OTA-1548: set up accepted risks

[hongkailiu]

With OC_ENABLE_CMD_UPGRADE_ACCEPT_RISKS=true, a new command oc adm upgrade accept is enabled. It accepts comma-separated risks exposed to an OpenShift release [1].

The risks are stored in clusterversion/version's .specs.desiredUpdate.acceptRisks.

[1]. https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#understanding-clusterversion-conditiontypes_understanding-openshift-updates

Summary by CodeRabbit

• New Features

  • Added a CLI command to manage accepting conditional update risks.
  • CLI can set per-command environment variables for test commands.

• Improvements

  • Upgrade flow now preserves accepted risks when constructing or clearing updates.
  • Rollback command is now visible in the CLI.
  • Feature-gate wiring added for the new accept command.

• Tests

  • Added unit tests for add/remove/replace/clear risk logic and new end-to-end tests.

• Chores

  • Updated dependencies.

• Style

  • Expanded describer exceptions for an additional API group/version.

[openshift-ci-robot]

@hongkailiu: This pull request references OTA-1548 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

With OC_ENABLE_CMD_UPGRADE_ACCEPT_RISKS=true, a new command oc adm upgrade accept is enabled. It accepts comma-separated risks exposed to an OpenShift release [1].

The risks are stored in clusterversion/version's .specs.desiredUpdate.acceptRisks.

[1]. https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html-single/updating_clusters/index#understanding-clusterversion-conditiontypes_understanding-openshift-updates

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e784c57c-a329-4e78-a606-761093093199

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a new Cobra subcommand to manage ClusterVersion.spec.desiredUpdate.acceptRisks, wires it behind a feature gate, propagates AcceptRisks into upgrade/cancel flows, adds unit and e2e tests, extends test CLI env var support, tweaks rollback visibility and describer exceptions, and bumps two dependencies. (≤50 words)

Changes

Cohort / File(s)	Summary
Accept Risk command & unit tests pkg/cli/admin/upgrade/accept/accept.go, pkg/cli/admin/upgrade/accept/accept_test.go	New accept Cobra command (New) with options, clusterVersionInterface, Complete/Run, getAcceptRisks, patchDesiredUpdate, flag handling (--replace,--clear), validation logic, and unit tests for getAcceptRisks.
Upgrade integration pkg/cli/admin/upgrade/upgrade.go	Wired accept subcommand behind OC_ENABLE_CMD_UPGRADE_ACCEPT_RISKS; changed cancel/update flows to preserve and propagate spec.desiredUpdate.acceptRisks when constructing and patching updates.
E2E tests & CLI env var support test/e2e/accept.go, test/e2e/util.go	New e2e test exercising accept-risk CLI flows and helper verifyAcceptRisks; test CLI utilities extended to support per-command env vars (CLI.EnvVar) and IsTechPreviewNoUpgrade/SkipIfNotTechPreviewNoUpgrade.
CLI rollback visibility pkg/cli/admin/upgrade/rollback/rollback.go	Removed Hidden: true from rollback cobra.Command (command now visible); minor formatting adjustments.
Describer test exceptions pkg/helpers/describe/describer_test.go	Added {Group: "apiextensions.openshift.io", Version: "v1alpha1"} to MissingDescriberGroupCoverageExceptions.
Dependencies go.mod	Bumped github.com/openshift/api and github.com/openshift/client-go versions in require block.

Sequence Diagram(s)

sequenceDiagram
    participant User as "User"
    participant CLI as "oc upgrade accept\n(Cobra cmd)"
    participant Client as "ClusterVersion client"
    participant API as "Kubernetes API / ClusterVersion"

    User->>CLI: invoke command (tokens, --replace/--clear)
    CLI->>CLI: parse flags, validate args
    CLI->>Client: GET ClusterVersion
    Client->>API: GET /clusterversions/{name}
    API-->>Client: return ClusterVersion (includes spec.desiredUpdate.acceptRisks)
    Client-->>CLI: return cv
    CLI->>CLI: compute new acceptRisks (getAcceptRisks)
    alt changes required
        CLI->>Client: PATCH ClusterVersion (JSON Merge Patch)
        Client->>API: PATCH /clusterversions/{name}
        API-->>Client: patched cv
        Client-->>CLI: success
        CLI->>User: print updated acceptRisks
    else no changes
        CLI->>User: print "no changes"
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 18.18% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test code violates multiple requirements: e2e test assumes pristine cluster state and forcibly clears AcceptRisks instead of preserving original state; uses [Serial] in name without g.Serial decorator; lacks context deadlines; helper function assertions missing failure messages; environment variable handling inconsistent across Output/Outputs/Background methods.	Preserve/restore original acceptRisks state in BeforeEach/AfterEach; add g.Serial decorator; use context with deadline instead of context.TODO(); add failure messages to all assertions; centralize environment variable construction in buildEnv() helper applied consistently across all methods.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'OTA-1548: set up accepted risks' directly references the Jira ticket and describes the main feature added: setting up accepted risks functionality for cluster upgrades.
Stable And Deterministic Test Names	✅ Passed	All test names are static strings with no generated components, dynamic identifiers, timestamps, UUIDs, or values that change between runs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

pkg/cli/admin/upgrade/accept/accept.go (1)

134-136: Placeholder logic pending API update.

The hardcoded fake risks bypass actual ClusterVersion data. Ensure this is tracked for completion once the o/api dependency is updated.

Would you like me to open an issue to track this TODO?

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between f68dc90 and 42ccc9a.

📒 Files selected for processing (2)

• pkg/cli/admin/upgrade/accept/accept.go
• pkg/cli/admin/upgrade/upgrade.go

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/cli/admin/upgrade/accept/accept.go
• pkg/cli/admin/upgrade/upgrade.go

🧬 Code graph analysis (2)

pkg/cli/admin/upgrade/accept/accept.go (1)

pkg/cli/admin/upgrade/upgrade.go (1)

• New (56-132)

pkg/cli/admin/upgrade/upgrade.go (1)

pkg/cli/admin/upgrade/accept/accept.go (1)

• New (29-57)

🔇 Additional comments (1)

pkg/cli/admin/upgrade/upgrade.go (1)

28-28: LGTM!

The import and feature gate wiring follow the established pattern used for the status and rollback subcommands.

Also applies to: 126-128

[hongkailiu]

I will wait a bit on

• e2e utilities from https://github.com/openshift/oc/pull/2181/files#diff-c3b02e1c6c92fc59f6b49a20a38dbf177d8bf4189579639ab6e08a329b85cf59
• bump o/api from the team.

[hongkailiu]

Cluster bot: launch 4.22.0-0.nightly aws,techpreview. Note that the new accept cmd probably wont work with a cluster in 4.21. But i have not tested myself.

Testing results with 583aa51:

CGO_CFLAGS="-I/opt/homebrew/opt/heimdal/include" make oc                   
go build -mod=vendor -tags 'include_gcs include_oss containers_image_openpgp gssapi' -ldflags "-X github.com/openshift/oc/pkg/version.versionFromGit="v4.2.0-alpha.0-2854-g072f397" -X github.com/openshift/oc/pkg/version.commitFromGit="072f397b9" -X github.com/openshift/oc/pkg/version.gitTreeState="dirty" -X github.com/openshift/oc/pkg/version.buildDate="2026-01-26T02:45:16Z" -X k8s.io/component-base/version.gitMajor="1" -X k8s.io/component-base/version.gitMinor="34" -X k8s.io/component-base/version.gitVersion="v1.34.1" -X k8s.io/component-base/version.gitCommit="072f397b9" -X k8s.io/component-base/version.buildDate="2026-01-26T02:45:14Z" -X k8s.io/component-base/version.gitTreeState="clean" -X k8s.io/client-go/pkg/version.gitVersion="v4.2.0-alpha.0-2854-g072f397" -X k8s.io/client-go/pkg/version.gitCommit="072f397b9" -X k8s.io/client-go/pkg/version.buildDate="2026-01-26T02:45:14Z" -X k8s.io/client-go/pkg/version.gitTreeState="dirty"" github.com/openshift/oc/cmd/oc

$ OC_ENABLE_CMD_UPGRADE_ACCEPT_RISKS=true ./oc adm upgrade accept riskA,riskB
info: Accept risks are [riskA, riskB]
$ oc get clusterversion version -o yaml | yq -y .spec.desiredUpdate          
acceptRisks:
  - name: riskA
  - name: riskB
architecture: ''
force: false
image: registry.build07.ci.openshift.org/ci-ln-gz13mrk/release@sha256:9cd1f1b0227f6f61ae6a921a12fedc1d89a73733a12ba2f2b98620c00e6b65cb
version: 4.22.0-0.nightly-2026-01-24-213011
$  OC_ENABLE_CMD_UPGRADE_ACCEPT_RISKS=true ./oc adm upgrade accept --clear                  
info: Accept risks are []
$ oc get clusterversion version -o yaml | yq -y .spec.desiredUpdate      
architecture: ''
force: false
image: registry.build07.ci.openshift.org/ci-ln-gz13mrk/release@sha256:9cd1f1b0227f6f61ae6a921a12fedc1d89a73733a12ba2f2b98620c00e6b65cb
version: 4.22.0-0.nightly-2026-01-24-213011
$ OC_ENABLE_CMD_UPGRADE_ACCEPT_RISKS=true ./oc adm upgrade accept riskA,riskB
info: Accept risks are [riskA, riskB]
$ OC_ENABLE_CMD_UPGRADE_ACCEPT_RISKS=true ./oc adm upgrade --to-image quay.io/openshift-release-dev/ocp-release@sha256:eea721e62d3a06a742adc3d10d9c430af061694d558da9a8d9a17c52a342ddd4 --force --allow-explicit-upgrade --allow-upgrade-with-warnings
warning: The requested upgrade image is not one of the available updates. You have used --allow-explicit-upgrade for the update to proceed anyway
warning: --force overrides cluster verification of your supplied release image and waives any update precondition failures. Only use this if you are testing unsigned release images or you are working around a known bug in the cluster-version operator and you have verified the authenticity of the provided image yourself.
Requested update to release image quay.io/openshift-release-dev/ocp-release@sha256:eea721e62d3a06a742adc3d10d9c430af061694d558da9a8d9a17c52a342ddd4
$ oc get clusterversion version -o yaml | yq -y .spec.desiredUpdate          
acceptRisks:
  - name: riskA
  - name: riskB
architecture: ''
force: true
image: quay.io/openshift-release-dev/ocp-release@sha256:eea721e62d3a06a742adc3d10d9c430af061694d558da9a8d9a17c52a342ddd4
version: ''
$ ✗ oc adm upgrade status                                            
Unable to fetch alerts, ignoring alerts in 'Update Health':  no token is currently in use for this session
= Control Plane =
Assessment:      Progressing
Target Version:  4.22.0-ec.1 (from 4.22.0-0.nightly-2026-01-24-213011)
...

So we showed that the patchDesiredUpdate function keeps the cv.spec.desiredUpdate.acceptRisks intact.

oc/pkg/cli/admin/upgrade/upgrade.go

Line 688 in 90d7ae6

func patchDesiredUpdate(ctx context.Context, update *configv1.Update, client configv1client.Interface,

[JianLi-RH]

/verified by @JianLi-RH

[openshift-ci-robot]

@JianLi-RH: This PR has been marked as verified by @JianLi-RH.

Details

In response to this:

/verified by @JianLi-RH

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hongkailiu]

/testwith openshift/cluster-version-operator/main/e2e-agnostic-ovn-techpreview-serial openshift/cluster-version-operator#1337

[openshift-ci]

@hongkailiu, testwith: could not generate prow job. ERROR:

create refs for PR: path alias: resolve config openshift/oc@: got unexpected http 400 status code from configresolver: branch query missing or incorrect

[wking]

This Update (instead of Patch) risks dropping ClusterVersion properties that have not yet been vendored into oc (e.g. see 123fa58, #1111, for how Update caused trouble before oc had been taught about spec.capabilities).

[hongkailiu]

I want to keep this one with a guard.
See b655628

We have to wait for the revert of the revert.
#2219

[wking]

I want to keep this one with a guard.
See b655628

That SpecStateSkipped guard protects the Update from running in clusters that don't have the acceptRisks property. Which is good. But I don't see how it protects the Update from clearing out spec.someNewProperty if someNewProperty is added to openshift/api and vendored into openshift/cluster-version-operator but folks forget to bump the vendored API in this oc repository.

[hongkailiu]

Oh. Now I see your point.
Your concerns is not AcceptRisk because we know oc bumps API already that we can reply on.
Instead, it is about a new field in the spec that happens in the future.
The backup is the whole CV, and oc might not recognize the field because of not yet bumping to the new API. Some component, e.g. CVO, fills that field in, my backup will destroy it.

What a case! 👍
Let me call the patch since I got your point now.

[hongkailiu]

https://redhat.atlassian.net/browse/OTA-1901
We will do it for 5.0.
Because new API is unlikely to happen before that.

[wking]

note to self, this is catching the local utils up with openshift/origin@85cad81 (openshift/origin#29954), which added similar functionality to origin's CLI structure.

[openshift-ci]

@hongkailiu: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-oc-ote	b655628	link	false	/test e2e-aws-oc-ote
ci/prow/e2e-aws-oc-ote-serial	b655628	link	false	/test e2e-aws-oc-ote-serial

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[hongkailiu]

/testwith openshift/cluster-version-operator/main/e2e-agnostic-ovn-techpreview-serial openshift/cluster-version-operator#1337

[wking]

#2241 remerged the vendoring we depend on here.

/retest-required

[wking]

I'm still nervous about the use of Update, but whatever, it's just CI, and if it breaks CI in the future, we can pivot to patch at that point.  Not a merge blocker for me. The actual shipped-to-users portions of this change look solid to me, so let's merge:

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hongkailiu, wking
Once this PR has been reviewed and has the lgtm label, please assign atiratree for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hongkailiu]

/testwith openshift/cluster-version-operator/main/e2e-agnostic-ovn-techpreview-serial openshift/cluster-version-operator#1337

[hongkailiu]

In this job, the case is skipped as TP is not enabled.

$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_oc/2170/pull-ci-openshift-oc-main-e2e-aws-ovn-serial-1of2/2036653227151200256/artifacts/e2e-aws-ovn-serial/openshift-e2e-test/artifacts/e2e.log | grep risks
started: 0/1/63 "[Jira:\"Cluster Version Operator\"] cluster-version-operator should work with accept risks"
skipped: (200ms) 2026-03-25T06:27:37 "[Jira:\"Cluster Version Operator\"] cluster-version-operator should work with accept risks"

[hongkailiu]

/retest-required

[hongkailiu]

Run the test (b655628) locally with a TP enabled cluster:

$ ./oc-tests-ext run-test "[sig-cli][OCPFeatureGate:ClusterUpdateAcceptRisks] oc can operate accept risks [Serial]"
  Running Suite:  - /Users/hongkliu/repo/openshift/oc
  ===================================================
  Random Seed: 1774468811 - will randomize all specs

  Will run 1 of 1 specs
  ------------------------------
  [sig-cli][OCPFeatureGate:ClusterUpdateAcceptRisks] oc can operate accept risks [Serial] [cluster-version-operator, tech-preview, Lifecycle:informing]
  /Users/hongkliu/repo/openshift/oc/test/e2e/accept.go:62
I0325 16:00:11.581897   87699 util.go:47] Running 'oc --kubeconfig=/Users/hongkliu/.kube/config get configmap microshift-version -n kube-public -o jsonpath={.data.version}'
  Running 'oc --kubeconfig=/Users/hongkliu/.kube/config get configmap microshift-version -n kube-public -o jsonpath={.data.version}'
E0325 16:00:13.790889   87699 util.go:59] Command failed with error: exit status 1
Output: Error from server (NotFound): configmaps "microshift-version" not found
  ERROR: Command failed with error: exit status 1
  Output: Error from server (NotFound): configmaps "microshift-version" not found

    STEP: accepting some risks @ 03/25/26 16:00:14.085
I0325 16:00:14.085260   87699 util.go:47] Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskA,RiskB'
  Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskA,RiskB'
    STEP: accepting more risks @ 03/25/26 16:00:14.761
I0325 16:00:14.761797   87699 util.go:47] Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskA,RiskB,RiskC'
  Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskA,RiskB,RiskC'
    STEP: replacing some risks @ 03/25/26 16:00:15.199
I0325 16:00:15.199543   87699 util.go:47] Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept --replace RiskB,RiskD'
  Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept --replace RiskB,RiskD'
    STEP: removing some risks @ 03/25/26 16:00:15.641
I0325 16:00:15.641971   87699 util.go:47] Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskB,RiskD-'
  Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskB,RiskD-'
    STEP: removing all risks @ 03/25/26 16:00:16.087
I0325 16:00:16.087271   87699 util.go:47] Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept --clear'
  Running 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept --clear'
  • [5.013 seconds]
  ------------------------------

  Ran 1 of 1 Specs in 5.014 seconds
  SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 0 Skipped
[
  {
    "name": "[sig-cli][OCPFeatureGate:ClusterUpdateAcceptRisks] oc can operate accept risks [Serial]",
    "lifecycle": "informing",
    "duration": 5014,
    "startTime": "2026-03-25 20:00:11.579743 UTC",
    "endTime": "2026-03-25 20:00:16.594210 UTC",
    "result": "passed",
    "output": "Running 'oc --kubeconfig=/Users/hongkliu/.kube/config get configmap microshift-version -n kube-public -o jsonpath={.data.version}'\nERROR: Command failed with error: exit status 1\nOutput: Error from server (NotFound): configmaps \"microshift-version\" not found\n\n  STEP: accepting some risks @ 03/25/26 16:00:14.085\nRunning 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskA,RiskB'\n  STEP: accepting more risks @ 03/25/26 16:00:14.761\nRunning 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskA,RiskB,RiskC'\n  STEP: replacing some risks @ 03/25/26 16:00:15.199\nRunning 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept --replace RiskB,RiskD'\n  STEP: removing some risks @ 03/25/26 16:00:15.641\nRunning 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept RiskB,RiskD-'\n  STEP: removing all risks @ 03/25/26 16:00:16.087\nRunning 'oc --kubeconfig=/Users/hongkliu/.kube/config adm upgrade accept --clear'\n"
  }
] 

[hongkailiu]

/verified by @hongkailiu

[openshift-ci-robot]

@hongkailiu: This PR has been marked as verified by @hongkailiu.

Details

In response to this:

/verified by @hongkailiu

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[hongkailiu]

The multi-pr job failed on other tests (seem not relevant to this pull). Our e2e tests are green:

$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/logs/multi-pr-openshift-oc-2170-openshift-cluster-version-operator-1337-e2e-agnostic-ovn-techpreview-serial/2036880026560892928/artifacts/e2e-agnostic-ovn-techpreview-serial/openshift-e2e-test/artifacts/e2e.log | rg risks
started: 0/1/112 "[Jira:\"Cluster Version Operator\"] cluster-version-operator should work with accept risks"
passed: (30.8s) 2026-03-25T22:33:43 "[Jira:\"Cluster Version Operator\"] cluster-version-operator should work with accept risks"
started: 0/56/112 "[sig-cli][OCPFeatureGate:ClusterUpdateAcceptRisks] oc can operate accept risks [Serial]"
passed: (1.7s) 2026-03-25T23:25:20 "[sig-cli][OCPFeatureGate:ClusterUpdateAcceptRisks] oc can operate accept risks [Serial]"