OpenShift Image Registry: IR-487

Impact statement request for OCPBUGS-41524 Add an ACK requirement for upgrading from 4.14 to 4.15 due to the removal of the serviceAccount token secrets


    • Type: Spike
    • Resolution: Done
    • Priority: Critical

      Secrets are no longer automatically generated when the integrated OpenShift image registry is disabled, starting with 4.15

      Starting with 4.15, if you disable the ImageRegistry cluster capability or if you disable the integrated OpenShift image registry in the Cluster Image Registry Operator’s configuration, a service account token secret and an image pull secret are no longer generated for each service account. [1]

      Any existing secrets of this kind are also cleaned up when the internal image registry is disabled or removed [2]. Clusters on a 4.14.* version that do not run the internal image registry may be using these secrets for other purposes. An upgrade from a 4.14.* to a 4.15.* version causes the secrets to be removed, so any resources that still use them will fail. These may be running workloads, which will need to be manually modified.

      Which 4.y.z to 4.y'.z' updates increase vulnerability?

      • Customers upgrading from 4.14.* to 4.15.*

      Which types of clusters?

      • Clusters where the internal image registry is disabled or removed. The imageregistry_build_info metric could potentially be used to check whether any image registry is running.

      What is the impact? Is it serious enough to warrant removing update recommendations?

      • An upgrade from a 4.14.* to a 4.15.* version causes the secrets to be removed, so any resources that still use them will fail. These may be running workloads, which will need to be manually modified.

      How involved is remediation?

      • Any resources that use the removed secrets need to be modified so that they no longer depend on them.

      Is this a regression?

      • No. This was done on purpose, to reclaim space in etcd and to prevent abuse of the token secrets that were still being generated. [3]
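      A pre-upgrade check for the remediation described above, added here as an example and not part of the issue or of any OpenShift tooling: it takes the parsed output of `oc get secrets -A -o json` and `oc get pods -A -o json` and lists the pods that still mount, pull with, or read environment variables from the service-account-generated secrets that the 4.15 upgrade removes. It assumes those secrets can be recognised by their type (`kubernetes.io/service-account-token` or `kubernetes.io/dockercfg`) together with the `kubernetes.io/service-account.name` annotation; the sample secrets and pods are constructed.

```python
# Pre-upgrade check (4.14 -> 4.15, registry disabled): pods that still reference SA-generated secrets.
AUTO_TYPES = {"kubernetes.io/service-account-token", "kubernetes.io/dockercfg"}
SA_ANNOTATION = "kubernetes.io/service-account.name"  # assumed marker of SA-generated secrets

def auto_generated_secrets(secret_list):
    """(namespace, name) of every secret of an auto-generated type carrying the SA annotation."""
    return {(s["metadata"]["namespace"], s["metadata"]["name"]) for s in secret_list["items"]
            if s.get("type") in AUTO_TYPES
            and SA_ANNOTATION in s["metadata"].get("annotations", {})}

def secret_refs(pod):
    """Secret names a pod uses via secret volumes, imagePullSecrets or secretKeyRef env vars."""
    spec = pod["spec"]
    names = set()
    for v in spec.get("volumes", []):
        if "secret" in v:
            names.add(v["secret"]["secretName"])
    for ref in spec.get("imagePullSecrets", []):
        names.add(ref["name"])
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            key_ref = e.get("valueFrom", {}).get("secretKeyRef")
            if key_ref:
                names.add(key_ref["name"])
    return names

def affected_pods(secret_list, pod_list):
    """Sorted (namespace, pod, secret) tuples: workloads to change before the upgrade."""
    doomed = auto_generated_secrets(secret_list)
    return sorted((p["metadata"]["namespace"], p["metadata"]["name"], name)
                  for p in pod_list["items"] for name in secret_refs(p)
                  if (p["metadata"]["namespace"], name) in doomed)

# Constructed sample data in the shape of `oc get secrets -A -o json` and `oc get pods -A -o json`.
SECRETS = {"items": [
    {"type": "kubernetes.io/service-account-token", "metadata": {"namespace": "app",
     "name": "builder-token-abc12", "annotations": {SA_ANNOTATION: "builder"}}},
    {"type": "kubernetes.io/dockercfg", "metadata": {"namespace": "app",
     "name": "default-dockercfg-xyz98", "annotations": {SA_ANNOTATION: "default"}}},
    {"type": "kubernetes.io/tls", "metadata": {"namespace": "app", "name": "my-tls"}}]}
PODS = {"items": [
    {"metadata": {"namespace": "app", "name": "ci-runner"}, "spec": {"containers": [],
     "volumes": [{"name": "tok", "secret": {"secretName": "builder-token-abc12"}}]}},
    {"metadata": {"namespace": "app", "name": "web"}, "spec": {
     "imagePullSecrets": [{"name": "default-dockercfg-xyz98"}],
     "containers": [{"name": "c", "env": [{"name": "CRT", "valueFrom": {
         "secretKeyRef": {"name": "my-tls", "key": "tls.crt"}}}]}]}}]}
```

      On a real cluster, load the two `oc get ... -o json` dumps with `json.load` and pass them to `affected_pods`; the `my-tls` secret in the sample is a control that is not reported because it is not service-account-generated.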

              Assignee: Unassigned
              Reporter: Petr Muller (afri@afri.cz)