4.21 version change log

View information of version changes for major, minor, and patch updates that are available for your Red Hat® OpenShift® on IBM Cloud® clusters that run this version. Changes include updates to Red Hat OpenShift, Kubernetes, and IBM Cloud Provider components.

Overview

Unless otherwise noted in the change logs, the IBM Cloud provider version enables Red Hat OpenShift APIs and features that are at beta. Red Hat OpenShift alpha features are disabled and subject to change.

Check the Security Bulletins on IBM Cloud Status for security vulnerabilities that affect Red Hat OpenShift on IBM Cloud. You can filter the results to view only Kubernetes Service security bulletins that are relevant to Red Hat OpenShift on IBM Cloud. Change log entries that address other security vulnerabilities but don't include an IBM security bulletin are for vulnerabilities that are not known to affect Red Hat OpenShift on IBM Cloud in normal usage. If you run privileged containers, run commands on the workers, or execute untrusted code, then you might be at risk.

Master patch updates are applied automatically. Worker node patch updates can be applied by reloading or updating the worker nodes. For more information about major, minor, and patch versions and preparation actions between minor versions, see Red Hat OpenShift versions.

Version 4.21

Master fix pack 4.21.18_1520_openshift, released 26 June 2026

The following table shows the components that are in the master fix pack 4.21.18_1520_openshift. Master patch updates are applied automatically.

4.21.18_1520_openshift fix pack.
Component	Description
Cluster health image v1.6.16	New version contains updates and security fixes.
etcd v3.5.30	See the etcd release notes.
IBM Cloud Block Storage driver and plug-in v2.5.26	New version contains updates and security fixes.
IBM Cloud Controller Manager v1.34.8-2	New version contains updates and security fixes.
IBM Cloud File Storage for Classic plug-in and monitor v455	New version contains updates and security fixes.
Key Management Service provider 2.10.25	New version contains updates and security fixes.
Portieris admission controller v0.14.0	See the Portieris admission controller release notes
Red Hat OpenShift on IBM Cloud 4.21.18	See the Red Hat OpenShift on IBM Cloud release notes.

Worker node fix pack 4.21.19_1521_openshift, released 15 June 2026

The following table shows the components included in the worker node fix pack 4.21.19_1521_openshift. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

4.21.19_1521_openshift fix pack.
Component	Description
RHEL 9 (VPC) 5.14.0-570.116.1.el9_6	Resolves the following CVEs: CVE-2026-5119.
RHEL 9 (Satellite) 5.14.0-570.62.1.el9_6	N/A
RHEL 9 (Classic) 5.14.0-570.116.1.el9_6	N/A
Red Hat OpenShift 4.21.19	For more information, see the change logs.
Red Hat CoreOS 4.21.19	For more information, see the change logs.
HAProxy d4656f400ca14059e1b5b8ef8078b4903290791a	Resolves the following CVEs: CVE-2026-45186.

Worker node fix pack 4.21.17_1519_openshift, released 03 June 2026

The following table shows the components included in the worker node fix pack 4.21.17_1519_openshift. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

4.21.17_1519_openshift fix pack.
Component	Description
RHEL 9 (VPC) 5.14.0-570.116.1.el9_6	Resolves the following CVEs: RHSA-2026:21392, CVE-2026-4802, RHSA-2026:18042, CVE-2026-39979, CVE-2026-40164, RHSA-2026:16312, CVE-2026-43284, RHSA-2026:20129, CVE-2026-46300, CVE-2026-46333, RHSA-2026:19458, CVE-2026-4878, RHSA-2026:18031, CVE-2026-41651, RHSA-2026:19576, CVE-2026-4786, CVE-2026-6100, RHSA-2026:20603, CVE-2024-12086, CVE-2025-10158, CVE-2026-41035, RHSA-2026:19457, CVE-2025-14087, CVE-2025-14512, RHSA-2026:20548, and CVE-2026-33416.
RHEL 9 (Satellite) 5.14.0-570.62.1.el9_6	N/A
RHEL 9 (Classic) 5.14.0-570.116.1.el9_6	Resolves the following CVEs: RHSA-2026:18042, CVE-2026-39979, CVE-2026-40164, RHSA-2026:16312, CVE-2026-43284, RHSA-2026:20129, CVE-2026-46300, CVE-2026-46333, RHSA-2026:19458, CVE-2026-4878, RHSA-2026:19576, CVE-2026-4786, CVE-2026-6100, RHSA-2026:19457, CVE-2025-14087, CVE-2025-14512, RHSA-2026:20548, and CVE-2026-33416.
Red Hat OpenShift 4.21.17	For more information, see the change logs.
Red Hat CoreOS 4.21.17	For more information, see the change logs.
HAProxy 0e0730588ba21878845cdb0bee615a371a489a02	Resolves the following CVEs: CVE-2026-4046, CVE-2026-33846, CVE-2026-42010, CVE-2026-5260, CVE-2026-42014, CVE-2026-3833, CVE-2026-42015, CVE-2026-33845, CVE-2026-42011, CVE-2026-42009, CVE-2026-42013, and CVE-2026-42012.

Master fix pack 4.21.15_1517_openshift, released 22 May 2026

The following table shows the components that are in the master fix pack 4.21.15_1517_openshift. Master patch updates are applied automatically.

4.21.15_1517_openshift fix pack.
Component	Description
IBM Cloud Controller Manager v1.34.7-4	New version contains updates and security fixes.
Key Management Service provider 2.10.24	New version contains updates and security fixes.
Kubernetes feature gates configuration	RotateKubeletServerCertificate=true,BuildCSIVolumes=true,NetworkLiveMigration=true,OpenShiftPodSecurityAdmission=false,AdminNetworkPolicy=true,KMSv1=false,ExternalOIDC=true,NetworkDiagnosticsConfig=true,ManagedBootImages=true,TranslateStreamCloseWebsocketRequests=false,NewOLM=false,DisableNodeKubeProxyVersion=false,ServiceAccountTokenNodeBinding=true,AdditionalRoutingCapabilities=true,CPMSMachineNamePrefix=true,ConsolePluginContentSecurityPolicy=true,GatewayAPI=true,GatewayAPIController=true,MetricsCollectionProfiles=true,NetworkSegmentation=true,RouteExternalCertificate=true,HighlyAvailableArbiter=true,ImageVolume=true,MachineConfigNodes=true,PinnedImages=true,ProcMountType=true,RouteAdvertisements=true,SigstoreImageVerification=true,StoragePerformantSecurityPolicy=true,UpgradeStatus=true,UserNamespacesPodSecurityStandards=true,UserNamespacesSupport=true,ExternalOIDCWithUIDAndExtraClaimMappings=true,HyperShiftOnlyDynamicResourceAllocation=true,ImageStreamImportMode=true,ManagedBootImagesvSphere=true,PreconfiguredUDNAddresses=true,SigstoreImageVerificationPKI=true,VolumeAttributesClass=true. For more information, see Kubernetes docs
Portieris admission controller v0.13.38	See the Portieris admission controller release notes
Red Hat OpenShift on IBM Cloud 4.21.15	See the Red Hat OpenShift on IBM Cloud release notes.

Worker node fix pack 4.21.15_1518_openshift, released 20 May 2026

The following table shows the components included in the worker node fix pack 4.21.15_1518_openshift. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

4.21.15_1518_openshift fix pack.
Component	Description
RHEL 9 (VPC) 5.14.0-570.112.1.el9_6	Resolves the following CVEs: RHSA-2025:22392, CVE-2025-38724, CVE-2025-39864, CVE-2025-39881, CVE-2025-39883, CVE-2025-39918, CVE-2025-39955, CVE-2025-40186, RHSA-2026:0457, CVE-2025-23142, CVE-2025-39806, CVE-2025-39981, CVE-2025-39983, CVE-2025-40176, CVE-2025-68287, RHSA-2026:0804, CVE-2025-21795, CVE-2025-37849, CVE-2025-37891, CVE-2025-39697, CVE-2025-40154, CVE-2025-68285, RHSA-2026:14339, CVE-2024-53216, CVE-2025-68741, CVE-2026-23243, CVE-2026-23401, CVE-2026-31431, CVE-2026-31532, CVE-2026-43077, RHSA-2026:16312, CVE-2026-43284, RHSA-2026:1703, CVE-2025-21863, CVE-2025-40248, CVE-2025-68301, RHSA-2026:16059, CVE-2026-35385, CVE-2026-35386, CVE-2026-35387, CVE-2026-35388, CVE-2026-35414, RHSA-2026:13889, CVE-2026-35535, RHSA-2025:21563, CVE-2024-56690, RHSA-2025:21933, CVE-2025-39898, CVE-2025-39971, CVE-2025-39973, CVE-2025-40047, RHSA-2025:22802, CVE-2025-39966, RHSA-2025:23789, CVE-2025-39843, CVE-2025-39925, RHSA-2026:11313, CVE-2026-23097, CVE-2026-31402, RHSA-2026:1194, CVE-2023-53034, CVE-2025-37761, CVE-2025-37789, CVE-2025-37819, CVE-2025-37869, CVE-2025-38289, CVE-2025-40141, CVE-2025-40251, CVE-2025-40258, CVE-2025-40277, CVE-2025-40318, RHSA-2026:2352, CVE-2024-54456, CVE-2025-21647, CVE-2025-21786, CVE-2025-21791, CVE-2025-38022, CVE-2025-38051, CVE-2025-38568, CVE-2025-40294, CVE-2025-40322, CVE-2025-68349, RHSA-2026:2759, CVE-2025-37882, CVE-2025-38349, CVE-2025-38730, CVE-2025-39760, CVE-2025-39933, CVE-2025-40269, CVE-2025-40271, CVE-2025-40304, RHSA-2026:3088, CVE-2025-37861, CVE-2025-38106, CVE-2025-38415, RHSA-2026:3520, CVE-2025-38154, RHSA-2026:4011, CVE-2024-47727, CVE-2024-56603, CVE-2025-22056, CVE-2025-38024, CVE-2025-38129, CVE-2025-38141, CVE-2025-38703, RHSA-2026:4745, CVE-2024-53229, CVE-2025-38206, CVE-2025-40240, CVE-2025-68811, CVE-2025-71085, RHSA-2026:5197, CVE-2025-38248, CVE-2026-23001, RHSA-2026:6164, CVE-2024-56645, CVE-2025-40096, CVE-2025-68800, CVE-2026-23209, RHSA-2026:6940, CVE-2025-38180, CVE-2026-23231, RHSA-2026:9112, CVE-2026-23066, CVE-2026-23111, CVE-2026-23144, CVE-2026-23171, CVE-2026-23193, CVE-2026-23204, RHSA-2026:17524, and CVE-2026-33636.
RHEL 9 (Classic) 5.14.0-570.112.1.el9_6	Resolves the following CVEs: RHSA-2026:2229, CVE-2025-6176, RHSA-2025:21773, CVE-2025-59375, RHSA-2026:1229, CVE-2025-68973, RHSA-2026:18042, CVE-2026-39979, CVE-2026-40164, RHSA-2025:22392, CVE-2025-38724, CVE-2025-39864, CVE-2025-39881, CVE-2025-39883, CVE-2025-39918, CVE-2025-39955, CVE-2025-40186, RHSA-2026:0457, CVE-2025-23142, CVE-2025-39806, CVE-2025-39981, CVE-2025-39983, CVE-2025-40176, CVE-2025-68287, RHSA-2026:0804, CVE-2025-21795, CVE-2025-37849, CVE-2025-37891, CVE-2025-39697, CVE-2025-40154, CVE-2025-68285, RHSA-2026:14339, CVE-2024-53216, CVE-2025-68741, CVE-2026-23243, CVE-2026-23401, CVE-2026-31431, CVE-2026-31532, CVE-2026-43077, RHSA-2026:16312, CVE-2026-43284, RHSA-2026:1703, CVE-2025-21863, CVE-2025-40248, CVE-2025-68301, RHSA-2026:7105, CVE-2026-4111, RHSA-2026:8866, CVE-2026-4424, CVE-2026-5121, RHSA-2026:19458, CVE-2026-4878, RHSA-2026:0210, CVE-2025-64720, CVE-2025-65018, CVE-2025-66293, RHSA-2026:3576, CVE-2026-22695, CVE-2026-22801, CVE-2026-25646, RHSA-2026:8548, CVE-2026-27135, RHSA-2026:16059, CVE-2026-35385, CVE-2026-35386, CVE-2026-35387, CVE-2026-35388, CVE-2026-35414, RHSA-2026:9415, CVE-2026-3497, RHSA-2026:1503, CVE-2025-15467, CVE-2025-69419, RHSA-2026:1729, CVE-2025-66418, CVE-2025-66471, CVE-2026-21441, RHSA-2026:9354, CVE-2026-4519, RHSA-2025:21067, CVE-2025-11561, RHSA-2026:13889, CVE-2026-35535, RHSA-2026:6539, CVE-2026-25749, CVE-2026-28417, CVE-2026-28421, CVE-2026-33412, RHSA-2025:23400, CVE-2025-11083, RHSA-2025:23043, CVE-2025-9086, RHSA-2026:1465, CVE-2025-13601, RHSA-2026:19457, CVE-2025-14087, CVE-2025-14512, RHSA-2026:6630, CVE-2025-14831, RHSA-2026:4823, CVE-2025-61662, RHSA-2025:21563, CVE-2024-56690, RHSA-2025:21933, CVE-2025-39898, CVE-2025-39971, CVE-2025-39973, CVE-2025-40047, RHSA-2025:22802, CVE-2025-39966, RHSA-2025:23789, CVE-2025-39843, CVE-2025-39925, RHSA-2026:11313, CVE-2026-23097, CVE-2026-31402, RHSA-2026:1194, CVE-2023-53034, CVE-2025-37761, CVE-2025-37789, CVE-2025-37819, CVE-2025-37869, CVE-2025-38289, CVE-2025-40141, CVE-2025-40251, CVE-2025-40258, CVE-2025-40277, CVE-2025-40318, RHSA-2026:2352, CVE-2024-54456, CVE-2025-21647, CVE-2025-21786, CVE-2025-21791, CVE-2025-38022, CVE-2025-38051, CVE-2025-38568, CVE-2025-40294, CVE-2025-40322, CVE-2025-68349, RHSA-2026:2759, CVE-2025-37882, CVE-2025-38349, CVE-2025-38730, CVE-2025-39760, CVE-2025-39933, CVE-2025-40269, CVE-2025-40271, CVE-2025-40304, RHSA-2026:3088, CVE-2025-37861, CVE-2025-38106, CVE-2025-38415, RHSA-2026:3520, CVE-2025-38154, RHSA-2026:4011, CVE-2024-47727, CVE-2024-56603, CVE-2025-22056, CVE-2025-38024, CVE-2025-38129, CVE-2025-38141, CVE-2025-38703, RHSA-2026:4745, CVE-2024-53229, CVE-2025-38206, CVE-2025-40240, CVE-2025-68811, CVE-2025-71085, RHSA-2026:5197, CVE-2025-38248, CVE-2026-23001, RHSA-2026:6164, CVE-2024-56645, CVE-2025-40096, CVE-2025-68800, CVE-2026-23209, RHSA-2026:6940, CVE-2025-38180, CVE-2026-23231, RHSA-2026:9112, CVE-2026-23066, CVE-2026-23111, CVE-2026-23144, CVE-2026-23171, CVE-2026-23193, CVE-2026-23204, RHSA-2026:17524, CVE-2026-33636, RHSA-2026:0428, CVE-2025-5987, RHSA-2025:22377, CVE-2025-9714, RHSA-2026:3941, CVE-2025-12801, RHSA-2026:0693, CVE-2025-61984, CVE-2025-61985, RHSA-2025:21174, CVE-2025-9230, RHSA-2026:2275, CVE-2025-12084, RHSA-2026:5218, CVE-2025-15366, CVE-2025-15367, CVE-2026-1299, RHSA-2026:0435, and CVE-2025-45582.
RHEL 9 (Satellite) 5.14.0-570.62.1.el9_6	N/A
Red Hat OpenShift 4.21.15	For more information, see the change logs.
Red Hat CoreOS 4.21.15	For more information, see the change logs.
HAProxy 6ba93946d8bd08ba581321189c719ab548cadf01	Resolves the following CVEs: CVE-2025-9714, CVE-2026-4424, CVE-2026-40356, CVE-2025-14512, CVE-2026-4878, CVE-2026-40355, CVE-2026-5121, and CVE-2025-14087.

Change log for master fix pack 4.21.13_1516_openshift, released 13 May 2026

The following table shows the changes that are in the master fix pack 4.21.13_1516_openshift. Master patch updates are applied automatically.

Changes since master version 4.20.18_1545_openshift
Component	Previous	Current	Description
IBM Cloud Controller Manager	v1.33.10-2	v1.34.7-1	New version contains updates and security fixes.
Kubernetes pause container	3.10.1	3.10.2	New version contains updates and security fixes.
Red Hat OpenShift	4.20.18	4.21.13	See the Red Hat OpenShift on IBM Cloud release notes.

Change log for worker node fix pack 4.21.10_1514_openshift, released 13 May 2026

The following table shows the changes that are in the worker node fix pack 4.21.10_1514_openshift. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since worker node version 4.20.15_1544_openshift
Component	Previous	Current	Description
Red Hat OpenShift	4.20.15	4.21.10	See the Red Hat OpenShift on IBM Cloud release notes.