Fix CVE vulnerabilities in a node pool operating system (OS)


CVE vulnerabilities in a node's operating system (OS) can cause data breaches and service interruptions, which threaten the stability, security, and compliance of your cluster. You can enable the OS CVE vulnerability patching feature to scan nodes for security vulnerabilities, receive patching recommendations, and quickly apply fixes from the console.

Prerequisites

To use this feature, you must subscribe to Security Center Ultimate or purchase the pay-as-you-go vulnerability patching feature.

Usage notes

  • Security Center ensures the compatibility of CVE patches. However, you are responsible for checking the compatibility of your cluster applications with these patches. If you encounter any issues during the vulnerability patching process, you can pause or cancel the task at any time.

  • If patching a CVE vulnerability requires a node restart, ACK drains the node before restarting it.

    • Cluster resource usage: Cluster resource usage should not be excessively high. Ensure there is enough spare capacity to reschedule the pods that are evicted during drain operations.

      To ensure high availability for your cluster, we recommend that you scale out the node pool to add more nodes before you enable this feature. For more information, see Manually scale a node pool.

    • PodDisruptionBudget (PDB) constraints: If a PDB is configured, ensure the cluster has enough resources for the drain operation and that the number of pod replicas meets the minimum availability requirement in the PDB. The number of pod replicas must be greater than spec.minAvailable. If this PDB rule is not required, delete it.

    • Pod termination: Ensure that containers in a pod can correctly handle the TERM (SIGTERM) signal. This prevents a pod from failing to terminate within its grace period, which would cause the drain operation to fail.

    • Maximum drain timeout: The maximum timeout for a drain operation is one hour. If the drain operation does not complete within this time, ACK stops subsequent operations.

  • When patching a CVE vulnerability that requires a node restart, if the target nodes include GPU nodes, we recommend upgrading the kernel manually instead. This helps avoid potential GPU driver compatibility issues. For more information, see Manually upgrade the kernel of a GPU node in an existing cluster.

  • CVE vulnerability patching tasks are performed in batches. If you pause or cancel a task, batches that are already in progress will continue until completion. Pending batches will be paused or canceled.

  • CVE vulnerability patching tasks run within the configured cluster maintenance window. If a task exceeds the maintenance window, it is automatically canceled. Batches that are already in progress will continue until completion, while pending batches will be canceled.

  • Only one CVE vulnerability patching task can run in a node pool at a time.

  • If the operating system is ContainerOS, we recommend that you patch CVE vulnerabilities by upgrading the operating system. The CVE vulnerability patching feature is supported only on ContainerOS 3.2 and 3.3.

    For more information about ContainerOS versions, see ContainerOS image release notes.

  • If you modify the maintenance window, any scheduled CVE vulnerability patching plans are canceled. New plans will be scheduled later.
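The PDB and drain-timeout notes above come down to one piece of arithmetic: an eviction is allowed only while the workload has more healthy pods than the budget requires, and a drain that cannot evict simply waits until ACK's one-hour timeout stops it. The following is an added example for this page, not ACK or Kubernetes code; it models that check with the same rounding the Kubernetes disruption controller applies to percentage values (rounded up against the expected pod count), so you can see before starting a patching task whether a given PDB and replica count will let a node drain proceed. The `PodDisruptionBudget` dataclass and the helper names are this example's own.

```python
"""Drain-readiness arithmetic for a PodDisruptionBudget (added example, not ACK code)."""
import math
from dataclasses import dataclass
from typing import Optional, Union

IntOrPercent = Union[int, str]  # an int, or a percentage string such as "50%"


@dataclass
class PodDisruptionBudget:
    """Mirrors the two mutually exclusive fields of a PDB spec (example type, not the API object)."""
    min_available: Optional[IntOrPercent] = None    # spec.minAvailable
    max_unavailable: Optional[IntOrPercent] = None  # spec.maxUnavailable


def _scaled(value: IntOrPercent, expected_pods: int) -> int:
    """Resolve an int-or-percent value against the expected pod count; percentages round up."""
    if isinstance(value, str):
        if not value.endswith("%"):
            raise ValueError(f"unsupported int-or-percent value {value!r}")
        return math.ceil(int(value[:-1]) * expected_pods / 100)
    return int(value)


def disruptions_allowed(pdb: PodDisruptionBudget, expected_pods: int, healthy_pods: int) -> int:
    """Voluntary evictions the budget permits right now (the PDB's status.disruptionsAllowed)."""
    if pdb.min_available is not None:
        desired_healthy = _scaled(pdb.min_available, expected_pods)
    elif pdb.max_unavailable is not None:
        desired_healthy = expected_pods - _scaled(pdb.max_unavailable, expected_pods)
    else:
        raise ValueError("a PDB must set minAvailable or maxUnavailable")
    # With replicas == minAvailable this is 0: the page's "must be greater than" rule.
    return max(healthy_pods - desired_healthy, 0)


def drain_blocked(pdb: PodDisruptionBudget, expected_pods: int,
                  healthy_pods: int, pods_on_node: int = 1) -> bool:
    """True when the budget does not cover evicting all of this workload's pods on one node.

    Evictions are attempted one at a time; once the budget reaches zero the drain
    waits for replacement pods to become Ready, and with a budget of zero from the
    start it never progresses, which is what exhausts the one-hour drain timeout.
    """
    return disruptions_allowed(pdb, expected_pods, healthy_pods) < pods_on_node


def min_replicas_for_drain(pdb: PodDisruptionBudget, pods_on_node: int = 1, limit: int = 64) -> int:
    """Smallest replica count at which a fully healthy workload can lose pods_on_node pods at once."""
    for replicas in range(max(pods_on_node, 1), limit + 1):
        if not drain_blocked(pdb, replicas, replicas, pods_on_node):
            return replicas
    raise ValueError(f"no replica count up to {limit} satisfies the budget")


if __name__ == "__main__":
    # Constructed scenario: a 2-replica Deployment guarded by minAvailable: 2.
    pdb = PodDisruptionBudget(min_available=2)
    print("disruptions allowed at 2 replicas:", disruptions_allowed(pdb, 2, 2))
    print("replicas needed before one node can drain:", min_replicas_for_drain(pdb))
```

Read a workload's PDB and replica count from the cluster, feed them in, and a `drain_blocked` result of `True` tells you to scale the workload out (or drop the PDB, as the note above says) before starting the patching task rather than after the drain has already stalled.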

Procedure

Automatic OS CVE patching

Managed Node Pools provide automated O&M capabilities to automatically repair operating system CVE vulnerabilities. When enabled, ACK schedules and executes a repair plan based on global task rules. Automatic repairs are performed within the configured maintenance window. Because ACK rolls out fixes progressively, the exact time a fix is applied to a vulnerable node pool may be delayed depending on factors such as the region.

Starting from August 5, 2025, parameters related to the automatic CVE vulnerability patching policy will be adjusted. For more information, see Change 3: Adjustments to parameters related to the automatic security vulnerability patching policy.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Nodes > Node Pools.

  3. In the Actions column of the target node pool, click the more-actions icon and then select Enable Managed Node Pool (for a standard node pool) or Configure Managed Node Pool (for a Managed Node Pool). Set the Configure Managed Node Pool mode to Managed Node Pool, and then select the severity levels of CVE vulnerabilities to automatically patch.

    This feature is provided by Security Center and requires an Enterprise edition or higher subscription. ACK does not charge extra fees. For Security Vulnerability Patching Level, you can select Critical, Medium, or Low.

    When a security vulnerability is found in the Linux kernel, you typically need to upgrade the kernel package and restart the node. Due to the high stability risks of these operations, ACK skips patching kernel security vulnerabilities by default. We recommend handling these vulnerabilities manually by changing the operating system or by following the steps in Manually patch OS CVE vulnerabilities.

    If you still need to automatically patch kernel vulnerabilities, submit a ticket to request this change.

Manual OS CVE patching

You can also manually patch CVE vulnerabilities.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Nodes > Node Pools.

  3. On the Node Pools page, find the node pool that you want to manage. In the Actions column, click the more-actions icon and select CVE Patching (OS).

  4. In the Vulnerabilities area, select the vulnerabilities to patch. In the Instance area, select the instances to patch. Configure the Batch Repair Policy and click Start Repair. Then, follow the on-screen instructions.

    The batch repair policy includes the following parameters:

    • Maximum Parallel Nodes per Batch: Nodes are patched for CVE vulnerabilities in batches. The number of nodes per batch doubles with each batch (1, 2, 4, 8, and so on) until it reaches the specified maximum. All subsequent batches then use the maximum number. For example, if you set the maximum to 4, the first batch patches 1 node, the second patches 2 nodes, and the third and all following batches patch 4 nodes.

    • Dry Run Mode: If you enable this mode, ACK simulates the patching process and generates a report without actually patching the vulnerabilities.
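Because batches run one after another and a task that outlives the maintenance window is canceled (see the usage notes), the batch-size rule above decides how many sequential steps a task takes. The following is an added example for this page, not ACK code: it reproduces the doubling schedule (1, 2, 4, ... capped at Maximum Parallel Nodes per Batch) for a node count, and then uses a per-batch duration and a window length, both constructed inputs that the page does not supply, to estimate whether the task fits and what the smallest parallelism that still fits would be.

```python
"""Batch schedule planner for an OS CVE patching task (added example, not ACK code)."""
from typing import List, Optional


def batch_sizes(node_count: int, max_parallel: int) -> List[int]:
    """Node count of each batch: 1, 2, 4, ... until max_parallel, then max_parallel thereafter."""
    if node_count < 0 or max_parallel < 1:
        raise ValueError("node_count must be >= 0 and max_parallel >= 1")
    sizes: List[int] = []
    remaining = node_count
    size = 1
    while remaining > 0:
        this_batch = min(size, max_parallel, remaining)  # last batch takes what is left
        sizes.append(this_batch)
        remaining -= this_batch
        size = min(size * 2, max_parallel)
    return sizes


def task_minutes(node_count: int, max_parallel: int, minutes_per_batch: int) -> int:
    """Sequential batches, so the estimate is batch count times the assumed per-batch time.

    minutes_per_batch is a constructed input: measure it from a dry run or an earlier
    task (drain, patch, optional restart, node Ready again); the page gives no figure.
    """
    return len(batch_sizes(node_count, max_parallel)) * minutes_per_batch


def fits_maintenance_window(node_count: int, max_parallel: int,
                            minutes_per_batch: int, window_minutes: int) -> bool:
    """True when every batch finishes inside the window; otherwise pending batches are canceled."""
    return task_minutes(node_count, max_parallel, minutes_per_batch) <= window_minutes


def max_parallel_to_fit(node_count: int, minutes_per_batch: int,
                        window_minutes: int) -> Optional[int]:
    """Smallest Maximum Parallel Nodes per Batch (least nodes down at once) that still fits.

    Returns None when even patching every node in the fewest possible batches is too slow,
    meaning the window must be lengthened or the task split across windows.
    """
    for max_parallel in range(1, max(node_count, 1) + 1):
        if fits_maintenance_window(node_count, max_parallel, minutes_per_batch, window_minutes):
            return max_parallel
    return None


if __name__ == "__main__":
    # Constructed scenario: a 10-node pool, 15 minutes per batch, a 60-minute window.
    print("batches at max 4:", batch_sizes(10, 4))
    print("fits 60-minute window at max 4:", fits_maintenance_window(10, 4, 15, 60))
    print("smallest max_parallel that fits:", max_parallel_to_fit(10, 15, 60))
```

The smallest parallelism that fits the window is the one to pick: it limits how many nodes are drained and restarting at the same time, which is the capacity the PDB and resource-usage notes earlier on this page are about.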

Next steps

After the patching task starts, you can control the task by clicking Pause, Continue, or Cancel.