What's new in OpenShift, 4.20 Edition

OpenShift

- Toni Schmidbauer Toni Schmidbauer Thomas Jungbauer Thomas Jungbauer ( Lastmod: 2025-11-10 ) - 3 min read

image from What's new in OpenShift, 4.20 Edition

This article covers news and updates in the OpenShift 4.20 release. We focus on points that got our attention, but this is not a complete summary of the release notes.

Configuring a local arbiter node

Configuring a local arbiter node describes how to configure an OCP cluster with only two control plane (ETCD) nodes. Might be useful in a pure bare metal environment where three bare metal control plane nodes might be overkill.

Two node clusters with fencing

Two-node with Fencing still in tech preview. Useful for environments with only two active datacenters. Especially if you have bare metal control plane nodes. We got quite a few customers with only to data centers available.

About the HostFirmwareComponents resource

About the HostFirmwareComponents. When Metal3 is used it’s now possible to update the NIC (Network interface card) firmware.

Boot image updates on Vmware

Boot image management can be used to update the boot image for new nodes. Up until now when you installed you cluster on VMware with a certain boot image (let’s say 4.15) it never got updates. New nodes were always booted from this old image and later updated to the current cluster release.

About on-cluster image mode

About on-cluster image mode. Image mode allows you to customize the node operating system image. You basically create a Containerfile, install custom RPM’s or deploy custom configuration files in the Containerfile and OCP creates a layered image for you cluster. The image is automatically rolled out to the cluster with the Machine Config Operator. Fancy stuff…​.

Pinning images

Pinning images. If your internet connection is flaky, or you have reasons to not trust the availablity of Red Hat registries like quay.io or registry.redhat.io you can now pin images those images. They are pulled down immediately and will not be garbage collected (hopefully…​).

BGP routing

About BGP routing. MetalLB had support for announcing IP’s via BGP for a long time, but now it’s also possible to announce UDN’s or EgressIP. IMHO this is especially interesting for EgressIP because there were some nasty bugs around using GRAP (Gratuitous ARP) for announcing IP’s to switches.

Migrating a configured br-ex bridge to NMState

Migrating a configured br-ex bridge to NMState. There’s this ominous configure-ovs.sh that reconfigures the public interface of a node an brings up br-ex. There was support for deploying an NMState-based configuration during cluster installation and not using configure-ovs.sh. Now it’s also possible to get rid of the shell script after installation.

Configuration for a Bond CNI secondary network

Configuration for a Bond CNI secondary network. Bond interface can now be created for interface in containers. This currently only supports SR-IOV virtual functions.

Manage secure signatures with sigstore

Manage secure signatures with sigstore. Sigstore support can now be enabled on a cluster level or on an individual namespace level.

Running pods in Linux user namespaces

Running pods in Linux user namespaces. This is IMHO a big one. Linux user namespaces are finally supported in OpenShift! So it’s possible to grant root inside a container and map the root UID to an unprivileged ID outside the container.

Adjust pod resource levels without pod disruption

Adjust pod resource levels without pod disruption. Resize CPU and memory resource without restarting a Pod!

Introducing the oc adm upgrade recommend command (General Availability)

Understanding OpenShift upgrades. oc know officially supports cluster upgrade from the command line. oc adm upgrade recommended performs some pre-flight checks before upgrading a cluster.

Additional cluster latency requirements for etcd

Cluster latency requirements for etcd. ETCD latency requirements were updated in the documentation.

Sunset of the Red Hat Marketplace, operated by IBM

Sunset of the Red Hat Marketplace, operated by IBM. It seems Red Hat Marktplace is no more…​

How to use Changed Block Tracking (Dev Preview) in OpenShift 4.20

How to use Changed Block Tracking (Dev Preview) in OpenShift 4.20. Change block tracking for PV’s is now in dev preview. Whatever this means exactly, needs more investigation.

See Also:

  • Red Hat Quay Registry - Integrate Keycloak

    This guide shows you how to configure Keycloak as an OpenID Connect (OIDC) provider for Red Hat Quay Registry. It covers what to configure in Keycloak, what to put into Quay’s config.yaml (or Operator config), how to verify the login flow, and how to switch your Quay initial/admin account (stored locally in Quay’s DB) to an admin user that authenticates via Keycloak.

  • A second look into the Kubernetes Gateway API on OpenShift

    This is our second look into the Kubernetes Gateway API an it’s integration into OpenShift. This post covers TLS configuration. The Kubernetes Gateway API is new implementation of the ingress, load balancing and service mesh API’s. See upstream for more information. Also the OpenShift documentation provides an overview of the Gateway API and it’s integration. We demonstrate how to add TLS to our Nginx deployment, how to implement a shared Gateway and finally how to implement HTTP to HTTPS redirection with the Gateway API. Furthermore we cover how HTTPRoute objects attach to Gateways and dive into ordering of HTTPRoute objects.

  • A first look into the Kubernetes Gateway API on OpenShift

    This blog post summarizes our first look into the Kubernetes Gateway API and how it is integrated in OpenShift.

  • Reusable Argo CD Application Helm Template

    When working with Argo CD at scale, you often find yourself creating similar Application manifests repeatedly. Each application needs the same basic structure but with different configurations for source repositories, destinations, and sync policies. Additionally, managing namespace metadata becomes tricky when you need to conditionally control whether Argo CD should manage namespace metadata based on sync options. In this article, I’ll walk you through a reusable Helm template that solves these challenges by providing a flexible, DRY (Don’t Repeat Yourself) approach to creating Argo CD Applications. This template is available in my public Helm Chart library and can easily be used by anyone.

  • Cert-Manager Policy Approver in OpenShift

    One of the most commonly deployed operators in OpenShift environments is the Cert-Manager Operator. It automates the management of TLS certificates for applications running within the cluster, including their issuance and renewal. The tool supports a variety of certificate issuers by default, including ACME, Vault, and self-signed certificates. Whenever a certificate is needed, Cert-Manager will automatically create a CertificateRequest resource that contains the details of the certificate. This resource is then processed by the appropriate issuer to generate the actual TLS certificate. The approval process in this case is usually fully automated, meaning that the certificate is issued without any manual intervention. But what if you want to have more control? What if certificate issuance must follow strict organizational policies, such as requiring a specifc country code or organization name? This is where the CertificateRequestPolicy resource, a resource provided by the Approver Policy, comes into play. This article walks through configuring the Cert-Manager Approver Policy in OpenShift to enforce granular policies on certificate requests.

Copyright © 2020 - 2025 Toni Schmidbauer & Thomas Jungbauer