Interactive Lab · CKA Topic · Intermediate

CLUSTER UPGRADE

$ kubeadm upgrade apply v1.29.0

📋 Step 1 Plan the Upgrade

1Kubernetes only supports upgrading one minor version at a time. You cannot jump from 1.27 to 1.29. You must go 1.27 to 1.28 to 1.29.
2The upgrade order is always: kubeadm first, then kubelet and kubectl. Never upgrade kubelet before kubeadm.
3Run kubeadm upgrade plan to see what versions are available and what will be upgraded. Always run this first.
4Before upgrading a node, always drain it so pods are evicted safely. After the upgrade, uncordon it.

🎛

Control Plane

controlplane

v1.28.0

Ready · schedulable

⚙️

Worker

worker-node-1

v1.28.0

Ready · schedulable

⚙️

Worker

worker-node-2

v1.28.0

Ready · schedulable

kubeadm upgrade plan

# See available upgrade versions

kubeadm upgrade plan

terminalLIVE

🎛 Step 2 Upgrade the Control Plane

1First upgrade the kubeadm package itself to the target version using apt or yum.
2Run kubeadm upgrade apply v1.29.0 to upgrade the control plane components: API server, scheduler, controller manager, etcd.
3After kubeadm apply, drain the control plane node, then upgrade kubelet and kubectl, then uncordon the node.

⚠ The control plane node must be upgraded before worker nodes. kubeadm upgrade apply only runs on the control plane.

🎛

Control Plane

controlplane

v1.28.0

Ready · schedulable

Control plane upgrade sequence

# 1. Unhold and upgrade kubeadm

apt-mark unhold kubeadm

apt-get install -y kubeadm=1.29.0-00

apt-mark hold kubeadm

# 2. Apply the upgrade

kubeadm upgrade apply v1.29.0

# 3. Drain the control plane node

kubectl drain controlplane --ignore-daemonsets

# 4. Upgrade kubelet and kubectl

apt-get install -y kubelet=1.29.0-00 kubectl=1.29.0-00

systemctl daemon-reload && systemctl restart kubelet

# 5. Uncordon the node

kubectl uncordon controlplane

terminalLIVE

⚙️ Step 3 Upgrade a Worker Node

1Worker node upgrades use kubeadm upgrade node instead of kubeadm upgrade apply. The apply command is only for the control plane.
2You must drain the worker node first from the control plane not from the worker itself. This evicts all pods to other nodes.
3After upgrading kubelet on the worker, restart the kubelet service and then uncordon the node so it can receive pods again.

⚙️

Worker

worker-node-1

v1.28.0

Ready · schedulable

⚙️

Worker

worker-node-2

v1.28.0

Ready · schedulable

Worker node upgrade sequence

# From control plane: drain the worker

kubectl drain worker-node-1 --ignore-daemonsets --force

# SSH into worker-node-1, then:

apt-mark unhold kubeadm

apt-get install -y kubeadm=1.29.0-00

kubeadm upgrade node

apt-get install -y kubelet=1.29.0-00 kubectl=1.29.0-00

systemctl daemon-reload && systemctl restart kubelet

# Back on control plane: uncordon

kubectl uncordon worker-node-1

terminalLIVE

✅ Step 4 Verify the Upgrade

1kubectl get nodes shows the Kubernetes version for each node. All nodes should now show v1.29.0.
2Check that all system pods in kube-system are running normally after the upgrade.
3Verify your workload pods are still running and no pods are stuck in Pending or CrashLoopBackOff.

🎛

Control Plane

controlplane

v1.28.0

checking...

⚙️

Worker

worker-node-1

v1.28.0

checking...

⚙️

Worker

worker-node-2

v1.28.0

checking...

terminalLIVE

Upgrade Order

1. kubeadmAlways upgrade kubeadm package first.

2. kubeadm upgrade applyUpgrades control plane components. Only runs on control plane.

3. drain nodeSafely evict all pods before upgrading kubelet.

4. kubelet + kubectlUpgrade the node agent and CLI.

5. systemctl restart kubeletRestart to apply the new version.

6. uncordon nodeAllow pods to schedule on the node again.

Key Rules

One minor at a timeCannot skip versions. 1.27 to 1.29 requires two upgrades.

Control plane firstAlways upgrade control plane before worker nodes.

kubeadm upgrade nodeUsed on worker nodes, not kubeadm upgrade apply.

apt-mark hold/unholdPackages are held to prevent accidental upgrades. Must unhold before upgrading.

After upgrade verifykubectl get nodes should show new version and Ready status.