{ "apiVersion": "v1", "items": [ { "apiVersion": "config.openshift.io/v1", "kind": "ClusterVersion", "metadata": { "annotations": { "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"config.openshift.io/v1\",\"kind\":\"ClusterVersion\",\"metadata\":{\"annotations\":{},\"creationTimestamp\":null,\"name\":\"version\"},\"spec\":{\"clusterID\":\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",\"signatureStores\":null},\"status\":{\"availableUpdates\":null,\"capabilities\":{},\"desired\":{\"image\":\"\",\"version\":\"\"},\"observedGeneration\":0,\"versionHash\":\"\"}}\n" }, "creationTimestamp": "2026-04-21T10:47:32Z", "generation": 2, "labels": { "hypershift.openshift.io/managed": "true" }, "name": "version", "resourceVersion": "77583", "uid": "df3b7f3d-e56a-4e43-b302-97ce8b89166b" }, "spec": { "channel": "stable-4.18", "clusterID": "3377b550-f38f-4c3a-a366-1df3f6deadfd" }, "status": { "availableUpdates": [ { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "fast-4.18", "fast-4.19", "stable-4.18" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:6ecc22b2402efb6c2f67fa5404845ee0b77a3317e0d437a93da16e7130a8177d", "url": "https://access.redhat.com/errata/RHSA-2026:6554", "version": "4.18.37" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:113d04611c17a75c9262c1460178d42d0ac00fe73446d206c5a9e83fe41695d2", "url": "https://access.redhat.com/errata/RHSA-2026:5133", "version": "4.18.36" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:c095155b72a383bb52c055d7479b466b9552d7bd5db28035179b260e5906c3d4", "url": "https://access.redhat.com/errata/RHSA-2026:3905", "version": "4.18.35" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:2c1561c9625286c4e5bdf2ebaffd2e58da2d5f3d127547506375285e0f219d9f", "url": "https://access.redhat.com/errata/RHSA-2026:2977", "version": "4.18.34" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:cf2db6c092f43a7fc7eaf2a28cf83b63f35df40f255b99cdede222cfeeeafb6e", "url": "https://access.redhat.com/errata/RHSA-2026:2078", "version": "4.18.33" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:1b388d0933b5b207e71a636d072a05bcd021483ab6a0075b02889f13e49a9f92", "url": "https://access.redhat.com/errata/RHSA-2026:1062", "version": "4.18.32" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:57c90876dcb62b3156f8879dd0f7df0b24a735137eba67e51625fe347706b508", "url": "https://access.redhat.com/errata/RHSA-2026:338", "version": "4.18.31" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:7426d9127060bd953be7f65b2b7bb2ad0b84dc366a320c789d3dbd9401864c03", "url": "https://access.redhat.com/errata/RHBA-2025:22696", "version": "4.18.30" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:876d292e2e54e4cee4b03de0867fc92a73b9fba09f133645ca9f63766032f82f", "url": "https://access.redhat.com/errata/RHBA-2025:19865", "version": "4.18.28" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:edcedfff11a2f0a1dead9d818b3ee6cfd0d152c23537ca703237d40c007ac207", "url": "https://access.redhat.com/errata/RHSA-2025:19047", "version": "4.18.27" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:7df246db514d1648bb62d6d9dfd2cdfa25e20e0d6fe457a263c85dd0a81a227a", "url": "https://access.redhat.com/errata/RHSA-2025:11677", "version": "4.18.21" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:c78c1eafc0c4ea46a83e6fea53aed8272259415a3686281b3cb866242d9181f5", "url": "https://access.redhat.com/errata/RHSA-2025:10767", "version": "4.18.20" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:a0d938131d24ad872c4d865885189f395c64fbf0c09a9c361cb497142ffa331c", "url": "https://access.redhat.com/errata/RHSA-2025:9725", "version": "4.18.19" }, { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:fd6c7ba61d366321e1bcbb21395e3e6a2aa00443e42df5c25a877c7ee28e4d69", "url": "https://access.redhat.com/errata/RHSA-2025:9269", "version": "4.18.18" } ], "capabilities": { "enabledCapabilities": [ "Build", "CSISnapshot", "CloudControllerManager", "CloudCredential", "Console", "DeploymentConfig", "ImageRegistry", "Ingress", "Insights", "MachineAPI", "NodeTuning", "OperatorLifecycleManager", "OperatorLifecycleManagerV1", "Storage", "baremetal", "marketplace", "openshift-samples" ], "knownCapabilities": [ "Build", "CSISnapshot", "CloudControllerManager", "CloudCredential", "Console", "DeploymentConfig", "ImageRegistry", "Ingress", "Insights", "MachineAPI", "NodeTuning", "OperatorLifecycleManager", "OperatorLifecycleManagerV1", "Storage", "baremetal", "marketplace", "openshift-samples" ] }, "conditionalUpdates": [ { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Some runc 1.2 releases fail to launch containers in some Pods where shareProcessNamespace is explicitly set true. https://issues.redhat.com/browse/RUN-3748", "reason": "RuncShareProcessNamespace", "status": "False", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:dd3c596d7c070bd72e159dbb7c5a3f3594d32dbc146413a62b452c9d26458def", "url": "https://access.redhat.com/errata/RHBA-2025:21797", "version": "4.18.29" }, "risks": [ { "matchingRules": [ { "type": "Always" } ], "message": "Some runc 1.2 releases fail to launch containers in some Pods where shareProcessNamespace is explicitly set true.", "name": "RuncShareProcessNamespace", "url": "https://issues.redhat.com/browse/RUN-3748" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "OCP nodes get rebooted continuously due to kernel panic by loading of third party modules. https://issues.redhat.com/browse/COS-3700\n\nCould not evaluate exposure to update risk HyperShiftClusterVersionOperatorMetrics (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n HyperShiftClusterVersionOperatorMetrics description: Hosted/HyperShift clusters in exposed releases will fail to scrape cluster-version operator metrics.\n HyperShiftClusterVersionOperatorMetrics URL: https://issues.redhat.com/browse/OTA-1705", "reason": "MultipleReasons", "status": "False", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:60c8a8f9fc46d4a78c768569b1fa3a41282a602e121a358e7b1777f6129be10b", "url": "https://access.redhat.com/errata/RHSA-2025:17657", "version": "4.18.26" }, "risks": [ { "matchingRules": [ { "type": "Always" } ], "message": "OCP nodes get rebooted continuously due to kernel panic by loading of third party modules.", "name": "ContinuousNodeRebootingDueToKernelPanic", "url": "https://issues.redhat.com/browse/COS-3700" }, { "matchingRules": [ { "promql": { "promql": "group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",invoker=\"hypershift\"})\nor\n0 * group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})\n" }, "type": "PromQL" } ], "message": "Hosted/HyperShift clusters in exposed releases will fail to scrape cluster-version operator metrics.", "name": "HyperShiftClusterVersionOperatorMetrics", "url": "https://issues.redhat.com/browse/OTA-1705" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "OCP nodes get rebooted continuously due to kernel panic by loading of third party modules. https://issues.redhat.com/browse/COS-3700\n\nCould not evaluate exposure to update risk HyperShiftClusterVersionOperatorMetrics (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n HyperShiftClusterVersionOperatorMetrics description: Hosted/HyperShift clusters in exposed releases will fail to scrape cluster-version operator metrics.\n HyperShiftClusterVersionOperatorMetrics URL: https://issues.redhat.com/browse/OTA-1705", "reason": "MultipleReasons", "status": "False", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:52a122eacd6dbfeda73ac41fc3a49799e67f8b5ddd9bd3beafdde2cd810c5b9c", "url": "https://access.redhat.com/errata/RHBA-2025:16732", "version": "4.18.25" }, "risks": [ { "matchingRules": [ { "type": "Always" } ], "message": "OCP nodes get rebooted continuously due to kernel panic by loading of third party modules.", "name": "ContinuousNodeRebootingDueToKernelPanic", "url": "https://issues.redhat.com/browse/COS-3700" }, { "matchingRules": [ { "promql": { "promql": "group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",invoker=\"hypershift\"})\nor\n0 * group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})\n" }, "type": "PromQL" } ], "message": "Hosted/HyperShift clusters in exposed releases will fail to scrape cluster-version operator metrics.", "name": "HyperShiftClusterVersionOperatorMetrics", "url": "https://issues.redhat.com/browse/OTA-1705" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "OCP nodes get rebooted continuously due to kernel panic by loading of third party modules. https://issues.redhat.com/browse/COS-3700\n\nCould not evaluate exposure to update risk HyperShiftClusterVersionOperatorMetrics (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n HyperShiftClusterVersionOperatorMetrics description: Hosted/HyperShift clusters in exposed releases will fail to scrape cluster-version operator metrics.\n HyperShiftClusterVersionOperatorMetrics URL: https://issues.redhat.com/browse/OTA-1705\n\nCould not evaluate exposure to update risk HyperShiftProxyScheme (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n HyperShiftProxyScheme description: Hosted/HyperShift clusters where HostedCluster has a configured proxy needed for IDP or ingress canary probes may lose the ability to login.\n HyperShiftProxyScheme URL: https://issues.redhat.com/browse/CNTRLPLANE-1407\n\nCould not evaluate exposure to update risk NMStateServiceFailure (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n NMStateServiceFailure description: The NMState service can fail on baremetal cluster nodes, causing node scaleups and re-deployment failures.\n NMStateServiceFailure URL: https://issues.redhat.com/browse/CORENET-6419", "reason": "MultipleReasons", "status": "False", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:1df844c177e987ffcb6ef64ce63987fc0efc94745f19a1b6cfa28aabcd8d3089", "url": "https://access.redhat.com/errata/RHBA-2025:15714", "version": "4.18.24" }, "risks": [ { "matchingRules": [ { "type": "Always" } ], "message": "OCP nodes get rebooted continuously due to kernel panic by loading of third party modules.", "name": "ContinuousNodeRebootingDueToKernelPanic", "url": "https://issues.redhat.com/browse/COS-3700" }, { "matchingRules": [ { "promql": { "promql": "group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",invoker=\"hypershift\"})\nor\n0 * group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})\n" }, "type": "PromQL" } ], "message": "Hosted/HyperShift clusters in exposed releases will fail to scrape cluster-version operator metrics.", "name": "HyperShiftClusterVersionOperatorMetrics", "url": "https://issues.redhat.com/browse/OTA-1705" }, { "matchingRules": [ { "promql": { "promql": "group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",invoker=\"hypershift\"})\nor\n0 * group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})\n" }, "type": "PromQL" } ], "message": "Hosted/HyperShift clusters where HostedCluster has a configured proxy needed for IDP or ingress canary probes may lose the ability to login.", "name": "HyperShiftProxyScheme", "url": "https://issues.redhat.com/browse/CNTRLPLANE-1407" }, { "matchingRules": [ { "promql": { "promql": "topk by (_id) (1,\n group by (_id, type) (cluster_infrastructure_provider{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",type=~\"None|BareMetal\"})\n or\n 0 * group by (_id, type) (cluster_infrastructure_provider{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",type!~\"None|BareMetal\"})\n)\n" }, "type": "PromQL" } ], "message": "The NMState service can fail on baremetal cluster nodes, causing node scaleups and re-deployment failures.", "name": "NMStateServiceFailure", "url": "https://issues.redhat.com/browse/CORENET-6419" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk CrunConflictsWithNVIDIA (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n CrunConflictsWithNVIDIA description: Some crun 1.23 releases conflict with the NVIDIA GPU Operator over eBPF, causing issues with GPU workloads.\n CrunConflictsWithNVIDIA URL: https://issues.redhat.com/browse/RUN-3446\n\nCould not evaluate exposure to update risk HyperShiftClusterVersionOperatorMetrics (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n HyperShiftClusterVersionOperatorMetrics description: Hosted/HyperShift clusters in exposed releases will fail to scrape cluster-version operator metrics.\n HyperShiftClusterVersionOperatorMetrics URL: https://issues.redhat.com/browse/OTA-1705\n\nCould not evaluate exposure to update risk HyperShiftProxyScheme (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n HyperShiftProxyScheme description: Hosted/HyperShift clusters where HostedCluster has a configured proxy needed for IDP or ingress canary probes may lose the ability to login.\n HyperShiftProxyScheme URL: https://issues.redhat.com/browse/CNTRLPLANE-1407\n\nCould not evaluate exposure to update risk NMStateServiceFailure (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n NMStateServiceFailure description: The NMState service can fail on baremetal cluster nodes, causing node scaleups and re-deployment failures.\n NMStateServiceFailure URL: https://issues.redhat.com/browse/CORENET-6419", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:1bb5d0bec8d4fc7fda5191c313b5e224b54e1171bd3d4fdac086962540e4257e", "url": "https://access.redhat.com/errata/RHSA-2025:14820", "version": "4.18.23" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "group by (name) (csv_succeeded{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\", name=~\"gpu-operator-certified[.].*\"})\nor on (_id)\n0 * group(csv_count{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})" }, "type": "PromQL" } ], "message": "Some crun 1.23 releases conflict with the NVIDIA GPU Operator over eBPF, causing issues with GPU workloads.", "name": "CrunConflictsWithNVIDIA", "url": "https://issues.redhat.com/browse/RUN-3446" }, { "matchingRules": [ { "promql": { "promql": "group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",invoker=\"hypershift\"})\nor\n0 * group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})\n" }, "type": "PromQL" } ], "message": "Hosted/HyperShift clusters in exposed releases will fail to scrape cluster-version operator metrics.", "name": "HyperShiftClusterVersionOperatorMetrics", "url": "https://issues.redhat.com/browse/OTA-1705" }, { "matchingRules": [ { "promql": { "promql": "group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",invoker=\"hypershift\"})\nor\n0 * group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})\n" }, "type": "PromQL" } ], "message": "Hosted/HyperShift clusters where HostedCluster has a configured proxy needed for IDP or ingress canary probes may lose the ability to login.", "name": "HyperShiftProxyScheme", "url": "https://issues.redhat.com/browse/CNTRLPLANE-1407" }, { "matchingRules": [ { "promql": { "promql": "topk by (_id) (1,\n group by (_id, type) (cluster_infrastructure_provider{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",type=~\"None|BareMetal\"})\n or\n 0 * group by (_id, type) (cluster_infrastructure_provider{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",type!~\"None|BareMetal\"})\n)\n" }, "type": "PromQL" } ], "message": "The NMState service can fail on baremetal cluster nodes, causing node scaleups and re-deployment failures.", "name": "NMStateServiceFailure", "url": "https://issues.redhat.com/browse/CORENET-6419" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk CrunConflictsWithNVIDIA (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n CrunConflictsWithNVIDIA description: Some crun 1.23 releases conflict with the NVIDIA GPU Operator over eBPF, causing issues with GPU workloads.\n CrunConflictsWithNVIDIA URL: https://issues.redhat.com/browse/RUN-3446\n\nCould not evaluate exposure to update risk HyperShiftProxyScheme (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n HyperShiftProxyScheme description: Hosted/HyperShift clusters where HostedCluster has a configured proxy needed for IDP or ingress canary probes may lose the ability to login.\n HyperShiftProxyScheme URL: https://issues.redhat.com/browse/CNTRLPLANE-1407\n\nCould not evaluate exposure to update risk NMStateServiceFailure (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n NMStateServiceFailure description: The NMState service can fail on baremetal cluster nodes, causing node scaleups and re-deployment failures.\n NMStateServiceFailure URL: https://issues.redhat.com/browse/CORENET-6419", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:5e992671c4ac3ea131f7054dbddcd0d2a70590dcdb4fcc7c530b13d9501824d8", "url": "https://access.redhat.com/errata/RHSA-2025:13325", "version": "4.18.22" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "group by (name) (csv_succeeded{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\", name=~\"gpu-operator-certified[.].*\"})\nor on (_id)\n0 * group(csv_count{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})" }, "type": "PromQL" } ], "message": "Some crun 1.23 releases conflict with the NVIDIA GPU Operator over eBPF, causing issues with GPU workloads.", "name": "CrunConflictsWithNVIDIA", "url": "https://issues.redhat.com/browse/RUN-3446" }, { "matchingRules": [ { "promql": { "promql": "group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",invoker=\"hypershift\"})\nor\n0 * group by (_id, invoker) (cluster_installer{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"})\n" }, "type": "PromQL" } ], "message": "Hosted/HyperShift clusters where HostedCluster has a configured proxy needed for IDP or ingress canary probes may lose the ability to login.", "name": "HyperShiftProxyScheme", "url": "https://issues.redhat.com/browse/CNTRLPLANE-1407" }, { "matchingRules": [ { "promql": { "promql": "topk by (_id) (1,\n group by (_id, type) (cluster_infrastructure_provider{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",type=~\"None|BareMetal\"})\n or\n 0 * group by (_id, type) (cluster_infrastructure_provider{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\",type!~\"None|BareMetal\"})\n)\n" }, "type": "PromQL" } ], "message": "The NMState service can fail on baremetal cluster nodes, causing node scaleups and re-deployment failures.", "name": "NMStateServiceFailure", "url": "https://issues.redhat.com/browse/CORENET-6419" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk ConsoleEnabledTargetDownAlert (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n ConsoleEnabledTargetDownAlert description: The alert TargetDown is triggered if the capability Console is enabled on the cluster.\n ConsoleEnabledTargetDownAlert URL: https://issues.redhat.com/browse/CONSOLE-4632", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:da05310b7fa3489c2a4f18dc2d7e76f967a3895710263ea66aed04b65882828e", "url": "https://access.redhat.com/errata/RHSA-2025:8560", "version": "4.18.17" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "max(cluster_version_capability{name=\"Console\"})" }, "type": "PromQL" } ], "message": "The alert TargetDown is triggered if the capability Console is enabled on the cluster.", "name": "ConsoleEnabledTargetDownAlert", "url": "https://issues.redhat.com/browse/CONSOLE-4632" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk ConsoleEnabledTargetDownAlert (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n ConsoleEnabledTargetDownAlert description: The alert TargetDown is triggered if the capability Console is enabled on the cluster.\n ConsoleEnabledTargetDownAlert URL: https://issues.redhat.com/browse/CONSOLE-4632", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:e5129eb2070cdd2efc34ec30d49f47cece86b3e3e601daa49e392da4cf24daee", "url": "https://access.redhat.com/errata/RHSA-2025:8284", "version": "4.18.16" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "max(cluster_version_capability{name=\"Console\"})" }, "type": "PromQL" } ], "message": "The alert TargetDown is triggered if the capability Console is enabled on the cluster.", "name": "ConsoleEnabledTargetDownAlert", "url": "https://issues.redhat.com/browse/CONSOLE-4632" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk ConsoleEnabledTargetDownAlert (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n ConsoleEnabledTargetDownAlert description: The alert TargetDown is triggered if the capability Console is enabled on the cluster.\n ConsoleEnabledTargetDownAlert URL: https://issues.redhat.com/browse/CONSOLE-4632", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:b11973845d1c72c5b3975209284ef3bdbb00a23f1d18b8a3f4f141c491f4027d", "url": "https://access.redhat.com/errata/RHBA-2025:8104", "version": "4.18.15" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "max(cluster_version_capability{name=\"Console\"})" }, "type": "PromQL" } ], "message": "The alert TargetDown is triggered if the capability Console is enabled on the cluster.", "name": "ConsoleEnabledTargetDownAlert", "url": "https://issues.redhat.com/browse/CONSOLE-4632" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk ConsoleEnabledTargetDownAlert (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n ConsoleEnabledTargetDownAlert description: The alert TargetDown is triggered if the capability Console is enabled on the cluster.\n ConsoleEnabledTargetDownAlert URL: https://issues.redhat.com/browse/CONSOLE-4632", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:7e05e15756d5b23f768e4441b319e07b5dd7613dd44778fcffea8da202ebdcf1", "url": "https://access.redhat.com/errata/RHSA-2025:7863", "version": "4.18.14" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "max(cluster_version_capability{name=\"Console\"})" }, "type": "PromQL" } ], "message": "The alert TargetDown is triggered if the capability Console is enabled on the cluster.", "name": "ConsoleEnabledTargetDownAlert", "url": "https://issues.redhat.com/browse/CONSOLE-4632" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk ConsoleEnabledTargetDownAlert (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n ConsoleEnabledTargetDownAlert description: The alert TargetDown is triggered if the capability Console is enabled on the cluster.\n ConsoleEnabledTargetDownAlert URL: https://issues.redhat.com/browse/CONSOLE-4632", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:e937c839faf254a842341489059ce47eac468c54cde28fae647a64f8bd3489fd", "url": "https://access.redhat.com/errata/RHSA-2025:4712", "version": "4.18.13" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "max(cluster_version_capability{name=\"Console\"})" }, "type": "PromQL" } ], "message": "The alert TargetDown is triggered if the capability Console is enabled on the cluster.", "name": "ConsoleEnabledTargetDownAlert", "url": "https://issues.redhat.com/browse/CONSOLE-4632" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk ConsoleEnabledTargetDownAlert (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n ConsoleEnabledTargetDownAlert description: The alert TargetDown is triggered if the capability Console is enabled on the cluster.\n ConsoleEnabledTargetDownAlert URL: https://issues.redhat.com/browse/CONSOLE-4632", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:a7b08a023f84c14cf731f2076bc06ae0100e027446835273506f5556bf739298", "url": "https://access.redhat.com/errata/RHSA-2025:4427", "version": "4.18.12" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "max(cluster_version_capability{name=\"Console\"})" }, "type": "PromQL" } ], "message": "The alert TargetDown is triggered if the capability Console is enabled on the cluster.", "name": "ConsoleEnabledTargetDownAlert", "url": "https://issues.redhat.com/browse/CONSOLE-4632" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk MetallbBgpBfdFrrRpm (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n MetallbBgpBfdFrrRpm description: Clusters using MetalLB BFD capabilities alongside BGP can fail to establish BGP peering, reducing the availability of LoadBalancer services exposed by MetalLB, or even making them unreachable\n MetallbBgpBfdFrrRpm URL: https://issues.redhat.com/browse/CNF-17689", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:4198606580b69c8335ad7ae531c3a74e51aee25db5faaf368234e8c8dae5cbea", "url": "https://access.redhat.com/errata/RHSA-2025:4211", "version": "4.18.11" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "(\n group by (_id, name) (csv_succeeded{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\", name=~\"metallb-operator[.].*\"})\n or on (_id)\n 0 * label_replace(group by (_id) (csv_succeeded{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"}), \"name\", \"metallb operator not installed\", \"name\", \".*\")\n)\n" }, "type": "PromQL" } ], "message": "Clusters using MetalLB BFD capabilities alongside BGP can fail to establish BGP peering, reducing the availability of LoadBalancer services exposed by MetalLB, or even making them unreachable", "name": "MetallbBgpBfdFrrRpm", "url": "https://issues.redhat.com/browse/CNF-17689" } ] }, { "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "message": "Could not evaluate exposure to update risk MetallbBgpBfdFrrRpm (creating PromQL round-tripper: unable to read CA cert: unable to read file /etc/tls/service-ca/service-ca.crt: open /etc/tls/service-ca/service-ca.crt: no such file or directory)\n MetallbBgpBfdFrrRpm description: Clusters using MetalLB BFD capabilities alongside BGP can fail to establish BGP peering, reducing the availability of LoadBalancer services exposed by MetalLB, or even making them unreachable\n MetallbBgpBfdFrrRpm URL: https://issues.redhat.com/browse/CNF-17689", "reason": "EvaluationFailed", "status": "Unknown", "type": "Recommended" } ], "release": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:0e63f36129991fe6fa25112ab12a56110d1660f21f3e2582d290f7820a3479d2", "url": "https://access.redhat.com/errata/RHSA-2025:4019", "version": "4.18.10" }, "risks": [ { "matchingRules": [ { "promql": { "promql": "(\n group by (_id, name) (csv_succeeded{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\", name=~\"metallb-operator[.].*\"})\n or on (_id)\n 0 * label_replace(group by (_id) (csv_succeeded{_id=\"3377b550-f38f-4c3a-a366-1df3f6deadfd\"}), \"name\", \"metallb operator not installed\", \"name\", \".*\")\n)\n" }, "type": "PromQL" } ], "message": "Clusters using MetalLB BFD capabilities alongside BGP can fail to establish BGP peering, reducing the availability of LoadBalancer services exposed by MetalLB, or even making them unreachable", "name": "MetallbBgpBfdFrrRpm", "url": "https://issues.redhat.com/browse/CNF-17689" } ] } ], "conditions": [ { "lastTransitionTime": "2026-04-21T10:47:57Z", "status": "True", "type": "RetrievedUpdates" }, { "lastTransitionTime": "2026-04-21T10:47:38Z", "message": "Capabilities match configured spec", "reason": "AsExpected", "status": "False", "type": "ImplicitlyEnabledCapabilities" }, { "lastTransitionTime": "2026-04-21T10:47:38Z", "message": "Payload loaded version=\"4.18.9\" image=\"quay.io/openshift-release-dev/ocp-release@sha256:dafd6d1fe6008bf1a3e5baea3420aa0344412bf3167e1e92bec5c92098dc6464\" architecture=\"Multi\"", "reason": "PayloadLoaded", "status": "True", "type": "ReleaseAccepted" }, { "lastTransitionTime": "2026-04-21T11:01:27Z", "message": "Done applying 4.18.9", "status": "True", "type": "Available" }, { "lastTransitionTime": "2026-04-21T11:01:27Z", "status": "False", "type": "Failing" }, { "lastTransitionTime": "2026-04-21T11:01:27Z", "message": "Cluster version is 4.18.9", "status": "False", "type": "Progressing" } ], "desired": { "channels": [ "candidate-4.18", "candidate-4.19", "candidate-4.20", "eus-4.18", "eus-4.20", "fast-4.18", "fast-4.19", "fast-4.20", "stable-4.18", "stable-4.19", "stable-4.20" ], "image": "quay.io/openshift-release-dev/ocp-release@sha256:dafd6d1fe6008bf1a3e5baea3420aa0344412bf3167e1e92bec5c92098dc6464", "url": "https://access.redhat.com/errata/RHSA-2025:3775", "version": "4.18.9" }, "history": [ { "completionTime": "2026-04-21T11:01:27Z", "image": "quay.io/openshift-release-dev/ocp-release@sha256:dafd6d1fe6008bf1a3e5baea3420aa0344412bf3167e1e92bec5c92098dc6464", "startedTime": "2026-04-21T10:47:38Z", "state": "Completed", "verified": false, "version": "4.18.9" } ], "observedGeneration": 2, "versionHash": "-a-lnR9LJgI=" } } ], "kind": "List", "metadata": { "resourceVersion": "" } }