Updates
Operating System
The underlying cluster nodes can be fully updated by using the following Ansible playbook:
- More information on this command can be found in the provisioning section.
For critical and security-relevant updates, the unattended-upgrades tool is configured on all nodes as follows:
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} ${distro_codename}-security";
    "${distro_id} ${distro_codename}-updates";
};
Unattended-Upgrade::Package-Blacklist {
};
Kubernetes
Rancher's system-upgrade-controller is used to update the K3s runtime on every node. See the cluster section for the implementation details.
Additionally, Renovate Bot is configured to automatically create Pull Requests for new K3s versions; you can view an example here.
As soon as a Pull Request with a K3s update is merged, Flux starts reconciling the Plan manifests; the system-upgrade-controller detects the new version inside them and updates all nodes one by one, starting with the master nodes.
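The pair of Plan manifests below is an added illustration of the rollout described above, not the repository's own manifests: the server plan upgrades control-plane nodes first with a concurrency of one, and the agent plan waits for it via a `prepare` step, so worker nodes only move after the masters are done. The `version` value is a placeholder for whatever K3s release the merged Pull Request pins; the namespace and service account names follow the upstream system-upgrade-controller defaults and are assumptions here.

```yaml
# Constructed example: Plan manifests for the system-upgrade-controller.
# Upgrades control-plane nodes one at a time before touching workers.
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: server-plan
  namespace: system-upgrade
spec:
  concurrency: 1          # one node at a time, so the cluster stays available
  cordon: true            # cordon the node before the upgrade job runs
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/control-plane
        operator: In
        values: ["true"]
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
  version: vX.Y.Z+k3s1    # placeholder: the release pinned by the merged PR
---
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: agent-plan
  namespace: system-upgrade
spec:
  concurrency: 1
  cordon: true
  nodeSelector:
    matchExpressions:
      - key: node-role.kubernetes.io/control-plane
        operator: DoesNotExist
  prepare:
    # Blocks until server-plan has completed on all matching nodes,
    # which is what gives "masters first, then workers" ordering.
    image: rancher/k3s-upgrade
    args: ["prepare", "server-plan"]
  serviceAccountName: system-upgrade
  upgrade:
    image: rancher/k3s-upgrade
  version: vX.Y.Z+k3s1    # keep in sync with server-plan
```

Both plans carry the same `version` field, so a version bump Pull Request has to touch both; a mismatch would leave servers and agents on different K3s releases.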
Services
Updates of the running services and containers are also done via Pull Requests by Renovate Bot, which fits well into the GitOps-based workflow of Flux. It continuously checks the following data sources for new versions and creates Pull Requests to roll them out inside the cluster:
- Container images
- Helm Charts
- GitHub repositories
- GitHub releases