⌂ Home

Kubernetes Component Upgrade Order

The critical sequence for upgrading Kubernetes components on each node

1
kubeadm
Cluster Orchestrator
2
kubelet
Node Agent
3
kubectl
CLI Client

Why This Order Matters

Control Plane Components (Updated by kubeadm)

kube-apiserver
kube-controller-manager
kube-scheduler
etcd
Sequential Component Upgrade: Dependency Chain 1. etcd Upgrade data store first No dependencies 2. kube-apiserver Central hub upgrade Depends on etcd 3. controller-manager Control loops upgrade Depends on API 4. kube-scheduler Pod placement upgrade Depends on API 5. kubelet Node agent Last to upgrade Safe vs Unsafe Upgrade Paths ✓ Safe Upgrade Path Sequential one version at a time: v1.27.0 → v1.28.0 → v1.29.0 Why safe: • Each component tested with adjacent versions • API compatibility guaranteed • Can rollback to previous version if needed ✗ Unsafe Upgrade Path Skipping versions: v1.27.0 → v1.29.0 (skips v1.28.0) Why unsafe: • API deprecations not handled incrementally • Version skew policy violated • Upgrade path not tested by Kubernetes team Always upgrade control plane before worker nodes | Never skip minor versions

Step 1: Upgrade kubeadm

Unhold the package, upgrade, and re-hold:

# Debian/Ubuntu
sudo apt-mark unhold kubeadm
sudo apt-get update
sudo apt-get install -y kubeadm=1.32.0-00
sudo apt-mark hold kubeadm

# RHEL/CentOS
sudo yum install -y kubeadm-1.32.0-0 --disableexcludes=kubernetes

Verify version and plan the upgrade:

kubeadm version

# On first control plane node only
sudo kubeadm upgrade plan
sudo kubeadm upgrade apply v1.32.0

# On additional control plane/worker nodes
sudo kubeadm upgrade node

Step 2: Upgrade kubelet

Drain the node first (run from control plane):

kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data

Upgrade kubelet package:

# Debian/Ubuntu
sudo apt-mark unhold kubelet
sudo apt-get update
sudo apt-get install -y kubelet=1.32.0-00
sudo apt-mark hold kubelet

# RHEL/CentOS
sudo yum install -y kubelet-1.32.0-0 --disableexcludes=kubernetes

Restart kubelet service:

sudo systemctl daemon-reload
sudo systemctl restart kubelet

# Verify kubelet is running
sudo systemctl status kubelet

Uncordon the node (run from control plane):

kubectl uncordon <node-name>

Step 3: Upgrade kubectl

Upgrade kubectl (usually done with kubelet):

# Debian/Ubuntu
sudo apt-mark unhold kubectl
sudo apt-get update
sudo apt-get install -y kubectl=1.32.0-00
sudo apt-mark hold kubectl

# RHEL/CentOS
sudo yum install -y kubectl-1.32.0-0 --disableexcludes=kubernetes

Verify the upgrade:

kubectl version --client
kubectl get nodes  # Check all nodes show new version

Critical: Package Hold/Unhold

apt-mark hold prevents automatic upgrades. Always unhold before upgrading, then re-hold after installation to prevent unintended version changes during system updates.

Complete Upgrade Command Sequence

For quick reference, the full upgrade sequence for a single node (Debian/Ubuntu):

# 1. Upgrade kubeadm
sudo apt-mark unhold kubeadm && \
sudo apt-get update && \
sudo apt-get install -y kubeadm=1.32.0-00 && \
sudo apt-mark hold kubeadm

# 2. Apply upgrade (control plane) or upgrade node config (workers)
sudo kubeadm upgrade apply v1.32.0  # First control plane
# OR
sudo kubeadm upgrade node  # Additional nodes

# 3. Drain node (from control plane)
kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data

# 4. Upgrade kubelet and kubectl
sudo apt-mark unhold kubelet kubectl && \
sudo apt-get update && \
sudo apt-get install -y kubelet=1.32.0-00 kubectl=1.32.0-00 && \
sudo apt-mark hold kubelet kubectl

# 5. Restart kubelet
sudo systemctl daemon-reload
sudo systemctl restart kubelet

# 6. Uncordon node (from control plane)
kubectl uncordon <node-name>

# 7. Verify
kubectl get nodes -o wide

Version Skew Policy

Key Rules: