# 4.20.0-okd-scos.13

Created: 2025-12-15 05:30:33 +0000 UTC

Image Digest: `sha256:6289527b6936205604c959f15d8a392b1314d0a59814fb363eba21ff30c5a75e`

Promoted from registry.ci.openshift.org/origin/release-scos:4.20.0-0.okd-scos-2025-12-14-182205


## Changes from 4.20.0-okd-scos.8

### Components

* Kubectl 1.33.3
* Kubernetes upgraded from 1.33.5 to 1.33.6
* Kubernetes Tests 1.33.4
* CentOS Stream CoreOS 10.0.20251023-0



### FeatureGate Changes
| FeatureGate | Default<br/>Hypershift | Default<br/>SelfManagedHA | DevPreviewNoUpgrade<br/>Hypershift | DevPreviewNoUpgrade<br/>SelfManagedHA | TechPreviewNoUpgrade<br/>Hypershift | TechPreviewNoUpgrade<br/>SelfManagedHA  |
| :------ | :---: | :---: | :---: | :---: | :---: | :---:  |
| ExternalOIDCWithUIDAndExtraClaimMappings <br/> (5 tests)| Enabled<br/>(Changed)| Enabled<br/>(Changed)| Enabled| Enabled| Enabled| Enabled |
| ExternalOIDC <br/> (9 tests)| Enabled| Enabled<br/>(Changed)| Enabled| Enabled| Enabled| Enabled |


### Rebuilt images without code change

* [cluster-kube-scheduler-operator](https://github.com/openshift/cluster-kube-scheduler-operator) git [58cbd296](https://github.com/openshift/cluster-kube-scheduler-operator/commit/58cbd296eecc61c0871739588ae65af9c05e87a6) `sha256:b9bfbd59e7f5e692935c21488a7106bb66b69c8eb9de5713d788476448b7d0cc`
* [cluster-kube-storage-version-migrator-operator](https://github.com/openshift/cluster-kube-storage-version-migrator-operator) git [5adc1429](https://github.com/openshift/cluster-kube-storage-version-migrator-operator/commit/5adc14299739bc64c8812cbab0b0ff2d12863602) `sha256:b01e5e9dbbbe403323087a7c0b24c3377d896e879dc9074d80a6a7be3a1ac8bf`
* [cluster-openshift-controller-manager-operator](https://github.com/openshift/cluster-openshift-controller-manager-operator) git [aa455c04](https://github.com/openshift/cluster-openshift-controller-manager-operator/commit/aa455c043152123595c2b4f72e02279aad9dd48a) `sha256:de2b50ed9b1a6e95fd3fd68d1bf8567391b88dd6a408eff87e98a6d12ab1d84e`
* [gcp-pd-csi-driver-operator](https://github.com/openshift/gcp-pd-csi-driver-operator) git [e0ad050a](https://github.com/openshift/gcp-pd-csi-driver-operator/commit/e0ad050a84bab669e0f11e080fc4c388ef417bba) `sha256:c19fff77040aec65215e1a8102ee3bd0e5686011507517048067cb1f1bce9e6b`
* [olm-catalogd](https://github.com/openshift/operator-framework-operator-controller) git [3e2401f2](https://github.com/openshift/operator-framework-operator-controller/commit/3e2401f23ef666e8f33789a397d81a7d352b0a33) `sha256:123db214e23dd3965b2c0c7e60a23c1885764aadf6f3744c12b73fa41acf1f24`
* [olm-operator-controller](https://github.com/openshift/operator-framework-operator-controller) git [3e2401f2](https://github.com/openshift/operator-framework-operator-controller/commit/3e2401f23ef666e8f33789a397d81a7d352b0a33) `sha256:b5dcfa62693fdd0d7ca3da4adc812ab0ae21fd57a1cefecbc14360dcb7f47627`
* [ovirt-csi-driver](https://github.com/openshift/ovirt-csi-driver) git [1db726a9](https://github.com/openshift/ovirt-csi-driver/commit/1db726a940d5ec150fd185a215f1368990653082) `sha256:9caf16aa1fc875592fa298bd9533b927856bd38119f34e41ee9e8200ab3a0290`


### [agent-installer-api-server](https://github.com/openshift/assisted-service/tree/43bfecff9fdba24bfa8ce1ffdcb3a7d72b6e6286)

* [OCPBUGS-57606](https://issues.redhat.com/browse/OCPBUGS-57606): Updating ose-agent-installer-api-server-container image to be consist… [#8399](https://github.com/openshift/assisted-service/pull/8399)
* [Full changelog](https://github.com/openshift/assisted-service/compare/4b116f46ca39a4933cab5647e5db44432c752b80...43bfecff9fdba24bfa8ce1ffdcb3a7d72b6e6286)


### [agent-installer-node-agent](https://github.com/openshift/assisted-installer-agent/tree/637327ec40cd1f85ac5d7d4f114a2fae89baa8b0)

* [OCPBUGS-57718](https://issues.redhat.com/browse/OCPBUGS-57718): Update golang images to 1.24 for OpenShift 4.20 [#1194](https://github.com/openshift/assisted-installer-agent/pull/1194)
* [Full changelog](https://github.com/openshift/assisted-installer-agent/compare/62dc63f18f2c4a6a0cf1043710d055fe57f8fa28...637327ec40cd1f85ac5d7d4f114a2fae89baa8b0)


### [agent-installer-utils](https://github.com/openshift/agent-installer-utils/tree/6ce70bd6d29f2f0b72884d3cc896c6bbae258b95)

* [OCPBUGS-66431](https://issues.redhat.com/browse/OCPBUGS-66431): Add Konflux PipelineRun params required by release pipeline [#206](https://github.com/openshift/agent-installer-utils/pull/206)
* [OCPBUGS-66425](https://issues.redhat.com/browse/OCPBUGS-66425): Update quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2 Docker digest to 13cf619 [#186](https://github.com/openshift/agent-installer-utils/pull/186)
* [OCPBUGS-66422](https://issues.redhat.com/browse/OCPBUGS-66422): Update Konflux references [#185](https://github.com/openshift/agent-installer-utils/pull/185)
* [OCPBUGS-66406](https://issues.redhat.com/browse/OCPBUGS-66406): Update Konflux release version to 4.20.6 [#204](https://github.com/openshift/agent-installer-utils/pull/204)
* [OCPBUGS-65715](https://issues.redhat.com/browse/OCPBUGS-65715): Update 4.20 version to 4.20.4 [#196](https://github.com/openshift/agent-installer-utils/pull/196)
* [Full changelog](https://github.com/openshift/agent-installer-utils/compare/f567fb90bcd80834d18cee39ff1d135f6d6dbc50...6ce70bd6d29f2f0b72884d3cc896c6bbae258b95)


### [aws-ebs-csi-driver-operator, azure-disk-csi-driver-operator, azure-file-csi-driver-operator, csi-driver-manila-operator, openstack-cinder-csi-driver-operator](https://github.com/openshift/csi-operator/tree/878ef6cbe06fabf3cb82ad0ca1c1226e03dfef91)

* [OCPBUGS-65895](https://issues.redhat.com/browse/OCPBUGS-65895): allow all-egress for efs operator [#473](https://github.com/openshift/csi-operator/pull/473)
* [OCPBUGS-65686](https://issues.redhat.com/browse/OCPBUGS-65686): Bump gophercloud [#470](https://github.com/openshift/csi-operator/pull/470)
* [Full changelog](https://github.com/openshift/csi-operator/compare/dc35256d52e1ff30cd49f3c6649b5eca370ce03c...878ef6cbe06fabf3cb82ad0ca1c1226e03dfef91)


### [azure-machine-controllers](https://github.com/openshift/machine-api-provider-azure/tree/68db91507ea47f767ee0dc838c08cc371d2ff69f)

* [OCPBUGS-65708](https://issues.redhat.com/browse/OCPBUGS-65708): Set updateDomainCount to one when faultDomainCount is one [#173](https://github.com/openshift/machine-api-provider-azure/pull/173)
* [Full changelog](https://github.com/openshift/machine-api-provider-azure/compare/b1cb6432a0ae47248e126d32fb6012eb1408e833...68db91507ea47f767ee0dc838c08cc371d2ff69f)


### [baremetal-installer, installer, installer-artifacts](https://github.com/openshift/installer/tree/cc82f30cd640577297f66b5df80f0e08c55fd3fa)

* [OCPBUGS-66231](https://issues.redhat.com/browse/OCPBUGS-66231): Use separate tmpfs for ostree checkout on live ISO [#10140](https://github.com/openshift/installer/pull/10140)
* [OCPBUGS-65763](https://issues.redhat.com/browse/OCPBUGS-65763): continue to update 02_storage.json using new property storageAccountId [#10103](https://github.com/openshift/installer/pull/10103)
* [OCPBUGS-66257](https://issues.redhat.com/browse/OCPBUGS-66257): CORS-4249: bump ARO marketplace images [#10142](https://github.com/openshift/installer/pull/10142)
* [OCPBUGS-66207](https://issues.redhat.com/browse/OCPBUGS-66207), [OCPBUGS-66208](https://issues.redhat.com/browse/OCPBUGS-66208): Fix console info for interactive agent installer [#10136](https://github.com/openshift/installer/pull/10136)
* Revert "OCPBUGS-65586: Update the RHCOS 4.20 bootimage metadata to 9.6.202511…" [#10093](https://github.com/openshift/installer/pull/10093)
* [OCPBUGS-65586](https://issues.redhat.com/browse/OCPBUGS-65586): Update the RHCOS 4.20 bootimage metadata to 9.6.202511… [#10084](https://github.com/openshift/installer/pull/10084)
* [OCPBUGS-64924](https://issues.redhat.com/browse/OCPBUGS-64924): Azure UPI ARM template: use storageAccountId [#10069](https://github.com/openshift/installer/pull/10069)
* [OCPBUGS-64595](https://issues.redhat.com/browse/OCPBUGS-64595): Remove pending items on gcp no-op [#10056](https://github.com/openshift/installer/pull/10056)
* [Full changelog](https://github.com/openshift/installer/compare/200070b922dcf6bfd4819d7063f13e14ea296241...cc82f30cd640577297f66b5df80f0e08c55fd3fa)


### [cli, cli-artifacts, deployer, tools](https://github.com/openshift/oc/tree/dc61926008ad5333863dd1ae2902b95aed6dceaa)

* [OCPBUGS-66241](https://issues.redhat.com/browse/OCPBUGS-66241): Fall back to simpler behavior, if setsid,ps,pkill are not installed [#2158](https://github.com/openshift/oc/pull/2158)
* [OCPBUGS-65481](https://issues.redhat.com/browse/OCPBUGS-65481): pkg/cli/admin/upgrade: Tighten force warnings [#2140](https://github.com/openshift/oc/pull/2140)
* [OCPBUGS-65523](https://issues.redhat.com/browse/OCPBUGS-65523): fix(must-gather): do not set node affinity if nodename is set [#2142](https://github.com/openshift/oc/pull/2142)
* [Full changelog](https://github.com/openshift/oc/compare/0581d703b56b153b941022bca4ce3c34de576f3c...dc61926008ad5333863dd1ae2902b95aed6dceaa)


### [cloud-credential-operator](https://github.com/openshift/cloud-credential-operator/tree/0e03b7a0fa39e7da3a4b5a180915adc44c408d08)

* [OCPBUGS-65798](https://issues.redhat.com/browse/OCPBUGS-65798): ccoctl azure: retry custom role creation on consistency errors [#948](https://github.com/openshift/cloud-credential-operator/pull/948)
* [OCPBUGS-63690](https://issues.redhat.com/browse/OCPBUGS-63690): ccoctl: use pagination when listing resources in aws [#941](https://github.com/openshift/cloud-credential-operator/pull/941)
* [Full changelog](https://github.com/openshift/cloud-credential-operator/compare/17948f42adc4fce592908d48730f45d665bcbbba...0e03b7a0fa39e7da3a4b5a180915adc44c408d08)


### [cloud-network-config-controller](https://github.com/openshift/cloud-network-config-controller/tree/d22915bc82993ce11cb3fb97e6ae00602f30549b)

* [OCPBUGS-64742](https://issues.redhat.com/browse/OCPBUGS-64742): Fix capacity calculation [#188](https://github.com/openshift/cloud-network-config-controller/pull/188)
* [Full changelog](https://github.com/openshift/cloud-network-config-controller/compare/a365cf9c9f9f4d0d7841dead5145f7cc59dfac18...d22915bc82993ce11cb3fb97e6ae00602f30549b)


### [cluster-authentication-operator](https://github.com/openshift/cluster-authentication-operator/tree/fb1a9ab21d72903f79a45f916c6443c0709b9b0c)

* [OCPBUGS-66315](https://issues.redhat.com/browse/OCPBUGS-66315): externaloidc: return errors when node statuses cannot be used to determine oidc state [#814](https://github.com/openshift/cluster-authentication-operator/pull/814)
* [OCPBUGS-61896](https://issues.redhat.com/browse/OCPBUGS-61896): set appropriate rolling update settings [#792](https://github.com/openshift/cluster-authentication-operator/pull/792)
* [Full changelog](https://github.com/openshift/cluster-authentication-operator/compare/c9067c2a4902b0afeb3b288c4ff56fa381a1d1e0...fb1a9ab21d72903f79a45f916c6443c0709b9b0c)


### [cluster-autoscaler](https://github.com/openshift/kubernetes-autoscaler/tree/aaf5a61941b70a3b5792c0541e97356565c9977f)

* [OCPBUGS-63675](https://issues.redhat.com/browse/OCPBUGS-63675): update node info processors to include unschedulable nodes [#391](https://github.com/openshift/kubernetes-autoscaler/pull/391)
* [OCPBUGS-63495](https://issues.redhat.com/browse/OCPBUGS-63495): refactor cloud provider options [#387](https://github.com/openshift/kubernetes-autoscaler/pull/387)
* [Full changelog](https://github.com/openshift/kubernetes-autoscaler/compare/d883d0e6dbb74f0839631ebc7a584669f0e955a3...aaf5a61941b70a3b5792c0541e97356565c9977f)


### [cluster-config-api](https://github.com/openshift/api/tree/1cb53e34ca33d020c765093c21c9b7f4502cbea7)

* [OCPBUGS-66204](https://issues.redhat.com/browse/OCPBUGS-66204): Introduce ClosedClientConnectionPolicy to IngressController API [#2609](https://github.com/openshift/api/pull/2609)
* [OCPBUGS-66135](https://issues.redhat.com/browse/OCPBUGS-66135): Add HTTPKeepAliveTimeout to IngressController API [#2607](https://github.com/openshift/api/pull/2607)
* [OCPBUGS-64843](https://issues.redhat.com/browse/OCPBUGS-64843): payload-command: remove authentication CR from hypershift payload [#2573](https://github.com/openshift/api/pull/2573)
* [OCPBUGS-64940](https://issues.redhat.com/browse/OCPBUGS-64940): Promote BYO OIDC features [#2515](https://github.com/openshift/api/pull/2515)
* [Full changelog](https://github.com/openshift/api/compare/41627d81e9c18fbcc3f7ff6de2ba50e0b98435c4...1cb53e34ca33d020c765093c21c9b7f4502cbea7)


### [cluster-etcd-operator](https://github.com/openshift/cluster-etcd-operator/tree/c706661bce28d9f2beb0c1c0037f1481160db396)

* [OCPBUGS-63677](https://issues.redhat.com/browse/OCPBUGS-63677): Backport 1504 1514 release.420 [#1516](https://github.com/openshift/cluster-etcd-operator/pull/1516)
* [Full changelog](https://github.com/openshift/cluster-etcd-operator/compare/0d7067cb286ad4efad5cad9bcff17656ef9827a3...c706661bce28d9f2beb0c1c0037f1481160db396)


### [cluster-ingress-operator](https://github.com/openshift/cluster-ingress-operator/tree/fb7482e49c790206e370494221b7b02dc50bfd84)

* [OCPBUGS-66204](https://issues.redhat.com/browse/OCPBUGS-66204): Implement ClosedClientConnectionPolicy field [#1314](https://github.com/openshift/cluster-ingress-operator/pull/1314)
* [OCPBUGS-65664](https://issues.redhat.com/browse/OCPBUGS-65664): IngressOperator not exposing some metrics for degraded… [#1305](https://github.com/openshift/cluster-ingress-operator/pull/1305)
* [Full changelog](https://github.com/openshift/cluster-ingress-operator/compare/2371120eedb27049160c70859ef9972a7599c7e3...fb7482e49c790206e370494221b7b02dc50bfd84)


### [cluster-kube-apiserver-operator](https://github.com/openshift/cluster-kube-apiserver-operator/tree/974542ae2ef86a631546b3a48fd0da3c2e3b74dd)

* [OCPBUGS-65679](https://issues.redhat.com/browse/OCPBUGS-65679): enable resource v1beta2 api if DynamicResourceAllocation is enabled [#1929](https://github.com/openshift/cluster-kube-apiserver-operator/pull/1929)
* [OCPBUGS-62057](https://issues.redhat.com/browse/OCPBUGS-62057): OpenShift cluster got degraded after rotating the kube-apiserver-service-network-signer cert [#1961](https://github.com/openshift/cluster-kube-apiserver-operator/pull/1961)
* [Full changelog](https://github.com/openshift/cluster-kube-apiserver-operator/compare/263f18b6c9eb82e4aabf586093b2cc711e674e77...974542ae2ef86a631546b3a48fd0da3c2e3b74dd)


### [cluster-network-operator](https://github.com/openshift/cluster-network-operator/tree/698e349cb60e84967bf93345d1b0802dd15ccc1a)

* [OCPBUGS-66412](https://issues.redhat.com/browse/OCPBUGS-66412): Fix whereabouts-token-watcher DaemonSet improvements [#2850](https://github.com/openshift/cluster-network-operator/pull/2850)
* [OCPBUGS-66164](https://issues.redhat.com/browse/OCPBUGS-66164): [release-4.20] CORENET-6465: Remove unneeded logging config from managed ovn-kubernetes [#2838](https://github.com/openshift/cluster-network-operator/pull/2838)
* [OCPBUGS-66162](https://issues.redhat.com/browse/OCPBUGS-66162): [release-4.20] CORENET-6488: Preserve custom resource requests on ovn-control-plane pods [#2835](https://github.com/openshift/cluster-network-operator/pull/2835)
* [OCPBUGS-46422](https://issues.redhat.com/browse/OCPBUGS-46422): Add a ValidatingAdmissionPolicy blocking ServiceCIDR changes [4.20] [#2827](https://github.com/openshift/cluster-network-operator/pull/2827)
* [Full changelog](https://github.com/openshift/cluster-network-operator/compare/1666a71c205071b6d44bfa57c0ebd3f0054fa1cd...698e349cb60e84967bf93345d1b0802dd15ccc1a)


### [console](https://github.com/openshift/console/tree/5f07ad2930130fd041b2114e0eb3f78ad75ad2be)

* [OCPBUGS-67221](https://issues.redhat.com/browse/OCPBUGS-67221): Disallowed Pipelines-plugin Pipelines navigation section [#15833](https://github.com/openshift/console/pull/15833)
* [OCPBUGS-66248](https://issues.redhat.com/browse/OCPBUGS-66248): The number of Quick Starts item is wrong [#15797](https://github.com/openshift/console/pull/15797)
* [OCPBUGS-66206](https://issues.redhat.com/browse/OCPBUGS-66206): Sync YAML editor modal settings [#15787](https://github.com/openshift/console/pull/15787)
* [OCPBUGS-65900](https://issues.redhat.com/browse/OCPBUGS-65900): Fix unnecessary rerenders with pod-connect [#15758](https://github.com/openshift/console/pull/15758)
* [OCPBUGS-61785](https://issues.redhat.com/browse/OCPBUGS-61785): Add validation and type guards on healthHandler calls to prevent errors [#15500](https://github.com/openshift/console/pull/15500)
* [OCPBUGS-65793](https://issues.redhat.com/browse/OCPBUGS-65793): OpenShift Console can only show user name instead of full name as the display name [#15743](https://github.com/openshift/console/pull/15743)
* [OCPBUGS-65949](https://issues.redhat.com/browse/OCPBUGS-65949): Add SDK-webpack 4.20 changelogs [#15768](https://github.com/openshift/console/pull/15768)
* NO-JIRA: Add SDK 4.20 changelogs [#15765](https://github.com/openshift/console/pull/15765)
* [OCPBUGS-65761](https://issues.redhat.com/browse/OCPBUGS-65761): Preserve query string in perspective switch + remove dev console folks from `reviewers` [#15740](https://github.com/openshift/console/pull/15740)
* [OCPBUGS-64861](https://issues.redhat.com/browse/OCPBUGS-64861), [OCPBUGS-64863](https://issues.redhat.com/browse/OCPBUGS-64863): Upgrade Helm to 3.18.5 [#15705](https://github.com/openshift/console/pull/15705)
* [OCPBUGS-64702](https://issues.redhat.com/browse/OCPBUGS-64702): Lack Chinese/Japanese/Korean translations for 'On/Off' switch button on editor setting modal of yaml page. [#15683](https://github.com/openshift/console/pull/15683)
* [OCPBUGS-63125](https://issues.redhat.com/browse/OCPBUGS-63125): use tenancy path for project scoped status card [#15608](https://github.com/openshift/console/pull/15608)
* [OCPBUGS-61330](https://issues.redhat.com/browse/OCPBUGS-61330): fix namespace path generation for non-namespaced resources [#15498](https://github.com/openshift/console/pull/15498)
* [OCPBUGS-62953](https://issues.redhat.com/browse/OCPBUGS-62953): Automatically redirect all-namespaces catalog to default namespace [#15640](https://github.com/openshift/console/pull/15640)
* [OCPBUGS-64862](https://issues.redhat.com/browse/OCPBUGS-64862): Convert standalone terminal route to extension [#15702](https://github.com/openshift/console/pull/15702)
* [OCPBUGS-63499](https://issues.redhat.com/browse/OCPBUGS-63499): Turn on `fContentSecurityPolicyEnabled` by default [#15639](https://github.com/openshift/console/pull/15639)
* [OCPBUGS-64639](https://issues.redhat.com/browse/OCPBUGS-64639): HPA Form View in RHOCP Web Console Incorrectly Requires Both CPU and … [#15673](https://github.com/openshift/console/pull/15673)
* [Full changelog](https://github.com/openshift/console/compare/d568950eaea74c15da2c3e5a89d95fcc0b5cc90a...5f07ad2930130fd041b2114e0eb3f78ad75ad2be)


### [csi-driver-manila, openstack-cinder-csi-driver, openstack-cloud-controller-manager](https://github.com/openshift/cloud-provider-openstack/tree/eeae3b042d3de06808d00c7f4e72c014e25ffb1c)

* [OCPBUGS-64811](https://issues.redhat.com/browse/OCPBUGS-64811): Merge https://github.com/kubernetes/cloud-provider-openstack:release-1.33 into release-4.20 [#355](https://github.com/openshift/cloud-provider-openstack/pull/355)
* [Full changelog](https://github.com/openshift/cloud-provider-openstack/compare/c4fe3e8ad29e58f081f3883de0893c2025a097b2...eeae3b042d3de06808d00c7f4e72c014e25ffb1c)


### [docker-builder](https://github.com/openshift/builder/tree/8c0a564f464540d0e2ffc0ce4c98d90a730bc2d2)

* [OCPBUGS-64857](https://issues.redhat.com/browse/OCPBUGS-64857): BuildConfig inline Dockerfile fails with heredoc syntax [#483](https://github.com/openshift/builder/pull/483)
* [Full changelog](https://github.com/openshift/builder/compare/ff595e4bbf5301039fc62f0cdd7b5610605f633e...8c0a564f464540d0e2ffc0ce4c98d90a730bc2d2)


### [haproxy-router](https://github.com/openshift/router/tree/db8d384266051ef06b67883aaa83674bc6c9f1ae)

* [OCPBUGS-66204](https://issues.redhat.com/browse/OCPBUGS-66204): Add option abortonclose to HAProxy configuration template [#695](https://github.com/openshift/router/pull/695)
* [Full changelog](https://github.com/openshift/router/compare/96bfd2164c7885df9019ce9eeb79d506bd7e871b...db8d384266051ef06b67883aaa83674bc6c9f1ae)


### [hyperkube, installer-kube-apiserver-artifacts, kube-proxy, pod](https://github.com/openshift/kubernetes/tree/2a7ef4adf7d3074804e6666221bc7c73c2c89ca1)

* [OCPBUGS-65551](https://issues.redhat.com/browse/OCPBUGS-65551): Bump 1.33.6 [#2518](https://github.com/openshift/kubernetes/pull/2518)
* [OCPBUGS-46422](https://issues.redhat.com/browse/OCPBUGS-46422): Remove patch/update from ServiceCIDR API conformance test [#2466](https://github.com/openshift/kubernetes/pull/2466)
* [Full changelog](https://github.com/openshift/kubernetes/compare/cf396bff09dcb68a96f718b5e0e80b50e874afb5...2a7ef4adf7d3074804e6666221bc7c73c2c89ca1)


### [hypershift](https://github.com/openshift/hypershift/tree/2a951d0352327e2f4f030595bc3011f3c0c5a809)

* [OCPBUGS-66397](https://issues.redhat.com/browse/OCPBUGS-66397): fix(kas): apply LoadBalancerSourceRanges only for LoadBalancer service type [#7336](https://github.com/openshift/hypershift/pull/7336)
* NO-JIRA: Update expected digest for busybox:latest in TestGetDigest [#7350](https://github.com/openshift/hypershift/pull/7350)
* [CNTRLPLANE-1710](https://issues.redhat.com/browse/CNTRLPLANE-1710): feat(globalps): security enhancements on GlobalPullSecret feature [#7234](https://github.com/openshift/hypershift/pull/7234)
* [OCPBUGS-65576](https://issues.redhat.com/browse/OCPBUGS-65576): add hypershift-no-cgo to the latest operator conta… [#7229](https://github.com/openshift/hypershift/pull/7229)
* [CORENET-6484](https://issues.redhat.com/browse/CORENET-6484): Restart ovnkube-control-plane pods when restart-date annotation is set [#7190](https://github.com/openshift/hypershift/pull/7190)
* [OCPBUGS-63509](https://issues.redhat.com/browse/OCPBUGS-63509): fix(ingress): add LoadBalancerSourceRanges support for external router service [#7098](https://github.com/openshift/hypershift/pull/7098)
* [OCPBUGS-64848](https://issues.redhat.com/browse/OCPBUGS-64848): feat: Promote ExternalOIDCWithUIDAndExtraClaimMappings feature to GA for Hypershift [#7204](https://github.com/openshift/hypershift/pull/7204)
* [OCPBUGS-61774](https://issues.redhat.com/browse/OCPBUGS-61774): fix(capi-provider): use single replica deployment for aws and azure [#6834](https://github.com/openshift/hypershift/pull/6834)
* [CNTRLPLANE-1908](https://issues.redhat.com/browse/CNTRLPLANE-1908): control-plane-operator-4-20 Konflux pipelines [#7216](https://github.com/openshift/hypershift/pull/7216)
* [OCPBUGS-63539](https://issues.redhat.com/browse/OCPBUGS-63539): remove NTO Service and ServiceMonitor [#7099](https://github.com/openshift/hypershift/pull/7099)
* [Full changelog](https://github.com/openshift/hypershift/compare/73e8a0ef65aa019bad67eae70987f5ca71edda52...2a951d0352327e2f4f030595bc3011f3c0c5a809)


### [insights-operator](https://github.com/openshift/insights-operator/tree/d677651537715900907eec88e6f0537c8c94c6e9)

* [OCPBUGS-66062](https://issues.redhat.com/browse/OCPBUGS-66062): Add filtering to add other possible pod status to QEMU gatherer [#1185](https://github.com/openshift/insights-operator/pull/1185)
* [OCPBUGS-64800](https://issues.redhat.com/browse/OCPBUGS-64800): QEMU logs are not gathered if there are pending status virt-launcher pods [#1174](https://github.com/openshift/insights-operator/pull/1174)
* [OCPBUGS-65660](https://issues.redhat.com/browse/OCPBUGS-65660): [bugfix] The archive's records may include files whose names are out of bounds [#1177](https://github.com/openshift/insights-operator/pull/1177)
* [Full changelog](https://github.com/openshift/insights-operator/compare/10a1c1746d728197c42163217764eda00a3cbb4f...d677651537715900907eec88e6f0537c8c94c6e9)


### [ironic](https://github.com/openshift/ironic-image/tree/1821ac0208c0af8decbfb5aa077b793b7222d102)

* [METAL-1695](https://issues.redhat.com/browse/METAL-1695): OKD: install Ironic from the OpenShift fork [#740](https://github.com/openshift/ironic-image/pull/740)
* [OKD-304](https://issues.redhat.com/browse/OKD-304): Fix python dependencies for OKD [#731](https://github.com/openshift/ironic-image/pull/731)
* [OCPBUGS-64850](https://issues.redhat.com/browse/OCPBUGS-64850): Handle HTTP 400 and 409 race condition in Redfish power operations [#720](https://github.com/openshift/ironic-image/pull/720)
* [OCPBUGS-64820](https://issues.redhat.com/browse/OCPBUGS-64820): Fix IPA external inspection callback url override [#713](https://github.com/openshift/ironic-image/pull/713)
* [Full changelog](https://github.com/openshift/ironic-image/compare/9c57a81902530b0268eddd7ad623a972b5ba4042...1821ac0208c0af8decbfb5aa077b793b7222d102)


### [ironic-agent](https://github.com/openshift/ironic-agent-image/tree/eecc364b2a4abb6375fd41a9751c047d15aa7f63)

* [OCPBUGS-66934](https://issues.redhat.com/browse/OCPBUGS-66934): Filter out more USB network devices [#221](https://github.com/openshift/ironic-agent-image/pull/221)
* [OCPBUGS-66084](https://issues.redhat.com/browse/OCPBUGS-66084), [OKD-295](https://issues.redhat.com/browse/OKD-295): Fix broken OKD ironic-agent-image [#216](https://github.com/openshift/ironic-agent-image/pull/216)
* [OCPBUGS-65519](https://issues.redhat.com/browse/OCPBUGS-65519): Include Test advertised ip reachability before assigning it [#212](https://github.com/openshift/ironic-agent-image/pull/212)
* [Full changelog](https://github.com/openshift/ironic-agent-image/compare/ce01f3c1ed6022f9eecc164b2ae34aec25b3dee4...eecc364b2a4abb6375fd41a9751c047d15aa7f63)


### [machine-config-operator](https://github.com/openshift/machine-config-operator/tree/3eb8e48748919195aaa65b415c21b05f6287fc8f)

* [OCPBUGS-65545](https://issues.redhat.com/browse/OCPBUGS-65545), [OCPBUGS-67007](https://issues.redhat.com/browse/OCPBUGS-67007): cherry pick to few fixes that needed for missing services and configuration [#5480](https://github.com/openshift/machine-config-operator/pull/5480)
* [OCPBUGS-67137](https://issues.redhat.com/browse/OCPBUGS-67137): Fix cleanup in `TestInstallRPMAndCheckMCDMetrics` to decrease risk of test failures due to interference [#5478](https://github.com/openshift/machine-config-operator/pull/5478)
* [OKD-294](https://issues.redhat.com/browse/OKD-294): Migrate runtime from runc to crun on an upgrade for OKD [#5467](https://github.com/openshift/machine-config-operator/pull/5467)
* [OCPBUGS-65898](https://issues.redhat.com/browse/OCPBUGS-65898): fixes systemd unit creation for empty units [#5437](https://github.com/openshift/machine-config-operator/pull/5437)
* [OCPBUGS-64822](https://issues.redhat.com/browse/OCPBUGS-64822): block upgrades for conflict  non-default ClusterImagePolicy resources [#5414](https://github.com/openshift/machine-config-operator/pull/5414)
* [OCPBUGS-65777](https://issues.redhat.com/browse/OCPBUGS-65777): Enforce OCP 4.20 and earlier cluster to have AutoSizingReserved disabled by default [#5387](https://github.com/openshift/machine-config-operator/pull/5387)
* [OCPBUGS-65781](https://issues.redhat.com/browse/OCPBUGS-65781): Remove --mount directives [#5425](https://github.com/openshift/machine-config-operator/pull/5425)
* [OCPBUGS-65556](https://issues.redhat.com/browse/OCPBUGS-65556): [release-4.20] Backport: Add delays to reduce TestOSBuildController failures [#5396](https://github.com/openshift/machine-config-operator/pull/5396)
* [OCPBUGS-64822](https://issues.redhat.com/browse/OCPBUGS-64822): remove check for conflicting ClusterImagePolicy in syncUpgradeableStatus [#5413](https://github.com/openshift/machine-config-operator/pull/5413)
* [OCPBUGS-65509](https://issues.redhat.com/browse/OCPBUGS-65509): e2e gcp ocl PR backport [#5407](https://github.com/openshift/machine-config-operator/pull/5407)
* [OCPBUGS-64822](https://issues.redhat.com/browse/OCPBUGS-64822): Implement upgrade blocking for conflicting ClusterImagePolicy named "openshift" [#5397](https://github.com/openshift/machine-config-operator/pull/5397)
* [OCPBUGS-59766](https://issues.redhat.com/browse/OCPBUGS-59766): Update timing of MCN desired config spec update to align with node annotation setting [#5367](https://github.com/openshift/machine-config-operator/pull/5367)
* [Full changelog](https://github.com/openshift/machine-config-operator/compare/b9dbf396412a463e6828332ce28a2ff514424e9e...3eb8e48748919195aaa65b415c21b05f6287fc8f)


### [metallb-frr](https://github.com/openshift/frr/tree/3ca45c517eafe07aac0866e5cbd32a5c08081f22)

* [OCPBUGS-65516](https://issues.redhat.com/browse/OCPBUGS-65516): [release-4.20] Dockerfile: unpin FRR rpm [#111](https://github.com/openshift/frr/pull/111)
* [Full changelog](https://github.com/openshift/frr/compare/fc0fe74f94b415b28d772dbc61f6323171a11b50...3ca45c517eafe07aac0866e5cbd32a5c08081f22)


### [monitoring-plugin](https://github.com/openshift/monitoring-plugin/tree/68bc2198076b3200a71469eb0b9544e1d363d03a)

* [OCPBUGS-66389](https://issues.redhat.com/browse/OCPBUGS-66389): Time range and Refresh interval dropdown button lack of unique identifier [#668](https://github.com/openshift/monitoring-plugin/pull/668)
* [OCPBUGS-66240](https://issues.redhat.com/browse/OCPBUGS-66240): configure max TLS version only when specified [#664](https://github.com/openshift/monitoring-plugin/pull/664)
* [OCPBUGS-65947](https://issues.redhat.com/browse/OCPBUGS-65947): add missing conversion units [#654](https://github.com/openshift/monitoring-plugin/pull/654)
* [Full changelog](https://github.com/openshift/monitoring-plugin/compare/c6a042a64369147cf997e5e794b89e577a3c3532...68bc2198076b3200a71469eb0b9544e1d363d03a)


### [networking-console-plugin](https://github.com/openshift/networking-console-plugin/tree/619d169136e369b1d8d1f48f598ab713bac6b4bb)

* [OCPBUGS-66335](https://issues.redhat.com/browse/OCPBUGS-66335): fix flickerying in synced editor [#304](https://github.com/openshift/networking-console-plugin/pull/304)
* [CNV-72771](https://issues.redhat.com/browse/CNV-72771): fix null error [#300](https://github.com/openshift/networking-console-plugin/pull/300)
* [CNV-71965](https://issues.redhat.com/browse/CNV-71965): replacing the broken link to VirtualMachine network docs [#298](https://github.com/openshift/networking-console-plugin/pull/298)
* [Full changelog](https://github.com/openshift/networking-console-plugin/compare/9de315953ad1b357c35003937a1a2f27aa9068e0...619d169136e369b1d8d1f48f598ab713bac6b4bb)


### [oc-mirror](https://github.com/openshift/oc-mirror/tree/f4775a263f2ddbc9f94c9349231883614dce0193)

* [OCPBUGS-64647](https://issues.redhat.com/browse/OCPBUGS-64647): fix: return only requested version [#1306](https://github.com/openshift/oc-mirror/pull/1306)
* [OCPBUGS-65787](https://issues.redhat.com/browse/OCPBUGS-65787): Remove empty status field from generated IDMS/ITMS files [#1313](https://github.com/openshift/oc-mirror/pull/1313)
* [Full changelog](https://github.com/openshift/oc-mirror/compare/b598121bb70555120dde8d60fa9fbcde4f7b3d65...f4775a263f2ddbc9f94c9349231883614dce0193)


### [openshift-apiserver](https://github.com/openshift/openshift-apiserver/tree/34cb4762e1716c1a31a344118b8a3ad00c28d831)

* [OCPBUGS-65848](https://issues.redhat.com/browse/OCPBUGS-65848): Add ValidatingAdmissionPolicy and check for omissions next time. [#577](https://github.com/openshift/openshift-apiserver/pull/577)
* [OCPBUGS-61982](https://issues.redhat.com/browse/OCPBUGS-61982): pkg/image: conditionally parse raw image manifest [#559](https://github.com/openshift/openshift-apiserver/pull/559)
* [OCPBUGS-65814](https://issues.redhat.com/browse/OCPBUGS-65814): update pkg/image/OWNERS [#575](https://github.com/openshift/openshift-apiserver/pull/575)
* [Full changelog](https://github.com/openshift/openshift-apiserver/compare/a1535bf4ed12bd3210135bbe459f9324875f24ce...34cb4762e1716c1a31a344118b8a3ad00c28d831)


### [openstack-cluster-api-controllers](https://github.com/openshift/cluster-api-provider-openstack/tree/3bb292d0c612a59cb78061dc24dc7081c5119894)

* [OCPBUGS-64814](https://issues.redhat.com/browse/OCPBUGS-64814): Fix verify step [#389](https://github.com/openshift/cluster-api-provider-openstack/pull/389)
* [Full changelog](https://github.com/openshift/cluster-api-provider-openstack/compare/30944900c974852654db4125082d616f9be4b1a6...3bb292d0c612a59cb78061dc24dc7081c5119894)


### [operator-framework-tools, operator-lifecycle-manager, operator-registry](https://github.com/openshift/operator-framework-olm/tree/dd6d22bd02554c039e7bbec4bf39c6e97ebf0b9b)

* [OCPBUGS-64724](https://issues.redhat.com/browse/OCPBUGS-64724): Fix TOCTOU race condition in ensureInstallPlan (#3682) [#1139](https://github.com/openshift/operator-framework-olm/pull/1139)
* [Full changelog](https://github.com/openshift/operator-framework-olm/compare/10d327b38876b2fbc654ddc54eee6199ea0dbbb8...dd6d22bd02554c039e7bbec4bf39c6e97ebf0b9b)


### [operator-marketplace](https://github.com/operator-framework/operator-marketplace/tree/e88619ea60753b276b2d813e050d8cfbbfce5a41)

* [OCPBUGS-65680](https://issues.redhat.com/browse/OCPBUGS-65680): enforce client side auth requirement for metrics endpoint [#688](https://github.com/operator-framework/operator-marketplace/pull/688)
* [Full changelog](https://github.com/operator-framework/operator-marketplace/compare/c6abd3acc6af77a7f117bd89cececfae8c4830b1...e88619ea60753b276b2d813e050d8cfbbfce5a41)


### [ovn-kubernetes, ovn-kubernetes-microshift](https://github.com/openshift/ovn-kubernetes/tree/6c78b6defbd606f8fdf002d7cc37e3d49c7bcd98)

* [OCPBUGS-64836](https://issues.redhat.com/browse/OCPBUGS-64836): back-port IP & MAC conflict detection [#2827](https://github.com/openshift/ovn-kubernetes/pull/2827)
* [OCPBUGS-65514](https://issues.redhat.com/browse/OCPBUGS-65514): [4.20] status manager: remove managedFields for deleted zone upon zone deletion [#2855](https://github.com/openshift/ovn-kubernetes/pull/2855)
* [OCPBUGS-65951](https://issues.redhat.com/browse/OCPBUGS-65951): [release-4.20]: Fix linter issues, add missing cheryy-pick bits of #2844 [#2866](https://github.com/openshift/ovn-kubernetes/pull/2866)
* [OCPBUGS-65618](https://issues.redhat.com/browse/OCPBUGS-65618): [release-4.20] OCP4: 4.18.22 EgressIP Failover does not succeed - extended downtime and no reassignment between egress-capable peers [#2865](https://github.com/openshift/ovn-kubernetes/pull/2865)
* [OCPBUGS-65605](https://issues.redhat.com/browse/OCPBUGS-65605): add lint target to run golanci natively [#2856](https://github.com/openshift/ovn-kubernetes/pull/2856)
* [OCPBUGS-64697](https://issues.redhat.com/browse/OCPBUGS-64697): [release-4.20] Referencing pod named ports within a service results in bad DNAT rules containing tcp/0 target port [#2844](https://github.com/openshift/ovn-kubernetes/pull/2844)
* [OCPBUGS-63686](https://issues.redhat.com/browse/OCPBUGS-63686): Fix stale EIP assignments during failover and controller restart [#2835](https://github.com/openshift/ovn-kubernetes/pull/2835)
* [Full changelog](https://github.com/openshift/ovn-kubernetes/compare/c7e12ae3e00d8fdc6744815370e450bcc68c0dac...6c78b6defbd606f8fdf002d7cc37e3d49c7bcd98)


### [tests](https://github.com/openshift/origin/tree/f68cadc88290dd0e813736b75d1c1fe0f9d87a2b)

* [OCPBUGS-66072](https://issues.redhat.com/browse/OCPBUGS-66072): [release-4.20] net(virt) remove virtctl if not correctly retrieved [#30538](https://github.com/openshift/origin/pull/30538)
* [OCPBUGS-64836](https://issues.redhat.com/browse/OCPBUGS-64836): back-port IP & MAC conflict detection e2e tests [#30414](https://github.com/openshift/origin/pull/30414)
* [OCPBUGS-66963](https://issues.redhat.com/browse/OCPBUGS-66963): Fix MachineConfigNode test in two-node fencing clusters [#30540](https://github.com/openshift/origin/pull/30540)
* [OCPBUGS-66365](https://issues.redhat.com/browse/OCPBUGS-66365): update watch request limits for marketplace-operator [#30569](https://github.com/openshift/origin/pull/30569)
* [OCPBUGS-66979](https://issues.redhat.com/browse/OCPBUGS-66979): Revert "OCPNODE-3912: Add a test for NodeSizing default change to OCP 4.20" [#30582](https://github.com/openshift/origin/pull/30582)
* [OCPNODE-3912](https://issues.redhat.com/browse/OCPNODE-3912): Add a test for NodeSizing default change to OCP 4.20 [#30467](https://github.com/openshift/origin/pull/30467)
* [OCPBUGS-64777](https://issues.redhat.com/browse/OCPBUGS-64777): [release-4.20] Add e2e tests for storage network policy [#30468](https://github.com/openshift/origin/pull/30468)
* [OCPBUGS-46422](https://issues.redhat.com/browse/OCPBUGS-46422): Add test that the ServiceCIDR API is blocked [4.20] [#30434](https://github.com/openshift/origin/pull/30434)
* [OCPBUGS-63656](https://issues.redhat.com/browse/OCPBUGS-63656): Redact bearertoken in TestContext [#30435](https://github.com/openshift/origin/pull/30435)
* [Full changelog](https://github.com/openshift/origin/compare/b4a97e59b086e20d856d2fca30e27cbf994ed4a8...f68cadc88290dd0e813736b75d1c1fe0f9d87a2b)


### [vsphere-problem-detector](https://github.com/openshift/vsphere-problem-detector/tree/a417b217d7f39b02ba0bc1b75aa3bf52602df189)

* [OCPBUGS-65795](https://issues.redhat.com/browse/OCPBUGS-65795): Fixed logic for vSphere compute cluster permission [#197](https://github.com/openshift/vsphere-problem-detector/pull/197)
* [Full changelog](https://github.com/openshift/vsphere-problem-detector/compare/9d55c028b27bc63c687342f0b7172ce39e07ec5a...a417b217d7f39b02ba0bc1b75aa3bf52602df189)