OTA-1860 (OpenShift Over the Air)

CVO should not block patch updates when cluster version overrides are set

    • OCP Node Core Sprint 284

      Problem

      In 4.21, the openshift ClusterImagePolicy is enabled by default (OCPSTRAT-2471), enforcing Sigstore signature verification for release images. The supported mechanism to disable this policy is a ClusterVersion override (cv.spec.overrides) for that policy object with unmanaged: true, as documented in the openshift-image-policy enhancement.

      However, setting any override with unmanaged: true causes CVO to set Upgradeable=False and block all upgrades, including z-stream/patch updates. This is overly restrictive — users who legitimately disable the default signature policy (e.g., disconnected environments where mirror registries cannot serve Sigstore signatures, or CI/QE with unsigned builds) are locked out of patch updates that deliver critical security and bug fixes.

      Expected behavior

      Overrides should continue to block minor/major version upgrades via Upgradeable=False, but should not block patch-level (z-stream) updates. When a patch update proceeds with overrides set, it should be recorded as an accepted risk in the update history.

      Update type              Overrides set   Expected result
      Patch (4.21.1 → 4.21.2)  Yes             Allowed, accepted risk recorded in update history
      Minor (4.21.x → 4.22.0)  Yes             Blocked by Upgradeable=False
      Major                    Yes             Blocked by Upgradeable=False
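      The decision logic the table above asks for, written out as an added Go example. This is not CVO code and not part of this issue; it reads spec.overrides from a constructed ClusterVersion JSON (the override shape the enhancement describes for the openshift ClusterImagePolicy), classifies a proposed update as patch, minor or major, and only blocks the latter two while overrides are set. The accepted-risk and reason strings are illustrative placeholders, not the strings CVO records.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Minimal slice of the config.openshift.io/v1 ClusterVersion schema: just enough to read spec.overrides.
type componentOverride struct {
	Kind      string `json:"kind"`
	Group     string `json:"group"`
	Namespace string `json:"namespace"`
	Name      string `json:"name"`
	Unmanaged bool   `json:"unmanaged"`
}

type clusterVersion struct {
	Spec struct {
		Overrides []componentOverride `json:"overrides"`
	} `json:"spec"`
}

// Constructed sample, not taken from a real cluster: an override that makes the
// default "openshift" ClusterImagePolicy unmanaged, which disables signature enforcement.
const sampleCV = `{
  "spec": {
    "overrides": [
      {"kind": "ClusterImagePolicy", "group": "config.openshift.io",
       "namespace": "", "name": "openshift", "unmanaged": true}
    ]
  }
}`

// UnmanagedOverrides returns only the spec.overrides entries with unmanaged: true;
// an override with unmanaged: false does not hand the object back to the cluster.
func UnmanagedOverrides(raw string) ([]componentOverride, error) {
	var cv clusterVersion
	if err := json.Unmarshal([]byte(raw), &cv); err != nil {
		return nil, err
	}
	var out []componentOverride
	for _, o := range cv.Spec.Overrides {
		if o.Unmanaged {
			out = append(out, o)
		}
	}
	return out, nil
}

type UpdateKind int

const (
	Patch UpdateKind = iota
	Minor
	Major
)

func (k UpdateKind) String() string { return [...]string{"patch", "minor", "major"}[k] }

// parseVersion splits "MAJOR.MINOR.PATCH" (an optional "-pre-release" suffix is ignored) into numbers.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(strings.SplitN(v, "-", 2)[0], ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("version %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// ClassifyUpdate reports whether moving from current to target is a patch, minor or major update.
func ClassifyUpdate(current, target string) (UpdateKind, error) {
	c, err := parseVersion(current)
	if err != nil {
		return Patch, err
	}
	t, err := parseVersion(target)
	if err != nil {
		return Patch, err
	}
	switch {
	case c[0] != t[0]:
		return Major, nil
	case c[1] != t[1]:
		return Minor, nil
	}
	return Patch, nil
}

// Decision is the outcome: AcceptedRisk is non-empty when a patch update proceeds despite overrides.
type Decision struct {
	Allowed      bool
	AcceptedRisk string
	Reason       string
}

// Evaluate applies the expected-behaviour table: with no unmanaged overrides everything is
// allowed; with overrides, patch updates proceed with an accepted risk, minor/major are blocked.
func Evaluate(current, target string, overrides []componentOverride) (Decision, error) {
	kind, err := ClassifyUpdate(current, target)
	if err != nil {
		return Decision{}, err
	}
	if len(overrides) == 0 {
		return Decision{Allowed: true}, nil
	}
	names := make([]string, 0, len(overrides))
	for _, o := range overrides {
		names = append(names, o.Kind+"/"+o.Name)
	}
	set := strings.Join(names, ",")
	if kind == Patch {
		// Placeholder wording; CVO's real update-history entry is not specified here.
		return Decision{Allowed: true, AcceptedRisk: "unmanaged overrides set: " + set}, nil
	}
	return Decision{Allowed: false, Reason: fmt.Sprintf("Upgradeable=False: %s update blocked while overrides are set (%s)", kind, set)}, nil
}

func main() {
	ov, err := UnmanagedOverrides(sampleCV)
	if err != nil {
		panic(err)
	}
	for _, p := range [][2]string{{"4.21.1", "4.21.2"}, {"4.21.3", "4.22.0"}} {
		d, err := Evaluate(p[0], p[1], ov)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %s: allowed=%v risk=%q reason=%q\n", p[0], p[1], d.Allowed, d.AcceptedRisk, d.Reason)
	}
}
```

      Note that only unmanaged: true entries count: an override left in place with unmanaged: false does not stop CVO from managing the object and should not affect Upgradeable at all.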

      Acceptance criteria

      • A cluster with overrides set can complete z-stream/patch updates (accepted risk recorded in update history)
      • Minor and major version upgrades remain blocked when overrides are set
      • oc adm upgrade correctly reflects that overrides prevent minor/major version upgrades (not all upgrades)

      Fix version

      4.22 with backport to 4.21.z required — disconnected environments and CI workflows are actively impacted in 4.21 (see OCPBUGS-70261).

              harpatil@redhat.com Harshal Patil