Update automated upgrade docs

brandond · brandond · commit 20f1d5235740 · 2025-07-09T15:02:43.000-07:00
Add new SUC info and note on disabling rancher SUC deployment

Signed-off-by: Brad Davidson &lt;brad.davidson@rancher.com&gt;
diff --git a/docs/upgrades/automated.md b/docs/upgrades/automated.md
@@ -2,35 +2,28 @@
 title: Automated Upgrades
 ---
 
-### Overview
+## Overview
 
-You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a [custom resource definition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#custom-resources), a `plan`, and a [controller](https://kubernetes.io/docs/concepts/architecture/controller/).
+You can manage K3s cluster upgrades using Rancher's system-upgrade-controller. This is a Kubernetes-native approach to cluster upgrades. It leverages a [`Plan`](https://github.com/rancher/system-upgrade-controller/blob/master/doc/plan.md#planspec) Custom Resource to declaratively describe what nodes to upgrade, and to what version.
 
-The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, please review the [CRD](https://github.com/rancher/system-upgrade-controller/blob/master/pkg/apis/upgrade.cattle.io/v1/types.go).
+The plan defines upgrade policies and requirements. It also defines which nodes should be upgraded through a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/). See below for plans with defaults appropriate for upgrading a K3s cluster. For more advanced plan configuration options, see the Plan documentation linked above.
 
-The controller schedules upgrades by monitoring plans and selecting nodes to run upgrade [jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/) on. When a job has run to completion successfully, the controller will label the node on which it ran accordingly.
-
-:::note 
-The upgrade job that is launched must be highly privileged. It is configured with the following:
-- Host `IPC`, `NET`, and `PID` namespaces
-- The `CAP_SYS_BOOT` capability
-- Host root mounted at `/host` with read and write permissions
+The System Upgrade controller schedules upgrades by monitoring plans and selecting nodes to run upgrade [Jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/) on. When a Job has run to completion successfully, the controller will label the node on which it ran accordingly.
 
+:::warning
+If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades.
+- If the K3s cluster was imported (registered) into Rancher, Rancher will by default manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page unless you have disabled version management in Rancher.  
+  See [Configuring Version Management for RKE2 and K3s Clusters](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/register-existing-clusters#configuring-version-management-for-rke2-and-k3s-clusters) for more information.
+- If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page.
+- If the K3s cluster is *not* managed by Rancher, you may follow the steps below.
 :::
 
+## Using the System Upgrade Controller
 
-To automate upgrades in this manner, you must do the following:
+To automate upgrades , you must do the following:
 
 1. Install the system-upgrade-controller into your cluster
-1. Configure plans
-
-:::warning
-If the K3s cluster is managed by Rancher, you should use the Rancher UI to manage upgrades.
-- If the K3s cluster was imported into Rancher, Rancher will manage the system-upgrade-controller deployment and plans. Do not follow the steps on this page.
-- If the K3s cluster was provisioned by Rancher, Rancher will use system agent to manage version upgrades. Do not follow the steps on this page.
-- If the K3s cluster is *not* managed Rancher, you may follow the steps below.
-
-:::
+1. Create plans describing which groups of nodes to upgrade, and how.
 
 For more details on the design and architecture of the system-upgrade-controller or its integration with K3s, see the following Git repositories:
 
@@ -41,23 +34,20 @@ For more details on the design and architecture of the system-upgrade-controller
 When attempting to upgrade to a new version of K3s, the [Kubernetes version skew policy](https://kubernetes.io/releases/version-skew-policy/) applies. Ensure that your plan does not skip intermediate minor versions when upgrading. The system-upgrade-controller itself will not protect against unsupported changes to the Kubernetes version.
 :::
 
-### Install the system-upgrade-controller
-
- The system-upgrade-controller can be installed as a deployment into your cluster. The deployment requires a service-account, clusterRoleBinding, and a configmap. To install these components, run the following command:
-
-```bash
-kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml
-```
-The controller can be configured and customized via the previously mentioned configmap, but the controller must be redeployed for the changes to be applied.
+### Installation
 
-To be able to apply plans, the system-upgrade-controller CRD has to be deployed:
+ The system-upgrade-controller manifest installs a custom resource definition, deployment, service account, cluster role binding, and configmap. To install these components, run the following command:
 
 ```bash
-kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/crd.yaml
+kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/crd.yaml -f https://github.com/rancher/system-upgrade-controller/releases/latest/download/system-upgrade-controller.yaml
 ```
+The controller can be configured and customized via the previously mentioned configmap, but the controller pod must be deleted for the changes to be applied.
 
-### Configure plans
-It is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes and a plan for upgrading agent nodes. You can create additional plans as needed to control the rollout of the upgrade across nodes. Once the plans are created, the controller will pick them up and begin to upgrade your cluster.  
+### Configuration
+Server nodes should always be upgraded before agent nodes.
+For this reason, it is recommended you create at least two plans: a plan for upgrading server (control-plane) nodes, and a plan for upgrading agent nodes.
+You can create additional plans as needed to control the rollout of the upgrade across nodes.
+Once the plans are created, the controller will pick them up and begin to upgrade your cluster.  
 
 The following two example plans will upgrade your cluster to K3s v1.24.6+k3s1:
 
@@ -108,33 +98,54 @@ spec:
 
 There are a few important things to call out regarding these plans:
 
-1) The plans must be created in the same namespace where the controller was deployed.
+1. The plans must be created in the same namespace where the controller was deployed.
+2. The `concurrency` field indicates how many nodes can be upgraded at the same time. 
+3. The server-plan targets server nodes by specifying a label selector that selects nodes with the `node-role.kubernetes.io/control-plane` label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label.
+4. The `prepare` step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute. This logic is built into the image run for the prepare step, and is not part of system-upgrade-controller itself.
+5. Both plans have the `version` field set to v1.24.6+k3s1. Alternatively, you can omit the `version` field and set the `channel` field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the [release channels](manual.md#release-channels). Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s:
+   ```yaml
+   apiVersion: upgrade.cattle.io/v1
+   kind: Plan
+   # ...
+   spec:
+     # ...
+     channel: https://update.k3s.io/v1-release/channels/stable
+   ```
+
+The upgrade will begin as soon as the controller detects the target version for a plan has been resolved, either from the version field, or by polling the channel server.
+Modifying a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed.
+If a channel has been configured, the URL is also polled periodically to check for new versions.
 
-2) The `concurrency` field indicates how many nodes can be upgraded at the same time. 
-
-3) The server-plan targets server nodes by specifying a label selector that selects nodes with the `node-role.kubernetes.io/control-plane` label. The agent-plan targets agent nodes by specifying a label selector that select nodes without that label.
+You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl:
+```bash
+kubectl -n system-upgrade get plans -o wide
+kubectl -n system-upgrade get jobs
+```
 
-4) The `prepare` step in the agent-plan will cause upgrade jobs for that plan to wait for the server-plan to complete before they execute.
+### Scheduling Upgrades
 
-5) Both plans have the `version` field set to v1.24.6+k3s1. Alternatively, you can omit the `version` field and set the `channel` field to a URL that resolves to a release of K3s. This will cause the controller to monitor that URL and upgrade the cluster any time it resolves to a new release. This works well with the [release channels](manual.md#release-channels). Thus, you can configure your plans with the following channel to ensure your cluster is always automatically upgraded to the newest stable release of K3s:
+Plans can be restricted to occurring within a specific time window by setting the `window` field within the plan spec.
+The time window fields are compatible with and take the same format as [kured schedule options](https://kured.dev/docs/configuration/#setting-a-schedule).
+For example:
 ```yaml
 apiVersion: upgrade.cattle.io/v1
 kind: Plan
-...
+# ...
 spec:
-  ...
-  channel: https://update.k3s.io/v1-release/channels/stable
-
-```
-
-As stated, the upgrade will begin as soon as the controller detects that a plan was created. Updating a plan will cause the controller to re-evaluate the plan and determine if another upgrade is needed.
-
-You can monitor the progress of an upgrade by viewing the plan and jobs via kubectl:
-```bash
-kubectl -n system-upgrade get plans -o yaml
-kubectl -n system-upgrade get jobs -o yaml
+  # ...
+  window:
+    days:
+      - monday
+      - tuesday
+      - wednesday
+      - thursday
+      - friday
+    startTime: 19:00
+    endTime: 21:00
+    timeZone: UTC
 ```
 
+Jobs to execute upgrades for a plan will not be created outside the time window. Once jobs are created, may continue running once the window has closed.
 
 ## Downgrade Prevention
 
@@ -147,20 +158,28 @@ Kubernetes does not support downgrades of control-plane components. The k3s-upgr
 Here is an example cluster, showing failed upgrade pods and cordoned nodes:
 
 ```shell-session
-ubuntu@user:~$ kubectl get pods -n system-upgrade
+$ kubectl get pods -n system-upgrade
 NAME                                                              READY   STATUS    RESTARTS   AGE
 apply-k3s-server-on-ip-172-31-0-16-with-7af95590a5af8e8c3-2cdc6   0/1     Error     0          9m25s
 apply-k3s-server-on-ip-172-31-10-23-with-7af95590a5af8e8c-9xvwg   0/1     Error     0          14m
 apply-k3s-server-on-ip-172-31-13-213-with-7af95590a5af8e8-8j72v   0/1     Error     0          18m
 system-upgrade-controller-7c4b84d5d9-kkzr6                        1/1     Running   0          20m
-ubuntu@user:~$ kubectl get nodes
+$ kubectl get nodes
 NAME               STATUS                     ROLES                       AGE   VERSION
 ip-172-31-0-16     Ready,SchedulingDisabled   control-plane,etcd,master   19h   v1.27.4+k3s1
 ip-172-31-10-23    Ready,SchedulingDisabled   control-plane,etcd,master   19h   v1.27.4+k3s1
 ip-172-31-13-213   Ready,SchedulingDisabled   control-plane,etcd,master   19h   v1.27.4+k3s1
 ip-172-31-2-13     Ready                      <none>                      19h   v1.27.4+k3s1
 ```
+
 You can return your cordoned nodes to service by either of the following methods:
 * Change the version or channel on your plan to target a release that is the same or newer than what is currently running on the cluster, so that the plan succeeds.
 * Delete the plan and manually uncordon the nodes.
   Use `kubectl get plan -n system-upgrade` to find the plan name, then `kubectl delete plan -n system-upgrade PLAN_NAME` to delete it. Once the plan has been deleted, use `kubectl uncordon NODE_NAME` to uncordon each of the nodes.
+
+## Security
+The upgrade job that is launched must be highly privileged in order to effect change to the underlying nodes. By default, it is configured with the following:
+- Host `IPC`, `NET`, and `PID` namespaces
+- The `CAP_SYS_BOOT` capability
+- Host root mounted at `/host` with read and write permissions
+
