Container Service for Kubernetes:CVE patching

Precautions

• ACK may need to restart nodes to patch specific vulnerabilities. ACK drains a node before it restarts the node. Make sure that the ACK cluster has sufficient nodes to support node draining. We recommend that you use the node pool scaling feature to expand a node pool before you patch vulnerabilities for the nodes in the node pool. Make sure that the number of nodes added to the node pool equals the number of nodes to be patched.

• We recommend that you configure an appropriate PodDisruptionBudget (PDB) before you restart a node for the patch to take effect. This is because ACK performs pod eviction that lasts about 30 minutes based on the specified PDB during node draining.

• Security Center ensures the CVE compatibility. We recommend that you check the CVE compatibility for your application before you install a patch. You can pause or cancel a CVE patching task anytime.

• CVE patching is a progressive task that consists of multiple batches. After you pause or cancel a CVE patching task, ACK continues to process the dispatched batches. Only the batches that have not been dispatched are paused or canceled.

• You can run only one CVE patching task at a time for each node pool.

Procedure

1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

2. On the Clusters page, click the name of the cluster that you want to manage and choose Nodes > Node Pools in the left-side navigation pane.

3. On the Node Pools page, find the node pool that you want to update and click CVE Patching, or More>CVE Patching.

4. Select the vulnerabilities that you want to patch in the Vulnerabilities list, select the instances that you want to patch in the Instances list, and then configure Batch Repair Policy. Follow the instructions to configure other parameters and then click Start Repair.

   

5. Confirm the information and click OK.