OpenShift Authentication / AUTH-550

Impact statement request for OCPBUGS-43587: Go 1.22's net/http.ServeMux causes oauth-server to panic with IDP names that contain whitespace [4.17]


    • Type: Spike
    • Resolution: Done
    • Priority: Critical

      Impact statement for the OCPBUGS-43587 and OCPBUGS-44118 series:

      Which 4.y.z to 4.y'.z' updates increase vulnerability?

      Currently any upgrade to 4.17 is affected.

      Which types of clusters?

      Clusters where either of the following conditions is met:

      • At least two password-based IDPs are configured in the OAuth cluster custom resource, and at least one of them has whitespace in its name. If the "kube:admin" user has not been removed from the cluster, it already counts as one password-based IDP. The supported password-based IDPs are currently HTPasswd, Keystone, LDAP, and BasicAuth.
      • At least one OAuth IDP with whitespace in its name is configured. The supported OAuth IDPs are currently OpenID, GitHub, GitLab, and Google.

      The following command lists the names of configured IDPs of those types that contain whitespace. An empty result means neither condition can be met; a non-empty result for a password-based IDP still requires the second part of the first condition (another password-based IDP, or kube:admin still present) for the cluster to be affected:

      oc get oauth cluster -o json | jq -r '(.spec.identityProviders // [])[] | select((.type | IN("HTPasswd","Keystone","LDAP","BasicAuth","OpenID","GitHub","GitLab","Google")) and (.name | test("\\s"))) | .name'

      What is the impact? Is it serious enough to warrant removing update recommendations?

      This causes the oauth-server to crash repeatedly. The consequence is a complete outage of interactive login to the cluster, and the authentication cluster operator goes Degraded. Humans cannot interact with the cluster except with a kubeconfig that does not depend on the oauth-server. Workloads should continue to run, as machine access is not impacted (service accounts, kubelets, client certificates).

      How involved is remediation?

      Removing the whitespace from the affected provider names corrects the problem, but any external system that matches on the IDP name must be changed accordingly. Because login through the oauth-server is broken, the change has to be made with the recovery user or, at worst, by SSHing to a master node and using the rendered system:masters kubeconfig.
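      The failure mode above, next to the guard a fix would add, as an added Go example that is not code from the oauth-server or the OpenShift project. It assumes a hypothetical per-IDP route shape (/oauth2callback/<name>) and uses constructed IDP names. Whether the raw registration panics depends on the Go version: net/http.ServeMux in Go 1.22 and later parses a pattern containing a space or tab as "METHOD PATH" and panics on an invalid method (unless GODEBUG httpmuxgo121=1 restores the old parser), while Go 1.21 accepts the same pattern.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"unicode"
)

// Assumed route shape for this example: a per-IDP path that embeds the IDP name.
// This is how a name with whitespace ends up inside a ServeMux pattern.
const callbackPrefix = "/oauth2callback/"

// hasWhitespace reports whether name contains any Unicode whitespace.
// (ServeMux 1.22 only splits on ' ' and '\t'; rejecting all whitespace is stricter on purpose.)
func hasWhitespace(name string) bool {
	return strings.IndexFunc(name, unicode.IsSpace) >= 0
}

// tryHandle registers pattern on mux and turns a ServeMux panic into an error,
// so the caller can see what the unguarded server would die on at startup.
func tryHandle(mux *http.ServeMux, pattern string, h http.Handler) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("ServeMux panicked for pattern %q: %v", pattern, r)
		}
	}()
	mux.Handle(pattern, h)
	return nil
}

// validateIDPName is the guard: reject names that cannot be embedded in a
// mux pattern instead of letting the process crash.
func validateIDPName(name string) error {
	if name == "" {
		return errors.New("idp name is empty")
	}
	if hasWhitespace(name) {
		return fmt.Errorf("idp name %q contains whitespace", name)
	}
	return nil
}

// registerIDP validates the name, then path-escapes it so that characters
// with meaning in ServeMux pattern syntax (such as "/" or "{") stay literal.
func registerIDP(mux *http.ServeMux, name string, h http.Handler) (string, error) {
	if err := validateIDPName(name); err != nil {
		return "", err
	}
	pattern := callbackPrefix + url.PathEscape(name)
	if err := tryHandle(mux, pattern, h); err != nil {
		return "", err
	}
	return pattern, nil
}

func main() {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })

	// Constructed IDP names; the second mirrors the bug report, the third uses a tab.
	for _, name := range []string{"my-htpasswd", "my idp", "ldap\tcorp"} {
		// Unguarded: embed the raw name in the pattern (panics on Go 1.22+).
		if err := tryHandle(http.NewServeMux(), callbackPrefix+name, h); err != nil {
			fmt.Println("raw   :", err)
		} else {
			fmt.Printf("raw   : registered %q\n", callbackPrefix+name)
		}
		// Guarded: reject before the name reaches the mux.
		if p, err := registerIDP(http.NewServeMux(), name, h); err != nil {
			fmt.Println("guard :", err)
		} else {
			fmt.Println("guard : registered", p)
		}
	}
}
```

      Run with go run. With Go 1.22 the raw registration of "my idp" reports the recovered panic, which matches the crash loop described above; the guarded path rejects the name before it reaches the mux, which is the in-code counterpart of the remediation (renaming the IDP so that no whitespace remains).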

      Is this a regression?

      Yes, this regression was introduced with 4.17.

            rh-ee-irinis Ilias Rinis
            hongkliu Hongkai Liu