Container Service for Kubernetes:Patch OS CVE vulnerabilities for node pools

Last Updated:Oct 10, 2024

OS common vulnerabilities and exposures (CVE) vulnerabilities may lead to data leaks and service interruptions on nodes and even downgrade the stability, security, and compliance of the cluster. You can enable the OS CVE patching feature to scan for OS vulnerabilities on nodes and obtain suggestions on how to patch the detected vulnerabilities. You can patch the vulnerabilities based on the suggestions in the Container Service for Kubernetes (ACK) console.

Prerequisites

CVE patching is an advanced feature provided by Security Center. To use this feature, you must activate Security Center Advanced Edition or higher and ensure a sufficient quota of servers that can be protected by Security Center. ACK does not charge additional fees. For more information, see Purchase Security Center and Functions and features.

Usage notes

  • Security Center ensures CVE compatibility. Before you install a patch, we recommend that you check the CVE compatibility of your application. You can pause or cancel a CVE patching task anytime.

  • ACK may need to restart nodes to patch specific vulnerabilities. ACK drains a node before restarting the node.

    • Make sure that the ACK cluster has sufficient nodes to host the pods evicted from the drained node.

      To ensure cluster availability, we recommend that you use the node pool scaling feature to scale out a node pool before you patch vulnerabilities for the nodes in the node pool. For more information, see Scale a node pool.

    • If you have configured a PodDisruptionBudget (PDB), make sure that the cluster has sufficient nodes to support node draining. In addition, make sure that the number of existing replicated pods is not less than the value of the spec.minAvailable parameter specified in the PDB. You can delete the PDB if it is no longer needed.

    • Make sure that containers in a pod can process the SIGTERM signal as expected so that the pod can be terminated within its grace period. This prevents node draining failures.

    • The maximum timeout period for node draining is 1 hour. If node draining times out, ACK proceeds with the subsequent operations.

  • CVE patching is a progressive task that consists of multiple batches. After you pause or cancel a CVE patching task, ACK continues to process the dispatched batches. The batches that have not been dispatched are paused or canceled.

  • You can run only one CVE patching task at a time for each node pool.

  • If you want to patch ContainerOS vulnerabilities, the version of ContainerOS must be 3.2 or later.

  • If you modify the maintenance window of the cluster, scheduled CVE patching tasks are canceled. Then, the system generates a new schedule for CVE patching tasks.
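The draining notes above come down to two questions you can answer before you start a patching task: does every PodDisruptionBudget still allow a disruption, and do the remaining nodes have room for the pods that will be evicted? The following script is an added example, not ACK tooling; it evaluates both questions from the JSON that `kubectl get pdb -A -o json`, `kubectl get nodes -o json` and `kubectl get pods -A -o json` produce. The node, pod and PDB documents embedded in it are constructed for the example.

```python
"""Pre-drain readiness check for OS CVE patching (added example, not ACK tooling).

Two things decide whether draining a node can finish within the 1-hour
timeout: every PodDisruptionBudget covering pods on the node must still allow
a disruption, and the other schedulable nodes must have room for the evicted
pods. Both are evaluated from kubectl JSON output; the samples are constructed.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample: api-pdb still allows one disruption, db-pdb allows none
# because currentHealthy already equals minAvailable.
SAMPLE_PDBS = json.dumps({"items": [
    {"metadata": {"namespace": "shop", "name": "api-pdb"},
     "spec": {"minAvailable": 2},
     "status": {"currentHealthy": 3, "disruptionsAllowed": 1}},
    {"metadata": {"namespace": "shop", "name": "db-pdb"},
     "spec": {"minAvailable": 2},
     "status": {"currentHealthy": 2, "disruptionsAllowed": 0}},
]})

# Constructed sample: three nodes, node-c already cordoned.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a"}, "spec": {},
     "status": {"allocatable": {"pods": "10"}}},
    {"metadata": {"name": "node-b"}, "spec": {},
     "status": {"allocatable": {"pods": "10"}}},
    {"metadata": {"name": "node-c"}, "spec": {"unschedulable": True},
     "status": {"allocatable": {"pods": "10"}}},
]})


def _pod(ns: str, name: str, node: str, owner_kind: str = "ReplicaSet") -> Dict:
    return {"metadata": {"namespace": ns, "name": name,
                         "ownerReferences": [{"kind": owner_kind}]},
            "spec": {"nodeName": node}}


# Constructed sample pods; the DaemonSet pods are not evicted by a drain.
SAMPLE_PODS = json.dumps({"items": [
    _pod("shop", "api-1", "node-a"),
    _pod("shop", "api-2", "node-a"),
    _pod("shop", "db-0", "node-a", owner_kind="StatefulSet"),
    _pod("kube-system", "logtail-a", "node-a", owner_kind="DaemonSet"),
    _pod("shop", "api-3", "node-b"),
    _pod("kube-system", "logtail-b", "node-b", owner_kind="DaemonSet"),
    _pod("shop", "web-1", "node-c"),
]})


def blocking_pdbs(pdb_json: str) -> List[str]:
    """Return 'namespace/name' of every PDB whose status allows no further
    voluntary disruption. The PDB controller has already compared healthy pods
    against minAvailable/maxUnavailable, so status.disruptionsAllowed is the
    authoritative number; an eviction blocked by it is retried until the drain
    times out. A PDB with no status yet is treated as blocking."""
    blocked = []
    for pdb in json.loads(pdb_json)["items"]:
        if pdb.get("status", {}).get("disruptionsAllowed", 0) <= 0:
            blocked.append(f'{pdb["metadata"]["namespace"]}/{pdb["metadata"]["name"]}')
    return blocked


def _is_evictable(pod: Dict) -> bool:
    # DaemonSet pods stay on the node during a drain, so they need no new home.
    owners = pod["metadata"].get("ownerReferences", [])
    return not any(o.get("kind") == "DaemonSet" for o in owners)


def spare_pod_slots(nodes_json: str, pods_json: str, drained: str) -> Tuple[int, int]:
    """Return (pods_to_evict, free_slots). free_slots counts allocatable pod
    slots left on schedulable nodes other than the drained one; CPU and memory
    requests are the next thing to check once this passes."""
    nodes = json.loads(nodes_json)["items"]
    pods = json.loads(pods_json)["items"]
    used: Dict[str, int] = {}
    for p in pods:
        node = p["spec"].get("nodeName")
        if node:
            used[node] = used.get(node, 0) + 1
    free = 0
    for n in nodes:
        name = n["metadata"]["name"]
        if name == drained or n.get("spec", {}).get("unschedulable"):
            continue
        free += int(n["status"]["allocatable"]["pods"]) - used.get(name, 0)
    to_evict = sum(1 for p in pods
                   if p["spec"].get("nodeName") == drained and _is_evictable(p))
    return to_evict, free


def drain_ready(pdb_json: str, nodes_json: str, pods_json: str,
                drained: str) -> Tuple[bool, List[str]]:
    """Combine both checks and return (ok, reasons)."""
    reasons = [f"PDB {name} allows no disruption" for name in blocking_pdbs(pdb_json)]
    to_evict, free = spare_pod_slots(nodes_json, pods_json, drained)
    if free < to_evict:
        reasons.append(f"{to_evict} pods to evict from {drained} "
                       f"but only {free} free pod slots elsewhere")
    return not reasons, reasons


if __name__ == "__main__":
    ok, why = drain_ready(SAMPLE_PDBS, SAMPLE_NODES, SAMPLE_PODS, "node-a")
    print("ready" if ok else "not ready: " + "; ".join(why))
```

With the sample data, node-a cannot be drained cleanly: db-pdb reports `disruptionsAllowed: 0`, which is exactly the situation the note about `spec.minAvailable` describes, so the fix is to add a replica, relax the PDB, or delete it if it is no longer needed. The capacity check passes (3 evictable pods against 8 free slots on node-b); in a real run you would feed it the live kubectl output and treat a shortfall as the cue to scale the node pool out first.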
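The note that containers must handle SIGTERM within the grace period is the one most often behind a failed drain. The worker below is an added example (not from the ACK documentation) of what a well-behaved container process does: the signal handler only sets a flag, the loop stops accepting new work, the job in hand is finished, and the process exits inside a deadline derived from `terminationGracePeriodSeconds` (30 s by default). The job names and the 80 % safety margin are assumptions for the example.

```python
"""Graceful SIGTERM handling for a containerised worker (added example,
not from the ACK documentation).

During a node drain every pod receives SIGTERM and has
terminationGracePeriodSeconds to exit before SIGKILL. A process that ignores
SIGTERM, or runs as PID 1 without installing a handler, burns the whole grace
period and slows or fails the drain. This worker finishes the current job,
refuses new ones, and exits within a deadline it derives from the grace period.
"""
import signal
import threading
import time
from typing import Callable, List


class GracefulWorker:
    def __init__(self, grace_seconds: float = 30.0, safety_margin: float = 0.8):
        # Aim to be gone within 80 % of the grace period (assumed margin) so
        # that the kubelet's SIGKILL never arrives.
        self.deadline_seconds = grace_seconds * safety_margin
        self.stop_event = threading.Event()
        self.completed: List[str] = []
        self.abandoned: List[str] = []

    def request_stop(self) -> None:
        """Flip the flag; callers other than the signal handler may use it too."""
        self.stop_event.set()

    def handle_sigterm(self, signum, frame) -> None:
        """Signal handler: do nothing blocking here, just record the request."""
        self.request_stop()

    def install(self) -> None:
        """Register for SIGTERM (sent by the kubelet) and SIGINT (Ctrl-C locally)."""
        signal.signal(signal.SIGTERM, self.handle_sigterm)
        signal.signal(signal.SIGINT, self.handle_sigterm)

    def run(self, jobs: List[str], do_job: Callable[[str], None]) -> str:
        """Process jobs in order. Once a stop is requested, the job already
        started is completed but no further job is taken; those are recorded
        in self.abandoned so they can be returned to the queue."""
        for job in jobs:
            if self.stop_event.is_set():
                self.abandoned.append(job)
                continue
            do_job(job)
            self.completed.append(job)
        return "stopped" if self.stop_event.is_set() else "drained"

    def shutdown(self, flush: Callable[[], None], clock=time.monotonic) -> bool:
        """Run final cleanup and report whether it fit inside the deadline."""
        started = clock()
        flush()
        return clock() - started <= self.deadline_seconds


if __name__ == "__main__":
    worker = GracefulWorker(grace_seconds=30.0)
    worker.install()
    # Constructed workload: each job takes one second.
    queue = [f"job-{i}" for i in range(1, 6)]
    status = worker.run(queue, lambda job: time.sleep(1))
    worker.shutdown(lambda: None)
    print(status, "completed:", worker.completed, "abandoned:", worker.abandoned)
```

Two details matter in the container image as well: the entrypoint should `exec` the worker rather than wrap it in a shell that does not forward signals, and `terminationGracePeriodSeconds` in the pod spec should exceed the longest job plus the cleanup time, since the drain waits for the pod to exit and gives up only at the 1-hour timeout.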

Procedure

Auto CVE patching (recommended)

You can create a managed node pool and enable the auto CVE patching feature for the node pool. For more information, see Overview of managed node pools.

This way, ACK generates a global patching schedule and automatically runs patching tasks based on the schedule. Auto patching tasks are run within the maintenance window of the cluster. However, the tasks may not run in the first maintenance window that follows enabling the auto CVE patching feature.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Nodes > Node Pools.

  3. On the Node Pools page, find the managed node pool you created and click More > Configure Managed Node Pool in the Actions column. In the Configure Managed Node Pool dialog box, select the severity levels of the vulnerabilities that you want to patch and specify whether to restart the node pool to patch vulnerabilities based on your business requirements.

Manual CVE patching

If you do not want to use the auto CVE patching feature, you can perform the following steps to manually patch vulnerabilities:

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Nodes > Node Pools.

  3. On the Node Pools page, find the node pool that you want to patch and choose More > CVE Patching (OS) in the Actions column.

  4. On the page that appears, select the vulnerabilities that you want to patch in the Vulnerabilities section, select the Elastic Compute Service (ECS) instances in the Instances section, configure the Batch Repair Policy, and then click Start Repair.

    The batch repair policy consists of the following parameters:

    • Maximum Number of Nodes to Repair per Batch: This parameter specifies the maximum number of nodes that can be patched concurrently in one batch. The number of nodes patched per batch grows from one batch to the next in the sequence 1, 2, 4, 8, ... until it reaches this maximum; every batch after that patches the maximum number of nodes. If you set the maximum to 4, one node is patched in the first batch, two nodes are patched concurrently in the second batch, and four nodes are patched concurrently in the third batch and in each subsequent batch.

    • Dry Run Mode: If you enable this mode, ACK simulates the patching and generates a report.

  5. Confirm the information and click OK.
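The batch sizing described under Batch Repair Policy is easy to reproduce, and doing so answers two practical questions before you click Start Repair: how many batches a node pool of a given size will need (which bounds the duration, since batches run one after another and each can wait up to the 1-hour drain timeout), and how many nodes are out of service at the peak. The function below is an added example, not ACK's own code; it assumes that a maximum that is not a power of two simply caps the doubling sequence (for example 1, 2, 3, 3, ... for a maximum of 3). The node names are constructed.

```python
"""Batch plan for a CVE patching task (added example, not ACK's own code).

Batch sizes grow 1, 2, 4, 8, ... until they reach "Maximum Number of Nodes to
Repair per Batch", after which every batch uses that maximum. Assumption: a
maximum that is not a power of two caps the sequence at that value.
"""
from typing import List


def batch_plan(nodes: List[str], max_per_batch: int) -> List[List[str]]:
    """Split nodes into ordered batches of size 1, 2, 4, ... capped at
    max_per_batch; the final batch holds whatever is left over."""
    if max_per_batch < 1:
        raise ValueError("max_per_batch must be at least 1")
    batches: List[List[str]] = []
    size, index = 1, 0
    while index < len(nodes):
        batches.append(nodes[index:index + size])
        index += size
        size = min(size * 2, max_per_batch)
    return batches


def batch_sizes(node_count: int, max_per_batch: int) -> List[int]:
    """Sizes only, for example 10 nodes with a maximum of 4 -> [1, 2, 4, 3]."""
    names = [f"node-{i}" for i in range(1, node_count + 1)]  # constructed names
    return [len(batch) for batch in batch_plan(names, max_per_batch)]


def worst_case_minutes(node_count: int, max_per_batch: int,
                       minutes_per_node: float) -> float:
    """Upper bound on task duration: batches run sequentially and nodes within a
    batch concurrently, so the bound is batches x per-node time. Use the
    1-hour drain timeout plus the reboot time as minutes_per_node for the
    pessimistic figure when sizing a maintenance window."""
    return len(batch_sizes(node_count, max_per_batch)) * minutes_per_node


def peak_nodes_out(node_count: int, max_per_batch: int) -> int:
    """Largest number of nodes drained at the same time; this is the minimum
    number of spare nodes to add before the task if the pool is otherwise full."""
    return max(batch_sizes(node_count, max_per_batch))


if __name__ == "__main__":
    print(batch_sizes(10, 4))                       # [1, 2, 4, 3]
    print(worst_case_minutes(10, 4, 70.0))          # 280.0
    print(peak_nodes_out(10, 4))                    # 4
```

Dry Run Mode produces the same kind of plan from ACK's side; comparing its report with this calculation is a quick way to confirm that the maximum you chose matches the spare capacity you added to the node pool.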

References

After you enable CVE patching, you can pause, resume, or cancel the patching procedure.