Operating System

The underlying cluster nodes can be fully updated by using the following Ansible playbook:

# update nodes using ansible (1)
$ task cluster:update
  1. More information on this command can be found in the provisioning section.

For critical and/or security-relevant updates, the unattended-upgrades tool is configured on all nodes:

Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Unattended-Upgrade::Allowed-Origins {
    "${distro_id} ${distro_codename}-security";
    "${distro_id} ${distro_codename}-updates";
};

Unattended-Upgrade::Package-Blacklist {
};
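
A check that fits the configuration above, as an added example that is not part of this project's code: it parses the directives shown and reports patch-coverage gaps, most notably that with Automatic-Reboot "false" a pending reboot leaves the patched kernel inactive. The sample text is constructed, the function names are hypothetical, and the parser handles only scalar and list directives with whole-line // comments.

```python
import os
import re

# Constructed sample that mirrors the settings shown above; not read from a node.
SAMPLE = """\
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} ${distro_codename}-security";
    "${distro_id} ${distro_codename}-updates";
};
Unattended-Upgrade::Package-Blacklist {
};
"""

LIST_RE = re.compile(r'([\w:-]+)\s*\{(.*?)\}\s*;', re.S)   # Key { "a"; "b"; };
SCALAR_RE = re.compile(r'([\w:-]+)\s+"([^"]*)"\s*;')       # Key "value";
TRUE_VALUES = {"true", "yes", "1", "on", "enable", "with"}  # apt boolean spellings

def parse_apt_conf(text):
    """Parse the apt.conf subset used above: scalars and quoted string lists."""
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)  # drop whole-line comments
    conf = {key: re.findall(r'"([^"]*)"', body) for key, body in LIST_RE.findall(text)}
    conf.update(SCALAR_RE.findall(LIST_RE.sub('', text)))
    return conf

def audit(conf, reboot_pending):
    """Return findings about patch coverage for a parsed configuration."""
    prefix = "Unattended-Upgrade::"
    findings = []
    if not any(o.endswith("-security") for o in conf.get(prefix + "Allowed-Origins", [])):
        findings.append("security pocket missing from Allowed-Origins")
    held = conf.get(prefix + "Package-Blacklist", [])
    if held:
        findings.append("excluded from automatic patching: " + ", ".join(held))
    auto_reboot = conf.get(prefix + "Automatic-Reboot", "false").lower() in TRUE_VALUES
    if not auto_reboot and reboot_pending:
        findings.append("reboot pending: patched kernel or libraries are not active yet")
    if not auto_reboot and prefix + "Automatic-Reboot-Time" in conf:
        findings.append("Automatic-Reboot-Time has no effect while Automatic-Reboot is false")
    return findings

if __name__ == "__main__":
    # /var/run/reboot-required is the marker Debian/Ubuntu packages create.
    pending = os.path.exists("/var/run/reboot-required")
    for finding in audit(parse_apt_conf(SAMPLE), pending):
        print("FINDING:", finding)
```
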


Rancher's system-upgrade-controller is leveraged to update the K3s runtime on every node. See the implementation details in the cluster section for more information.

Additionally, Renovate Bot is configured to automatically create Pull Requests for new versions of K3s – you can view an example here.

As soon as a pull request with a K3s update is merged, Flux starts reconciling the Plan manifests. The system-upgrade-controller detects the new version inside them and starts updating all nodes one by one, starting with the master nodes.

Renovate Pull Request for K3s dependency


Updates of the running services are also done via Pull Requests by Renovate Bot, which fits perfectly into the GitOps-based workflow of Flux. It continuously checks the following data sources for new versions and creates Pull Requests to adapt them inside the cluster:

  • Container images
  • Helm Charts
  • GitHub repositories
  • GitHub releases