diff --git a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
index e2d7a46fcf9..072c71d16ef 100644
--- a/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
+++ b/cluster/addons/metadata-proxy/gce/metadata-proxy.yaml
@@ -44,7 +44,7 @@ spec:
         effect: "NoSchedule"
       containers:
       - name: metadata-proxy
-        image: k8s.gcr.io/metadata-proxy:v0.1.10
+        image: k8s.gcr.io/metadata-proxy:v0.1.11
         securityContext:
           privileged: true
         # Request and limit resources to get guaranteed QoS.
diff --git a/test/images/metadata-concealment/VERSION b/test/images/metadata-concealment/VERSION
index 524cb55242b..5625e59da88 100644
--- a/test/images/metadata-concealment/VERSION
+++ b/test/images/metadata-concealment/VERSION
@@ -1 +1 @@
-1.1.1
+1.2
diff --git a/test/images/metadata-concealment/check_metadata_concealment.go b/test/images/metadata-concealment/check_metadata_concealment.go
index 4749e907ddd..f6e4345cd1c 100644
--- a/test/images/metadata-concealment/check_metadata_concealment.go
+++ b/test/images/metadata-concealment/check_metadata_concealment.go
@@ -40,9 +40,13 @@ var (
 		"http://metadata.google.internal/computeMetadata/v1/",
 		// Service account token endpoints.
 		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token",
-		// Params that contain 'recursive' as substring.
-		"http://metadata.google.internal/computeMetadata/v1/instance/?nonrecursive=true",
-		"http://metadata.google.internal/computeMetadata/v1/instance/?something=other&nonrecursive=true",
+		// Permitted recursive query to SA endpoint.
+		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true",
+		// Known query params.
+		"http://metadata.google.internal/computeMetadata/v1/instance/tags?alt=text",
+		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=false",
+		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&timeout_sec=0",
+		"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&last_etag=d34db33f",
 	}
 	legacySuccessEndpoints = []string{
 		// Discovery
@@ -54,6 +58,8 @@ var (
 		// Service account token endpoints.
 		"http://metadata.google.internal/0.1/meta-data/service-accounts/default/acquire",
 		"http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token",
+		// Known query params.
+		"http://metadata.google.internal/0.1/meta-data/service-accounts/default/acquire?scopes",
 	}
 	noKubeEnvEndpoints = []string{
 		// Check that these don't get a recursive result.
@@ -72,10 +78,12 @@ var (
 		"http://metadata.google.internal/0.1/meta-data/service-accounts/default/identity",
 		"http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/identity",
 		"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity",
-		// Recursive.
+		// Forbidden recursive queries.
 		"http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true",
-		"http://metadata.google.internal/computeMetadata/v1/instance/?something=other&recursive=true",
-		"http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&something=other",
+		"http://metadata.google.internal/computeMetadata/v1/instance/?%72%65%63%75%72%73%69%76%65=true", // url-encoded
+		// Unknown query param key.
+		"http://metadata.google.internal/computeMetadata/v1/instance/?something=else",
+		"http://metadata.google.internal/computeMetadata/v1/instance/?unknown",
 		// Other.
 		"http://metadata.google.internal/computeMetadata/v1/instance/attributes//kube-env",
 		"http://metadata.google.internal/computeMetadata/v1/instance/attributes/../attributes/kube-env",
@@ -96,7 +104,7 @@ func main() {
 		}
 	}
 	for _, e := range noKubeEnvEndpoints {
-		if err := checkURL(e, h, 200, "", "kube-env"); err != nil {
+		if err := checkURL(e, h, 403, "", "kube-env"); err != nil {
 			log.Printf("Wrong response for %v: %v", e, err)
 			success = 1
 		}
diff --git a/test/utils/image/manifest.go b/test/utils/image/manifest.go
index 2e5015bd3a7..1fed673a04a 100644
--- a/test/utils/image/manifest.go
+++ b/test/utils/image/manifest.go
@@ -97,7 +97,7 @@ var (
 	APIServer                = Config{e2eRegistry, "sample-apiserver", "1.10"}
 	AppArmorLoader           = Config{e2eRegistry, "apparmor-loader", "1.0"}
 	BusyBox                  = Config{dockerLibraryRegistry, "busybox", "1.29"}
-	CheckMetadataConcealment = Config{e2eRegistry, "metadata-concealment", "1.1.1"}
+	CheckMetadataConcealment = Config{e2eRegistry, "metadata-concealment", "1.2"}
 	CudaVectorAdd            = Config{e2eRegistry, "cuda-vector-add", "1.0"}
 	Dnsutils                 = Config{e2eRegistry, "dnsutils", "1.1"}
 	EchoServer               = Config{e2eRegistry, "echoserver", "2.2"}