- Spike
- Resolution: Done
- Critical
This is an impact statement for the OCPBUGS-32328 series:
Which 4.y.z to 4.y'.z' updates increase vulnerability?
Customers upgrading from any 4.13 or 4.14.[0-14] to 4.14.(>=15), and from 4.14.[0-15] to any current 4.15. Use oc adm upgrade to show your current cluster version.
Which types of clusters?
- Only Azure is affected
- So far this seems like a combination of UPI and something else, which I think is most common in ARO (I think our automated tests lack a bit in that area)
- The condition is for the image-registry-private-configuration-user (UPI) secret to be used, and cluster-wide configuration to be missing (which would provide the job with clientID and tenantID)
What is the impact? Is it serious enough to warrant removing update recommendations?
- Registry operator becomes degraded
- Azure path fix job cannot run, meaning the customer might in some cases experience missing images (if they pushed images to the registry on 4.14.[0-14], these images will not become available until the path fix job runs)
How involved is remediation?
- reasoning: This allows administrators who are already vulnerable, or who chose to waive conditional-update risks, to recover their cluster. And even moderately serious impacts might be acceptable if they are easy to mitigate.
- example: Issue resolves itself after five minutes.
- example: Admin can run a single: oc ....
- example: Admin must SSH to hosts, restore from backups, or other non-standard admin activities.
Is this a regression?
- yes, OCPBUGS-29525 and OCPBUGS-29604 regressed behavior for this subset of Azure clusters while taking their blob-migration fixes back for all Azure clusters.
- blocks: OCPBUGS-32328 Azure upgrades to 4.14.15+ fail with UPI storage account (Closed)
- relates to: IR-461 Impact assessment for OCPBUGS-29003: Default Internal Registry deletes custom images (Closed)