OpenSec Atlas

Name: system-upgrade-controller
Author: rancher

system-upgrade-controller: An Open Source Tool for Cloud Security | OpenSec Atlas

Back to Browse

Cloud Security

Tool

system-upgrade-controller

A Kubernetes-native controller that automates node upgrades through declarative upgrade plans.

View on GitHub

About This Tool

In your Kubernetes, upgrading your nodes

Primary Use Case

This tool is used by Kubernetes cluster administrators to automate and manage node upgrades in a controlled, declarative manner using custom resource definitions (CRDs). It is ideal for environments requiring consistent, repeatable node upgrade policies with minimal manual intervention.

Key Features

Kubernetes-native upgrade controller using a custom Plan CRD
Declarative upgrade policies with label selectors for node targeting
Supports arbitrary node mutations via container images
Optional cordon and drain of nodes during upgrades
Highly privileged jobs with host IPC, NET, PID, and root filesystem access
Concurrency control for upgrade rollout
Operator-overridable upgrade commands
Examples for upgrading k3s, Ubuntu packages, and Linux kernels

Insights & Recommendations

Upgrades should be designed to be idempotent to avoid issues during repeated executions. The controller runs highly privileged jobs with access to host IPC, network, PID namespaces, and root filesystem, so security considerations are critical. Node selection for upgrades is label-based and can be optionally opted in or out. The tool supports concurrency limits and optional cordon/drain behavior similar to kubectl.

Installation

Apply the system-upgrade-controller manifest via kubectl: kubectl apply -k github.com/rancher/system-upgrade-controller
Alternatively, use the release-specific manifest from the releases page, e.g., download and apply system-upgrade-controller.yaml from v0.4.0 release

Usage

kubectl apply -k github.com/rancher/system-upgrade-controller

Deploys the system-upgrade-controller to the Kubernetes cluster using the latest manifest.

Smart Usage Notes

Integrate with Kubernetes admission controllers to enforce upgrade policies and prevent unauthorized mutations.Use as part of automated patch management workflows to reduce attack surface from outdated node software.Combine with monitoring tools to detect failed or partial upgrades indicating potential compromise or instability.Leverage concurrency controls to minimize impact on cluster availability during rolling upgrades.Employ label selectors strategically to segment upgrade scopes and reduce blast radius in multi-tenant clusters.