OpenShift Node / OCPNODE-4065

Impact Admin-ack for Sigstore signature requirements for 4.20-4.21 updates


    • Type: Spike
    • Resolution: Done
    • Priority: Critical
    • Quality / Stability / Reliability

      Update-risk impact statement for OCPBUGS-73884.

      Which 4.y.z to 4.y'.z' updates increase vulnerability?

      Updates from 4.20.12 to 4.21.0. 4.20.13 picked up OCPBUGS-73884, so they have an admin-ack guard for this baked into the source release. 4.20.11 and older are not direct update sources for 4.21.0, because of graph-data#8624:

      $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.21.0-x86_64 | grep Upgrades
        Upgrades: 4.20.12, 4.20.13, 4.21.0-ec.0

      Which types of clusters?

      Clusters with ImageContentSourcePolicies or ImageDigestMirrorSets covering quay.io/openshift-release-dev/ocp-release. That is the scope of the openshift ClusterImagePolicy that becomes default in 4.21, and clusters with either mirror type for that scope will try to retrieve release payloads from the mirrors, and need to be able to find the Sigstore images in the same place they find the signed release payloads.
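      The scope criterion above can be checked mechanically against a cluster's mirror configuration. The following is an added example, not code from the Jira issue or from OpenShift itself; it reads the JSON shape that `oc get imagecontentsourcepolicy,imagedigestmirrorset -o json` produces (the `repositoryDigestMirrors` and `imageDigestMirrors` spec fields), and treats a `source` as covering the release repository when it names the repository itself or a registry/namespace prefix ending on a path-component boundary. The two mirror objects embedded in the block are constructed sample data.

```python
"""Report which ICSP/IDMS mirror entries cover the OpenShift release repository.

Added example (not part of the OCPNODE-4065 issue): models the "Which types of
clusters?" criterion. Input is shaped like
`oc get imagecontentsourcepolicy,imagedigestmirrorset -o json`; the SAMPLE
document below is constructed for illustration.
"""

RELEASE_REPO = "quay.io/openshift-release-dev/ocp-release"

# Field paths differ between the deprecated ICSP and its IDMS replacement.
MIRROR_FIELDS = {
    "ImageContentSourcePolicy": "repositoryDigestMirrors",
    "ImageDigestMirrorSet": "imageDigestMirrors",
}


def source_covers(source: str, repo: str = RELEASE_REPO) -> bool:
    """True if a mirror `source` covers `repo`.

    Matching is on whole path components (assumption used by this example):
    a registry ("quay.io"), a namespace ("quay.io/openshift-release-dev") or
    the full repository match; a partial component such as
    "quay.io/openshift-release-dev/ocp" does not.
    """
    source = source.rstrip("/")
    return repo == source or repo.startswith(source + "/")


def affected_mirrors(item_list: dict) -> list:
    """Return one record per mirror entry whose source covers the release repo."""
    hits = []
    for item in item_list.get("items", []):
        kind = item.get("kind")
        field = MIRROR_FIELDS.get(kind)
        if field is None:
            continue  # other kinds (e.g. ImageTagMirrorSet) are outside this check
        name = item.get("metadata", {}).get("name", "<unnamed>")
        for entry in item.get("spec", {}).get(field, []):
            source = entry.get("source", "")
            if source_covers(source):
                hits.append({"kind": kind, "name": name, "source": source,
                             "mirrors": list(entry.get("mirrors", []))})
    return hits


# Constructed sample: one IDMS that mirrors the release repo, one ICSP that
# mirrors only an unrelated operator catalog.
SAMPLE = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "config.openshift.io/v1",
            "kind": "ImageDigestMirrorSet",
            "metadata": {"name": "release-mirror"},
            "spec": {"imageDigestMirrors": [
                {"source": "quay.io/openshift-release-dev/ocp-release",
                 "mirrors": ["mirror.example.internal/ocp/release"]},
            ]},
        },
        {
            "apiVersion": "operator.openshift.io/v1alpha1",
            "kind": "ImageContentSourcePolicy",
            "metadata": {"name": "catalog-mirror"},
            "spec": {"repositoryDigestMirrors": [
                {"source": "registry.redhat.io/redhat/redhat-operator-index",
                 "mirrors": ["mirror.example.internal/redhat/operator-index"]},
            ]},
        },
    ],
}


def main() -> None:
    hits = affected_mirrors(SAMPLE)
    if not hits:
        print("No mirror covers the release repository; cluster is outside the stated scope.")
        return
    print("In scope: the openshift ClusterImagePolicy (default in 4.21) applies to these mirrors.")
    for h in hits:
        print(f"  {h['kind']}/{h['name']}: {h['source']} -> {', '.join(h['mirrors'])}")
    print("Sigstore signature images must be retrievable from the same mirrors.")


if __name__ == "__main__":
    main()
```

      Against a live cluster, replace `SAMPLE` with the parsed output of the `oc get ... -o json` command named above; each reported mirror is a location where the release payload will be pulled from and where the Sigstore signature images therefore also need to be present.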

      What is the impact?

      The update to 4.21 should flow smoothly, because the openshift ClusterImagePolicy has run-level 90, which comes towards the end of the update. However, future updates or other actions that cause new release-image pulls (e.g. trying to reschedule the cluster-version operator to run on a different control-plane node) might fail on the missing Sigstore signature. The CVO is an important component for steady-state monitoring (e.g. it is responsible for ClusterOperatorDown and ClusterOperatorDegraded alerting), and having it down for extended periods is not recommended.

      How involved is remediation?

      Options include removing the mirror configuration (for example, if it was only used as a performance boost), or one of several approaches to mirroring the Sigstore signature images, as covered in the documentation.

      Is this a regression?

      4.21 is tightening security by enabling the openshift ClusterImagePolicy by default. In order to continue to operate smoothly in these more restrictive conditions, cluster-admins need to be aware of 4.21's new restrictions. This update-risk declaration delivers that awareness for 4.20.12 to 4.21.0 updates. 4.20.13 grows a built-in guard, via OCPBUGS-73884. Later 4.21.z are expected to only allow updates from 4.20.13 or later, and will not need conditional update risk guardrails.

              W. Trevor King (trking)