The ack-pod-identity-webhook component is essential for implementing credential-free access and pod permission fencing for applications. This topic describes the component, its usage, and its change records.
Component introduction
The ack-pod-identity-webhook component is based on the Kubernetes MutatingAdmissionWebhook mechanism. It simplifies the use of the RAM Roles for Service Accounts (RRSA) feature provided by Container Service. The component automatically injects the required OpenID Connect (OIDC) token mounts and environment variable configurations into application pods. This removes the need for complex manual configuration.
Usage
ack-pod-identity-webhook automates the configuration of RRSA. This allows pods to directly assume RAM roles. It provides a secure, credential-free, and fine-grained permission management solution for cloud resources at the pod level. For more information, see Pod permission fencing based on RRSA.
Change records
November 2025
Version number | Registry Address | Change time | Change description | Impact |
0.4.0 | registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:0.4.0 | November 24, 2025 |
| An abnormal component upgrade may cause pod creation to fail. Upgrade the component during off-peak hours. |
September 2025
Version number | Registry Address | Change time | Change description | Impact |
0.3.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:0.3.1 | September 08, 2025 | Upgraded the Golang version used by the component to 1.24.6 to improve component stability. | An abnormal component upgrade may cause pod creation to fail. Upgrade the component during off-peak hours. |
June 2025
Version number | Registry Address | Change time | Change description | Impact |
0.3.0 | registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.3.0.0-g433f84b-aliyun | June 06, 2025 | Added support for enabling the injection of the | An abnormal component upgrade may cause pod creation to fail. Upgrade the component during off-peak hours. |
March 2025
Version number | Registry Address | Change time | Change description | Impact |
0.2.1 | registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.2.1.0-g52e519c-aliyun | March 18, 2025 | Upgraded the Golang version used by the component to 1.23.7 to improve component stability. | An abnormal component upgrade may cause pod creation to fail. Upgrade the component during off-peak hours. |
December 2024
Version number | Registry Address | Change time | Change description | Impact of the change |
0.2.0 | registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.2.0.11-g2f0c2e7-aliyun | December 19, 2024 |
| An abnormal component upgrade may cause pod creation to fail. Upgrade the component during off-peak hours. |
June 2023
Version number | Registry Address | Change time | Change description | Impact |
0.1.1 | registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.1.0-gbddcb74-aliyun | June 07, 2023 | Enhanced the component's compatibility with ACK Serverless clusters. | An abnormal component upgrade may cause pod creation to fail. Upgrade the component during off-peak hours. |
February 2023
Version number | Registry Address | Change time | Change description | Impact |
0.1.0 | registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.0.9-g26b8fde-aliyun | February 01, 2023 | Implemented the feature to automatically mount OIDC tokens and configure environment variables for application pods. | Initial release. |