Spike
Resolution: Done
Critical
MCO Sprint 232
This card is only for the impact assessment of OCPBUGS-7559. For more details, check the bug link.
Which 4.y.z to 4.y'.z' updates increase vulnerability?
This issue occurs when a cluster born on OCP 4.1 has been upgraded to OCP 4.11.0 or any later release.
Which types of clusters?
This only impacts AWS clusters.
What is the impact? Is it serious enough to warrant removing update recommendations?
AWS clusters that were originally created on OCP 4.1 and have since been upgraded to 4.11.0 or any later release will see the issue. As a result of the issue, node scale-up will fail. This is because OCP 4.1 didn't have the afterburn package as part of the RHCOS bootimage.
In OCP 4.11, we added two services, aws-kubelet-providerid.service and aws-kubelet-nodename.service, with PRs https://github.com/openshift/machine-config-operator/pull/3170/ and https://github.com/openshift/machine-config-operator/pull/2988, and both services require afterburn.service. Since afterburn.service is not present in the 4.1 bootimage, new nodes fail to join the cluster during scale-up.
How involved is remediation?
To resolve the problem, we will need to update the machinesets with an AMI ID referring to a 4.2 or later release. We may also need to update the *-user-data secret so that it points to Ignition 3.0.0 or later.
Is this a regression?
Yes, it is a regression introduced with the OCP 4.11.0 release.
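To scope the remediation described above, the following added example (not code from the bug or from the machine-config-operator project) audits MachineSet and Secret objects as exported with `oc get ... -o json` and flags user-data secrets whose Ignition version is below 3.0.0. The sample objects, machineset names and AMI IDs are constructed placeholders; the field paths assume the AWS providerSpec layout and a `userData` key in the secret.

```python
import base64
import json

MIN_IGNITION = (3, 0, 0)  # remediation target stated on this page

def ignition_version(secret):
    """Return the Ignition spec version tuple from a *-user-data Secret object."""
    raw = base64.b64decode(secret["data"]["userData"])
    version = json.loads(raw)["ignition"]["version"]
    # Drop any pre-release suffix such as "3.1.0-experimental".
    return tuple(int(p) for p in version.split("-")[0].split("."))

def audit_machinesets(machinesets, secrets):
    """List each AWS MachineSet's boot AMI and whether its user data needs updating."""
    findings = []
    for ms in machinesets["items"]:
        provider = ms["spec"]["template"]["spec"]["providerSpec"]["value"]
        secret_name = provider["userDataSecret"]["name"]
        version = ignition_version(secrets[secret_name])
        findings.append({
            "machineset": ms["metadata"]["name"],
            "ami": provider["ami"]["id"],  # compare by hand against the RHCOS AMI list
            "user_data_secret": secret_name,
            "ignition": ".".join(map(str, version)),
            "needs_user_data_update": version < MIN_IGNITION,
        })
    return findings

def make_secret(ignition_cfg):
    """Build a constructed Secret object holding a base64 Ignition config."""
    data = base64.b64encode(json.dumps(ignition_cfg).encode()).decode()
    return {"data": {"userData": data}}

def make_machineset(name, ami, secret):
    """Build a constructed MachineSet object with only the fields audited here."""
    value = {"ami": {"id": ami}, "userDataSecret": {"name": secret}}
    return {"metadata": {"name": name},
            "spec": {"template": {"spec": {"providerSpec": {"value": value}}}}}

# Constructed sample data; names and AMI IDs are placeholders, not real values.
SAMPLE_MACHINESETS = {"items": [
    make_machineset("demo-worker-a", "ami-PLACEHOLDER-OLD", "demo-user-data-old"),
    make_machineset("demo-worker-b", "ami-PLACEHOLDER-NEW", "demo-user-data-new"),
]}
SAMPLE_SECRETS = {
    "demo-user-data-old": make_secret({"ignition": {"version": "2.2.0"}}),
    "demo-user-data-new": make_secret({"ignition": {"version": "3.2.0"}}),
}

if __name__ == "__main__":
    for row in audit_machinesets(SAMPLE_MACHINESETS, SAMPLE_SECRETS):
        print(row)
```

The AMI ID alone does not reveal the RHCOS release, so the script only reports it; whether it refers to a 4.2 or later boot image has to be checked separately.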
- blocks: OCPBUGS-7559 Newly provisioned machines unable to join cluster (Closed)
- clones: COS-1942 Impact Old AWS boot images vs. 4.12: unknown provider 'ec2' (Closed)