Container Service for Kubernetes: Access ECS instance metadata in enhanced mode only

Last Updated: Mar 26, 2026

By default, ECS nodes in an ACK cluster support both normal mode and enhanced mode (IMDSv2) for accessing instance metadata such as instance IDs, VPC information, and network interface card (NIC) information. You can switch to enhanced mode only (IMDSv2) to improve the security of the instance metadata service.

Important

After switching to enhanced mode only, requests using normal mode are rejected. If you have applications in the cluster that depend on the instance metadata service, you must update the application code to use IMDSv2 before making this change.

Prerequisites

Before you begin, ensure that you have:

  • An ACK managed cluster or an ACK dedicated cluster running version 1.28 or later. To upgrade, see Manually upgrade a cluster.

  • Any installed components listed in the following tables at or above the minimum version required for enhanced mode only

    ACK managed cluster

    | Component | Minimum component version | Minimum cluster version |
    | --- | --- | --- |
    | cloud-controller-manager | v2.11.3 | 1.28 |
    | terway | v1.9.16 | 1.30 |
    | terway-eni | v1.9.16 | 1.30 |
    | terway-eniip | v1.9.16 | 1.30 |
    | terway-eniip | v1.14.0 | 1.31 |
    | terway-controlplane | v1.9.16 | 1.30 |
    | terway-controlplane | v1.14.0 | 1.31 |
    | ack-erdma-controller | 0.2.6 | 1.28 |
    | mse-ingress-controller | 1.1.18 | 1.28 |
    | alb-ingress-controller | v2.18.0-aliyun.1 | 1.28 |
    | csi-provisioner | v1.33.3-884df97-aliyun | 1.28 |
    | csi-plugin | v1.33.3-884df97-aliyun | 1.28 |
    | storage-operator | v1.32.10 | 1.28 |
    | flexvolume | No supported version. Migrate to csi-plugin first. See Migrate from FlexVolume to CSI. | |
    | kritis-validation-hook | v0.12.0.0-g1535b25b-aliyun | 1.28 |
    | aliyun-acr-credential-helper | v25.07.21.1-67f1f51-aliyun | 1.28 |
    | logtail-ds | v2.1.14.0-aliyun | 1.28 |
    | loongcollector | 3.1.1 | 1.28 |
    | metrics-server | v0.3.9.7-85b3699-aliyun | 1.28 |
    | alicloud-monitor-controller | v1.8.4 | 1.28 |
    | ack-node-problem-detector | 1.2.26 | 1.28 |
    | arms-prometheus | 1.1.32 | 1.28 |
    | ack-cost-exporter | 1.0.18 | 1.28 |
    | ack-sysom-monitor | 1.1.2 | 1.28 |
    | arms-cmonitor | 4.1.2 | 1.28 |
    | ack-onepilot | 5.0.0 | 1.28 |
    | cluster-autoscaler | v1.3.18-48f43128-aliyun | 1.28 |
    | ack-goatscaler | v0.4.5-17c5a32-aliyun | 1.28 |
    | migrate-controller | v1.8.6-17482bb-aliyun | 1.28 |
    | ack-acr-acceleration-p2p | 0.3.10 | 1.28 |
    | csi-secrets-store-provider-alibabacloud | 0.5.0 | 1.28 |
    | ack-secret-manager | 0.5.12 | 1.28 |
    | ack-extend-network-controller | v0.12.0 | 1.28 |

    ACK dedicated cluster

    | Component | Minimum component version | Minimum cluster version |
    | --- | --- | --- |
    | cloud-controller-manager | v2.11.3 | 1.28 |
    | terway | v1.9.16 | 1.30 |
    | terway-eni | v1.9.16 | 1.30 |
    | terway-eniip | v1.9.16 | 1.30 |
    | terway-eniip | v1.14.0 | 1.31 |
    | terway-controlplane | v1.9.16 | 1.30 |
    | terway-controlplane | v1.14.0 | 1.31 |
    | ack-erdma-controller | 0.2.6 | 1.28 |
    | mse-ingress-controller | 1.1.18 | 1.28 |
    | alb-ingress-controller | v2.18.0-aliyun.1 | 1.28 |
    | csi-provisioner | v1.33.3-884df97-aliyun | 1.28 |
    | csi-plugin | v1.33.3-884df97-aliyun | 1.28 |
    | storage-operator | v1.32.10 | 1.28 |
    | flexvolume | No supported version. Migrate to csi-plugin first. See Migrate from FlexVolume to CSI. | |
    | kritis-validation-hook | v0.12.0.0-g1535b25b-aliyun | 1.28 |
    | aliyun-acr-credential-helper | v25.07.21.1-67f1f51-aliyun | 1.28 |
    | logtail-ds | v2.1.14.0-aliyun | 1.28 |
    | loongcollector | 3.1.1 | 1.28 |
    | metrics-server | v0.3.9.7-85b3699-aliyun | 1.28 |
    | alicloud-monitor-controller | v1.8.8 | 1.28 |
    | ack-node-problem-detector | 1.2.27 | 1.28 |
    | arms-prometheus | 1.1.33 | 1.28 |
    | ack-cost-exporter | 1.0.21 | 1.28 |
    | ack-sysom-monitor | 1.1.2 | 1.28 |
    | arms-cmonitor | 4.1.2 | 1.28 |
    | ack-onepilot | 5.0.0 | 1.28 |
    | cluster-autoscaler | v1.3.18-48f43128-aliyun | 1.28 |
    | ack-goatscaler | v0.4.5-17c5a32-aliyun | 1.28 |
    | migrate-controller | v1.8.6-17482bb-aliyun | 1.28 |
    | ack-acr-acceleration-p2p | 0.3.10 | 1.28 |
    | csi-secrets-store-provider-alibabacloud | 0.5.0 | 1.28 |
    | ack-secret-manager | 0.5.12 | 1.28 |
    | ack-extend-network-controller | v0.12.0 | 1.28 |
  • Any applications that call the IMDS updated to use IMDSv2 (token-based requests). For details on how IMDSv2 works, see Instance metadata
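
An added example (not from the Alibaba Cloud documentation) of what moving an application to IMDSv2 involves: request a token with PUT, then send it on every metadata read. The endpoint and header names are those of the ECS metadata service; the local stub, its token and instance ID are constructed, and its 403 reply to tokenless requests is an assumption.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

TTL_HEADER = "X-aliyun-ecs-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aliyun-ecs-metadata-token"
IMDS = "http://100.100.100.200"  # ECS instance metadata endpoint
# Metadata calls must not go through an HTTP proxy, so ignore proxy env vars.
_open = request.build_opener(request.ProxyHandler({})).open

def get_v2(path, base=IMDS, ttl=300, timeout=2):
    """IMDSv2: PUT for a short-lived token, then GET with the token header."""
    put = request.Request(base + "/latest/api/token", method="PUT",
                          headers={TTL_HEADER: str(ttl)})
    with _open(put, timeout=timeout) as r:
        token = r.read().decode()
    get = request.Request(base + "/latest/meta-data/" + path, headers={TOKEN_HEADER: token})
    with _open(get, timeout=timeout) as r:
        return r.read().decode()

def normal_mode_status(path, base=IMDS, timeout=2):
    """HTTP status of a tokenless (normal mode) GET; anything but 200 means rejected."""
    try:
        with _open(base + "/latest/meta-data/" + path, timeout=timeout) as r:
            return r.status
    except error.HTTPError as e:
        return e.code

class StubIMDS(BaseHTTPRequestHandler):
    """Constructed local stand-in for an enhanced-mode-only node, not the real service."""
    def _send(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body)
    def do_PUT(self):
        ok = self.path == "/latest/api/token" and self.headers.get(TTL_HEADER)
        self._send(200 if ok else 400, b"constructed-token" if ok else b"")
    def do_GET(self):
        # Tokenless requests are refused; the 403 status is this stub's assumption.
        ok = self.headers.get(TOKEN_HEADER) == "constructed-token"
        self._send(200 if ok else 403, b"i-constructed0001" if ok else b"")
    def log_message(self, *args):
        pass  # keep the stub quiet

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), StubIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port
```

On a node, `get_v2("instance-id")` with the default `base` talks to the real endpoint, and `normal_mode_status("instance-id")` shows whether tokenless requests are still accepted there.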

Enable enhanced mode only

You can set the instance metadata access mode only when you create a node pool or configure a node pool during cluster creation. You cannot change it after the node pool is created. The following procedure uses node pool creation as an example. The configuration items are the same when you create a cluster.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Nodes > Node Pools.

  3. Click Create Node Pool and configure the node pool. For all configuration items, see Create and manage a node pool. The following items are specific to this feature:

    • Operating System: Select an image that supports enhanced mode only and meets the minimum version requirement.

      • Public image

        | Operating system image | Minimum version |
        | --- | --- |
        | Container-optimized Alibaba Cloud Linux 3.2104 LTS 64-bit | 20241226 |
        | Alibaba Cloud Linux 3.2104 LTS 64-bit | 20241218 |
        | Ubuntu 22.04 | 20250722 |
        | ContainerOS 3.6 | 20250916 |

      • Make sure the cloud-init version in the image is 23.2.2 or later. To check and upgrade cloud-init, see Install cloud-init.

    • Instance Metadata Access Mode: Select Security Hardening Mode.