The release notes for the Custom Metrics Autoscaler Operator for Red Hat OpenShift describe new features and enhancements, deprecated features, and known issues.

The Custom Metrics Autoscaler Operator uses the Kubernetes-based Event Driven Autoscaler (KEDA) and is built on top of the OKD horizontal pod autoscaler (HPA).

The Custom Metrics Autoscaler Operator for Red Hat OpenShift is provided as an installable component, with a distinct release cycle from the core OKD. The Red Hat OpenShift Container Platform Life Cycle Policy outlines release compatibility.

Supported versions

The following table defines the Custom Metrics Autoscaler Operator versions for each OKD version.

Version OKD version General availability



General availability



General availability



General availability



General availability

Custom Metrics Autoscaler Operator 2.12.1-394 release notes

This release of the Custom Metrics Autoscaler Operator 2.12.1-394 provides a bug fix for running the Operator in an OKD cluster. The following advisory is available for the RHSA-2024:2901.

Before installing this version of the Custom Metrics Autoscaler Operator, remove any previously installed Technology Preview versions or the community-supported version of KEDA.

Bug fixes

  • Previously, the protojson.Unmarshal function entered into an infinite loop when unmarshaling certain forms of invalid JSON. This condition could occur when unmarshaling into a message that contains a google.protobuf.Any value or when the UnmarshalOptions.DiscardUnknown option is set. This release fixes this issue. (OCPBUGS-30305)

  • Previously, when parsing a multipart form, either explicitly with the Request.ParseMultipartForm method or implicitly with the Request.FormValue, Request.PostFormValue, or Request.FormFile method, the limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This could have permitted a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With this fix, the parsing process now correctly limits the maximum size of form lines. (OCPBUGS-30360)

  • Previously, when following an HTTP redirect to a domain that is not on a matching subdomain or on an exact match of the initial domain, an HTTP client would not forward sensitive headers, such as Authorization or Cookie. For example, a redirect from example.com to www.example.com would forward the Authorization header; but a redirect to www.example.org would not forward the header. A maliciously crafted HTTP redirect could have caused sensitive headers to be unexpectedly forwarded. This release fixes this issue. (OCPBUGS-30365)

  • Previously, verifying a certificate chain that contains a certificate with an unknown public key algorithm caused the certificate verification process to panic. This condition affected all crypto and TLS clients and servers that set the Config.ClientAuth parameter to the VerifyClientCertIfGiven or RequireAndVerifyClientCert value. The default behavior is for TLS servers to not verify client certificates. This release fixes this issue. (OCPBUGS-30370)

  • Previously, if errors returned from the MarshalJSON method contained user-controlled data, the data could have been used to break the contextual auto-escaping behavior of the HTML template package. This condition would allow for subsequent actions to inject unexpected content into the templates. This release fixes this issue. (OCPBUGS-30397)

  • Previously, the net/http and golang.org/x/net/http2 Go packages did not limit the number of CONTINUATION frames that were read for an HTTP/2 request. This condition could permit an attacker to provide an arbitrarily large set of headers for a single request, which would be read, decoded, and subsequently discarded. This could result in excessive CPU consumption. This release fixes this issue. (OCPBUGS-30894)