What is Kubernetes cluster upgrade strategy?

Kubernetes cluster upgrades require careful planning and execution: Supported version skew: kube-apiserver must be at most 1 minor version ahead of kubelet. Upgrade control plane before worker nodes. Supported upgrade path: one minor version at a time (1.27 → 1.28 → 1.29, not 1.27 → 1.29 directly). Managed K8s (EKS/GKE/AKS): cloud providers handle control plane upgrade. You upgrade node groups separately. Blue/green node group upgrade is safest: create new node group with new K8s version → cordon and drain old nodes → delete old node group. Self-managed cluster upgrade (kubeadm): (1) Upgrade control plane: apt-get update && apt-get install -y kubeadm=1.29.0-00 kubeadm upgrade plan # Verify upgrade path kubeadm upgrade apply v1.29.0 apt-get install -y kubelet=1.29.0-00 kubectl=1.29.0-00 systemctl restart kubelet; (2) Upgrade each worker node: kubectl cordon node-1 # Mark unschedulable kubectl drain node-1 --ignore-daemonsets --delete-emptydir-data # Evict pods # On node-1: apt-get install kubeadm=1.29.0-00; kubeadm upgrade node; apt-get install kubelet=1.29.0-00; systemctl restart kubelet kubectl uncordon node-1 # Mark schedulable. Pre-upgrade checklist: review CHANGELOG for breaking changes and deprecated API removals; test in non-prod first; backup etcd; check addon compatibility (Ingress controller, CSI drivers, CNI plugin); run pluto to detect deprecated API usage; scale up capacity to allow draining nodes. API deprecations: Kubernetes deprecates APIs 2 versions before removal. Use kubectl convert to migrate manifests. Rollback: kubeadm doesn't support downgrade — test upgrades thoroughly in staging first.