Spike
Resolution: Done
Critical
Impact statement for the OCPBUGS-37486 series:
Which 4.y.z to 4.y'.z' updates increase vulnerability?
(4.14.z and 4.15.(z<17)) updating into 4.15.(17<=z<25).
4.15 to 4.16 has no exposure, because graph-data#5352 landed before 4.16.0's GA, so no exposed GA 4.16.z releases (4.16.(z<6)) bake in updates from any unexposed 4.15 releases (4.15.(z<17)).
Which types of clusters?
Hosted/HyperShift clusters where HostedCluster spec.networking.apiServer.port is 443.
What is the impact? Is it serious enough to warrant removing update recommendations?
Trouble with Pods on compute Nodes connecting to the internal Kubernetes API service via the service IP.
How involved is remediation?
Setting a different spec.networking.apiServer.port? Or updating to a fixed release? Nothing from subject-matter experts in the remediation space yet, as far as I'm aware.
Is this a regression?
Yes. Introduced:
- 4.17.0, hypershift#3942, OCPBUGS-33428. I haven't dug into which EC yet.
- 4.16.0, hypershift#4096, OCPBUGS-34542. Possibly a prerelease and not 4.16.0 itself, but I didn't dig into that because those are covered by PreRelease risks.
- 4.15.17, hypershift#4097, OCPBUGS-34510.
Fixed:
- 4.17.0, hypershift#4422, OCPBUGS-37486. Only last week, so should be fixed in 4.17.0-ec.3, once that gets named.
- 4.16.6, hypershift#4431, OCPBUGS-37645.
- 4.15.25, hypershift#4441, OCPBUGS-37695.
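A fleet triage sketch applying the two conditions stated above (update path and API server port), added here as an example and not part of the original issue or of any OpenShift tooling. The dict layout mirrors the HostedCluster field path named above; the function names, the sample fleet, and treating an unset port as "not 443" are assumptions.

```python
import re

_GA = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse(version):
    """Return (major, minor, patch) for a GA version string such as '4.15.17'."""
    m = _GA.match(version)
    if not m:
        raise ValueError(f"not a GA x.y.z version: {version!r}")
    return tuple(int(g) for g in m.groups())

def source_unexposed(v):
    # Per the statement: 4.14.z and 4.15.(z<17) do not carry the regression.
    return v[:2] == (4, 14) or (v[:2] == (4, 15) and v[2] < 17)

def target_exposed(v):
    # Per the statement: 4.15.(17<=z<25) carries it; 4.15.25 has the fix.
    return v[:2] == (4, 15) and 17 <= v[2] < 25

def api_port(hosted_cluster):
    """Read spec.networking.apiServer.port, tolerating missing or null levels."""
    node = hosted_cluster
    for key in ("spec", "networking", "apiServer"):
        node = (node or {}).get(key)
    return (node or {}).get("port")  # None when unset (assumed: not 443)

def update_increases_exposure(hosted_cluster, current, target):
    if api_port(hosted_cluster) != 443:
        return False
    return source_unexposed(parse(current)) and target_exposed(parse(target))

def triage(fleet):
    """Names of clusters whose planned update moves them into an exposed release."""
    return [name for name, hc, cur, tgt in fleet
            if update_increases_exposure(hc, cur, tgt)]

def hc(port=None):
    # Constructed HostedCluster fragment; only the field under discussion.
    api = {} if port is None else {"port": port}
    return {"spec": {"networking": {"apiServer": api}}}

# Constructed sample inventory: (name, HostedCluster, current, planned target).
FLEET = [
    ("hc-a", hc(443), "4.14.30", "4.15.17"),   # enters exposed range
    ("hc-b", hc(6443), "4.14.30", "4.15.17"),  # port is not 443
    ("hc-c", hc(443), "4.15.10", "4.15.25"),   # target already fixed
    ("hc-d", hc(443), "4.15.16", "4.15.24"),   # last exposed 4.15.z
    ("hc-e", hc(), "4.15.3", "4.15.20"),       # port unset
    ("hc-f", hc(443), "4.15.17", "4.15.20"),   # already exposed, no increase
]
```

`triage(FLEET)` returns the clusters for which holding the update until a fixed target (4.15.25 or later) is available is worth considering.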
- blocks: OCPBUGS-37486 Cannot reach to kubernetes.default.svc.cluster.local from workers of Hosted Cluster (Closed)