# 4.20.17

Created: 2026-03-20 03:43:45 +0000 UTC

Image Digest: `sha256:cec4ff75a5cd9304b5ba95abd858cd9483934c55d1d2ea34623d1685ad9795e2`

## Changes from 4.20.16

### Components

* Kubectl 1.33.3
* Kubernetes upgraded from 1.33.8 to 1.33.9
* Kubernetes Tests 1.33.4
* Red Hat Enterprise Linux CoreOS upgraded from 9.6.20260303-1 to 9.6.20260314-0

### Rebuilt images without code change

* [agent-installer-api-server](https://github.com/openshift/assisted-service) git [e07e2c76](https://github.com/openshift/assisted-service/commit/e07e2c76e1431afe13e2c34b3e08e0bb0903201f) `sha256:f3348d2d5a03fcea547d437cdee0a412ae05e92d91c73fd864f06df6d0cf6e7c`
* [csi-driver-nfs](https://github.com/openshift/csi-driver-nfs) git [1abaf844](https://github.com/openshift/csi-driver-nfs/commit/1abaf84447384a486a9f9da7cd7b9e53784c8a55) `sha256:7e573786dc8a3102297cdeb8e8df2d3baf09f84e90d23d3df307d119b8c50f1a`
* [docker-builder](https://github.com/openshift/builder) git [35afa308](https://github.com/openshift/builder/commit/35afa308e2473046721057112d804334fc4b8217) `sha256:f4c29b8743f133e7480aebbc25971f9357badd3befa9f9487503c39a4bf55f66`
* [driver-toolkit](https://github.com/openshift/driver-toolkit) git [9d55fd1a](https://github.com/openshift/driver-toolkit/commit/9d55fd1aaba05830f857132bd149ee3cf18cc20f) `sha256:18e39b1bb67719078fa3ec73db9bc28ebb70f675ecbda63a5b2beed58e833906`
* [gcp-pd-csi-driver](https://github.com/openshift/gcp-pd-csi-driver) git [500ab5d3](https://github.com/openshift/gcp-pd-csi-driver/commit/500ab5d31ad382805070c8ae329a9a34163ebc99) `sha256:9215463c548662202ddd125670b45d64f847595ffa540d6fe9cbb3482c5eabe0`
* [keepalived-ipfailover](https://github.com/openshift/images) git [bb4535b7](https://github.com/openshift/images/commit/bb4535b7069cab2de0174be29bccccde6d623b4f) `sha256:66bf4a0ba4cbc5c74d13c83255452e5738e34fa7ef1b5966706c5f41d58d161e`
* [machine-os-images](https://github.com/openshift/machine-os-images) git [551bb5d7](https://github.com/openshift/machine-os-images/commit/551bb5d75e782e47b83292d883e41bc57df730a4) `sha256:40b444fee41057654328f8d759492125f8ab93f80d937b00bd14f4f1c8426709`
* [network-tools](https://github.com/openshift/network-tools) git [26d09174](https://github.com/openshift/network-tools/commit/26d09174cbd92386469e777e3bf49bfa95d035d5) `sha256:bdfe3cf241ac03b5c4003a9f9ee3e6369e4ecc298b9c6c9a7c24c9d938b06b1f`
* [openstack-cinder-csi-driver](https://github.com/openshift/cloud-provider-openstack) git [9996d28c](https://github.com/openshift/cloud-provider-openstack/commit/9996d28ce3163cf9a09d77101e81cede914d6c2f) `sha256:3ae7b9aeee5cfbc483740ab12ccfea870058aec11062863bb390798ff3512715`
* [powervs-block-csi-driver](https://github.com/openshift/ibm-powervs-block-csi-driver) git [0693fe5d](https://github.com/openshift/ibm-powervs-block-csi-driver/commit/0693fe5dcfab224466fba7a19e614de71f727999) `sha256:fe5541791393041c291dd0d3acb199292e6918b749ece264a9f9665109bd659d`
* [rhel-coreos](https://github.com/openshift/os) git [2762e751](https://github.com/openshift/os/commit/2762e75143b49efbebb3c2ac4a22c1835f01d78c) `sha256:786e6279b2a471d8876fc11e20b7ded86158156c2390f3bc63c833ef3b1834a3`
* [rhel-coreos-extensions](https://github.com/openshift/os) git [2762e751](https://github.com/openshift/os/commit/2762e75143b49efbebb3c2ac4a22c1835f01d78c) `sha256:2b79040283a916548e331f668c9ceddaf7cec143ea8ae7d23f64983a47a06b92`
* [tools](https://github.com/openshift/oc) git [64e778a5](https://github.com/openshift/oc/commit/64e778a55fbcdf295b671a7d4e701e7c8cc3a499) `sha256:c3a5e17391c03393841809dc48498309f0d5f0fceacd7665341a95f87d036fa2`

### [aws-cloud-controller-manager, aws-cluster-api-controllers, aws-ebs-csi-driver, aws-ebs-csi-driver-operator, aws-machine-controllers, aws-pod-identity-webhook, azure-cloud-controller-manager, azure-cloud-node-manager, azure-cluster-api-controllers, azure-disk-csi-driver, azure-disk-csi-driver-operator, azure-file-csi-driver, azure-file-csi-driver-operator, azure-machine-controllers, azure-workload-identity-webhook, hyperkube, ibm-cloud-controller-manager, ibm-vpc-block-csi-driver, ibm-vpc-block-csi-driver-operator, ibmcloud-machine-controllers, ironic, ironic-agent, ironic-machine-os-downloader, ironic-static-ip-manager, kube-proxy, machine-image-customization-controller, nutanix-cloud-controller-manager, nutanix-machine-controllers, pod, vsphere-cloud-controller-manager, vsphere-cluster-api-controllers, vsphere-csi-driver, vsphere-csi-driver-operator, vsphere-csi-driver-syncer, vsphere-problem-detector](https://github.com/openshift/kubernetes/tree/4ef1baeb6786a70898f3842a06e988d9566aa444)

* [OCPBUGS-77476](https://issues.redhat.com/browse/OCPBUGS-77476): Rebase v1.33.9 to release-4.20 [#2614](https://github.com/openshift/kubernetes/pull/2614)
* [Full changelog](https://github.com/openshift/kubernetes/compare/b96a4039358613f770d20f5e4ce5125f66369521...4ef1baeb6786a70898f3842a06e988d9566aa444)

### [baremetal-installer, installer, installer-artifacts](https://github.com/openshift/installer/tree/07408eb1c797940cc20d659a82b15a2e1ef7595c)

* [OCPBUGS-78091](https://issues.redhat.com/browse/OCPBUGS-78091): fix wavelength zone name regex [#10373](https://github.com/openshift/installer/pull/10373)
* [Full changelog](https://github.com/openshift/installer/compare/a8ad8d3b8de7ada885b910851314cb2ea05b602d...07408eb1c797940cc20d659a82b15a2e1ef7595c)

### [baremetal-runtimecfg](https://github.com/openshift/baremetal-runtimecfg/tree/50c63b0d5744a830cb828a669ed09982dd46365b)

* [OCPBUGS-77170](https://issues.redhat.com/browse/OCPBUGS-77170): Install dbus-tools, needed in pkg/monitor/dnsmasqmonitor.go [#384](https://github.com/openshift/baremetal-runtimecfg/pull/384)
* [Full changelog](https://github.com/openshift/baremetal-runtimecfg/compare/6553765e71c7f8d7db120af94473c9c0cb44d453...50c63b0d5744a830cb828a669ed09982dd46365b)

### [cluster-autoscaler](https://github.com/openshift/kubernetes-autoscaler/tree/b4c6c2ffa86f029c0d19abf68344411db0855102)

* [OCPBUGS-77506](https://issues.redhat.com/browse/OCPBUGS-77506): Pick upstream commits to Fix VPA recommender concurrent access panic [#407](https://github.com/openshift/kubernetes-autoscaler/pull/407)
* [Full changelog](https://github.com/openshift/kubernetes-autoscaler/compare/aaf5a61941b70a3b5792c0541e97356565c9977f...b4c6c2ffa86f029c0d19abf68344411db0855102)

### [cluster-baremetal-operator](https://github.com/openshift/cluster-baremetal-operator/tree/5cc04a88456ead0f8961c6a12e7002ef3e23b0fc)

* [OCPBUGS-76340](https://issues.redhat.com/browse/OCPBUGS-76340): Explicitly set the ReadOnlyRootFilesystem flag to false [#555](https://github.com/openshift/cluster-baremetal-operator/pull/555)
* [Full changelog](https://github.com/openshift/cluster-baremetal-operator/compare/02e8806855f48956731548fa90e5c644f4e269f1...5cc04a88456ead0f8961c6a12e7002ef3e23b0fc)

### [cluster-etcd-operator](https://github.com/openshift/cluster-etcd-operator/tree/d4171c720f49821e9e578a1bf4c6ce92d569ef13)

* [OCPBUGS-78047](https://issues.redhat.com/browse/OCPBUGS-78047): Prefer to remove members where they have another healthy machine in the same failure domain index [#1564](https://github.com/openshift/cluster-etcd-operator/pull/1564)
* [Full changelog](https://github.com/openshift/cluster-etcd-operator/compare/cf5fcdeba6032fcb81d1fd05e61c77ad68a9dd6c...d4171c720f49821e9e578a1bf4c6ce92d569ef13)

### [cluster-kube-apiserver-operator](https://github.com/openshift/cluster-kube-apiserver-operator/tree/d0cf9e755d887edf142bcb656c5b6d707a259d9d)

* [OCPBUGS-77005](https://issues.redhat.com/browse/OCPBUGS-77005): scc: restricted-v3: Fix runAsUser range [#1948](https://github.com/openshift/cluster-kube-apiserver-operator/pull/1948)
* [Full changelog](https://github.com/openshift/cluster-kube-apiserver-operator/compare/f6bb470ca76bd37d533a5366321faa9f478c614a...d0cf9e755d887edf142bcb656c5b6d707a259d9d)

### [cluster-monitoring-operator](https://github.com/openshift/cluster-monitoring-operator/tree/d58e99ade6e2de3436dd0a97e729704731c943bf)

* [OCPBUGS-74490](https://issues.redhat.com/browse/OCPBUGS-74490): Include `kube_pod_labels` in minimal profile [#2844](https://github.com/openshift/cluster-monitoring-operator/pull/2844)
* [Full changelog](https://github.com/openshift/cluster-monitoring-operator/compare/54af21f673d0f3ef4d5005a52c04ccdd4467e8b5...d58e99ade6e2de3436dd0a97e729704731c943bf)

### [cluster-network-operator](https://github.com/openshift/cluster-network-operator/tree/d1ec37ecb90d74eccc8d8c3e0bc42a8c0fb5ac6a)

* [OCPBUGS-77148](https://issues.redhat.com/browse/OCPBUGS-77148): Add config override for openflow-probe [#2918](https://github.com/openshift/cluster-network-operator/pull/2918)
* [Full changelog](https://github.com/openshift/cluster-network-operator/compare/6d443d079015388a4966370d200fe040f0754160...d1ec37ecb90d74eccc8d8c3e0bc42a8c0fb5ac6a)

### [cluster-node-tuning-operator](https://github.com/openshift/cluster-node-tuning-operator/tree/b1f1c24b2a97a1691346b3f31e52026c07abc845)

* [OCPBUGS-78247](https://issues.redhat.com/browse/OCPBUGS-78247): workloadhints: use IsVM to skip BM-only tests [#1482](https://github.com/openshift/cluster-node-tuning-operator/pull/1482)
* [Full changelog](https://github.com/openshift/cluster-node-tuning-operator/compare/601b61fe23b44be64007c238c4299ca1ae594292...b1f1c24b2a97a1691346b3f31e52026c07abc845)

### [console](https://github.com/openshift/console/tree/c5c94d538be79e7569d464aa271fabb9dff781f1)

* [OCPBUGS-77951](https://issues.redhat.com/browse/OCPBUGS-77951): Fix infinite recursion in project access form [#16117](https://github.com/openshift/console/pull/16117)
* [CONSOLE-5011](https://issues.redhat.com/browse/CONSOLE-5011): migrate to yarn berry [#16070](https://github.com/openshift/console/pull/16070)
* [Full changelog](https://github.com/openshift/console/compare/7c86c3d5773b7c9c541f73174e046a7630c212ea...c5c94d538be79e7569d464aa271fabb9dff781f1)

### [console-operator](https://github.com/openshift/console-operator/tree/1bb7f6f4e7851997fd24c5f5aa5be41ea8dd5bd2)

* [OCPBUGS-77771](https://issues.redhat.com/browse/OCPBUGS-77771): Add rhel8 and rhel9 oc binaries for Linux OS in CLI downloads [#1122](https://github.com/openshift/console-operator/pull/1122)
* [Full changelog](https://github.com/openshift/console-operator/compare/4670807cfebc21af0c8ea84cfe029f3286c130df...1bb7f6f4e7851997fd24c5f5aa5be41ea8dd5bd2)

### [hypershift](https://github.com/openshift/hypershift/tree/2308b45ca94e2cc59c91d672ac75b89addf210c1)

* [CNTRLPLANE-2814](https://issues.redhat.com/browse/CNTRLPLANE-2814): feat(aro): Swift support [#7885](https://github.com/openshift/hypershift/pull/7885)
* [OCPBUGS-76992](https://issues.redhat.com/browse/OCPBUGS-76992): fix kubevirt, use 100.66.0.0/16 for join subnet [#7733](https://github.com/openshift/hypershift/pull/7733)
* [OCPBUGS-78305](https://issues.redhat.com/browse/OCPBUGS-78305): Fix context cancel accumulation in getMirrorFromICSPOrIDMS [#7890](https://github.com/openshift/hypershift/pull/7890)
* [OCPBUGS-76324](https://issues.redhat.com/browse/OCPBUGS-76324): feat(updates): enable CVO metrics access with RHOBS monitoring flag [#7660](https://github.com/openshift/hypershift/pull/7660)
* [OCPBUGS-77366](https://issues.redhat.com/browse/OCPBUGS-77366): Fix ignition-server pod restarts [#7842](https://github.com/openshift/hypershift/pull/7842)
* [Full changelog](https://github.com/openshift/hypershift/compare/7630337d577b66ad01948819ba4d523410ecb97c...2308b45ca94e2cc59c91d672ac75b89addf210c1)

### [kubevirt-csi-driver](https://github.com/openshift/kubevirt-csi-driver/tree/84ce55daf997e1eb20568bef12cd6a6130afebeb)

* [OCPBUGS-78371](https://issues.redhat.com/browse/OCPBUGS-78371): Updating ose-kubevirt-csi-driver-container image to be consistent with ART for 4.20 [#78](https://github.com/openshift/kubevirt-csi-driver/pull/78)
* [Full changelog](https://github.com/openshift/kubevirt-csi-driver/compare/8b8dd30ecd302e2b260c666702dffb19abf7c1aa...84ce55daf997e1eb20568bef12cd6a6130afebeb)

### [machine-config-operator](https://github.com/openshift/machine-config-operator/tree/662f6899c4461bbd296e149a8badd818e45c1252)

* [OCPBUGS-78049](https://issues.redhat.com/browse/OCPBUGS-78049): install/0000_80_machine-config_04_kube_rbac_proxy_config: Consistent terminal newline [#5753](https://github.com/openshift/machine-config-operator/pull/5753)
* [OCPBUGS-77883](https://issues.redhat.com/browse/OCPBUGS-77883): Fix failure domain matching during vsphere boot image updates [#5745](https://github.com/openshift/machine-config-operator/pull/5745)
* [OCPBUGS-77950](https://issues.redhat.com/browse/OCPBUGS-77950): Update AMI Whitelist [#5748](https://github.com/openshift/machine-config-operator/pull/5748)
* [OCPBUGS-77665](https://issues.redhat.com/browse/OCPBUGS-77665): Update AMI Whitelist [#5731](https://github.com/openshift/machine-config-operator/pull/5731)
* [Full changelog](https://github.com/openshift/machine-config-operator/compare/47f9080550b29ca0af7c2cfc92633c61ad0ef971...662f6899c4461bbd296e149a8badd818e45c1252)

### [monitoring-plugin](https://github.com/openshift/monitoring-plugin/tree/8887d0cbccb953e16538e70ec2fa46c10dd415cc)

* [OCPBUGS-78425](https://issues.redhat.com/browse/OCPBUGS-78425): Updating monitoring-plugin-container image to be consistent with ART for 4.20 [#843](https://github.com/openshift/monitoring-plugin/pull/843)
* [OU-1062](https://issues.redhat.com/browse/OU-1062): [release-4.20] feat: mark alert menu active for incidents tab [#826](https://github.com/openshift/monitoring-plugin/pull/826)
* [OCPBUGS-76581](https://issues.redhat.com/browse/OCPBUGS-76581): [release-4.20] CVE-2026-25639 openshift4/ose-monitoring-plugin-rhel9: Axios affected by Denial of Service via `__proto__` Key in mergeConfig [#796](https://github.com/openshift/monitoring-plugin/pull/796)
* NO-JIRA: [release-4.20] e2e-monitoring fixing loop on legacy dashboard [#830](https://github.com/openshift/monitoring-plugin/pull/830)
* [Full changelog](https://github.com/openshift/monitoring-plugin/compare/ca82c98666544880cc4442a22aaf9191f1949950...8887d0cbccb953e16538e70ec2fa46c10dd415cc)

### [oc-mirror](https://github.com/openshift/oc-mirror/tree/df9fe9c75eaf35c201e9ef89fb1e76163acbc9d5)

* [OCPBUGS-77416](https://issues.redhat.com/browse/OCPBUGS-77416): Fix registriesd "unknown userid" failure for arbitrary UIDs [#1360](https://github.com/openshift/oc-mirror/pull/1360)
* [Full changelog](https://github.com/openshift/oc-mirror/compare/db6f0cf3f7cde5d6817ec113c8634102a58dc67e...df9fe9c75eaf35c201e9ef89fb1e76163acbc9d5)

### [operator-framework-tools, operator-lifecycle-manager, operator-registry](https://github.com/openshift/operator-framework-olm/tree/12a261a3702726aaaa339c5d2fceb8b6078ceec8)

* [OCPBUGS-77958](https://issues.redhat.com/browse/OCPBUGS-77958): Update NetworkPolicy egress for HyperShift custom API ports [#1253](https://github.com/openshift/operator-framework-olm/pull/1253)
* [Full changelog](https://github.com/openshift/operator-framework-olm/compare/9cdde3bd7bf69417ec1a26a4c757f565b0107d0e...12a261a3702726aaaa339c5d2fceb8b6078ceec8)

### [operator-marketplace](https://github.com/operator-framework/operator-marketplace/tree/4ccd56c96839e2389e12bf3f8390a6c062e9b2cf)

* [OCPBUGS-77582](https://issues.redhat.com/browse/OCPBUGS-77582): Update NetworkPolicy egress to support HyperShift custom API ports [#730](https://github.com/operator-framework/operator-marketplace/pull/730)
* [Full changelog](https://github.com/operator-framework/operator-marketplace/compare/837defb90f7fa1c811806b10dcac5e0952f2d766...4ccd56c96839e2389e12bf3f8390a6c062e9b2cf)

### [ovn-kubernetes, ovn-kubernetes-microshift](https://github.com/openshift/ovn-kubernetes/tree/304bd93419279813366b6a04d7d6f3d1ff464cb1)

* [OCPBUGS-77148](https://issues.redhat.com/browse/OCPBUGS-77148): Minimize ACLs by combining ipBlocks into single ACL [#2981](https://github.com/openshift/ovn-kubernetes/pull/2981)
* [OCPBUGS-77357](https://issues.redhat.com/browse/OCPBUGS-77357): Clear stale conntrack UDP entries for nodePorts [#3012](https://github.com/openshift/ovn-kubernetes/pull/3012)
* [Full changelog](https://github.com/openshift/ovn-kubernetes/compare/238410bc9ec6408baa5f9b9c37f1c1066ac90e45...304bd93419279813366b6a04d7d6f3d1ff464cb1)

### [tests](https://github.com/openshift/origin/tree/4ab35741692eeb470ef2af694942300bd4148a57)

* [OCPBUGS-78025](https://issues.redhat.com/browse/OCPBUGS-78025): Skip oauth test for external control plane topology [#30848](https://github.com/openshift/origin/pull/30848)
* [OCPBUGS-78084](https://issues.redhat.com/browse/OCPBUGS-78084): Update optimized builds test to use rpm -qa instead of dnf [#30861](https://github.com/openshift/origin/pull/30861)
* [OCPBUGS-78084](https://issues.redhat.com/browse/OCPBUGS-78084): Allow test to tolerate running on minimal images [#30853](https://github.com/openshift/origin/pull/30853)
* [OCPBUGS-77824](https://issues.redhat.com/browse/OCPBUGS-77824): add the missing namespace from managed openshift [#30837](https://github.com/openshift/origin/pull/30837)
* [Full changelog](https://github.com/openshift/origin/compare/3b4f70ad314bf62dfb05876b7b744b43727fc7d7...4ab35741692eeb470ef2af694942300bd4148a57)