Which 4.y.z to 4.y'.z' updates increase vulnerability?

• Updates to 4.13.14 or later, until OCPBUGS-21721 was fixed in 4.13.19.
• Updates from 4.12 into the impacted 4.13.z releases will trigger this issue.
• Updates from earlier 4.13.z into the impacted 4.13.z releases will trigger this issue.
• Updates within the impacted 4.13.z (e.g. from 4.13.14 to 4.13.15) will trigger this issue.

Which types of clusters?

• All clusters.

What is the impact? Is it serious enough to warrant removing update recommendations?

• The cluster is Upgradeable=False, blocking updates to 4.14 until the issue is remediated. If oc adm upgrade output includes:

Cluster minor level upgrades are not allowed while resource deletions are in progress; resources=clusterrolebinding "default-account-openshift-machine-config-operator"

you have been impacted. Aside from the Upgradeable=False blocking updates to 4.14, there is no impact on the cluster functionality.

How involved is remediation?

• Impacted clusters can restart the cluster-version operator after the update to 4.13 completes: oc -n openshift-cluster-version delete -l k8s-app=cluster-version-operator pods. The replacement CVO will not be impacted. This may happen automatically if the CVO container restarts or the pod is rescheduled, for clusters that spend a long enough time on 4.13.
• Alternatively, updating to a 4.13.z that includes the fix for OCPBUGS-21721 (4.13.19 and later) will recover the cluster.

Is this a regression?

• Yes, #3923 (OCPBUGS-19400) accidentally brought the delete manifest back to 4.13.14. 4.13.(z<14) were not exposed.