We're asking the following questions to evaluate whether or not OCPBUGS-62941 warrants changing update recommendations from either the previous X.Y or X.Y.Z. The ultimate goal is to avoid recommending an update which introduces new risk or reduces cluster functionality in any way. In the absence of a declared update risk (the status quo), there is some risk that the existing fleet updates into the at-risk releases. Depending on the bug and estimated risk, leaving the update risk undeclared may be acceptable.

Sample answers are provided to give more context and the ImpactStatementRequested label has been added to OCPBUGS-62941. When responding, please move this ticket to Code Review. The expectation is that the assignee answers these questions.

Which 4.y.z to 4.y'.z' updates increase vulnerability?

• As far as I am aware, no updates should increase vulnerability to the bug presented here. The bug was fixed prior to the feature being promoted to the default feature set in a 4.20.z release (I believe 4.20.5). The feature is entirely opt-in and no clusters should be opted into this feature yet as it has been tech preview. The bug was only experienced when opted into the feature.

Which types of clusters?

• Clusters where the `authentications.config.openshift.io/cluster` resource has `spec.type` set to `OIDC`.
• This should be no clusters as the bugfix was backported before the feature promotion was backported and the the feature must be explicitly opted into via ^.

What is the impact? Is it serious enough to warrant removing update recommendations?

• n/a

How involved is remediation?

• n/a

Is this a regression?

• n/a