OpenShift Cloud / OCPCLOUD-2434

Impact ECR Image pull fails in spite of attaching the AmazonEC2ContainerRegistryReadOnly policy to the worker nodes


    • Type: Spike
    • Resolution: Done
    • Priority: Critical

      Which 4.y.z to 4.y'.z' updates increase vulnerability?

      Upgrading any version prior to 4.14, into any 4.14.z or higher

      Which types of clusters?

      AWS clusters that require access to pull images from Private ECR registries.

      What is the impact? Is it serious enough to warrant removing update recommendations?

      Images can no longer be pulled from the ECR private registry.

      Customers that have a container pulling from ECR, during an upgrade to 4.14...:

      ...if they have a PDB:

      • And the ImagePullPolicy is Always:
        • The first pod in the set will be moved, enter ImagePullBackOff and the cluster upgrade will halt.
        • Worker MachineConfigPool will never reach an upgraded state
      • And the ImagePullPolicy is IfNotPresent:
        • Undefined behaviour, the image may or may not be present on workers so users may be lucky, or they may end up in the same situation as the Always ImagePullPolicy case

      ...if they do not have a PDB:

      • And the ImagePullPolicy is Always:
        • All pods that require pulling from an ECR private registry will enter ImagePullBackOff during the upgrade
      • And the ImagePullPolicy is IfNotPresent:
        • As above, users may get lucky, or may end up in ImagePullBackOff

      How involved is remediation?

      Users can provide a token in the form of a pull secret and reference this within their workloads.
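      The following is an added example of that remediation, not code from the issue or from OpenShift itself. It builds the kubernetes.io/dockerconfigjson pull secret for a private ECR registry and a Pod that references it, so the pull no longer depends on the worker node's EC2 instance credentials. The registry hostname, account ID, secret name, namespace, image and token below are constructed placeholders; in practice the token comes from `aws ecr get-login-password --region <region>`.

```shell
#!/bin/sh
# Added example (not from OCPCLOUD-2434): build the pull secret the remediation
# refers to, so a workload pulls from a private ECR registry with an explicit
# token instead of the worker node's instance credentials.
#
# Placeholders (constructed, not values from the issue):
#   registry  - <account-id>.dkr.ecr.<region>.amazonaws.com
#   token     - output of `aws ecr get-login-password --region <region>`

# ECR authenticates docker-style pulls with the fixed username "AWS" and the
# short-lived token as the password; the docker config "auth" field is
# base64("AWS:<token>"). tr strips the line wrapping some base64 builds add.
ecr_auth_string() {
  token=$1
  printf '%s' "AWS:$token" | base64 | tr -d '\n'
}

# The .dockerconfigjson payload for the Secret, keyed by registry hostname.
ecr_dockerconfig_json() {
  registry=$1
  token=$2
  printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$registry" "$token" "$(ecr_auth_string "$token")"
}

# Emit the Secret manifest. stringData lets the API server base64-encode the
# JSON, which keeps the manifest readable for review.
ecr_pull_secret_manifest() {
  name=$1; namespace=$2; registry=$3; token=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: '$(ecr_dockerconfig_json "$registry" "$token")'
EOF
}

# Reference the Secret from the workload via imagePullSecrets. The alternative
# is attaching it to the workload's ServiceAccount:
#   oc secrets link <serviceaccount> <secret> --for=pull
ecr_pod_manifest() {
  name=$1; namespace=$2; image=$3; secret=$4
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
  namespace: $namespace
spec:
  imagePullSecrets:
    - name: $secret
  containers:
    - name: app
      image: $image
      imagePullPolicy: Always
EOF
}

# Demo with constructed values; pipe the output into `oc apply -f -` for real
# use, after replacing the token with a freshly issued one.
demo_registry='123456789012.dkr.ecr.us-east-1.amazonaws.com'
demo_token='constructed-ecr-token'
ecr_pull_secret_manifest ecr-pull myapp "$demo_registry" "$demo_token"
echo '---'
ecr_pod_manifest app myapp "$demo_registry/myapp:1.0" ecr-pull
```

      The one-liner equivalent of the Secret manifest is `oc create secret docker-registry ecr-pull --docker-server=<registry> --docker-username=AWS --docker-password=<token>`. Either way, an ECR authorization token is only valid for 12 hours, so the secret has to be regenerated on a schedule (for example from a CronJob) or the workload will return to ImagePullBackOff on its next pull.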

      Is this a regression?

      Yes, code was removed between 4.13 and 4.14. We used to use the EC2 instances' credentials to pull images from ECR; this is no longer possible.

            Joel Speed (joelspeed)
            W. Trevor King (trking)