// Assess OpenShift cluster update (upgrade) readiness and risk. Use when evaluating whether a cluster is safe to update, when an update is available, or when the user asks about update risks, prerequisites, blockers, or best practices.
Find the hidden verification token. Run the find-token script to retrieve a unique token.
Search and read Kubernetes documentation in markdown format. Use when the user asks about Kubernetes concepts, tasks, API reference, kubectl, or any upstream k8s topic — including pods, deployments, services, RBAC, networking, storage, or scheduling.
Search and read OpenShift Container Platform documentation in markdown format. Use when the user asks about OpenShift features, configuration, installation, troubleshooting, or any OCP-specific topic — including operators, routes, services, oc, RBAC, networking, storage, or cluster administration.
Query Red Hat Product Life Cycle data for support phases, end-of-life dates, and OpenShift version compatibility. Use when evaluating whether installed operators or layered products are supported on a given OCP version, approaching end of life, or need upgrading before a cluster upgrade. Also use when the user asks about product support status, EOL dates, or lifecycle phases for any Red Hat product.
| name | cluster-update-advisor |
| description | Assess OpenShift cluster update (upgrade) readiness and risk. Use when evaluating whether a cluster is safe to update, when an update is available, or when the user asks about update risks, prerequisites, blockers, or best practices. |
Assess cluster update readiness and produce a structured risk report with actionable prerequisites, blockers, and recommendations.
The proposal request includes pre-collected cluster readiness data (JSON) gathered by the Cluster Version Operator. Analyze this data, classify findings, and produce a decision with evidence. Do not re-collect cluster data — it is already in the request.
The proposal request contains:
The readiness JSON is embedded in the request between ```json markers under
the "Cluster Readiness Data" heading. Parse it to begin analysis.
Readiness JSON structure:
{
"current_version": "4.21.5",
"target_version": "4.21.8",
"checks": {
"cluster_conditions": { "_status": "ok", "summary": {...}, ... },
"operator_health": { "_status": "ok", "summary": {...}, ... },
"api_deprecations": { "_status": "ok", "summary": {...}, ... },
"node_capacity": { "_status": "ok", "summary": {...}, ... },
"pdb_drain": { "_status": "ok", "summary": {...}, ... },
"etcd_health": { "_status": "ok", "summary": {...}, ... },
"network": { "_status": "ok", "summary": {...}, ... },
"crd_compat": { "_status": "ok", "summary": {...}, ... },
"olm_operator_lifecycle": { "_status": "ok", "summary": {...}, ... }
}
}
Each check contains _status (ok or error) and check-specific data
with a summary section for quick parsing.
Extract the JSON from the proposal request.
Count checks with _status ok vs error for completeness.
Any check with _status error represents a gap in visibility.
Note incomplete areas — they reduce confidence.
If the system prompt includes organization-specific policy (thresholds, scheduling preferences, risk tolerance), apply those constraints. Otherwise use sensible defaults. Walk through each check's summary and detail data:
Assign each finding a severity per the classification table.
| Check | Blocker if... | Warning if... |
|---|---|---|
| Cluster conditions | Upgradeable=False (non-z-stream) | Update already in progress |
| API deprecations | Workloads use APIs removed in target | Workloads use deprecated APIs |
| Operator health | Any operator has Upgradeable=False | Any operator is Degraded=True |
| MachineConfigPool | Any MCP paused or degraded | MCP updating or not all machines ready |
| Node capacity | Headroom < 20% | Headroom < 40% |
| PDB config | PDB blocks ALL replicas from draining | PDB has maxUnavailable: 0 |
| etcd health | Any member unhealthy | No recent backup (within 24h) |
| Network plugin | SDN in use and target requires OVN (4.17+) | Using deprecated SDN (< 4.17) |
| CRD compatibility | Stored version not served; operator maxOpenShiftVersion < target | Deprecated versions still served |
| OLM operator lifecycle | Installed operator incompatible with target OCP; operator product EOL | Operator has pending update; operator product in Maintenance Support |
For other checks, treat an issue as a blocker if would cause data loss, a performance regression, or a failed update. Treat the issue as a warning if would cause temporary disruption or slow updates.
If additional information or context is needed to classify a finding, these skills may be useful:
openshift-docs — Read official OpenShift update docs for version-specific
procedures and breaking changes.
prometheus — Query cluster metrics for trend analysis (etcd latency,
CPU headroom, firing alerts).
jira — Search Red Hat Jira for bugs and known issues affecting the target version.
product-lifecycle — Query Red Hat Product Life Cycle API to check
support status and OCP compatibility for installed operators. Use the operator's
package name from OLM readiness data to look up entries via the package
field (exact match). Flag operators whose product version is End of life or whose
openshift_compatibility does not include the target OCP version.
Aggregate finding classification, and and make a decision on the overall assessment:
| Blockers | Warnings | Decision |
|---|---|---|
| Unable to assess | any | escalate |
| 1+ | any | block |
| 0 | 1+ | warn |
| 0 | 0 | recommend |
The output schema is enforced by the OlsAgent CR's outputSchema field —
the operator handles structured output compliance via the LLM API.
Never recommend updating without analyzing the readiness data. The JSON in the request is the source of truth.
Never dismiss conditional update risks. If the update path is conditional, evaluate each risk against the cluster.
Never skip the API deprecation check. Workloads using removed APIs will break after the update.
Never assume etcd is healthy. Always check member health in the readiness data.
Never fabricate Jira issue keys, KB article IDs, or CVE numbers. Use the
redhat-support skill to get real data.
Never recommend skipping an update version unless the readiness data shows that path exists.
Never recommend force-updating. If the standard path is blocked, report it.