All Products
Document Center

Container Service for Kubernetes:CVE patching

Last Updated:Nov 16, 2023

Alibaba Cloud Security can periodically scan your Elastic Compute Service (ECS) instances to identify vulnerabilities, and provide suggestions and methods to patch the identified vulnerabilities. Container Service for Kubernetes (ACK) works with Security Center to help you patch high-risk common vulnerabilities and exposures (CVE) in node pools with a few clicks. This topic describes the CVE patching feature for node pools in ACK clusters.


CVE patching is an advanced feature provided by Security Center. To use this feature, you must log on to the Security Center console and activate Security Center Advanced Edition, Enterprise Edition, or Ultimate Edition. For more information, see Vulnerability patching overview.


  • ACK may need to restart nodes to patch specific vulnerabilities. ACK drains a node before it restarts the node. Make sure that the ACK cluster has sufficient nodes to support node draining. We recommend that you use the node pool scaling feature to expand a node pool before you patch vulnerabilities for the nodes in the node pool. Make sure that the number of nodes added to the node pool equals the number of nodes to be patched.

  • We recommend that you configure an appropriate PodDisruptionBudget (PDB) before you restart a node for the patch to take effect. This is because ACK performs pod eviction that lasts about 30 minutes based on the specified PDB during node draining.

  • Security Center ensures the CVE compatibility. We recommend that you check the CVE compatibility for your application before you install a patch. You can pause or cancel a CVE patching task anytime.

  • CVE patching is a progressive task that consists of multiple batches. After you pause or cancel a CVE patching task, ACK continues to process the dispatched batches. Only the batches that have not been dispatched are paused or canceled.

  • You can run only one CVE patching task at a time for each node pool.


  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Nodes > Node Pools in the left-side navigation pane.

  3. On the Node Pools page, find the node pool that you want to update and click CVE Patching, or More>CVE Patching.

  4. Select the vulnerabilities that you want to patch in the Vulnerabilities list, select the instances that you want to patch in the Instances list, and then configure Batch Repair Policy. Follow the instructions to configure other parameters and then click Start Repair.

  5. Confirm the information and click OK.

What to do next

You can click Pause, Continue, or Cancel to control the patching task.