPBUGS-42791: Add missing pipelines plugin name to known plugins #14377
OCPBUGS-44699: Add multiline support to template instantiation #14508
OCPBUGS-44183: Remove ClusterTask dependency in console from Pipelines 1.17 #14512
OCPBUGS-44764: Add IBM Block Storage CSI driver support for RWX #14517
OCPBUGS-43795: While upgrading the cluster from UI observed Warning alert:Admission Webhook Warning #14433
OCPBUGS-44722: include external labels so silenced alerts not displayed in notifications #14511
OCPBUGS-44358: BuildConfig form breaks on manually enter the Git URL #14478
OCPBUGS-43073: Telemetry userPreference results in empty nodes output to the DOM #14392
OCPBUGS-44587: Start last run do not work in buildConfig details page #14499
OCPBUGS-44586: Collapse/Expand Feature Added, Removal Option Removed in Version 4.16 #14498
OCPBUGS-44450: Don’t request user settings configmap if no user has been loaded. #14482
OCPBUGS-44479: conditionally display MachineConfig details page Confi… #14488
OCPBUGS-43878: Add flag to hide the pipelines-plugin pipeline builder extensions #14457
OCPBUGS-42824: remove axios as it is no longer in use #14381
OCPBUGS-42955: Enabling topology e2e tests on CI #14402
OCPBUGS-43009: Project is “Undefined” on “VolumeSnapshot” create page #14389
OCPBUGS-42607: add role exclusion to avoid unexpected triggering the namespace menu #14351
OCPBUGS-42606: make createdBy mandatory and auto fill with the current user #14352
OCPBUGS-42585: Red Hat Camel K Operator installation via cli #14346
OCPBUGS-42299: Increase login flow state paramater length/entropy #14318
OCPBUGS-42391: change “Partial cluster update” to “Control plane onl… #14323
OCPBUGS-42380: Allow operators to enable monitoring by default #14316
OCPBUGS-42060: Console crashes when ssh is selected in add secret for starting a pipeline run #14301
OCPBUGS-42223: restore Spotlight removal on next click #14314
OCPBUGS-39181: add Create button to Console plugins tab #14220
OCPBUGS-39091: update Events ChipGroup to use integrated close #14211
OCPBUGS-38563: do not directly mutate links in useMemo #14159
OCPBUGS-41685: Topology screen crashes when completed pod is selected #14276
OCPBUGS-41482: Unit Tests for the new Ask Lightspeed Button #14249
OCPBUGS-39601: Console user settings resources misses ownerRef, removing a user results in remaining data #14240
And 3 elided commits (e.g. from squash or rebase merges)
Full changelog

console-operator

OCPBUGS-60298: Update downloads deployment configuration to use master node selector #1033
OCPBUGS-45302: console/status: set initial value of Message field #943
OCPBUGS-46390: Dont disable console when authConfig type is set to None #951
Full changelog

container-networking-plugins, containernetworking-plugins-microshift

OCPBUGS-68135: Bump logrus to v1.9.1 #224
OCPBUGS-55622: Check error returned by ipv6 SettleAddresses #187
Full changelog

coredns

OCPBUGS-62825: UPSTREAM: 7083 and 6836: Fix failing TestZoneExternalCNAMELookupWithProxy #155
append .0 to go.mod version #135
Full changelog

csi-driver-manila, openstack-cinder-csi-driver, openstack-cloud-controller-manager

OCPBUGS-68209: fix CVE-2025-65637 #357
OCPBUGS-58839: CARRY: don’t ignore json files #340
OCPBUGS-52416: Merge https://github.com/kubernetes/cloud-provider-openstack:release-1.30 into release-4.17 #319
OCPBUGS-43427: Merge https://github.com/kubernetes/cloud-provider-openstack:release-1.30 into release-4.17 #314
OCPBUGS-43427: Merge https://github.com/kubernetes/cloud-provider-openstack:release-1.30 into release-4.17 #302
Full changelog

csi-driver-manila-operator

OCPBUGS-38457: Add missing healthchecks #240
Full changelog

csi-driver-nfs

append .0 to go.mod version #156
Full changelog

csi-driver-shared-resource, csi-driver-shared-resource-webhook

append .0 to go.mod version #372
OCPBUGS-34217: Updating ose-csi-driver-shared-resource-container image to be consistent with ART for 4.17 #188
OCPBUGS-44510: Updating ose-csi-driver-shared-resource-webhook-container image to be consistent with ART for 4.17 #233
Full changelog

csi-external-resizer

OCPBUGS-62466: Requeue PVC over PV creation #175
Full changelog

csi-external-snapshotter, csi-snapshot-controller, csi-snapshot-validation-webhook

OCPBUGS-60449: UPSTREAM: 1238: Snapshot Controller startup should not LIST all volumesnapshots #184
Full changelog

csi-livenessprobe

append .0 to go.mod version #73
Full changelog

csi-node-driver-registrar

OCPBUGS-63682: update log level verbosity to not clutter logs #90
append .0 to go.mod version #80
Full changelog

docker-builder

OCPBUGS-66988: bump buildah to 1.37.7 to fix CVE-2025-52881 #499
OCPBUGS-65816: BuildConfig inline Dockerfile fails with heredoc syntax #488
OCPBUGS-57939: S2I build cpu limits observed by assemble are limited to 1 cpu #474
OCPBUGS-53075: Upgraded Kubernetes dependency from 1.28.2 to 1.30.2 #465
OCPBUGS-42894: buildah dependency bump to 1.37.6 #452
OCPBUGS-33889: Updating openshift-enterprise-builder-container image to be consistent with ART for 4.17 #393
OCPBUGS-47768: Add team members to the OWNERS file #423
OCPBUGS-47712: skipping some unit tests to avoid failures as they are duplicate #421
Full changelog

docker-registry

OCPBUGS-60090: bump docker distribution to fix purgeuploads panic #440
OCPBUGS-53655: bump jwt and oauth dependencies #431
OCPBUGS-49695: bump docker distribution #422
Full changelog

etcd

DOWNSTREAM: <carry>: OCPBUGS-53447: fix a compaction induce latency issue #321
ETCD-714: Rebase etcd 3.5.18 openshift 4.17 #310
NO-ISSUE: Add support for cachi2 based deps #297
OCPBUGS-42680: Rebase etcd 3.5.16 openshift 4.17 #291
NO-JIRA: use golang 1.22 image #286
Full changelog

gcp-machine-controllers

OCPBUGS-53037: Disable shielded VMs for non-UEFI disks #115
OCPBUGS-48064: Refactor exists() to handle gcp API change #105
OCPBUGS-46082: update a2 gpu detection logic to be dynamic #100
OCPBUGS-43738: Add c4a instance as arm type #95
Full changelog

gcp-pd-csi-driver

OCPBUGS-68186: Update logrus to 1.9.3 #90
Full changelog

haproxy-router

OCPBUGS-49390: Reject All CA-Signed Certs Using SHA1 #650
OCPBUGS-49702: Add support for IdleCloseTerminationPolicy #652
Full changelog

hyperkube, pod

OCPBUGS-68132, OCPBUGS-68190: CVE-2025-65637 - bump github.com/sirupsen/logrus to v1.9.3 #2573
OCPBUGS-72531: Skip E2e: attach on previously attached volumes should work #2566
OCPBUGS-65695: Fix Concurrentmap Iteration #2520
OCPBUGS-63460: UPSTREAM: <carry>: backporting fix for concurrent map iteration and write #2456 #2496
CNTRLPLANE-1611: Backport StreamingCollectionEncoding for JSON and protobuf #2486
OCPBUGS-61584: UPSTREAM: <carry>: Don’t retry storage calls with side effects. #2458
OCPBUGS-60552: [4.17] podresources: list: use active pods #2426
4.17: OCPBUGS-60998: scheduler: Improve CSILimits plugin accuracy by using VolumeAttachments #2434
OCPBUGS-57888: Bump k8s api to 1.30.14 #2355
OCPBUGS-57196: UPSTREAM: 130047: adjusting loopback certificate validity in kube-apiserver #2328
OCPBUGS-57289: kubelet: fix a stall on startup from waiting too long for a stat call #2206
OCPBUGS-55269: Bump k8s api to 1.30.12 #2280
OCPBUGS-53016: Bump k8s api to 1.30.11 #2250
OCPBUGS-51006: Bump k8s api to 1.30.10 #2210
OCPBUGS-49905: Bump k8s api to 1.30.9 #2198
: OCPBUGS-46364: Fix grace period used for immediate evictions #2164
OCPBUGS-46002: Bump k8s api to 1.30.7 #2160
OCPBUGS-39318: UPSTREAM: 126994: Add required FieldManager for validatingadmissionpolicy e2e #2070
OCPBUGS-43820: UPSTREAM: <carry>: kubelet/cm: fix bug where kubelet restarts from missing cpuset cgroup #2126
OCPBUGS-44897: Backport format library to enable usage in 4.18 #2140
OCPBUGS-44512: Bump k8s api to 1.30.6 #2134
OCPBUGS-42427: UPSTREAM: 125398: Fix issue with scheduler failing on hostname mismatch #2097
OCPBUGS-42640: Unrevert Bump k8s api to 1.30.5” #2107
OCPBUGS-42640: Revert #2089 “OCPBUGS-42167: Bump k8s api to 1.30.5” #2100
OCPBUGS-42167: Bump k8s api to 1.30.5 #2089
OCPBUGS-42019: UPSTREAM: <drop>: bump(github.com/openshift/apiserver-library-go) #2087
Full changelog

hypershift

OCPBUGS-74230, OCPBUGS-74294: [release-4.17] Support proxy authentication when user/pass is included in URL #7568
fix: OCPBUGS-72956: Fix Konflux EC voilation, update deprecated base … #7457
OCPBUGS-69865: test: remove unit tests that depend on network communication [release-4.17] #7411
OCPBUGS-57123: Add support for registry root entry only in the IDMS/ICSP #6230
CNTRLPLANE-1903: Migrate 4.17 pipelines to use common pipeline #7215
OCPBUGS-63639: [release-4.17] fix(konnectivity): resolve circular dependency causing DNS timeouts and excessive retries #7112
OCPBUGS-64604: Update DNS names for ovn-kubernetes cp metrics #7150
OCPBUGS-63370: fix: Make the hypershift CLI binary FIPS-compliant #7094
CNTRLPLANE-1425: feat(konflux): tag MCE HO images with latest #6838
OCPBUGS-57143: [release-4.17] HCP payload doesn’t respect multiple mirrors #6771
OCPBUGS-61290: Update KCM node monitor grace period #6760
OCPBUGS-61208: use common MCE konflux pipeline #6749
OCPBUGS-60149: [release-4.17] Always compress and encode payload in token secret for inplace upgrades #6740
OCPBUGS-61101: Use system trust bundle in CPO IDP https client #6735
OCPBUGS-60921: konflux for hcp-cli #6699
CNTRLPLANE-1204: HO MCE change to hermetic ta build #6653
CNTRLPLANE-1230: Move CPO pipeline to hermetic builds #6598
CNTRLPLANE-936: fix(tekton): drop multiarch builds on PR #6224
OCPBUGS-57432: Add proxy variables for the MCD Pod #6258
CNTRLPLANE-918: Konflux build pipeline service account migration #6088
CNTRLPLANE-918: Konflux build pipeline service account migration #6083
OCPBUGS-55723: Don’t check if olm images exist if guest cluster #6115
OCPBUGS-55500, RHOCPPRIO-433: Add validation to avoid conflicts between KubeAPIServer and NamedCertificates SANs #6098
OCPBUGS-51808: Fix golang crypto dependency go.mod replacement #5993
OCPBUGS-54841: Add konnectivity-proxy sidecar to openshift-oauth-apiserver #6017
OCPBUGS-53323: Handle multiple mirror entries for source #5894
OCPBUGS-54631: Sync RBAC for attaching volumes on VM level #5997
NO-JIRA: update konflux references #5479
OCPBUGS-53903: bump golang-jwt v4 and v5 #5906
NO-JIRA: Red Hat Konflux update control-plane-operator-4-17 #5959
ART-11792: update go mod dependency for konflux #5920
OCPBUGS-51737, OCPBUGS-51808: Bump dependencies to OCP fork in backports #5900
OCPBUGS-48439: kubevirt, Don’t break on hostname NodePort.Address #5394
OCPBUGS-51240: bump go-jose #5863
OCPBUGS-52657: Make managed-trust-bundle optional #5794
OCPBUGS-52425: [release-4.17] refactor aws identity health check into new controller #5772
OCPBUGS-46340: change plaform to platform #5562
OCPBUGS-51339: [release-4.17] Fix IsProgressing condition in HostedClusters #5712
OCPBUGS-50697: add region to AWS creds passed to operators managed by CPO #5671
OCPBUGS-51098: 4.17 Add HostedCluster additional trustbundles to konnectivity-https-proxy #5675
NO-JIRA: Update dependency mkdocs-material to v9.6.5 #5682
OCPBUGS-50596: Honor proxy vars in the util insecure http client #5605
OCPBUGS-49828: Duplicate hostDevices.name when hostDevices.deviceName has multiple types. #5558
OCPBUGS-48487, OCPBUGS-48488, OCPBUGS-48490: Fix IPv6 Disconnected HCP deployments #5402
OCPBUGS-47533: Prevent IgnitionServer from flooding the API server with patch requests #5332
NO-JIRA: Update dependency mkdocs-material to v9.6.3 #5590
OCPBUGS-45268: Reconcile proxy CA bundle into hosted cluster #5228
OCPBUGS-46465: Consistently look up and dial cloud API hostnames #5302
NO-JIRA: Update dependency mkdocs-material to v9.6.1 #5528
OCPBUGS-49638: fix overwriting PKI operator HCP conditions #5504
OCPBUGS-46440: Allow ARM64 arch deployment on Agent platform #5296
OCPBUGS-48170: fix disconnected via CLI #5465
OCPBUGS-38810: nodepoolcontroller: List() PerformanceProfile status per NodePool #4585
NO-JIRA: Update dependency mkdocs-mermaid2-plugin to v1.2.1 (release-4.17) #5428
NO-JIRA: Update dependency mkdocs-material to v9.5.50 (release-4.17) #5427
OCPBUGS-44927: Add multi-arch validation for HC/NodePool compatibility #5238
NO-JIRA: [release-4.17] Bump golang.org/x/crypto and golang.org/x/net #5368
NO-JIRA: Update Konflux references (release-4.17) #5329
OCPBUGS-46412: Separate CPO containerfiles #5285
NO-JIRA: chore(deps): update konflux references (release-4.17) #5289
NO-JIRA: chore(deps): update dependency mkdocs to v1.6.1 (release-4.17) #5290
OCPBUGS-44114: Add external kas address to no proxy skip list #5028
NO-JIRA: Red Hat Konflux update hypershift-release-mce-28 #5174
NO-JIRA: chore(deps): update konflux references (release-4.17) #5249
OCPBUGS-44630: Use ingress role in private link controller for DNS operations #5142
NO-JIRA: chore(deps): update konflux references (release-4.17) #5183
NO-JIRA: chore(deps): update konflux references (release-4.17) #5154
NO-JIRA: chore(deps): update konflux references (release-4.17) #5144
OCPBUGS-44184: dont use registryOverrides on kube rbac proxy image be… #5033
NO-JIRA: chore(deps): update konflux references (release-4.17) #5113
OCPBUGS-43929: Return the right tagReference on Catalogs ImageStream #4993
OCPBUGS-44276: Configure OAuth https proxy to dial cloud endpoints directly #5070
OCPBUGS-44268: Fix order rendering HCP objects #5064
NO-JIRA: Update Konflux references (release-4.17) #5098
chore(deps): update konflux references (release-4.17) #5075
HOSTEDCP-2046: CPO 4.17 tekton builds #5006
NO-JIRA: chore(deps): update konflux references (release-4.17) #5053
NO-JIRA: Update Konflux references to fedcfe0 (release-4.17) #5041
chore(deps): update konflux references (release-4.17) #5023
chore(deps): update konflux references to f53fe54 (release-4.17) #5018
NO-JIRA: Update Konflux references (release-4.17) #5009
OCPBUGS-42879: Add network policies for konnectivity server and ignition server proxy #4865
NO-JIRA: bump catalog operators version #4992
NO-JIRA: chore(deps): update konflux references (release-4.17) #4972
OCPBUGS-43746: add ValidIDPConfiguration condition to report IDP config issues #4969
NO-JIRA: chore(deps): update konflux references (release-4.17) #4958
OCPBUGS-43464: Pass feature flags to clusterpolicy controller #4928
NO-JIRA: chore(deps): update konflux references (release-4.17) #4931
OCPBUGS-42704: Run 2 replicas of active/passive HA components #4843
OCPBUGS-43316: Enforce privileged PSA by default #4834
NO-JIRA: chore(deps): update konflux references (release-4.17) #4921
OCPBUGS-43374: release-4.17 openstack/e2e: re-work nodepool tests #4914
NO-JIRA: chore(deps): update konflux references to 674e70f (release-4.17) #4907
NO-JIRA: chore(deps): update konflux references (release-4.17) #4895
OCPBUGS-43051: Use guest DNS resolution in Konnectivity HTTPS proxy by default #4885
HOSTEDCP-2020: [release-4.17] Add support for SharedVPC #4873
HOSTEDCP-2023: [release-4.17] Split worker and vpc endpoint security groups #4882
OCPBUGS-42974: [release-4.17] Do not send traffic to local audit-webhook through konnectivity #4869
NO-JIRA: Remove EnsurePSANotPrivileged check #4855
OCPBUGS-42714: label routes only when HCP router used #4845
NO-JIRA: chore(deps): update konflux references to 37b9187 (release-4.17) #4854
OCPBUGS-42390: Add Annotation to skip deleting hcp namespace #4792
NO-JIRA: chore(deps): update konflux references (release-4.17) #4812
NO-JIRA: e2e: openstack: fix nil deref in route53 teardown #4810
OCPBUGS-42261: Conditionally manage kubeconfig secrets for DNS and Ingress operators #4764
OCPBUGS-42098: Use KubeClientCABundle for HostedClusterConfigOperator cluster-signer-ca #4736
chore(deps): update konflux references to 5ac9b24 (release-4.17) #4780
OCPBUGS-41552: Let payload generation pick the release for the NodePool #4691
chore(deps): update konflux references to 2c3426a (release-4.17) #4774
NO-JIRA: chore(deps): update konflux references (release-4.17) #4761
NO-JIRA: Security fixes for openshift-ci-security job #4748
NO-JIRA: chore(deps): update konflux references (release-4.17) #4726
HOSTEDCP-1953: bump CCO version #4694
Full changelog

ibm-vpc-block-csi-driver

OCPBUGS-58740: bump github.com/golang/glog to version v1.2.4 #105
OCPBUGS-56062: tech debt: rework vendor patches #90
append .0 to go.mod version #100
OCPBUGS-53911: bump github.com/golang-jwt/jwt/v4 to v4.5.2 #83
Full changelog

ibm-vpc-block-csi-driver-operator

OCPBUGS-58435: [IBM VPC] set offlineExpansion to false in e2e test manifest #146
OCPBUGS-42277: Reorder static resources to create RBAC first #128
Full changelog

ibmcloud-cluster-api-controllers

OCPBUGS-67287: [release-4.17] Fix incomplete vendor/ #139
OCPBUGS-51823: CVE-2025-22869 Update golang.org/x/crypto to patched OpenShift fork #121
OCPBUGS-50566: Fix for CVE-2024-45338 in golang.org/x/net/html in release-4.17 #101
OCPBUGS-44880: Fetch service instance id from spec of IBMPowerVSCluster object while setting provider id #94
OCPBUGS-37369: UPSTREAM: <carry>: Fix go-retryablehttp CVE - 4.17 #86
Full changelog

ibmcloud-machine-controllers

OCPBUGS-52957: IBMCloud: MAPI replacing unhealthy CP nodes #63
OCPBUGS-37379: Bump dependency for CVE #49
Full changelog

insights-operator

OCPBUGS-68193: OCPBUGS-68194: [vuln] Update logrus library to 1.9.3 #1227
OCPBUGS-67008: Add filtering to add other possible pod status to QEMU gatherer #1196
OCPBUGS-66395: QEMU logs are not gathered if there are pending status virt-launcher pods #1194
OCPBUGS-66394: [bugfix] The archive’s records may include files whose names are out of bounds #1193
OCPBUGS-64629: add permissions to gather clusterrole #1170
OCPBUGS-63500: add missing permissions for replicasets and events #1165
AUTH-482: set required-scc for dataGahtering jobs & pods #1049
And 13 elided commits (e.g. from squash or rebase merges)
Full changelog

ironic

OCPBUGS-69792: Bump eventlet version to 0.33.1-7 #761
METAL-1305: Do not use openstack packages #647
OCPBUGS-52292: Fix runlogwatch script #643
OCPBUGS-50673: Install python3-inotify pkg explicitly #640
OCPBUGS-49998: Fix runlogwatch failure if LOG_DIR does not exist #637
OCPBUGS-49822: Drop quiet option of grep to avoid race condition with pipefail #633
OCPBUGS-49756: Use pynotify instead of inotify-tools #631
OCPBUGS-48149: Bump jinja2 to 3.1.5 #622
OCPBUGS-43955, OCPBUGS-43963: Bump python-waitress [4.17] #603
OCPBUGS-42692: Include fixes for CVE-2024-5569 #590
OCPBUGS-42509: Include fix for CVE-2024-47211 #593
Full changelog

ironic-agent

OCPBUGS-69775: Bump eventlet version to 0.33.1-7 #231
OCPBUGS-62490: netutils: Use ethtool ioctl to get permanent mac address #214
OCPBUGS-55680: Delay determining the hostname to put into ignition #185
METAL-1305: Do not use openstack packages #179
OCPBUGS-39013: Bump ironic-lib to fix utf8 decoding issue #155
Full changelog

ironic-machine-os-downloader

append .0 to go.mod version #104
Full changelog

ironic-static-ip-manager

OCPBUGS-49350: Fix subnet validation #47
Full changelog

kube-metrics-server

append .0 to go.mod version #43
: OCPBUGS-46491: Disable HTTP2 #40
Full changelog

kube-proxy

OCPBUGS-68165: deps: Update library-go to fix a CVE #661
OCPBUGS-43807: Revendor to a patched k/k with our prefer-local-DNS hack #640
Full changelog

kube-rbac-proxy

ART-13124: Update go.mod to include patch version in go directive #120
OCPBUGS-42697: protobuf bump [4.17] #112
Full changelog

kube-storage-version-migrator

NO-JIRA: Add DOWNSTREAM_OWNERS (release 4-17). #226
ART-13124: Update go.mod to include patch version in go directive #217
Full changelog

kubevirt-cloud-controller-manager

OCPBUGS-34447: Updating ose-kubevirt-cloud-controller-manager-container image to be consistent with ART for 4.17 #44
Full changelog

kubevirt-csi-driver

OCPBUGS-54631: Ensure volume stays attached through reboots #56
OCPBUGS-44623: During detach don’t return error if VM is not found #50
Full changelog

machine-api-operator

OCPBUGS-57073: Updates GCP CredentialsRequest #1377
OCPBUGS-53036, OCPBUGS-53037: Updates GCP credentials request #1345
OCPBUGS-52576: add image/read permissions #1344
OCPBUGS-52359: Remove unneeded VNet permissions from Azure CredentialsRequest #1337
OCPBUGS-51370: Drop oVirt support #1334
OCPBUGS-43851: vSphere klog initialization preventing verbose log messages #1302
OCPBUGS-42414: Ensure deletion annotation takes priority and oldestPolicy can distinguish longer ages #1293
Full changelog

machine-config-operator

OCPBUGS-77186: Machine-config controller should not log about non-existent pull-secret changes #5679
OCPBUGS-77090: machine-config-daemon: openshift: Exposure of Sensitive Data in Log Files in the Machine Configuration Daemon. [openshift-4] #5678
OCPBUGS-61190: MCO report “failed to list *v1alpha1.MachineOSConfig” when enable TechPreview after upgrading from 4.16 to 4.17 with one mcp paused #5584
OCPBUGS-60112: Enable debug logging for nodeip-configuration #5219
OCPBUGS-62170: Fix - NetworkManager restart or crash renders br-ex unusable #5355
OCPBUGS-66037: Remove –mount directives #5443
OCPBUGS-63154: [release-4.17] Networking: reset ovn-remote config and allow ovnkube controller to set it #5358
OCPBUGS-63540: Add control-plane label for master nodes on legacy clusters #5375
OCPBUGS-63364: Invalid architecture value found in annotation during 4.19 update #5368
OCPBUGS-63055: Recheck generatedByControllerVersion annotation prior to deleting a degraded MC #5346
OCPBUGS-62741: Add /etc/docker/certs.d to template #5335
OCPBUGS-62683: Add mcd_local_unsupported_packages recording rule #5327
OCPBUGS-60890: Race in configure-ovs.sh affects bonding interface configuration. #5267
OCPBUGS-61859: Override NMState service definition #5289
OCPBUGS-59930, OPNET-681: Support migration to NMState #5206
OCPBUGS-56752: Support NODEIP_HINT in IPI deployments too #5080
OCPBUGS-60704: operator: switch out VAP v1beta1 to v1 #5256
OCPBUGS-57084: scope MCD node listers to current node #5107
OCPBUGS-60239: Add workaround fix for static pod race #5231
OCPBUGS-58292: Do not set cpu system reserve below the default value #5157
OCPBUGS-58063: Update desired config in MCN on OCL update #5139
OCPBUGS-56625: Give keepalived container chroot cap #5072
OCPBUGS-58219: Boot image controller should correctly handle marketplace boot images #5151
OCPBUGS-58218: add MachineConfiguration to CO related objects #5150
OCPBUGS-57135: pkg/operator/status: Drop PoolUpdating as an Upgradeable=False condition #5111
OCPBUGS-56901: Fix dynamic-system-reserved-calc.sh when only true parameter is used #5096
OCPBUGS-56976: Boot Image Controller should not degrade when golden configmap is slow to update #5101
OCPBUGS-56990: Only update boot disks during GCP boot image updates #5102
OCPBUGS-56828: daemon: fix ostree-finalize-staged race workaround for package mode RHEL workers #5087
OCPBUGS-52313: Update machine-config-daemon-pull.service to use custom policy for Podman < 4.4.1 #4893
OCPBUGS-56665: Add hot loop detection in the boot image controller #5077
OCPBUGS-56395: error from generateAndValidateRenderedMachineConfig function can be misleading #5060
OCPBUGS-56218: Rewrote TestFirstBootHasSSHKeys e2e test in pure Go #5053
OCPBUGS-55615: MSBIC should not update windows machinesets #5021
OCPBUGS-55490: MCO should fall back to us-east-1 for AWS bootimages if no region specific-AMI exists #5020
OCPBUGS-54830: Make mtu-migration run after wait-for-primary-ip #4989
OCPBUGS-52314: on-prem/resolv-prepender: stop leaking tmp files #4894
OCPBUGS-45989: Do not run resolv-prepender from NM dispatcher #4785
OCPBUGS-52188: ignore mc not found error #4957
OCPBUGS-52951: Add ipsec connect wait service #4930
OCPBUGS-53441: Fixing typos for MachineConfigNode #4936
OCPBUGS-53186: Update ObservedGeneration in KubeletConfig #4919
OCPBUGS-53225: daemon: ensure ostree-finalize-staged is started before rebooting #4920
OCPBUGS-52160: Enforce VIPs to be collocated at the same host #4884
OCPBUGS-52303: Enable nmstate-configuration on all platforms #4891
OCPBUGS-51003: daemon: add nil check for annotation fetching #4862
OCPBUGS-51353: Update cluster-reader ClusterRole permissions #4882
OCPBUGS-50955: create /run/nodeip-configuration before use #4858
OCPBUGS-51334: Update format verbs for alert logs #4880
OCPBUGS-52257: configure-ovs workaround for ovs-if-br-ex bug #4889
OCPBUGS-49973: Update the storage.conf configuration file template #4836
OCPBUGS-49363: Auto-recover from MC with invalid extension #4824
OCPBUGS-49716: MCO CO degrades are stuck on until master pool updates complete #4826
OCPBUGS-49639: Add clarification to invalid maxUnavailable alert #4820
OCPBUGS-47475: Pausing Master MCP results in Alerts #4769
OCPBUGS-47802: OCPBUGS-47801: trying to wait for sub-controllers #4775
OCPBUGS-38292: controller: default to runc when upgrading clusters from 4.17 to 4.18 #4715
OCPBUGS-45918: Remove trailing periods from AWS provided hostnames #4738
OCPBUGS-39223: Do not enable on-prem-resolv-prepender.path for UPI #4572
OCPBUGS-38292: Revert “controller: default to runc when upgrading clusters from 4.17 to 4.18” #4716
OCPBUGS-38292: controller: default to runc when upgrading clusters from 4.17 to 4.18 #4635
OCPBUGS-44561: Disable tx chksum for driver IDPF on GCP C3/C4 #4701
MCO-1343: Backport Telemetry to 4.17 #4650
OCPBUGS-43917: Disable ESP offload for OVS attached interfaces #4667
OCPBUGS-43719: Soften haproxy timeout for kubeapi probe #4657
OCPBUGS-42577: openstack: fix non-old systemd compatible unit #4620
OCPBUGS-42108: Do not use ‘restart’ for ‘oneshot’ service #4615
OCPBUGS-42979: Regenerate the rendered MC in use when deleted #4634
OCPBUGS-42677: The MCO does not properly degrade when pools are failing to render a new config #4623
OCPBUGS-42081: Check for kernel arg diff in updateOnClusterBuild #4595
OCPBUGS-41255: Set ESP offloads off in bonds if slaves don’t support them #4598
OCPBUGS-42256: Panic seen in CI job for MCC pod #4603
OCPBUGS-42200: MCPs report wrong number of nodes when we move nodes from one custom MCP to another custom MCP #4602
OCPBUGS-41357: Enable the use of Linux Bridge as the ovs default port connection #4567
OCPBUGS-41686: MCPs with RHEL nodes are degraded when a userCA bundle is added to the cluster #4580
Full changelog

machine-image-customization-controller

OCPBUGS-68192: [4.17] Uplift logrus #152
append .0 to go.mod version #135
Full changelog

machine-os-images

OCPBUGS-54146: Change rhcos release browser url #56
Full changelog

metallb-frr

OCPBUGS-55021: Backport DynamicASN #92
OCPBUGS-55344: OpenShift Only: TEMPORARY: pin FRR version to known working rpm #89
OCPBUGS-44111: Use metrics for readiness/liveness probes #77
Full changelog

monitoring-plugin

OCPBUGS-70290: Manual cherry pick qs vulnerability 4 17 #747
OCPBUGS-64942: Use tenancy access to metric lables #639
OU-1058: Don’t show TP button in non-administrator #637
OCPBUGS-62282: align dev and admin persective tab names #602
OCPBUGS-62282: add missing translation string #587
OCPBUGS-61891: feat: add alerting rules tab to dev console #538
OCPBUGS-59399: Fix “Export as CSV” #468
OCPBUGS-54211: fix issue preventing dev silences from loading #374
OU-724: remove deleted image #377
OCPBUGS-51117: Fix overview links #357
OCPBUGS-44394: remove unused package and upgrade vulnerable dependency #271
OCPBUGS-43238: upgrade dynamic plugin sdk to remove vulnerable dependencies 4.17 #216
OCPBUGS-42408: fix path-to-regexp dependency #196
Full changelog

multus-admission-controller

OCPBUGS-58770: Update the github.com/golang/glog module to v1.2.4 #102
append .0 to go.mod version #97
Full changelog

multus-cni, multus-cni-microshift

OCPBUGS-43391: Update net-attach-def client library to 1.7.5 for cri-o functionality [backport 4.17] #257
OCPBUGS-47471: adds getcontext (backport 4.17) #260
Full changelog

multus-networkpolicy

append .0 to go.mod version #71
Full changelog

multus-whereabouts-ipam-cni

OCPBUGS-73728: Update tag on ci-operator.yaml file #395
OCPBUGS-70256: Prevent accidental IP deallocation in statefulsets #393
OCPBUGS-55617: Fixes leftover podref issue #364
OCPBUGS-48745: [Release-4.17]Kubeconfig loop #334
Full changelog

must-gather

OCPBUGS-60607: Separate resources with comma to fix malformed inspect #504
NO-JIRA: append .0 to go.mod version #492
OCPBUGS-48068: Update owners #452
OCPBUGS-46281: Support gathering IPsec data #467
OCPBUGS-42835: Removes reference to gather_multus_logs in 4.17 #459
OCPBUGS-42964: Collect etcd object count #453
OCPBUGS-42958: Gather OSUS data #443
OCPBUGS-42835: [Release-4.17] Network logs collection: skip unready nodes #445
Full changelog

network-interface-bond-cni

OCPBUGS-59620: Bump github.com/containernetworking/plugins from to 1.7.1 #83
NO-JIRA: Add ci-operator file #82
Full changelog

network-metrics-daemon

append .0 to go.mod version #105
And 4 elided commits (e.g. from squash or rebase merges)
Full changelog

network-tools

append .0 to go.mod version #148
Full changelog

networking-console-plugin

CNV-76277: Fix name generator with unprofessional names #320
OCPBUGS-60180: Fix ingress details #265
OCPBUGS-60128: Fix requiremenets with no value #260
Add translations 4.17 #239
Add translations scripts #235
OCPBUGS-49758: Fix weight width #208
OCPBUGS-45791: fix path-to-regex CVE #196
OCPBUGS-48704: fix service name #188
OCPBUGS-48267: UI crash accessing a Service in pending state #168
OCPBUGS-46553: fix ports as number instead of strings #169
OCPBUGS-45876: Bump nanoid from 3.3.7 to 3.3.8 #172
OCPBUGS-44140: Bump dompurify from 2.4.9 to 2.5.8 #166
OCPBUGS-44397: OCPBUGS-44679: upgrade packages for cve #141
OCPBUGS-44650: Routes list page shows correct status and location #139
OCPBUGS-44648: Add Route Filter in route list #138
OCPBUGS-43037: hide routes metrics non-admin users #129
OCPBUGS-43065: Routes list sort by status #131
CNV-49305: fix for virt perspective #128
OCPBUGS-42678: OCPBUGS-42352: add service weight #125
OCPBUGS-39390: fix sorting on lists #123
OCPBUGS-42582: fix html in translations #122
OCPBUGS-42581: Route edit form #121
CNV-48190: move title networkpolicies above tabs #120
Fix alert ServiceSelector #111
CNV-47528: Fix key value in selector #110
Revert IPAM (subnets input) #115
OCPBUGS-42248: fix pagination during sorting #109
OCPBUGS-41868: Add destination ca cert #106
Full changelog

nutanix-machine-controllers

OCPBUGS-51859: CVE-2025-22868 #111
OCPBUGS-47267: fixing CVE-2024-45338 #92
OCPBUGS-55728: Fix link-local addresses being added to machine #102
Full changelog

oauth-apiserver

OCPBUGS-66228: UPSTREAM <carry>: bump kubernetes-apiserver to pick up loopback certificate expiration update #157
NO-JIRA: (chore): update OWNERS file #171
OCPBUGS-61584: Bump openshift/kubernetes-apiserver for etcd retry patches. #143
append .0 to go.mod version #133
OCPBUGS-46044: Update dependencies to address CVE-2024-24786 #127
Full changelog

oauth-proxy

OCPBUGS-61445: Update x/crypto to v0.31.0 #334
OCPBUGS-58472: fix e2e tests #327
OCPBUGS-30443: Update dependencies to address CVE-2024-24786 #298
OCPBUGS-46659: Fix oauth-proxy e2e-component tests #303
Full changelog

oauth-server

OCPBUGS-61584: Bump openshift/kubernetes-apiserver for etcd retry patches. #198
append .0 to go.mod version #185
OCPBUGS-44118: escape spaces in oauth callback path #167
OCPBUGS-43587: Fix login path for go1.22 mux pattern matching #162
Full changelog

oc-mirror

Adding r4f4 and Prashanth684 as approvers and removing contributors who are not working with oc-mirror anymore. (#1269) #1269
fixes CVEs upgrading go-git dependency (#1033) #1033
OCPBUGS-47453: Use one of the newer sha256 keys to verify release signatures (#1000) (#1024) #1000
changes the owners file (#1017) #1017
OCPBUGS-48513: e2e: use same version of crane as in go.mod (#1020) #1020
OCPBUGS-37867: Use tag only when image by tag and digest (#911) (#932) #911
Full changelog

openshift-apiserver

OCPBUGS-68208: CVE-2025-65637 - Bump github.com/sirupsen/logrus from v1.9.0 to v1.9.3 [release-4.17] #609
OCPBUGS-74143: pkg/image: conditionally parse raw image manifest #596
OCPBUGS-66229: UPSTREAM <carry>: bump kubernetes-apiserver to pick up loopback certificate expiration update #584
OCPBUGS-63392: Wire dry run option to Image API server operations #565
OCPBUGS-61584: Bump openshift/kubernetes-apiserver for etcd retry patches. #554
OCPBUGS-53382: Skip blocked registry check for registries with mirrors #500
OCPBUGS-58821: Fix image reference in TestImageStreamImportQuayIO #515
append .0 to go.mod version #525
OCPBUGS-49399: prevent panic when no image and error are set #488
OCPBUGS-49399: validate image property isn’t nil before using #489
OCPBUGS-49399: move on to the next digest/tag during failures #487
OCPBUGS-42752: Pass expected type to deploymentconfig/scale object validation. #457
OCPBUGS-42232: fail image import when both image and error are nil #450
Full changelog

openshift-controller-manager

OCPBUGS-61199: legacy image pull secret rollback controller #413
OCPBUGS-57950: ignore error failing to find pull/push secrets #400
OCPBUGS-57480: Set node-pullsecrets volume to read-only to protect image pull credentials #393
OCPBUGS-55826: Empty proxy variables are causing issues during the build #379
OCPBUGS-47769: Add team members to the OWNERS file #357
OCPBUGS-44093: user system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller in ns/openshift-infra must not produce too many applies #350
NO-JIRA: cleanup root and app OWNERS #346
OCPBUGS-42362: Continuous pull-secret updates / slow initialization on build01 (test platform infrastructure) #339
Full changelog

openshift-state-metrics

append .0 to go.mod version #124
Full changelog

openstack-cluster-api-controllers

OCPBUGS-44455: Merge https://github.com/kubernetes-sigs/cluster-api-provider-openstack:release-0.10 into release-4.17 #343
append .0 to go.mod version #364
OCPBUGS-44455: Merge https://github.com/kubernetes-sigs/cluster-api-provider-openstack:release-0.10 into release-4.17 #342
OCPBUGS-44959: Makefile changes for merge-bot #340
OCPBUGS-44455: Merge https://github.com/kubernetes-sigs/cluster-api-provider-openstack:release-0.10 into release-4.17 #329
OCPBUGS-43584: Merge https://github.com/kubernetes-sigs/cluster-api-provider-openstack:release-0.10 into release-4.17 #323
Full changelog

openstack-machine-api-provider

OCPBUGS-76793: Fix make test #160
Full changelog

operator-framework-tools, operator-lifecycle-manager, operator-registry

OCPBUGS-76953: Remove the collect-profiles job #1232
OCPBUGS-67301: Fix TOCTOU race condition in ensureInstallPlan (#3682) #1172
OCPBUGS-57092: [release-4.17] e2e stability fixes #1081
OCPBUGS-60791: Add NetworkPolicy as a supported kind #1058
OCPBUGS-57428: reduce cache expiry frequency [release-4.19] #1021
OCPBUGS-59253: Reduce Frequency of Update Requests for Copied CSVs (#3597) #1036
OCPBUGS-57438: operatorgroup: ensure clusterroleselectors in clusterrole aggregation rules are sorted #1025
OCPBUGS-56250: fix(olm): improve error logging for missing olm.managed label (#3558) #1004
OCPBUGS-51226, OCPBUGS-51228, OCPBUGS-51246: (vendor) pin go-jose/v4@v4.0.5 #998
OCPBUGS-53071: add missing pod disruption reasons to isPodDead #982
OCPBUGS-53283: Ensure that PSA label is latest instead of pinning versions #985
OCPBUGS-50829, OCPBUGS-50831, OCPBUGS-50835: CVE-2025-24976 Bump github.com/distribution/distribution/v3 [release-4.17] #968
OCPBUGS-48695: Fix excessive catalog source snapshots cause severe performance regression #956
OCPBUGS-45845: Fix concurrent namespace resolution #944
OCPBUGS-46929, OCPBUGS-46936, OCPBUGS-47316: x/net bump to v0.34.0 [release-4.17] #938
OCPBUGS-46598: catalog-operator: Delete Pods that were evicted (#3459) #922
OCPBUGS-46054: CRD upgrade existing CR validation fix #913
OCPBUGS-44760: fix: call TokenRequest API when service account token secret is missing #898
OCPBUGS-43965: Return an error when the IP status cannot be updated #885
Full changelog

operator-marketplace

OCPBUGS-68212, OCPBUGS-68213: [release-4.17] CVE-2025-65637 fixed in logrus v1.9.3+ #710
OCPBUGS-62219: Remove Expect func so that the test case can use the retry logic #670
OCPBUGS-61036: Update memoryTarget on catalog source pods #663
ART-13124: append .0 to go.mod version #638
OCPBUGS-53179: Ensure that PSA label is latest instead of pinning versions #607
OCPBUGS-49431: Upgrade golang.org/x/net [release-4.17] #585
Full changelog

ovirt-csi-driver-operator

OCPBUGS-68230: Bump github.com/sirupsen/logrus to v1.8.3 #151
Full changelog

ovn-kubernetes, ovn-kubernetes-microshift

CORENET-6055, OCPBUGS-74492: [release-4.17] Dockerfile: Unpin OVN and consume the latest from FDP #2959
[release:4.17] OCPBUGS-71985: Fix conntrack reconciliation to use service port instead of endpoint port #2936
OCPBUGS-71218: [release-4.17] CVE-2025-65637 Bump github.com/sirupsen/logrus to v1.9.1 through indirect dependency conversion (go-controller module) #2905
OCPBUGS-71198: NetPol & MultiNetPol: Process update only when spec fields and/or related annotation are updated #2923
OCPBUGS-68348: Add ricky-rav to OWNERS for release-4.17 #2898
OCPBUGS-65928: Skip Pending pods in EgressIP status #2871
OCPBUGS-65569: [release-4.17]: kubevirt: fix bad release of IPs of live migratable pods #2857
OCPBUGS-64856: Fix stale EIP assignments during failover and controller restart #2850
OCPBUGS-64674: [release-4.17]: Configure sec nic EIPv6 address with NODAD and maximum lifetime #2843
OCPBUGS-63154: Fix EgressIP stale GARP post reboot + pod restart #2807
OCPBUGS-61749: [release-4.17] Fix dnsnameresolver address set #2796
OCPBUGS-60484: Update OWNERS file: Add Patryk/Martin as approvers #2717
OCPBUGS-59381: [release-4.17] Fix default network -> localnet #2667
OCPBUGS-58160: Unpin OVS patch versions, move to ovs 3.5 #2647
OCPBUGS-57109: Fix hybrid overlay node subnets collision with cluster subnets #2620
OCPBUGS-57107: Increase InformerSyncTimeout to 60s #2623
OCPBUGS-56443: Fix predicate for cluster subnet route to gateway router #2578
OCPBUGS-56244: Allow default network pods to reach localnet on the same node #2572
OCPBUGS-52480: Handles unspecified protocol in network policy port #2478
OCPBUGS-54203: Update OVN to FDP25.A.1 24.03.5-40. #2496
OCPBUGS-52409: Change dynamic_neigh_routers to false for the Interconnect topology. #2476
OCPBUGS-50519: kubevirt, localnet: Reduce live migration downtime #2458
OCPBUGS-48777: Fixes unexpected mp0 route removal during start up #2423
OCPBUGS-48828: fixes overzealous deletion of SNAT in egressIP #2425
OCPBUGS-47506: Let OVN-northd bind remote ports #2404
OCPBUGS-45953: bump OVS version to 3.4.0-18 #2393
OCPBUGS-45312: pin libreswan to 4.6-3.el9_0.3 #2384
OCPBUGS-45339: Dockerfile: Update OVN to the 24.03.2-32.el9fdp minor release. #2376
OCPBUGS-43454: Ignore cluster manager topology not managed errors for localnet with no subnets #2362
OCPBUGS-44303: Add hybird overlay pod IPs to the namespace address_set #2340
OCPBUGS-42931: Add static route to the hairpin masquerade IPs to pod #2315
OCPBUGS-39200: Dockerfile: Bump OVS to 3.4.0-1 #2287
OCPBUGS-42940: Fix egress gateway pod cleanup for remote zone pods. #2316
Full changelog

powervs-machine-controllers

OCPBUGS-61204: Use OS_GIT_VERSION in Makefile when found (for Konflux builds) #126
append .0 to go.mod version #117
OCPBUGS-54750: Fix for CVE-2024-51744 in github.com/golang-jwt/jwt/v4 in release-4.17 #113
Full changelog

prom-label-proxy

append .0 to go.mod version #381
Full changelog

prometheus

OCPBUGS-61766: chore: compute highestTimestamp at queryManager level #268
append .0 to go.mod version #258
OCPBUGS-56738: BACKPORT: fix promtool analyze block shows metric name with 0 cardinality #254
OCPBUGS-54941: Scraping: Bump cache iteration after error to avoid false duplicate detection. #249
OCPBUGS-43667: fix(discovery): Handle cache.DeletedFinalStateUnknown in node informers’ DeleteFunc #230
Full changelog

prometheus-alertmanager

OCPBUGS-75885: Include go-verify-deps expected files in gitignore #115
append .0 to go.mod version #102
Full changelog

prometheus-config-reloader, prometheus-operator, prometheus-operator-admission-webhook

OCPBUGS-58408: Fix: One Alertmanager Config failing blocks all others. (#6585) #336
OCPBUGS-48069: fix: validate smtp smarthost and smtp from fields #323
Full changelog

prometheus-node-exporter

append .0 to go.mod version #167
Full changelog

route-controller-manager

OCPBUGS-55943: Added error event for failed ingress to route conversion #60
OCPBUGS-53077: ingress: Reset metrics when ingress is deleted #57
Full changelog

service-ca-operator

OCPBUGS-68220: Update logrus to 1.9.3 to address CVE-2025-65637 #316
Fix for OCPBUGS-68221: CVE-2025-65637 bump github.com/sirupsen/logrus to v1.9.3 #309
append .0 to go.mod version #266
OCPBUGS-34228: Updating ose-service-ca-operator-container image to be consistent with ART for 4.17 #261
Full changelog

telemeter

ART-13124: Update go.mod to include patch version in go directive #562
Full changelog

tests

OCPBUGS-65492: Add imagestream update dryrun test #30479
OCPBUGS-64927: update telemtery limit for 4.17 e2e case #30472
OCPBUGS-64641: Migrate OCP-32383 to upstream #30455
OCPBUGS-63392: Backport pr 29834 to release-4.18 #30408
OCPBUGS-61162: images/tests: Remove rteval #30202
NO-JIRA: Update extended/networking OWNERS #30090
OCPBUGS-57324: Fix bearer token exposure in exit condition as well #29910
OCPBUGS-57888: Bump to Kubernetes v1.30.14 #29983
OCPBUGS-50664: Replace RunHostCmd with Exec function to censor bearer token being exposed #29539
OCPBUGS-56221: aws/edge: prevent test using unschedulable nodes #29792
OCPBUGS-55451: support provider type external #29737
OCPBUGS-55269: Bump to Kubernetes v1.30.12 #29771
OCPBUGS-55498: [build] Ensure Git Clone Does Not Run Privileged #29743
OCPBUGS-54767: Fix egress firewall tests by updating the URL from docs.openshift.com to redhat.com #29660
OCPBUGS-52580: Use payload pullspec for image info test #29588
OCPBUGS-38835: Try also user CA for getting openshift-tests image #29029
OCPBUGS-49411: Add a monitor test to detect concurrent installer pod or static pod #29487
OCPBUGS-48634: Revert “[release-4.17] OCPBUGS-48459, SDN-4930: ovn-k, udn crd e2e: Fix status report consumer assertion” #29453
OCPBUGS-48459, SDN-4930: ovn-k, udn crd e2e: Fix status report consumer assertion #29301
OCPBUGS-48345: Add team members to the OWNERS file for PR approvals #29430
OCPBUGS-48188: Fixing build s2i ruby test data inline with latest ruby version(>=3.0) #29409
: OCPBUGS-48093: fix unit test for compare against string #29405
OCPBUGS-44190: Fix UnexpectedNodeNotReady and UnexpectedNodeUnreachable #29306
OCPBUGS-43576, SDN-4930: Don’t modify pod routes in tests #29250
OCPBUGS-43576, SDN-4930: Set startup probe for UDN tests #29244
OCPBUGS-43576, SDN-4930: UserDefinedPrimaryNetworks: curl the KAPI IP through eth0 #29241
OCPBUGS-44795: fix: adding oslat updates and outputting test results to the artifacts #29193
OCPBUGS-43576, SDN-4930: network_segmentation: allow multiple UDN status conditions #29259
OCPBUGS-44494: removing rteval from the realtime test suite #29194
OCPBUGS-44496: fix: adding in a SNO time override for AWS Metal #29192
OCPBUGS-44062: Adjust createDNSPod() to support hypershift dual-stack test #29254
OCPBUGS-44045: Ignore infra nodes on tap cni tests #29251
OCPBUGS-43569: feat: update to use pullspec image #29207
OCPBUGS-43576: Porting testing for netConfig and UDN and CIDR overlapping tests from upstream #29181
OCPBUGS-39606: Add image registry capability check #29174
OCPBUGS-42814: ruby:3.0-ubi8 => ruby:3.1-ubi8 #29162
OCPBUGS-42336: Fix image ecosystem tests 4.17 #29126
OCPBUGS-41817: Update the NotFound case for CNI plugin to reflect changes #29091
Full changelog

thanos

append .0 to go.mod version #161
Full changelog

vsphere-cloud-controller-manager

OCPBUGS-43432: update check-fmt goimports command #78
Full changelog

vsphere-cluster-api-controllers

OCPBUGS-61652: Fix unit tests #71
Full changelog

vsphere-csi-driver, vsphere-csi-driver-syncer

OCPBUGS-68224: CVE-2025-65637: Bump github.com/sirupsen/logrus to v1.8.3 #157
OCPBUGS-43705: redact sensitive information when logging VCenter config #133
Full changelog

vsphere-csi-driver-operator

OCPBUGS-52207: fix panic when vcenter address is incorrect #295
OCPBUGS-50593: Set reconcile-sync to 10 minute for ListVolume #291
OCPBUGS-49858: Escape backslash in vCenter username #288
OCPBUGS-49685: List only linux nodes #285
OCPBUGS-43778: Fix panic on nil infrastructure Spec.PlatformSpec.VSphere #264
OCPBUGS-42327: Fix the config loading warning #259
OCPBUGS-42007: Remove conditions and controllers #254
OCPBUGS-42006: Add check for vCenter version #253
OCPBUGS-42008: Implement minor quality of life improvements. #255
Full changelog

vsphere-problem-detector

OCPBUGS-61755: Check for number of FailureDomain-s in GetVCenter() #190
Full changelog

View changelog in Markdown or change previous release:

Source code for this page located on github