Expand Up @@ -63,7 +63,7 @@ spec:
type: object
properties:
force:
description: "force allows an administrator to update to an image that has failed verification, does not appear in the availableUpdates list, or otherwise would be blocked by normal protections on update. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. Do not use this flag with images that comes from unknown or potentially malicious sources. \n This flag does not override other forms of consistency checking that are required before a new update is deployed."
description: force allows an administrator to update to an image that has failed verification or upgradeable checks. This option should only be used when the authenticity of the provided image has been verified out of band because the provided image will run with full administrative access to the cluster. Do not use this flag with images that comes from unknown or potentially malicious sources.

@wking "upgradeable checks" is still somewhat unclear to someone not steeped in our internal meanings.

"there is no edge from your cluster version to this target version" is an "upgradeable check" (at least to a naive user) but not one that force has any influence on, right?

type: boolean
image:
description: image is a container image location that contains the update. When this field is part of spec, image is optional if version is specified and the availableUpdates field contains a matching version.
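
Review bot: the new `force` description drops the closing sentence "This flag does not override other forms of consistency checking that are required before a new update is deployed" without saying what, if anything, is still enforced when `force` is set. For a flag whose own text warns that the image "will run with full administrative access to the cluster", the description should list exactly which protections are bypassed and which are not, rather than leaving that to inference from "verification or upgradeable checks". While this line is being touched, "images that comes from" should read "images that come from".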
Expand Down Expand Up @@ -207,7 +207,7 @@ spec:
description: state reflects whether the update was fully applied. The Partial state indicates the update is not fully applied, while the Completed state indicates the update was successfully rolled out at least once (all parts of the update successfully applied).
type: string
verified:
description: verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted.
description: verified indicates whether the provided update was properly verified before it was installed. If this is false the cluster may not be trusted. Verified does not cover upgradeable checks that depend on the cluster state at the time when the update target was accepted.
type: boolean
version:
description: version is a semantic versioning identifying the update version. If the requested image does not define a version, or if a failure occurs retrieving the image, this value may be empty.
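
Review bot: the sentence added to the `verified` description leans on "upgradeable checks", a term none of the visible descriptions define, and it only says what `verified` does not cover. Because `force` is documented in this same change as bypassing both verification and upgradeable checks, a reader auditing update history needs to know that `verified: true` says nothing about whether upgradeable checks were skipped. Consider stating what `verified` does attest to, and where (if anywhere) a bypassed upgradeable check is recorded.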
13 changes: 8 additions & 5 deletions config/v1/types_cluster_version.go
Expand Up @@ -157,6 +157,7 @@ type UpdateHistory struct {
// +kubebuilder:validation:Required
// +required
StartedTime metav1.Time `json:"startedTime"`

// completionTime, if set, is when the update was fully applied. The update
// that is currently being applied will have a null completion time.
// Completion time will always be set for entries that are not the current
Expand All @@ -172,13 +173,17 @@ type UpdateHistory struct {
//
// +optional
Version string `json:"version"`

// image is a container image location that contains the update. This value
// is always populated.
// +kubebuilder:validation:Required
// +required
Image string `json:"image"`

// verified indicates whether the provided update was properly verified
// before it was installed. If this is false the cluster may not be trusted.
// Verified does not cover upgradeable checks that depend on the cluster
// state at the time when the update target was accepted.
// +kubebuilder:validation:Required
// +required
Verified bool `json:"verified"`
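
Review bot: the two comment lines added above `Verified` start their sentence with a capitalized "Verified", while the other field comments in this hunk open with the lowercase JSON name ("image is a container image location", "verified indicates whether"). Suggest "verified does not cover upgradeable checks that depend on ..." here and in the matching CRD description so the field is referred to the same way throughout.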
Expand Down Expand Up @@ -229,23 +234,21 @@ type Update struct {
//
// +optional
Version string `json:"version"`

// image is a container image location that contains the update. When this
// field is part of spec, image is optional if version is specified and the
// availableUpdates field contains a matching version.
//
// +optional
Image string `json:"image"`

// force allows an administrator to update to an image that has failed
// verification, does not appear in the availableUpdates list, or otherwise
// would be blocked by normal protections on update. This option should only
// verification or upgradeable checks. This option should only
// be used when the authenticity of the provided image has been verified out
// of band because the provided image will run with full administrative access
// to the cluster. Do not use this flag with images that comes from unknown
// or potentially malicious sources.
//
// This flag does not override other forms of consistency checking that are
// required before a new update is deployed.
//
// +optional
Force bool `json:"force"`
}
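
Review bot: with "does not appear in the availableUpdates list" removed from the `Force` comment, nothing in this struct says what happens when `image` points at a release that is not in `availableUpdates`. The `Image` comment just above mentions `availableUpdates` only for the case where `version` is given and `image` is omitted. Please add one sentence, on either field, stating whether such an image is accepted without `force`, so administrators do not set `force` (and skip verification) just to reach an unlisted image.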
4 changes: 2 additions & 2 deletions config/v1/zz_generated.swagger_doc_generated.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.