Impact statement for the OCPBUGS-56446 series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

Any upgrades of clusters with RHEL worker nodes (or non-CoreOS variants) to the following versions:

• 4.16.38 or higher
• 4.17.22 or higher
• 4.18.6 or higher

Which types of clusters?

Clusters running impacted releases (see the previous section) with package-managed RHEL nodes, regardless of platform.

Check the current cluster version with:

$ oc adm upgrade

This does not affect 4.19 or higher, because we no longer support RHEL worker nodes there (OCPBUGS-53427). If the cluster version is 4.18 or lower, check for package-managed RHEL nodes with:

$ oc get -l node.openshift.io/os_id=rhel nodes

If the output contains any nodes, the cluster is exposed.

What is the impact? Is it serious enough to warrant removing update recommendations?

RHEL worker nodes will fail to reboot during a node update. This will eventually result in the MCO degrading the cluster.

How involved is remediation?

Fairly involved, a cluster administrator needs to create and apply a "fake" service that always returns success on all RHEL worker nodes. This can get cumbersome on clusters with a large number of RHEL nodes. 

Is this a regression?

Yes, this breaks upgrades for clusters with package-managed RHEL worker nodes, which is supported through 4.18 (package-managed RHEL nodes are no longer supported in 4.19, OCPBUGS-53427).