-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.0 bug fix and security update
Advisory ID:       RHSA-2022:7399-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7399
Issue date:        2023-01-17
CVE Names:         CVE-2021-4235 CVE-2021-22570 CVE-2021-38561
                   CVE-2022-1705 CVE-2022-2879 CVE-2022-2880
                   CVE-2022-2995 CVE-2022-3162 CVE-2022-3172
                   CVE-2022-3259 CVE-2022-3466 CVE-2022-21698
                   CVE-2022-24302 CVE-2022-27664 CVE-2022-30631
                   CVE-2022-32148 CVE-2022-32189 CVE-2022-32190
                   CVE-2022-41316 CVE-2022-41715 CVE-2022-42010
                   CVE-2022-42011 CVE-2022-42012 CVE-2022-42898
                   CVE-2023-0296
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.12.0 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.12.0. See the following advisory for the RPM packages for this
release:

https://access.redhat.com/errata/RHSA-2022:7398

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)
* golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)
* golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)
* golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)
* prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)
* golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148)
* golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)
* vault: insufficient certificate revocation list checking (CVE-2022-41316)
* golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)
* openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher (CVE-2023-0296)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

You may download the oc tool and use it to inspect release image metadata
for x86_64, s390x, ppc64le, aarch64 architectures.
The image digests may be found at
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)
The image digest is
sha256:4c5a7e26d707780be6466ddc9591865beb2e3baa5556432d23e8d57966a2dd18

(For s390x architecture)
The image digest is
sha256:ab70750be4fadf5a525141ae32a8577c91dd19f1d6e582a6824339c938216ec0

(For ppc64le architecture)
The image digest is
sha256:5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb

(For aarch64 architecture)
The image digest is
sha256:cb34667519d1cfd8eedf0fb27e14b7b7e6209323b86977bfaadf91da012d179d

All OpenShift Container Platform 4.12 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1843043 - Config api resource has a terrible description
1876933 - No useful message after hitting volume attachment limit
1879980 - oc adm groups prune cannot find the groups present in ldap and finishes to delete all of them
1894268 - SDN to OVN migration problem due to overlap with "Join network"
1896533 - network operator degraded due to additionalNetwork in non-existent namespace
1904106 - Graphs in dev console shouldn't go below 0
1917662 - oc exec cmd run executed file in azure file volume return 139 or exec failed: container_linux.go:366: starting container process caused: interrupted system call
1924017 - [OCPonRHV] [Workers only] Special configuration for High Performance VMs is not implemented for worker nodes
1944065 - [VPA] recommender is logging errors for pods with init containers
1944365 - openstack: missing validation for apiVIP and ingressVIP
1951835 - CVO should propagate ClusterOperator's Degraded to ClusterVersion's Failing during install
1951901 - incorrect Worker nodes number calculated when nodes have both master and worker role
1957709 - Creation of LoadBalancer service (Openstack Lbaas) take too much to be ready when creating IngressControllers with endpointPublishingStrategy=LoadBalancerService
1962502 - The route generated from ingress is still admitted after updating the spec.ingressClassName to mismatch
1977660 - the pod events show error codes when crio recreate the missing symlinks
1997396 - No alerts have triggered for CPU and Memory limit with Cluster Autoscaler
2000276 - EncryptionStateControllerDegraded: failed to get converged static pod revision
2000552 - must-gather should collect ALL apiservices
2000554 - must-gather should collect webhooks service namespaces
2001027 - ClusterAutoscaler with balanceSimilarNodeGroups does not scale even across MachineSet
2001211 - Resource usage measurement data display the concatenation of English and translation sentence fragments on utilization section when moving the mouse over each resource usage chart in Developer->Project
2001409 - All critical alerts should have links to a runbook
2006378 - improve check that verifies task permissions in vsphere
2006611 - CVO resolves the version takes a long time sometimes when upgrading via `--to-image`
2010365 - OpenShift Alerting Rules Style-Guide Compliance
2010375 - OpenShift Alerting Rules Style-Guide Compliance
2018481 - [osp][octavia lb] Route shard not consistently served in a LoadBalancerService type IngressController
2021297 - Dynamic Plugins: Console isn't honoring declared `@console/pluginAPI` dependency
2022328 - kube-controller unpublishing volume after maxWaitForUnmountDuration leaves block devices on node in a inconsistent state
2023443 - Console plugin SDK build passes even if there are errors in one of its dist packages
2028474 - [OCPonRHV] Remove clustername length limitation(metadata name)
2030406 - Dynamic plugin demo nav outputs incorrect markup that doesn't conform to the Console navigation which uses the PatternFly Navigation component
2033167 - oc extract --to option doesn't create the target directory if it's not present
2033499 - Populate acceptedRisks on Recommended=False updates for conditional edges
2034883 - MCO does not sync kubeAPIServerServingCAData to controllerconfig if there are not ready nodes
2037329 - [UI] MultiClusterHub details after it's creation starts flickers, disappears and appears back (happened twice)
2039411 - Monitoring operator reports unavailable=true while one Prometheus pod is ready
2040612 - crio umask sometimes set to 0000
2043518 - Better message in the CMO degraded/unavailable conditions when pods can't be scheduled
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2046335 - ETCD Operator goes degraded when a second internal node ip is added
2048349 - Service CA Operator does not reconcile for spec.loglevel changes in ServiceCA CRD
2048789 - broken toolbox in OCP 4.10 with non-default image
2049591 - [RFE] Toolbox - make sure we are running on the latest image?
2052662 - Opening Insights popup crashes the page
2055247 - [Azure] Fail to create master nodes with dcasv5 /dcadsv5 -series Confidential Virtual Machine
2055620 - ImageStreamChange triggers using annotations does not work
2056387 - [IPI on Alibabacloud][RHEL scaleup] new RHEL worker were not added into the backend of Ingress SLB automatically
2056888 - [Secondary Scheduler] - Version number incorrect in secondary scheduler operator bundle
2057637 - default VolumeSnapshotClass created by the csi-driver-manila-operator does not contain secrets
2057972 - Extra space is in the translation text(Chinese) of 'Create rolebinding' and 'replicate rolebinding'
2059125 - The oc binary for mac arm64 can't be executed
2059599 - [ibm]Lots of info message from ibmcsidriver/identity.go:83 displayed in the log ibm-vpc-block-csi-node/iks-vpc-block-node-driver
2060068 - machine-api-provider-aws creates EC2 instances with the default security group when no matching security group is found
2060079 - Re-think kubeproxy_sync_proxy_rules_duration_seconds_bucket alerts
2061947 - IBM Cloud: Uninstall does not succeed when there is nothing to clean up
2062579 - [IBMCloud] Provide invalid profile machine stuck in "Provisioning" phase
2063764 - Operators - OperatorHub : i18n misses
2065192 - GCP - Less privileged service accounts are created with Service Account User role
2065727 - Scaling down an hypershift cluster ends with BMH shutdown and in maintenance mode
2066560 - two router pods are in ContainerCreating status when tried to patch ingress-operator with custom error code pages directly
2067059 - No topologySpreadConstraints shown in `oc describe resource`
2067323 - [sig-network-edge][Conformance][Area:Networking][Feature:Router] The HAProxy router should pass the gRPC interoperability tests [Suite:openshift/conformance/parallel/minimal]
2068910 - After node re-created, some ovn annotations are not found for the node and due to that pod is in crashloop
2070562 - Base64 data value for java keystore secret changing automatically, when we edit it from the console and saving it without doing any changes
2071792 - Non-kubeadmin user will not have access to openshift-config ns to pull secret/CM for adding private HCR in a namespace
2073617 - [IBM] allowedTopologies in SC causes scheduling to fail when region is empty
2075107 - Heading mismatch of CloudShellDrawer & Fullscreen
2075607 - [4.10] IBM VPC operator needs e2e csi tests for ibmcloud
2077933 - Kube controller manager does not handle new configurations available in the cloud provider OpenStack
2078691 - [OVN] Node to service traffic is blocked if service is "internalTrafficPolicy: Local" even backed pod is on the same node
2078727 - [IBM] Volume is not provisioned when storageclass Region is provided but without zone info
2079214 - modal text goes outside of modal boundary and doesn't have scroll bar
2079249 - list pages in pipelines is taking more time to load when there are too many items
2079679 - [bz-monitoring][invariant] alert/Watchdog must have no gaps or changes
2079690 - [RH OCP 4.9] Affinity definition YAML shows difference in web console
2080260 - 404 not found when create Image Manifest Vulnerability on Operator "Container Security"
2080449 - [Azure-file CSI Driver] Read/Write permission denied for non-admin user on azure file csi provisioned volume with fsType=ext4,ext3,ext2,xfs
2081674 - Developer add page create a new project modal redirects to admin project page after creation
2081734 - metal3-dnsmasq: workers are not provisioned during the cluster installation when BootMacAddress is not provided lower-case
2082395 - Private cluster installer on Azure asking for baseDomainResourceGroup even when it has nothing to do with basedomain as mentioned in documentation.
2082588 - [RFE] Add new Azure instance types to the official "tested/supported" list
2082599 - retry logic should have an upper bound on the number of failed attempts
2082773 - [AWS-EBS-CSI-driver-Operator] Generic ephemeral volumes online resize Filesystem type volume stucked at file system resize phase
2083041 - Updating externalTrafficPolicy=cluster to externalTrafficPolicy=local doesn't work
2083226 - alertmanager-main pods failing to start due to startupprobe timeout
2084453 - Edit PodDisruptionBudget page sometimes takes user to not synced YAML view
2084471 - Capital letters in install-config.yaml .platform.baremetal.hosts[].name cause bootkube errors
2084504 - can not silent platform alert from developer console
2085390 - machine-controller is case sensitive which can lead to false/positive errors
2086231 - Install Shared Resource CSI Driver Webhook
2086887 - DNS occasionally unavailable after large scale up operation
2087032 - Operator-sdk "run bundle" "run bundleup-grade" can't support proxy env
2087679 - EgressQoSes not gathered for debugging purposes
2087981 - PowerOnVM_Task is deprecated use PowerOnMultiVM_Task for DRS ClusterRecommendation
2088033 - Clear text password/secret in operator pod
2088583 - libguestfs: error: download: /boot/loader/entries/ostree-1-rhcos.conf: No such file or directory
2089199 - etcd Dashboard should be removed on guest cluster of hypershift
2089221 - Could not de-select a Git Secret in add and edit forms
2089402 - BuildConfig throws error when using a label with a / in it
2089807 - Many errors when powering off a master
2089950 - Upgrade fails with message Cluster operator console is not available
2090135 - [upstream] Operator-sdk run bundle offer the wrong error message
2090836 - Bootstrap node should honor http proxy
2090988 - ReplicaSet prometheus-operator-admission-webhook has timed out progressing
2091102 - Name of workload get changed, when project and image stream gets changed on edit deployment page of the workload.
2091109 - Add to application dropdown options are not visible on application-grouping sidebar action dropdown.
2091238 - NetworkPolicies: ovnkube-master pods crashing due to panic: "invalid memory address or nil pointer dereference"
2091545 - Namespace value is missing on the list when selecting "All namespaces" for operators
2091555 - Sort function doesn't work on "Namespaces" column on operator details page
2091573 - Input values in Instantiate Template are disappeared randomly in the developer console
2091864 - Registry Pod don't have "securityContext.runAsNonRoot=true" config that generated by run bundle
2092319 - [Firefox] multi-line node status formatting issue
2092731 - Give more clear information when `oc adm release new` without the --keep-manifest-list opotion for the manifestlist imagestream YAML
2092920 - Dependent tasks in Pipeline chart linked incorrectly
2093016 - [azure disk] add metric and alert to help identify cascading test failures
2093040 - unable to start `toolbox` on RHCOS using `podman` 4.0
2093046 - must-gather debug pods are missing priority class
2093440 - [sig-arch][Early] Managed cluster should start all core operators - NodeCADaemonControllerDegraded: failed to update object
2093826 - Pods with OVN hardware offloading enabled interface fail to start
2093852 - Affinity rule created in console deployment for single-replica infrastructure
2093892 - no api_key_file field in AlertmanagerConfig, but error message complains it
2094012 - Listing secrets in all namespaces with a specific labelSelector does not work properly
2094068 - No runbook created for NorthboundStale alert
2094101 - `podman` dumping core on RHCOS 4.11 + RHEL 8.6 on `aarch64`
2094174 - ReleaseAccepted=False keeps complaining about the update cannot be verified after the upgrade is cleared
2094240 - MachineConfigPool details page should use consistent word for resume updating
2094362 - Duplicate prometheus rules for API SLOs after upgrade
2094462 - DeleteACLsFromPortGroupOps doesn't actually have any UUIDs set, so it deletes nothing and complains
2094502 - Creating an MCH instance does not work via blue button
2094558 - MetalLB: Creating ip address pool and community CR through webconsole the words like addresses and communities are truncated
2094716 - Unable to install a fully air gapped OCP 4.10 cluster in AWS using IPI
2094783 - storageclass should not be created for unsupported vsphere version
2094865 - INIT container stuck forever
2095323 - Openshift on OpenStack does not honor machineNetwork setting with multiple networks
2095623 - [rebase v1.24] [sig-storage] In-tree Volumes [Driver: azure-file] tests fail
2095708 - oc adm inspect throws out erorr "the server doesn't have a resource type "egressfirewalls" for all operators
2095852 - Unable to create Network Policies: error: unexpectedly found multiple equivalent ACLs (arp v/s arp||nd) (ns_netpol1 v/s ns_netpol2)
2097026 - Administration - Cluster Settings - Cluster Operators : Filter menu values are in English
2097073 - etcdExcessiveDatabaseGrowth should not use increase() around gauge metrics
2097221 - [OVN HWOL] Avoid masked access to ct_label to allow offloading of ECMP symmetric reply and load balanced traffic
2097243 - NodeIP is used instead of EgressIP
2097431 - Degraded=True noise with: UpgradeBackupControllerDegraded: unable to retrieve cluster version, no completed update was found in cluster version status history
2097557 - can not upgrade. Incorrect reading of olm.maxOpenShiftVersion
2097691 - [vsphere] failed to create cluster if datacenter is embedded in a Folder
2097701 - MetaLLB: Validation unable to create BGPPeers with spec.peerASN Value in OCP 4.10
2097785 - Ensure OSUpdateStaged gets sent to the API server before rebooting
2098053 - Add a e2e test to validate address mismatch between pod address family and external gw family
2098054 - The control plane should tag AWS security groups at creation
2098072 - [vsphere] update install-config description for diskType
2098124 - [Kubernetes] [ISCSI] ipv6 single stack cluster could not get SCSI server host number
2098234 - Local Update Server link 404
2098299 - install-config: Strict unmarshalling conflicts with new fields
2099401 - [IBMCloud] Client does not set region endpoint for InstallConfig
2099664 - MachineConfigPool is not getting updated
2099795 - README file for helm charts coded in Chinese shows messy characters when viewing in developer perspective.
2099864 - vmware-vsphere-csi-driver-controller can't use host port error on e2e-vsphere-serial
2099939 - enabled UWM alertmanager only, user project AlertmanagerConfig is not loaded to UWM alertmanager or platform alertmanager
2099945 - [OVN] bonding fails after active-backup fail-over and reboot, kargs static IP
2099991 - pass the "--quiet" option via the buildconfig for s2i
2100166 - heterogeneous arch: oc adm extract encodes arch specific release payload pullspec rather than the manifestlisted pullspec
2100220 - Completed pods may not be correctly cleaned up
2100249 - Revert Bug 2082599: add upper bound to number of failed attempts
2100312 - should use the same value for AlertRelabelConfig with oc explain
2100334 - Event sources do not show up until KnativeServing is installed
2100342 - Operator-sdk run bundle offer the wrong error message
2100472 - TechPreview feature is not enabled, but find "failed to list *v1alpha1.AlertingRule: alertingrules.monitoring.openshift.io is forbidden" in cmo logs
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS
2100640 - "Show operands in all namespaces" radio group font size is too large.
2100702 - No need to pass to-image-base for `oc adm release new` command when use --from-release
2100708 - Print the dup choose image message is noisy
2100774 - In the Deploy Image form Image name from external registry field Required text is not red as other fields
2100843 - Selecting add connector context menu option opens the side panel of the node
2100845 - MetalLB: matchExpressions used in CR like L2Advertisement allow duplicate entries
2100852 - worker-user-data secret couldn't be synced up from openshift-mahcine-api to openshift-cluster-api
2100860 - Users can't silence alerts from the dev console when dedicated UWM Alertmanager is deployed
2100882 - downloading govc is impacted by github rate limiting
2100918 - Add debug logging to TestIngressOperatorCacheIsNotGlobal
2100923 - [SSO] Deleting secondary scheduler CR does not delete the corresponding deployment
2101157 - OVS-Configure doesn't iterate connection names containing spaces correctly
2101343 - topolvm-controller get into CrashLoopBackOff few minutes after install
2101357 - catalog-operator fatal error: concurrent map writes
2101444 - kube-apiserver-operator should raise an alert when there is a Pod Security admission violation
2101511 - [4.12] Tag new ironic packages when we have builds
2101520 - csi-snapshot-controller-operator occasionally establishes an unusual number of watch requests
2101622 - Drain happens before other image-registry pod is ready to service requests, causing disruption
2101645 - [Cluster storage Operator] DefaultStorageClassController report fake message "No default StorageClass for this platform" on azure and openstack
2101736 - Finalizers can't be removed for machines
2101843 - pv fails to recycle with PodSecurity error
2101878 - Route status isn't always getting cleared with routeSelector updates
2101880 - [cloud-credential-operator]container has runAsNonRoot and image will run as root
2101885 - The bash completion doesn't work for get subcommand
2101992 - [Azure] IP address release: After deleting and recreating egressIP object, egress traffic was intermittently broke for about 1 minute
2102004 - 4.10 to 4.11 update: Degraded node: unexpected on-disk state: mode mismatch for file: "/etc/crio/crio.conf.d/01-ctrcfg-pidsLimit"; expected: -rw-r--r--/420/0644; received: ----------/0/0
2102098 - [OSD] There is no error message shown on node label edit modal
2102109 - co/node-tuning: Waiting for 15/72 Profiles to be applied
2102228 - Update rhcos.json in installer to point at new CDN
2102269 - The base image is still 4.10 for operator-sdk
2102324 - GCP: Panic when unknown region AND machinesets specified in install config
2102341 - [UI] ODF operator icon is missing on the Installed Operators page
2102344 - [SSO] sso operator cannot be upgraded from 1.0.0 to 1.0.1 or 1.1
2102371 - Openshift-Ansible RHEL 8 CI update
2102383 - Kube controllers crash when nodes are shut off in OpenStack
2102450 - Kernel parm needs to be added when a pao performance profile is applied, rcutree.kthread_prio=11
2102632 - a shorter cluster name leads to Uninstall fails with Observed a panic: runtime.boundsError
2102673 - FRR start race condition
2102676 - Updates / config metrics are not available in 4.11
2102766 - OCP 4.12 Using RHCOS 411.84
2103061 - [4.12] Backport Prow CI improvements from master
2103090 - Storage - StorageClasses - Create StorageClass - Provisioner: Upon selection of Provisoner i18n misses
2103126 - must-gather namespace should have "privileged" warn and audit pod security labels besides enforce
2103144 - [IPv6] apiVIP and ingressVIP non-equality validation doesn't account for synonyms
2103178 - disabling ipv6 router advertisements using "all" does not disable it on secondary interfaces
2103224 - Sidebar perspective dropdown switcher has different background color and incorrect border color when in dark theme mode
2103236 - GCP: Error message for insufficient permissions needs to be improved
2103283 - In CI 4.10 HAProxy must-gather takes longer than 10 minutes
2103590 - [HyperShift] Election timeouts on OVNKube masters for Hypershift guests post statefulset recreation
2103668 - ovnkube-node pod fails to start - unable to add OVN masquerade route to host, error: failed to add route for subnet - after upgrading to 4.10
2103680 - Setting disableNetworkDiagnostics: true does not persist when network-operator pod gets re-created
2103725 - Carry HAProxy patch 'BUG/MEDIUM: h2: match absolute-path not path-absolute for :path'
2103786 - MCP upgrades can stall waiting for master node reboots since MCC no longer gets drained
2103940 - kube-controller-manager operator 4.11.0-rc.0 degraded on disabled monitoring stack
2103972 - Pipelines (Multi-column table) column titles are not aligned with the column content (input fields) starting with 4.9
2103981 - Topology resource sidebar shows all Builds and should show just the last n
2104275 - Supermicro server FirmwareSchema CR does not contain allowable_values, attribute_type and read_only flag
2104337 - Remove `yq` curls from CI steps
2104373 - [AWS] CCM cannot work on Commercial Cloud Services (C2S) Top Secret Region
2104481 - PROXY protocol is not configurable for "private" endpoint publishing strategy
2104503 - Update ose-machine-config-operator images to be consistent with ART
2104549 - telemeter golangci-lint outdated blocking ART PRs that update to Go1.18
2104578 - Installer creates unnecessary master_ingress_cluster_policy_controller security group rule
2104619 - Upgrade from 4.11.0-rc0 -> 4.11.0-rc.1 failed. rpm-ostree status shows No space left on device
2104642 - Add a validation webhook for Nutanix machine provider spec in Machine API Operator
2104784 - Some EgressIP was not correctly assigned to the egress node under some condition
2104803 - lr-policy-list for EgressIP was lost after scale down the test pods
2104953 - Reintroduce kube1.24 for SDN
2105003 - e2e-metal-ipi-ovn-dualstack failure: Timed out waiting for node count (5) to equal or exceed machine count (6).
2105045 - OLM updates namespace labels even if they haven't changed
2105071 - container-selinux: Mostly-confined containers which create their own user and mount namespaces can't mount overlay filesystems
2105123 - Tuned overwriting IRQBALANCE_BANNED_CPUS
2105165 - [IPI-IBMCloud] explain installconfig.platform.ibmcloud.resourceGroupName need update
2105303 - Specify the namespace and the index entry along with the chart url to get the chart details
2105325 - [oc adm release] extraction of the installer against a manifestlisted payload referenced by tag leads to a bad release image reference
2105328 - crud/other-routes.spec.ts Cypress test failing at a high rate in CI
2105341 - Bootstrap Gather Fails when cluster.tfvars.json is not available in Azure
2105344 - Console app pod action provider extension is incorrectly defined
2105399 - [SSO] secondary scheduler CR instance does not get updated when SSO is upgraded from 1.0.1 to 1.1.0
2105706 - Race condition with pendingCloudPrivateIPConfigsOps in EgressIP code
2105909 - OLM create-namespace.spec.ts e2e test fails always
2105918 - Install Helm chart form doesn't allow the user select a specific version
2105933 - OKD: update FCOS to latest stable
2105967 - Add E2E test case for Telco Friendly workload specific API
2105996 - Broken assign error display for cloudprivateipconfig
2106044 - etcd backup seems to not be triggered in 4.10.18-->4.10.20 upgrade
2106055 - vSphere defaults to SecureBoot on; breaks installation of out-of-tree drivers
2106061 - [4.12] Bootimage bump tracker
2106086 - IngressController spec.tuningOptions.healthCheckInterval validation allows invalid values such as "0abc"
2106298 - unix domain socket mode is broken when specified as ovn database transport method
2106366 - ProjectHelmChartRepository form doesn't allow the user to make a difference between name and displayname
2106372 - TypeError while creating NodeObservability Run under NodeObservability Operator
2106377 - ProjectHelmChartRepository display name (spec.name) is not used in Helm Charts catalog
2106378 - Spoke BMH stuck "provisioning" after changing a BIOS attribute via the converged workflow
2106403 - Nutanix: the e2e-nutanix-operator webhooks test suite does not support provider Nutanix
2106444 - EgressnodeIP update need special logic to handle creation errors
2106449 - openshift4/ose-operator-registry image is vulnerable to multiple CVEs
2106476 - Order of config attributes are not maintained during conversion of PT4l from ptpconfig to ptp4l.0.config file
2106667 - UPI: Install playbooks don't honour platform.openstack.externalDNS
2106733 - Machine Controller stuck with Terminated Instances while Provisioning on AWS
2106770 - metallb greenwave tests failure
2106803 - E2E: intermittent failure is seen on tests for devfile
2106805 - Spec flag not overriding defaults in headless cypress tests
2106862 - After ovnkube-node restart, external traffic policy local no longer works
2106866 - Test Flake - Using OLM descriptor components successfully creates operand using form
2106935 - kubernetes-nmstate-operator fails to install with error "no channel heads (entries not replaced by another entry) found in channel"
2107043 - HTTPS_PROXY ENV missing in some CSI driver operators
2107068 - etcd-metrics container is flooding logs
2107113 - Adding SSH keys for core user post-install creates .ssh folder owned by root
2107178 - Bond CNI: Failed to recreate pod with active-active bond: Failed to attached links to bond: Failed to set link: net2 MASTER, master index used: 4, error: bad address
2107241 - [OCPonRHV] CSI provisioned disks are effectively preallocated due to go-ovirt-client setting Provisioned and Initial size of the disk to the same value
2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
2107469 - Confusing subtitle in Create Service Binding modal when the target is already known
2107513 - [SSO] 1.0.1 csv is pulling in secondary-scheduler-operator-container-v1.1-5
2107558 - When deploying via the web ui, the namespace is always openshift-operators
2107566 - [GCP] create gcpcluster get error
2107578 - Power VS machine Processor is always defaulted to 0.5
2107999 - [GCP] capg-controller-manager report panic after creating machineset and machine stuck in Provisioning
2108033 - remove ovn-kubernetes dependency on arping executable file
2108054 - Report alert when upstream CSI driver is found
2108222 - Missing spec.cpu.offlined field in v1 API
2108307 - oc debug node should set hostIPC to true
2108317 - Fix two issues in hybrid overlay
2108320 - rpm-ostreed: start limit hit easily
2108473 - [vSphere CSI driver operator] CSI controller pod restarting constantly
2108551 - [CI Watcher] Bulk Import e2e test flaking at a high rate
2108647 - [azure] Standard_D2s_v3 as worker failed by "accelerated networking not supported on instance type"
2108708 - Ingress operator creates a "default" ingresscontroller on HyperShift
2108858 - cluster-version operator should clear (pod) securityContext when the manifest does not set the property
2109045 - ovn-k needs kubernetes 1.24 bump
2109056 - Bring avoidbuggyips back
2109059 - Reply to arp requests on interfaces with no ip
2109152 - Kube-apiserver was down and could not recover
2109258 - Legacy machine deletion annotation is not respected
2109374 - ClusterVersion availableUpdates is stale: PromQL conditional risks vs. slow/stuck Thanos
2109388 - [AWS] s3 GetBucketPolicy permission is missing in installer validation
2109469 - Code cleanup: Don't call useServiceLevelTitle hook in the JSX
2109502 - Prerelease report bug link should be updated to JIRA instead of Bugzilla
2109511 - Failed PipelineRun logs text is not visible in light mode
2109538 - Nutanix platform validations run at `create manifests` stage
2109697 - Migrate openshift-ansible to ansible-core
2109800 - [IBMCloud] context deadline exceeded for kube-scheduler targets
2109854 - Max unavailable and Max surge have inaccurate description
2109945 - HyperShift: ovnkube-node not able to connect to sbdb
2109963 - Master node in SchedulingDisabled after upgrade from 4.10.24 -> 4.11.0-rc.4
2109965 - oci hook Low-latency-hooks causing high container creation times under platform cpu load
2109967 - failed to apply dns nncp on vSphere/OpenStack platform
2110281 - daemon: Drop tuneableFCOSArgsAllowlist
2110321 - Workloads list page has different PDB action items from details page when All Projects selected
2110501 - [Upgrade]deployment openshift-machine-api/machine-api-operator has a replica failure FailedCreate
2110525 - Form/YAML form errors stay around
2110590 - Upgrade failing because restrictive scc is injected into version pod
2110617 - Split the route controllers out from OCM
2110629 - openshift-controller-manager(-operator) namespace should clear run-level annotations
2110722 - openshift-tests: allow -f to match tests for any test suite
2110927 - Edit YAML page shows unexpected zero (0) and doesn't clear errors anymore
2111151 - Cannot delete a Machine if a VM got stuck in ERROR
2111165 - Project auth cache is fully invalidated on changes to namespaces and namespaced RBAC
2111205 - console-plugin-demo build failing in CI
2111467 - Node internal DNS address is not set for machine
2111474 - Fetch internal IPs of vms from dhcp server
2111534 - [OVNK] Conntrack Rules are removed before the service rules/flows
2111537 - oc image info ignores --output for multiarch image
2111586 - Export OVS metrics
2111686 - [OKD/nanokube] Different NPE when using console with a nanokube cluster
2111733 - pod cannot access kubernetes service
2111817 - rpm-ostreed start timeout on nodes with medium/high load
2111842 - vSphere test failure: [Serial] [sig-auth][Feature:OAuthServer] [RequestHeaders] [IdP] test RequestHeaders IdP [Suite:openshift/conformance/serial]
2111878 - Azure EgressIP gives up reconciling with No matching nodes found when updating the same egressip consecutively
2111972 - openshift-machine-api namespace runlevel label should be set to empty string
2111979 - openshift-controller-manager-operator NS runlevel needs to be set to emptystring
2111984 - OpenShift controller manager needs permissions to get/create/update leases for leader election
2112086 - [hybrid-overlay] AWS EC2 metadata service not available in host's vNIC for Windows
2112146 - [CI watcher] Create pod sample fail because of a restricted pod security admission policy
2112237 - [ Cluster storage Operator 4.x(10/11/12) ] DefaultStorageClassController report fake message "No default StorageClass for this platform" on Alicloud, IBM, Nutanix
2112481 - Synced editor forms have incorrect and inconsistent visual display
2112812 - [OCP 4.10] Developer catalog fails to load (on a fully disconnected cluster and on a disconnected cluster with proxy)
2112862 - Namespace CRUD integration test is failing
2112934 - The oc adm inspect ns/[namespace_name] command is not collecting the servicemonitors in the namespace
2113936 - Fix e2e tests for [reboots][machine_config_labels] (tsc=nowatchdog)
2113977 - Fix pod stuck in termination state when mount fails or gets skipped after kubelet restart
2114009 - [4.12 Alicloud Snapshot] taking more time(4min+) to make snapshot content with ready status and (volume/snapshot content) getting created in default Resource group id
2114488 - Monitoring Alert decorator in Topology color is grey instead of red
2114506 - olm e2e failing when capabilities are disabled
2114721 - telemeter-client pod does not use the updated pull secret when it is changed
2114754 - "gather bootstrap" creates unexpected folder "serial-log-bundle-" beyond "log-bundle-.tar.gz"
2114779 - Node Tuning Operator(NTO) - OCP upgrade failed due to node-tuning CO still progressing
2114834 - Failure when creating Floating IP for load-balancer
2114968 - 4.12-nightly payloads blocked by metal jobs failing with "Still creating ..." when creating nodes
2115308 - Kube API server operator should not update replicas when Machine/Node is being removed
2115347 - 03279843 | Sev 3 | Negative regex matchers for alertmanager silences not properly parsed or read by console
2115358 - control-plane-machine-set-operator pod got panic when create cpms on a single zone deployment
2115479 - ovnkube direct-lists pods on a node when the node object changes
2115522 - Strange padding in new Helm Chart Repository table row
2115527 - ServiceAccounts PATCH noise leads to Secret leakage
2115528 - bump bootimage to include latest rpm-ostree
2115638 - CPMS cannot trigger RollingUpdate when adding failure domain
2115684 - Gather ODF CephCluster resource status
2115790 - [4.12] Bootimage bump tracker
2115799 - CI failing tests: Perform actions on knative service and revision knative service menu options
2115802 - Minor test fixes related to getting updated profile and checking kubeletconfiguration
2115814 - Issues with samples in a disconnected cluster in OCP 4.9
2115899 - BuildConfig form: Docker image repository should be just called Image registry
2116382 - Setting a telemeter proxy in the cluster-monitoring-config config map does not work as expected
2116415 - CI failing tests: Event tab in build details page
2116460 - percpu Memory leak CRIO due to no garbage collection in /run/crio/exits for exited containers
2116547 - phyc2sys config will be automatically added to ptpconfigs even if it is not included in user PGT
2116715 - remove dead code from openshift-controller-manager
2116973 - Multiple navigation items displaying as active
2116982 - multus-admission-controller in openshift-multus has 2 replicas on SNO
2117033 - Cluster-version operator ClusterOperator checks are unecessarily slow on update
2117142 - Update the permission for Project Helm Chart Repository
2117235 - separate route controllers to a new command
2117255 - Failed to dump flows for flow sync, stderr: "ovs-ofctl: br-ext is not a bridge or a socket"
2117310 - [OVN] New pods unable to establish TCP connections and get constant timeouts causing application downtime
2117387 - vsphere: installer for vsphere does not have steal clock accounting enabled
2117423 - Backport: https://github.com/openshift/kubernetes/pull/1295
2117439 - change controlplanemachineset machineType to other type trigger RollingUpdate cause cluster error
2117474 - ccoctl panics while trying to create a secret from credential request which does not have providerspec within it
2117524 - openshift-ingress-operator with mTLS does not download CRL
2117569 - kube-controller-manager needs to stop watching all events
2117595 - Upgrade golangci-lint to 1.47.3 in image-customization-controller
2117602 - LocalVolume does support by-path volumes
2117646 - Changing `spec.host` field on any of routes in the openshift-console namespace wont trigger sync loop
2117738 - Plugin page error boundary message is not cleared after leaving page
2117749 - Bump to latest k8s.io 1.24 release
2117822 - oc adm release extract should handle ccoctl
2118286 - KCMO should not be dependent on monitoring stack
2118318 - kube-controller-manager resource quota controller needs to stop watching all events
2118550 - [capi] azure and vsphere image in payload
2118563 - [OSP][SDN] The displayed IP Capacity is not consistent with port allowed maximum addresses
2118625 - [Nutanix] ccoctl panics if nutanix credentials source file and openshift credentials requests files are in the same directory
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2135339 - CVE-2022-41316 vault: insufficient certificate revocation list checking
2161287 - CVE-2023-0296 openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1000 - Allow scale-down of unhealthy member when it doesn't violate quorum
OCPBUGS-1004 - The error message of "opm alpha render-veneer semver" is not correct
OCPBUGS-1017 - Can't cancel login when using multi-cluster
OCPBUGS-1029 - Developer catalog fails to load
OCPBUGS-1038 - Whereabouts reconciliation should be launched by the CNO when using a conflist
OCPBUGS-1044 - There's an issue with node-exporter pods running when using a bare metal AMD EPYC setup
OCPBUGS-1049 - Pod security policy change breaks cluster-ingress-operator's TestCanaryRoute E2E tests
OCPBUGS-1067 - [vsphere-CSI-Driver-Operator] The storageclass "thin-csi" could not be re-created after deleting
OCPBUGS-1068 - Correct namespace for SimpleContentAccessNotAvailable
OCPBUGS-1069 - Update ODC owners
OCPBUGS-1076 - CNO in HyperShift management cluster is reconciling ovn-kubemaster in Hosted Control Plane namespace.
OCPBUGS-1080 - It's not possible to share BMC secrets between BareMetalHosts
OCPBUGS-1083 - e2e-aws-ovn-serial fails because of OVNKubernetesControllerDisconnectedSouthboundDatabase
OCPBUGS-1105 - Import a Devfile on a disconnected cluster with a proxy doesn't work
OCPBUGS-1106 - Devfile Catalog and Import a Devfile on a fully disconnected cluster should fail directly instead of timeout after 30sec
OCPBUGS-1132 - e2e: perfprof: unbreak the e2e-gcp PAO lane
OCPBUGS-122 - Error: open /etc/nsswitch.conf: permission denied and Error: open ./db-609956243: permission denied
OCPBUGS-1226 - OpenStack UPI scripts do not create server group for Computes
OCPBUGS-1227 - Node events create unnecessary CPU load
OCPBUGS-1231 - base image can't be fetched in a disconnected environment
OCPBUGS-1234 - AWS tagging limit hit issue when trying to add more than 10 tags
OCPBUGS-1237 - e2e-gcp-builds is permafailing
OCPBUGS-1244 - Add PowerVS region mon01 to installer
OCPBUGS-1247 - AWS Control Plane machine set are breaking single node clusters
OCPBUGS-1256 - [CI-Watcher] e2e issue with tests: Using OLM descriptor components. Using OLM descriptor components deletes operand
OCPBUGS-1257 - Keepalived health check causes unnecessary VIP flapping when HAProxy is healthy
OCPBUGS-1263 - cri-o should report the stage of container and pod creation it's stuck at
OCPBUGS-1268 - HelmChartRepositories has no action menu if the default repo is disabled
OCPBUGS-1274 - machine-api-termination-handler Pods don't launch on tainted spot instances
OCPBUGS-1290 - Update Kafka Sink text description
OCPBUGS-1318 - Dual stack cluster fails on installation when multi-path routing entries exist
OCPBUGS-1321 - node_exporter collects metrics for "virtual" network interfaces
OCPBUGS-1324 - Clusters with a custom osImage cannot be upgraded
OCPBUGS-1329 - etcd and kube-apiserver pods get restarted due to failed liveness probes while deleting/re-creating pods on SNO
OCPBUGS-1351 - health_statuses_insights metrics is showing disabled rules in "total"
OCPBUGS-1353 - ETCD Operator goes degraded when a second internal node ip is added
OCPBUGS-1361 - Expect more detail info when report vSphere privilege alert
OCPBUGS-1364 - Improve prometheus-adapter consistency
OCPBUGS-1402 - panic in cvo pod
OCPBUGS-1409 - E2E: intermittent failure is seen on tests for devfile
OCPBUGS-1416 - ODC add-page e2e tests doesn't pass (outdated checks)
OCPBUGS-1417 - Disconnected Openshift cluster on AWS having problem with manual egress IP assignment
OCPBUGS-1421 - Document how to use RWX vSphere volumes
OCPBUGS-1429 - get updated rpm-ostree in 4.12 bootimages
OCPBUGS-1434 - Downstream Autoscaling Eviction Annotation to OCP 4.12
OCPBUGS-1437 - OLM Reports ResolutionFailed when there are multiple upgrade paths between channel entries
OCPBUGS-1456 - Cluster operator-related tests failing on techpreview because of "platform-operators-aggregated"
OCPBUGS-1470 - i18n: Incorrect plural for maxUnavailable pod count
OCPBUGS-1479 - PDB list page should only show Create Pod button to user has sufficient permission
OCPBUGS-1482 - Can't install clusters with schedulable masters
OCPBUGS-1484 - Remove policy/v1beta1 in 4.11 and later
OCPBUGS-1489 - [vsphere] one vm folder is not deleted when destroying ocp cluster configured region/zone
OCPBUGS-1498 - e2e: performance: Verify kernel param rcutree.kthread
OCPBUGS-1502 - PodNetworkConnectivityCheck gatherer reads too much data into memory
OCPBUGS-1503 - configure-ovs.sh fails on unrelated, invalid connection files (non-existing interfaces)
OCPBUGS-1505 - Booting live ISO: /dev/sr0 already mounted or mount point busy
OCPBUGS-1512 - [OCP 4.12] Fix generate script in CBO
OCPBUGS-1515 - Join network CIDR not accept v6InternalSubnet fdxx::/48
OCPBUGS-1522 - Regular user cannot open the debug container from pods they created
OCPBUGS-1533 - sdn rebase to 1.25
OCPBUGS-1549 - DNS operator does not reconcile the openshift-dns namespace
OCPBUGS-1554 - Bump cluster-ingress-operator to k8s 1.25
OCPBUGS-1558 - Bump cluster-dns-operator to k8s 1.25
OCPBUGS-1569 - OBC and OB option showing twice to user of a Project on Console
OCPBUGS-1570 - Event Sources not shown in topology
OCPBUGS-1616 - masters unavailable & mco degraded in bootstrap techpreview jobs
OCPBUGS-1621 - The CSV of the operator does not have timestamp
OCPBUGS-1629 - Facing issue while configuring egress IP pool in OCP cluster which uses STS
OCPBUGS-1636 - The platform-operators-aggregated cannot be created after enabling TechPreviewNoUpgrade
OCPBUGS-1641 - irqbalance: add unit to clear the cpu ban list
OCPBUGS-1645 - CPMS should handle clusters where Masters are not indexed from 0
OCPBUGS-165 - Spike in pod-latency graph observed due to ovnkube-master restarts
OCPBUGS-1677 - CI: Backend unit tests fails because devfile registry was updated (fix assertion)
OCPBUGS-1678 - CI: Backend unit tests fails because devfile registry was updated (mock response)
OCPBUGS-169 - Console e2e tests broken due to pod security admission controller
OCPBUGS-1698 - [vsphere] Installer get panic error when no setting platform.vsphere.failureDomains.topology.networks
OCPBUGS-1705 - OVN-Kubernetes master crashing due to too long ACL names during upgrade
OCPBUGS-1708 - console.openshift.io/use-i18n false in v1alpha API is converted to "" in the v1 APi, which is not a valid value for the enum type declared in the code.
OCPBUGS-171 - VirtualMediaViaExternalNetwork is broken with virtual media TLS
OCPBUGS-1717 - Image registry panics while deploying OCP in me-central-1 AWS region
OCPBUGS-1718 - prometheus-k8s-0 ends in CrashLoopBackOff with evel=error err="opening storage failed: /prometheus/chunks_head/000002: invalid magic number 0" on SNO after hard reboot tests
OCPBUGS-1730 - Bump openshift-router to k8s 1.25
OCPBUGS-1731 - Rebase CoreDNS to 1.10.0, based on k8s 1.25
OCPBUGS-1736 - cncc crashloop in proxy deployments
OCPBUGS-1746 - Update the Github App events and permissions
OCPBUGS-1776 - Duplicate "Getting Started" notification will show on Search page for normal user
OCPBUGS-1789 - Users can't silence alerts from the dev console when dedicated UWM Alertmanager is deployed
OCPBUGS-1799 - Ironic API proxy pods crash loop if IPv6 is used
OCPBUGS-180 - Name of "Role" should keep pace with the name in CLI
OCPBUGS-1806 - OCP cluster install on baremetal fails when hostname of master nodes does not include the text "master" (take 2)
OCPBUGS-1810 - must gather for gather_ingress_node_firewall breaks with permission issues
OCPBUGS-1824 - Systemd service been deactivated in limited network environment
OCPBUGS-1825 - Ingress Node Firewall rule becomes non-functional when daemons and controller manager deployment are re-deployed
OCPBUGS-1827 - knative service e2e tests are failing
OCPBUGS-183 - Log line numbers overlap with cut-off rule when number is too big
OCPBUGS-1831 - failed to run command in pod with network-tools script pod-run-netns-command locally
OCPBUGS-184 - [OCP web console] Wrong message "404: Not found" while the user selects an installed operator and navigates from operator hub to installed operator page.
OCPBUGS-1853 - [OVNK] ARP doesn't exist for v6: https://github.com/j-keck/arping/
OCPBUGS-1856 - [IBMCloud] install private cluster need manually add a rule to the security group for *sg-kube-api-lb
OCPBUGS-1877 - download 'aliyun'
OCPBUGS-1880 - Openshift version upgrade cause multiple worker go in draining node
OCPBUGS-1881 - [vSphere] cluster destroy get stuck if vm have not tag attached
OCPBUGS-1896 - [CORS-2260] "create install-config" got error 'credentialsMode: Forbidden: environmental authentication is only supported with Manual credentials mode'
OCPBUGS-1900 - Bootstrap error in SNO installation
OCPBUGS-1904 - CSI driver operators are degraded without "CSISnapshot" capability
OCPBUGS-1912 - downstream `opm alpha diff` moving to `oc-mirror`
OCPBUGS-1913 - Agent Installer: Do not fail on deprecated apiVip and ingressVip values
OCPBUGS-1916 - Workloads list page has different HPA action items from details page when All Projects selected
OCPBUGS-193 - Kebab menu not working properly for helm repository
OCPBUGS-194 - Layout for API Explorer page is incorrect
OCPBUGS-1941 - [4.12] Bootimage bump tracker
OCPBUGS-1949 - kube-controller log gatherer should limit number of bytes read
OCPBUGS-1950 - Devfile samples (in Developer Catalog) link doesn't include the current selected namespace
OCPBUGS-1962 - Controller and speakers are not created with tolerations effect is NoScheduleNoSchedule and tolerationSeconds is set 10
OCPBUGS-1979 - Update openshift/etcd Go version to 1.16
OCPBUGS-198 - Kuryr-Controller Restarting on KuryrPort with missing pod
OCPBUGS-1992 - [osp][octavia lb] failing to create floating IP for external LB
OCPBUGS-1994 - Unrevert needed for jsonnet deps update PR
OCPBUGS-2004 - egressip healthcheck through GRPC on dualstack cluster only uses v6 address when trying to re-connect to egressIP node
OCPBUGS-2009 - User should be warned that MetalLB controller pod config node affinity cannot have weight 0
OCPBUGS-2010 - [noop][4.12] ironic clear_job_queue and reset_idrac pending issues
OCPBUGS-2029 - proxy config in installconfig fails to be applied
OCPBUGS-2052 - [4.12] boot sequence override request fails with Base.1.8.PropertyNotWritable on Lenovo SE450
OCPBUGS-2063 - List pages in pipelines is taking more time to load when there are too many items
OCPBUGS-2071 - revert "force cert rotation every couple days for development" in 4.12
OCPBUGS-2075 - Do not show notification switch for the alert rule which have no alerts associated
OCPBUGS-2076 - CI AWS CCM cluster install failure
OCPBUGS-2079 - systemReserved:ephemeral-storage in KubeletConfig doesn't work as expected
OCPBUGS-208 - Race condition when creating / deleting mac_address_pairs
OCPBUGS-2086 - Detect failure to prepare installation
OCPBUGS-2100 - Alert icon color is black in the Topology list view
OCPBUGS-2102 - Resource quota e2e tests fails after latest changes to master
OCPBUGS-212 - co/kube-controller-manager degraded: GarbageCollectorDegraded: error fetching rules: Get "https://thanos-querier.openshift-monitoring.svc:9091/api/v1/rules": dial tcp 172.30.153.28:9091: connect: cannot assign requested address
OCPBUGS-2122 - machine-config-daemon failed to update the OS for cluster running behind proxy
OCPBUGS-2125 - CVO skips reconciling the installed optional resources in the 4.11 to 4.12 upgrade
OCPBUGS-2138 - Get OSImageURL override related metric data available in telemetry
OCPBUGS-2151 - machine-api-operator degraded during 3+1 deployment due to minimum worker replica count is 2
OCPBUGS-2152 - RHCOS VM fails to boot on IBM Power (ppc64le) - 4.12
OCPBUGS-2155 - Etcd scaling test was mistakenly added to the parallel suite
OCPBUGS-2157 - Documentation for cleaning crio produces kubelet errors
OCPBUGS-2158 - Track changes of serviceAccountIssuer in operator status
OCPBUGS-216 - kuryr-controller timing out liveness probe
OCPBUGS-2167 - Workload hints feature breaks backwards compatibility
OCPBUGS-2175 - Windows to linux networking broken since downstream OVN merge
OCPBUGS-2181 - e2e tests: Installs Red Hat Integration - 3scale operator test is failing due to change of Operator name
OCPBUGS-2195 - NPE on visiting topology for ns which got deleted
OCPBUGS-2197 - [upgrade 4.11.z to 4.12 nightly] rpm-ostree update via container failed
OCPBUGS-2219 - ConsolePlugin CRs cannot be garbage collected due to missing spec.i18n.loadType value
OCPBUGS-2223 - Default catalogSources are not updated to 4.12
OCPBUGS-2227 - VPA Operator not enabled in 4.12
OCPBUGS-224 - Missing $SEARCH domain in /etc/resolve.conf for OCP v4.9.31 cluster
OCPBUGS-2249 - Conditional gatherer cluster_version_matches issues
OCPBUGS-2262 - [gcp][CORS-1774] "platform.gcp.publicDNSZone" and "platform.gcp.privateDNSZone" should be for existing DNS zones
OCPBUGS-2265 - Allow passing documentation links for alerts
OCPBUGS-2269 - "error: No enabled repositories" on upgrade with kernelType: realtime enabled
OCPBUGS-2301 - [gcp][CORS-1774] with "createFirewallRules: Enabled", after successful "create cluster" and then "destroy cluster", the created firewall-rules in the shared VPC are not deleted
OCPBUGS-2316 - Ingress-node-Firewall:Mixing ICMP v4 and v6 config causes a panic
OCPBUGS-2322 - Kuryr does not accept application credentials
OCPBUGS-2325 - Add e2e test cases for INF spec.ingress
OCPBUGS-2327 - Add validation for releaseImage and mirror
OCPBUGS-2328 - Panic observed: runtime error: index out of range
OCPBUGS-2330 - events.events.k8s.io is forbidden: User "system:serviceaccount:openshift-kube-descheduler-operator:openshift-descheduler-operand" cannot create resource "events" in API group "events.k8s.io" in the namespace "e2e-test-default-b6y9atnu-jxz6p"
OCPBUGS-2334 - NE-956: Configurable LB Source Ranges breaks TestScopeChange
OCPBUGS-2338 - Confusing error messages when missing VIPs
OCPBUGS-2340 - OnDelete update strategy cannot work when master machines are not index as 0, 1, 2
OCPBUGS-2346 - Remove namespace and name from gathered DVO metrics
OCPBUGS-2354 - co/storage is not available due to csi driver not have proxy setting on ibm cloud
OCPBUGS-236 - custom ingress-controller can't be deleted
OCPBUGS-2360 - [IPI on Baremetal] ipv6 support issue in metal3-httpd
OCPBUGS-2362 - OVN-K alerts must be set to the correct severity level
OCPBUGS-2369 - NPE on topology if creates a k8s svc and KSVC which has no metadata in template
OCPBUGS-2372 - Duplicate addresses when the controller is restarted
OCPBUGS-2373 - When changing a lb service to another type, the freed ip is not reused
OCPBUGS-238 - ReEnable e2e tests for knative
OCPBUGS-2396 - FIPS jobs are broken after images rebuilt with golang 1.19
OCPBUGS-2435 - Nil-pointer dereference in TestRouterCompressionOperation on e2e-gcp-operator
OCPBUGS-2436 - Installer fails to create ingress.config.openshift.io/cluster on AWS because of missing spec.loadBalancer.platform.aws.type
OCPBUGS-2437 - Clusters with large numbers of CSVs can cause crashloop, block upgrades
OCPBUGS-2438 - Help popovers cause error on Observe > Alerting pages
OCPBUGS-2446 - Control Plane Machine Set does not expose errors
OCPBUGS-2455 - Pods and PDBs list page just reports 'Not found' when no Pod/PDB
OCPBUGS-246 - Incorrect retry cause false positive in CNF tests
OCPBUGS-2469 - ControlPlaneMachineSets are not included in must-gathers
OCPBUGS-2478 - i18n translation missing in "Remove component node from application" modal
OCPBUGS-2495 - 'oc login' should be robust in the face of gather failures
OCPBUGS-2508 - Worker creation fails within provider networks (as primary and secondary)
OCPBUGS-2512 - apiserver pods cannot reach etcd on single node IPv6 cluster: transport: authentication handshake failed: x509: certificate is valid for ::1, 127.0.0.1, ::1, fd69::2, not 2620:52:0:198::10"
OCPBUGS-2558 - [RFE] Add new Azure instance types to the official "tested/supported" list
OCPBUGS-256 - intra namespace allow network policy doesn't work after applying ingress&egress deny all network policy
OCPBUGS-2592 - CVO hot-loops on Deployment manifests
OCPBUGS-262 - downloading govc is impacted by github rate limiting
OCPBUGS-2621 - Enable TechPreview cause cluster error on single node cluster
OCPBUGS-2635 - Ingress operator degraded during 3+1 deployment due to insufficient worker nodes
OCPBUGS-2638 - Switch libvirt VM's to vnc graphic mode
OCPBUGS-2651 - Pipeline Run nodes should show focus border
OCPBUGS-2654 - Console OLM Integration Tests Reference Operator Not Present in 4.12 Certified Operators CatalogSource
OCPBUGS-2656 - VPA E2Es fail due to CSV name mismatch
OCPBUGS-268 - vsphere: installer for vsphere does not have steal clock accounting enabled
OCPBUGS-270 - Dev Catalog taking too much time to load in a complete disconnected cluster
OCPBUGS-2726 - Descheduler SoftTopologyAndDuplicates uses Stategy RemovePodsViolatingTopologySpreadConstraint which has invalid mapping
OCPBUGS-2741 - CPMS failureDomains is not keep consistent with master machines on heterogeneous cluster after upgrade from 4.11 to 4.12
OCPBUGS-2757 - rebase should handle idempotency
OCPBUGS-2774 - [AWS][GCP] the new created nodes are not added to load balancer
OCPBUGS-2775 - After added/removed label from a namespace, one stats of "route_metrics_controller_routes_per_shard" in Observe >> Metrics page aren't correct
OCPBUGS-2779 - Import: Advanced option sentence is splited into two parts and headlines has no padding
OCPBUGS-2803 - Project auth cache sync blocks list handler
OCPBUGS-2822 - [4.12] EFS csi controller&driver pod are CrashLoopBackOff due to csi-driver container is not running on arm.
OCPBUGS-2826 - ovnkube-trace: ofproto/trace fails for IPv6
OCPBUGS-2837 - Excessive debug logs
OCPBUGS-2848 - Routes per shard metric inaccurate if using matchExpression
OCPBUGS-2854 - Controlplanmachineset couldn't be created after deleting a machineset
OCPBUGS-2874 - Add Capacity button does not exist after upgrade OCP version [OCP4.11->OCP4.12]
OCPBUGS-2896 - Refactor retry logic into a separate pkg
OCPBUGS-2909 - Invalid documentation link in knative-plugin README
OCPBUGS-2915 - InsightsRecommendationActive should link cluster-specific page
OCPBUGS-2918 - Update Prometheus Alerts
OCPBUGS-2927 - CI jobs are failing with: admission webhook "validation.csi.vsphere.vmware.com" denied the request
OCPBUGS-2974 - administrator console, monitoring-alertmanager-edit user list or create silence, "Observe - Alerting - Silences" page is pending
OCPBUGS-2975 - PTP 4.12 - PTP - AMQ HTTP on event caused ptp stopped working after fresh deployment
OCPBUGS-2979 - [4.12] automatic replacement of an unhealthy member machine
OCPBUGS-2984 - [RFE] 4.12 Azure DiskEncryptionSet static validation does not support upper-case letters
OCPBUGS-2995 - [4.12] Unable to gather OpenStack console logs since kernel cmd line has no console args
OCPBUGS-2997 - [4.12] Bootimage bump tracker
OCPBUGS-2998 - OCP 4.12 Driver Toolkit (DTK) mismatch in kernel package and node kernel versions
OCPBUGS-3003 - Ignore non-ready endpoints when processing endpointslices
OCPBUGS-3019 - Ingress node firewall pod 's events container on the node causing pod in CrashLoopBackOff state when sctp module is loaded on node
OCPBUGS-302 - openshift-install gather bootstrap panics
OCPBUGS-3022 - GCP: missing multiple regions
OCPBUGS-3028 - panic in WaitForBootstrapComplete
OCPBUGS-3035 - 4.12 backport: Multiple extra manifests in the same file are not applied correctly
OCPBUGS-3037 - [apiserver-auth] default SCC restricted allow volumes don't have "ephemeral" caused deployment with Generic Ephemeral Volumes stuck at Pending
OCPBUGS-305 - Cluster-version operator ClusterOperator checks are unecessarily slow on update
OCPBUGS-3055 - 4.12 backport: Wait-for install-complete did not exit upon completion.
OCPBUGS-3071 - [4.12][AWS] curl network Loadbalancer always get "Connection time out"
OCPBUGS-3075 - [4.12] ovn-k network policy races
OCPBUGS-3080 - [4.12] RPS hook only sets the first queue, but there are now many
OCPBUGS-3081 - monitor not working with UDP lb when externalTrafficPolicy: Local
OCPBUGS-3094 - [4.12] The control plane should tag AWS security groups at creation
OCPBUGS-3111 - metal3 pod crashloops on OKD in BareMetal IPI or assisted-installer bare metal installations
OCPBUGS-3115 - [2117255] Failed to dump flows for flow sync, stderr: "ovs-ofctl: br-ext is not a bridge or a socket"
OCPBUGS-3175 - CIRO unable to detect swift when it speaks HTTP2
OCPBUGS-3177 - RHCOS 4.12/s390x kdump is failling, disable test
OCPBUGS-3179 - Regression in ptp-operator conformance tests
OCPBUGS-3194 - [4.12.z backport][4.8][OVN] RHEL 7.9 DHCP worker ovs-configuration fails
OCPBUGS-3204 - Permission denied when write data to mounted gcp filestore volume instance
OCPBUGS-3208 - [4.12] SCOS build fails due to pinned kernel
OCPBUGS-3249 - CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4]
OCPBUGS-3263 - The terraform binaries shipped by the installer are not statically linked
OCPBUGS-3265 - Console shouldn't try to install dynamic plugins if permissions aren't available
OCPBUGS-3276 - Pin down dependencies on CMO release 4.12
OCPBUGS-3279 - Service-ca controller exits immediately with an error on sigterm
OCPBUGS-3281 - OCP 4.10.33 uses a weak 3DES cipher in the VMWare CSI Operator for communication and provides no method to disable it
OCPBUGS-3289 - [IBMCloud] Worker machines unreachable during initial bring up
OCPBUGS-3293 - WriteRequestBodies audit profile records routes/status events at RequestResponse level
OCPBUGS-3297 - Bugfix in privileged-daemonset and better dependencies
OCPBUGS-3306 - Agent installer does not support dualstack VIPs
OCPBUGS-3307 - [gcp] when the optional Service Usage API is disabled, IPI installation cannot succeed
OCPBUGS-3311 - [alibabacloud] IPI installation failed with master nodes being NotReady and CCM error "alicloud: unable to split instanceid and region from providerID"
OCPBUGS-3333 - Console should be using v1 apiVersion for ConsolePlugin model
OCPBUGS-3340 - Environment cannot find Python
OCPBUGS-3343 - [vsphere] installation fails when setting user-defined folder in failure domain
OCPBUGS-3346 - [perf/scale] libovsdb builds transaction logs but throws them away
OCPBUGS-3348 - 4.12: When adding nodes, the overlapped node-subnet can be allocated.
OCPBUGS-3352 - ClusterVersionRecommendedUpdate condition blocks explicitly allowed upgrade which is not in the available updates
OCPBUGS-3359 - Revert BUILD-407
OCPBUGS-3363 - openshift-ingress-operator with mTLS does not download CRL
OCPBUGS-3366 - Disconnected cluster installation fails with pull secret must contain auth for "registry.ci.openshift.org"
OCPBUGS-3378 - [OVN]Sometimes after reboot egress node, egress IP cannot be applied anymore.
OCPBUGS-3379 - [release-4.12] CephCluster and StorageCluster resources use the same paths
OCPBUGS-3390 - [release-4.12] 4.11 SNOs fail to complete install because of "failed to get pod annotation: timed out waiting for annotations: context deadline exceeded"
OCPBUGS-3397 - Avoid re-metric'ing the pods that are already setup when ovnkube-master disrupts/reinitializes/restarts/goes through leader election
OCPBUGS-3398 - 4.12 backport: Unable to configure cluster-wide proxy
OCPBUGS-3406 - [gcp][CORS-1774] with both "id" and "project" specified for "privateDNSZone", it seems installer doesn't horner "project"
OCPBUGS-3425 - [release-4.12] Azure Disk CSI Driver Operator gets degraded without "CSISnapshot" capability
OCPBUGS-3428 - [4.12] Skip broken [sig-devex][Feature:ImageEcosystem] tests
OCPBUGS-3436 - domain 24 missing from phc2sys options
OCPBUGS-3437 - cloud-network-config-controller not using proxy settings of the management cluster
OCPBUGS-3442 - Datastore name is too long
OCPBUGS-3443 - [4.12] Descheduler pod is OOM killed when using descheduler-operator profiles on big clusters
OCPBUGS-3455 - track `rhcos-4.12` branch for fedora-coreos-config submodule
OCPBUGS-3459 - Installer does not always add router CA to kubeconfig
OCPBUGS-346 - Failed to create volumesnapshotcontent for gcp-filestore-csi-driver-operator
OCPBUGS-3464 - IBM operator needs deployment manifest fixes
OCPBUGS-3468 - Disable check_pkt_length in OVN-K for OvS Hardware Offload Cases
OCPBUGS-3479 - [4.12] Baremetal Provisioning fails on HP Gen9 systems due to eTag handling
OCPBUGS-3483 - Minor test fixes related to getting updated profile and checking kubeletconfiguration
OCPBUGS-3493 - [Ingress Node Firewall Operator] [Web Console] Allow user to override namespace where the operator is installed, currently user can install it only in openshift-operators ns
OCPBUGS-3503 - CRD-based and openshift-apiserver-based Route validation/defaulting must use the shared implementation
OCPBUGS-3504 - [4.12] Incorrect network configuration in worker node with two interfaces
OCPBUGS-3510 - Update cluster-authentication-operator not to go degraded without console
OCPBUGS-3515 - Need validation rule for supported arch
OCPBUGS-3519 - Assisted service should always use first matching mirror for release image
OCPBUGS-3520 - Install ends in preparing-failed due to container-images-available validation
OCPBUGS-3523 - Operator attempts to render both GA and Tech Preview API Extensions
OCPBUGS-3557 - [4.12] provisioning of baremetal nodes fails when using multipath device as rootDeviceHints
OCPBUGS-3571 - Placeholder bug for OCP 4.12.0 metadata release
OCPBUGS-3639 - The architecture field in sig image definition for hyperVGeneration V1 needs to match rhcos_image architecture
OCPBUGS-364 - Update ose-baremetal-installer images to be consistent with ART
OCPBUGS-3650 - EUS upgrade stuck on worker pool update: error running skopeo inspect --no-tags
OCPBUGS-3651 - DaemonSet "/openshift-network-diagnostics/network-check-target" is not available
OCPBUGS-3658 - OVN-Kubernetes should not send IPs with leading zeros to OVN
OCPBUGS-3663 - don't enforce PSa in 4.12
OCPBUGS-3694 - [4.12] Router e2e: drop template.openshift.io apigroup dependency
OCPBUGS-3696 - Surface ClusterVersion RetrievedUpdates condition messages
OCPBUGS-3700 - [osp][octavia lb] NodePort allocation cannot be disabled for LB type svcs
OCPBUGS-3754 - Create Alertmanager silence form does not explain the new "Negative matcher" option
OCPBUGS-3763 - PTP operator: Use priority class node critical
OCPBUGS-3770 - cvo pod crashloop during bootstrap: featuregates: connection refused
OCPBUGS-3772 - Default for spec.to.weight missing from Route CRD schema
OCPBUGS-3774 - Unable to use application credentials for Cinder CSI after OpenStack credentials update
OCPBUGS-3780 - Route CRD validation behavior must be the same as openshift-apiserver behavior
OCPBUGS-3786 - Should show information on page if the upgrade to a target version doesn't take effect.
OCPBUGS-3798 - [4.12] Bump OVS control plane to get "ovsdb/transaction.c: Refactor assess_weak_refs."
OCPBUGS-3811 - Automation Offline CPUs Test cases
OCPBUGS-3824 - [4.12] Ipsec pods restart due to liveness probes fail in cluster with more than 150 +
OCPBUGS-3837 - service account token secret reference
OCPBUGS-384 - GCP Filestore csi operator has wrong spec.description in csv files
OCPBUGS-3841 - Remove flowcontrol/v1beta1 release manifests in 4.12 and later
OCPBUGS-3851 - [4.12][Dual Stack] ovn-ipsec crashlooping due to cert signing issues
OCPBUGS-3871 - Container networking pods cannot be access hosted network pods on another node in ipv6 single stack cluster
OCPBUGS-3874 - masters repeatedly losing connection to API and going NotReady
OCPBUGS-3875 - Route CRD host-assignment behavior must be the same as openshift-apiserver behavior
OCPBUGS-3878 - RouteTargetReference missing default for "weight" in Route CRD v1 schema
OCPBUGS-3881 - Revert Catalog PSA decisions for 4.12
OCPBUGS-3884 - [Ingress Node Firewall] Change the logo used for ingress node firewall operator
OCPBUGS-3889 - Egress router POD creation is failing while using openshift-sdn network plugin
OCPBUGS-3890 - [ibmcloud] unclear error msg when zones is not match with the Subnets in BYON install
OCPBUGS-3899 - [2035720] [IPI on Alibabacloud] deploying a private cluster by 'publish: Internal' failed due to 'dns_public_record'
OCPBUGS-392 - Setting disableNetworkDiagnostics: true does not persist when network-operator pod gets re-created
OCPBUGS-3927 - "Error loading" when normal user check operands on All namespaces
OCPBUGS-3930 - Local Storage Operator (LSO) not available in OperatorHub for OCP 4.12 on Z ec.5 and rc.0 builds
OCPBUGS-3944 - Handle 0600 kubeconfig
OCPBUGS-3956 - CNO reporting incorrect status
OCPBUGS-3958 - [4.12] Use kernel-rt from ose repo
OCPBUGS-3966 - must-gather namespace should have 'privileged' warn and audit pod security labels besides enforce
OCPBUGS-4001 - fix operator naming convention
OCPBUGS-4004 - Consistent e2e test failure:Events.Events: event view displays created pod
OCPBUGS-4013 - On Make Serverless page, to change values of the inputs minpod, maxpod and concurrency fields, we need to click the ' + ' or ' - ', it can't be changed by typing in it.
OCPBUGS-4035 - Topology gets stuck loading
OCPBUGS-4040 - Authentication operator doesn't respond to console being enabled
OCPBUGS-4043 - [2109965] oci hook Low-latency-hooks causing high container creation times under platform cpu load
OCPBUGS-4048 - Prometheus doesn't reload TLS certificate and key files on disk
OCPBUGS-4063 - Fails to deprovision cluster when swift omits 'content-type'
OCPBUGS-4064 - Install failure in create-cluster-and-infraenv.service
OCPBUGS-4068 - Shouldn't need to put host data in platform baremetal section in installconfig
OCPBUGS-407 - [2116382] Setting a telemeter proxy in the cluster-monitoring-config config map does not work as expected
OCPBUGS-4083 - CCM not able to remove a LB in ERROR state
OCPBUGS-4097 - [IPI-BareMetal]: Dual stack deployment failed on BootStrap stage
OCPBUGS-4098 - [4.12] Egress IP Health Check Is Not Compatible With VF (Hardware Backed) Management Port
OCPBUGS-4112 - Remove autoscaling/v2beta2 in 4.12 and later
OCPBUGS-4116 - Re-enable pipeline CI tests
OCPBUGS-4117 - Re-enable serverless CI tests
OCPBUGS-4118 - Kube-State-metrics pod fails to start due to panic
OCPBUGS-4121 - [SNO] csi-snapshot-controller CO is degraded when upgrade from 4.12 to 4.13 and reports permissions issue.
OCPBUGS-416 - [IBMCloud] The udevadm utility is missing in the IBM Cloud VPC block storage IPI image
OCPBUGS-418 - [OCP web console] Search result doesn't clear when user clears name filter in one-shot for any resources
OCPBUGS-4183 - Upgrades from 4.11.9 to latest 4.12.x Nightly builds do not succeed
OCPBUGS-4189 - Route CRD vs. OCP defaulting disparity
OCPBUGS-4193 - [4.12] etcd failure: failed to make etcd client for endpoints [https://[2620:52:0:1eb:367x:5axx:xxx:xxx]:2379]: context deadline exceeded
OCPBUGS-4195 - PTP 4.12 Regression - CLOCK REALTIME status is locked when physical interface is down
OCPBUGS-4199 - route-controller-manager not creating routes in 4.12
OCPBUGS-421 - Disconnected IPI OCP 4.10.22 cluster install on baremetal fails when hostname of master nodes does not include the text "master
OCPBUGS-4218 - highperformance irq balancing support causes the /etc/sysconfig/irqbalance to slowly grow unbounded
OCPBUGS-4223 - Fix tuning plugin vlan handling
OCPBUGS-4230 - CNCC: Wrong log format for Azure locking
OCPBUGS-4234 - Updating ose-cloud-network-config-controller images to be consistent with ART
OCPBUGS-4235 - Updating ose-cloud-network-config-controller images to be consistent with ART
OCPBUGS-4250 - Backport PodNetworkConnectivityCheck for must-gather
OCPBUGS-4251 - HyperShift control plane operators have wrong priorityClass
OCPBUGS-426 - [OSP][OVN]unable to create logical router policy for egressIP after update duplicate IP to uniq one
OCPBUGS-428 - Insights Operator should collect helm upgrade and uninstall metric
OCPBUGS-4286 - [4.12] ovn-kubernetes ovnkube-master containers crashlooping after 4.11.0-0.okd-2022-10-15-073651 update
OCPBUGS-4292 - Backport specify resources.requests for operator pod
OCPBUGS-4299 - Backport Specify resources.requests for operator pod
OCPBUGS-4303 - Backport Specify resources.requests for operator pod
OCPBUGS-4308 - sanitize agent-gather output
OCPBUGS-431 - Nutanix platform validations run at `create manifests` stage
OCPBUGS-4311 - [4.12] Improve ironic logging configuration in metal3
OCPBUGS-4339 - oc get dc fails when AllRequestBodies audit-profile is set in apiserver
OCPBUGS-4342 - The storage account for the CoreOS image is publicly accessible when deploying fully private cluster on Azure
OCPBUGS-435 - Dropdown items on storageclass creation page need i18n support
OCPBUGS-4356 - Reply packet for DNS conversation to service IP uses pod IP as source
OCPBUGS-4361 - [release-4.12] bp ovnkube-trace changes to 4.12
OCPBUGS-4362 - Hard eviction thresholds is different with k8s default when PAO is enabled
OCPBUGS-4365 - `oc-mirror` will hit error when use docker without namespace for OCI format mirror
OCPBUGS-4366 - Update Kubernetes to 1.25.4
OCPBUGS-4369 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13
OCPBUGS-4379 - apply retry logic to ovnk-node controllers
OCPBUGS-4383 - Don't log in iterateRetryResources when there are no retry entries
OCPBUGS-439 - DVO gatherer relies on the namespace name
OCPBUGS-4397 - Route/v1 defaulting for target kind and termination must be sharable between openshift-apiserver and kube-apiserver
OCPBUGS-4399 - Adding back SKIP_INTERFACES
OCPBUGS-4407 - Update Cluster Sample Operator dependencies and libraries for OCP 4.13
OCPBUGS-4414 - [OCI feature] registries.conf support in oc mirror
OCPBUGS-4421 - Dockerfile for building ironic-image for OKD does not take into account variant scos
OCPBUGS-4422 - Implement LIST call chunking in openshift-sdn
OCPBUGS-4431 - KubePodNotReady - Increase Tolerance During Master Node Restarts
OCPBUGS-4453 - metal-ipi upgrade success rate dropped 30+% in last week
OCPBUGS-4458 - Node Terminal tab results in error
OCPBUGS-4478 - Backport: Guard Pod Hostnames Too Long and Truncated Down Into Collisions With Other Masters
OCPBUGS-4479 - [4.12] Dockerfile for building ironic-image for OKD does not take into account variant scos
OCPBUGS-4484 - `oc-mirror` will hit error when use docker without namespace for OCI format mirror
OCPBUGS-4488 - Prometheus and Alertmanager incorrect ExternalURL configured
OCPBUGS-4489 - Prometheus continuously restarts due to slow WAL replay
OCPBUGS-4499 - CSR are generated with incorrect Subject Alternate Names
OCPBUGS-4503 - [4.12] [OVNK] Add support for service session affinity timeout
OCPBUGS-4504 - Default to floating automaticRestart for new GCP instances
OCPBUGS-4505 - [4.12] Pod stuck in containerCreating state when the node on which it is running is Terminated
OCPBUGS-451 - Show Git icon in repository link in details page should be based on the git provider
OCPBUGS-4526 - hypershift: csi-snapshot-controller uses wrong kubeconfig
OCPBUGS-4527 - hypershift: aws-ebs-csi-driver-operator uses wrong kubeconfig
OCPBUGS-4533 - [release-4.12] OVNK: NAT issue for packets exceeding check_pkt_larger() for NodePort services that route to hostNetworked pods
OCPBUGS-454 - [vsphere] update install-config description for diskType
OCPBUGS-4544 - Remove debug level logging on openshift-config-operator
OCPBUGS-4547 - CVE-2021-38561 ose-installer-container: golang: out-of-bounds read in golang.org/x/text/language leads to DoS [openshift-4]
OCPBUGS-4554 - [4.12] OVN silently failing in case of a stuck pod
OCPBUGS-456 - [4.12] update all ironic related packages to latest bugfix
OCPBUGS-4599 - Bump samples operator k8s dep to 1.25.2 for 4.12
OCPBUGS-4601 - `oc-mirror` does not work as expected relative path for OCI format copy
OCPBUGS-4627 - doc link in PrometheusDataPersistenceNotConfigured message is 4.8
OCPBUGS-4637 - Support RHOBS monitoring for HyperShift in CNO
OCPBUGS-4649 - No indication of early installation failures
OCPBUGS-4653 - [4.12] Fixes for RHCOS 9 based on RHEL 9.0
OCPBUGS-4660 - Debug log messages missing from output and Info messages malformed
OCPBUGS-4667 - vsphere-hostname should check that /etc/hostname is not empty
OCPBUGS-4681 - [release-4.12] remove unnecessary RBAC in KCM
OCPBUGS-4686 - Removal of detection of host kubelet kubeconfig breaks IBM Cloud ROKS
OCPBUGS-469 - OVN master trying to deleteLogicalPort for object which is already gone
OCPBUGS-4696 - [4.12] SNO not able to bring up Provisioning resource in 4.11.17
OCPBUGS-4698 - Some nmstate validations are skipped when NM config is in agent-config.yaml
OCPBUGS-4721 - GCP: missing me-west1 region
OCPBUGS-4760 - [4.12] Network Policy executes duplicate transactions for every pod update
OCPBUGS-4763 - Revert Catalog PSA decisions for 4.13 (Marketplace)
OCPBUGS-4766 - limit cluster-policy-controller RBAC permissions
OCPBUGS-4779 - Update openshift/builder release-4.12 to go1.19
OCPBUGS-478 - ironic-machine-os-downloader image is missing virt-* tools in OCP 4.12 nightlies
OCPBUGS-4783 - [4.12] egressIP annotations not present on OpenShift on Openstack multiAZ installation
OCPBUGS-4784 - [4.12] egressIP annotation including two interfaces when multiple networks
OCPBUGS-4789 - [OCP 4.12] ironic container images have old packages
OCPBUGS-4796 - OLM generates invalid component selector labels
OCPBUGS-4803 - Update formatting with gofmt for go1.19
OCPBUGS-4805 - Empty/missing node-sizing SYSTEM_RESERVED_ES parameter can result in kubelet not starting
OCPBUGS-4808 - Use shared library in admission to default Routes served via CRD
OCPBUGS-4837 - [4.12] Pod LSP missing from PortGroup
OCPBUGS-4840 - [4.12] The property TransferProtocolType is required for VirtualMedia.InsertMedia
OCPBUGS-4847 - OnDelete update strategy create two replace machines when deleting a master machine
OCPBUGS-4869 - AWS Deprovision Fails with unrecognized elastic load balancing resource type listener
OCPBUGS-4884 - [4.12] Pods completed + deleted may leak
OCPBUGS-4897 - Developer Topology always blanks with large contents when first rendering
OCPBUGS-4911 - [Azure]Availability Set will be created when vmSize is invalid in a region which has zones
OCPBUGS-4943 - Need to wait longer for VM to obtain IP from DHCP
OCPBUGS-4951 - OLM K8s Dependencies should be at 1.25
OCPBUGS-4962 - openshift-install agent wait-for install-complete errors out before the cluster installation completes
OCPBUGS-498 - Update console operator vendor with latest openshift/api
OCPBUGS-499 - ClusterOperator Conditions Update on Reordering
OCPBUGS-5019 - Fails to deprovision cluster when swift omits 'content-type' and there are empty containers
OCPBUGS-505 - Input box aria-label and name wrong for editing PDB inside Deployments
OCPBUGS-5067 - [4.12] coreos-installer output not available in the logs
OCPBUGS-5072 - [4.12] ironic-proxy daemonset not deleted when provisioningNetwork is changed from Disabled to Managed/Unmanaged
OCPBUGS-5100 - virtual media provisioning fails when iLO Ironic driver is used
OCPBUGS-514 - [OCPonRHV] CSI provisioned disks are effectively preallocated due to go-ovirt-client setting Provisioned and Initial size of the disk to the same value
OCPBUGS-5143 - provisioning on ilo4-virtualmedia BMC driver fails with error: "Creating vfat image failed: Unexpected error while running command"
OCPBUGS-5156 - [release-4.12] Azure: unable to configure EgressIP if an ASG is set
OCPBUGS-5185 - Dev Sandbox clusters uses clusterType OSD and there is no way to enforce DEVSANDBOX
OCPBUGS-519 - publicIP is allowed in Azure disconnected installation for machines
OCPBUGS-5190 - Installer - provisioning interface on master node not getting ipv4 dhcp ip address from bootstrap dhcp server on OCP IPI BareMetal install
OCPBUGS-5191 - Add support for API version v1beta1 for knativeServing and knativeEventing
OCPBUGS-523 - Plugin page error boundary message is not cleared after leaving page
OCPBUGS-525 - Prerelease report bug link should be updated to JIRA instead of Bugzilla
OCPBUGS-5253 - Missing 'ImageContentSourcePolicy' and 'CatalogSource' in the oci fbc feature implementation
OCPBUGS-527 - Misleading error message when lacking assets to create the installation image
OCPBUGS-5289 - Multus: Interface name contains an invalid character / [ocp 4.12]
OCPBUGS-533 - member loses rights after some other user login
OCPBUGS-5384 - Old AWS boot images vs. 4.12: unknown provider 'ec2'
OCPBUGS-5387 - EUS upgrade: rpm-ostree clean up timeout was reached
OCPBUGS-540 - Input values in Instantiate Template are disappeared randomly in the developer console
OCPBUGS-5417 - Upgrade from 4.11 to 4.12 with Windows machine workers (Spot Instances) failing due to: hcnCreateEndpoint failed in Win32: The object already exists.
OCPBUGS-5442 - Placeholder bug for OCP 4.12.0 microshift release
OCPBUGS-5444 - Reported vSphere Connection status is misleading
OCPBUGS-5455 - Baremetal host data is still sometimes required
OCPBUGS-5474 - [4.12]Default CatalogSource aren't created in restricted mode
OCPBUGS-548 - The application dropdown menu uses a custom component with a configuration to favorite applications, similar to the Project selection menu, but is inconsistent in the way it looks and behaves.
OCPBUGS-561 - [4.12] Bootimage bump tracker
OCPBUGS-569 - CVO History Pruner is non-functional, letting history length above MaxHistory
OCPBUGS-575 - The lacking securityContext.seccompProfile.type of OLM deployments is blocking OCP upgrade to 4.12
OCPBUGS-576 - unbound router_id variable while creating event
OCPBUGS-585 - Tuned overwriting IRQBALANCE_BANNED_CPUS
OCPBUGS-595 - Kubelet cannot be started on worker nodes after upgrade to OCP 4.11 (RHCOS 8.6) when custom SELinux policies are applied
OCPBUGS-613 - oc adm inspect --rotated-pod-logs not working properly for static pods
OCPBUGS-617 - oc-mirror does not mirror arm64 OCP release payload
OCPBUGS-643 - catsrc is not ready due to "compute digest: compute hash: write tar: open /tmp/cache/cache: permission denied"
OCPBUGS-650 - "opm alpha render-veneer semver" raise error when no "Candidate" in config yaml
OCPBUGS-651 - CBO gets confused by Terminating ports when a master fails
OCPBUGS-670 - Prefer local dns does not work expectedly on OCPv4.12
OCPBUGS-675 - panic in etcdcli
OCPBUGS-69 - No event log was emitted when egressIP exceeds capacity limit for cloud providers with SDN plugin
OCPBUGS-690 - [2112237] [ Cluster storage Operator 4.x(10/11/12) ] DefaultStorageClassController report fake message "No default StorageClass for this platform" on Alicloud, IBM, Nutanix
OCPBUGS-705 - vSphere privilege checking failing when providing user-defined folder and/or resource pool
OCPBUGS-706 - [IBMCloud] e2e-ibmcloud-ipi-ibmcloud-gather-resources fails
OCPBUGS-716 - EventsRecorder nonstandard / log only
OCPBUGS-717 - Inquiries from customers regarding the EOL of Python 3.7.
OCPBUGS-718 - Inefficient use of SG rules when creating Service LBs leads to scale issues
OCPBUGS-722 - Undiagnosed panic detected in pod: openshift-controller-manager-operator_openshift-controller-manager-operator invalid memory address or nil pointer dereference
OCPBUGS-729 - vsphere privilege check fails on vsphere6.7 u3 as missing privilege "InventoryService.Tagging.ObjectAttachable"
OCPBUGS-745 - [4.12] Supermicro server FirmwareSchema CR does not contain allowable_values, attribute_type and read_only flag
OCPBUGS-753 - dns-default pod missing "target.workload.openshift.io/management:" annotation
OCPBUGS-766 - Missing the instance-type/region/zone labels in Machine CRs
OCPBUGS-78 - Uninstalled operator can't be reinstalled if it included a conversion webhook
OCPBUGS-785 - Bump documentationBaseURL to 4.12
OCPBUGS-800 - Name of workload get changed, when project and image stream gets changed on reloading the form on the edit deployment page of the workload
OCPBUGS-819 - [ExtDNS] Invalid TXT records for wildcard domains on Azure
OCPBUGS-825 - Available=False with no reason
OCPBUGS-850 - Dockerfile: provide full URL to CentOS stream image
OCPBUGS-852 - oc debug requires a user to create a namespace with specific security labels
OCPBUGS-853 - openshift-ingress-operator is failing to update router-certs because "Too long: must have at most 1048576 bytes" message
OCPBUGS-858 - package-server-manager does not migrate packageserver CSV from v0.17.0 to v0.18.3 on OCP 4.8 -> 4.9 upgrade
OCPBUGS-861 - Rebase openshift/etcd 4.12 onto v3.5.5
OCPBUGS-864 - ClusterOperator Conditions Update on Reordering
OCPBUGS-867 - package-server-manager does not stomp on changes made to packgeserver CSV
OCPBUGS-869 - Change 'OpenShift Managed (Azure)' to 'Azure Red Hat OpenShift' for Azure support case link
OCPBUGS-872 - provisioning interface on master node not getting ipv4 dhcp ip address from bootstrap dhcp server on OCP IPI BareMetal install
OCPBUGS-884 - Update RHCOS release browser url
OCPBUGS-889 - 4.12 installer is pointing at stable-4.11 channel
OCPBUGS-917 - create egressqos with wrong syntax/value rules success
OCPBUGS-926 - [vsphere-problem-detector] report privilege missing when using pre-existing folder and/or resource pool with ReadOnly permission
OCPBUGS-927 - Azure install fails in CI: Error: error creating/updating Private DNS Zone Virtual network link
OCPBUGS-929 - The help message of "opm alpha render-graph" is not correct
OCPBUGS-939 - Flaky CI: Object.verifyTopologyPage timeout after importing a Devfile
OCPBUGS-943 - Could not import Devfile after testing a non-Devfile version
OCPBUGS-944 - CI failure due to pod security in manila
OCPBUGS-946 - Warnings in storage cluster operator PowerVS CSI driver deployment
OCPBUGS-954 - [2087981] PowerOnVM_Task is deprecated use PowerOnMultiVM_Task for DRS ClusterRecommendation
OCPBUGS-959 - Born in 4.1 and 4.2 clusters have 'openshift.io/run-level: 1' uncleared
OCPBUGS-963 - [OCPonOpenstack] Remove clustername length limitation
OCPBUGS-967 - Panic in test: [sig-network] IngressClass [Feature:Ingress] should prevent Ingress creation if more than 1 IngressClass marked as default [Serial] [Suite:openshift/conformance/serial]
OCPBUGS-977 - SR-IOV MutiNetworkPolicy: Rules are not removed after disabling multinetworkpolicy
OCPBUGS-978 - leases not gracefully released in OCM
OCPBUGS-985 - Metal serial tests are failing on webhook admission about provisioningDHCPRange
OCPBUGS-987 - Whereabouts should allow non default interfaces to Pod IP list
OCPBUGS-990 - HyperShift 4.12 jobs fail to install csi-snapshot-controller-operator
OCPBUGS-999 - aws driver toolkit jobs are permafailing

6. References:

https://access.redhat.com/security/cve/CVE-2021-4235
https://access.redhat.com/security/cve/CVE-2021-22570
https://access.redhat.com/security/cve/CVE-2021-38561
https://access.redhat.com/security/cve/CVE-2022-1705
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-2995
https://access.redhat.com/security/cve/CVE-2022-3162
https://access.redhat.com/security/cve/CVE-2022-3172
https://access.redhat.com/security/cve/CVE-2022-3259
https://access.redhat.com/security/cve/CVE-2022-3466
https://access.redhat.com/security/cve/CVE-2022-21698
https://access.redhat.com/security/cve/CVE-2022-24302
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-30631
https://access.redhat.com/security/cve/CVE-2022-32148
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-41316
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2023-0296
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce