For the instructions to upgrade Rancher installed on Kubernetes with RancherD, refer to

For the instructions to upgrade Rancher installed with Docker, refer to this page.

To upgrade the components in your Kubernetes cluster, or the definition of the or add-ons, refer to the , the Rancher Kubernetes Engine.

If you installed Rancher using the RKE Add-on yaml, follow the directions to migrate or upgrade.

Prerequisites

Helm should be run from the same location as your kubeconfig file, or the same location where you run your kubectl commands from.

If you installed Kubernetes with RKE, the config will have been created in the directory you ran in.

The kubeconfig can also be manually targeted for the intended cluster with the --kubeconfig tag (see: https://helm.sh/docs/helm/helm/)

Review Known Issues

Review the known upgrade issues in the Rancher documentation for the most noteworthy issues to consider when upgrading Rancher.

A more complete list of known issues for each Rancher version can be found in the release notes on and on the Rancher forums.

Note that upgrades to or from any chart in the aren’t supported.

Helm Version

The upgrade instructions assume you are using Helm 3.

For migration of installs started with Helm 2, refer to the official The Helm 2 upgrade page hereprovides a copy of the older upgrade instructions that used Helm 2, and it is intended to be used if upgrading to Helm 3 is not feasible.

For air gap installs: Populate private registry

-For air gap installs only, collect and populate images for the new Rancher server version. Follow the guide to with the images for the Rancher version that you want to upgrade to.

If you are upgrading to Rancher v2.5 from a Rancher server that was started with the Helm chart option --add-local=false, you will need to drop that flag when upgrading. Otherwise, the Rancher server will not start. The restricted-admin role can be used to continue restricting access to the local cluster. For more information, see this section.

For upgrades from v2.0-v2.2 with external TLS termination

If you are upgrading Rancher from v2.x to v2.3+, and you are using external TLS termination, you will need to edit the cluster.yml to enable using forwarded host headers.

For upgrades with cert-manager older than 0.8.0

Let’s Encrypt will be blocking cert-manager instances older than 0.8.0 starting November 1st 2019. Upgrade cert-manager to the latest version by following

Upgrade Outline

Follow the steps to upgrade Rancher server:

1. Back up Your Kubernetes Cluster that is Running Rancher Server

For Rancher v2.0-v2.4, of your Kubernetes cluster running Rancher server.

You’ll use the backup as a restoration point if something goes wrong during upgrade.

2. Update the Helm chart repository

  1. Update your local helm repo cache.

  2. Get the repository name that you used to install Rancher.

    For information about the repos and their differences, see .

    Latest: Recommended for trying out the newest features

    Stable: Recommended for production environments

    Alpha: Experimental preview of upcoming releases.
    Note: Upgrades are not supported to, from, or between Alphas.

    1. helm repo list
    3. NAME                   URL
    4. stable                 https://charts.helm.sh/stable
    5. rancher-<CHART_REPO>     https://releases.rancher.com/server-charts/<CHART_REPO>

  3. Fetch the latest chart to install Rancher from the Helm chart repository.

    This command will pull down the latest charts and save it in the current directory as a .tgz file.

    1. helm fetch rancher-<CHART_REPO>/rancher

    You can fetch the chart for the specific version you are upgrading to by adding in the --version= tag. For example:

    1. helm fetch rancher-<CHART_REPO>/rancher --version=v2.4.11

3. Upgrade Rancher

This section describes how to upgrade normal (Internet-connected) or air gap installations of Rancher with Helm.

Get the values, which were passed with --set, from the current Rancher Helm chart that is installed.

If you are also upgrading cert-manager to the latest version from a version older than 0.11.0, follow

Otherwise, follow Option A: Upgrading Rancher.

Option A: Upgrading Rancher

Take all the values from the previous step and append them to the command using --set key=value:

  1. helm upgrade rancher rancher-<CHART_REPO>/rancher \
  2.   --namespace cattle-system \
  3.   --set hostname=rancher.my.org

Alternatively, it’s possible to export the current values to a file and reference that file during upgrade. For example, to only change the Rancher version:

  1. helm get values rancher -n cattle-system -o yaml > values.yaml
  4.   --namespace cattle-system \
  5.   -f values.yaml \
  6.   --version=2.4.5

If you are currently running the cert-manger whose version is older than v0.11, and want to upgrade both Rancher and cert-manager to a newer version, then you need to reinstall both Rancher and cert-manger due to the API change in cert-manger v0.11.

  1. Uninstall Rancher

    1. helm delete rancher -n cattle-system

  2. Uninstall and reinstall cert-manager according to the instructions on the Upgrading Cert-Manager page.

Render the Rancher template using the same chosen options that were used when installing Rancher. Use the reference table below to replace each placeholder. Rancher needs to be configured to use the private registry in order to provision any Rancher launched Kubernetes clusters or Rancher tools.

Based on the choice you made during installation, complete one of the procedures below.

Option A: Default Self-signed Certificate

  1. helm template ./rancher-<VERSION>.tgz --output-dir . \
  2.  --name rancher \
  3.  --namespace cattle-system \
  4.  --set hostname=<RANCHER.YOURDOMAIN.COM> \
  5.  --set certmanager.version=<CERTMANAGER_VERSION> \
  6.  --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
  7.  --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Available as of v2.2.0, set a default private registry to be used in Rancher
  8.  --set useBundledSystemChart=true # Available as of v2.3.0, use the packaged Rancher system charts

Option B: Certificates from Files using Kubernetes Secrets

  1. helm template ./rancher-<VERSION>.tgz --output-dir . \
  3. --namespace cattle-system \
  4. --set hostname=<RANCHER.YOURDOMAIN.COM> \
  5. --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
  6. --set ingress.tls.source=secret \
  7. --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Available as of v2.2.0, set a default private registry to be used in Rancher
  8. --set useBundledSystemChart=true # Available as of v2.3.0, use the packaged Rancher system charts

If you are using a Private CA signed cert, add --set privateCA=true following --set ingress.tls.source=secret:

  1. helm template ./rancher-<VERSION>.tgz --output-dir . \
  2. --name rancher \
  3. --namespace cattle-system \
  4. --set hostname=<RANCHER.YOURDOMAIN.COM> \
  5. --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
  6. --set ingress.tls.source=secret \
  7. --set privateCA=true \
  8. --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Available as of v2.2.0, set a default private registry to be used in Rancher

Apply the Rendered Templates

Copy the rendered manifest directories to a system with access to the Rancher server cluster and apply the rendered templates.

Use kubectl to apply the rendered manifests.

4. Verify the Upgrade

Log into Rancher to confirm that the upgrade succeeded.

Known Upgrade Issues

The following table lists some of the most noteworthy issues to be considered when upgrading Rancher. A more complete list of known issues for each Rancher version can be found in the release notes on GitHub and on the

Upgrade ScenarioIssue
Upgrading to v2.4.6 or v2.4.7These Rancher versions had an issue where the kms:ListKeys permission was required to create, edit, or clone Amazon EC2 node templates. This requirement was removed in v2.4.8.
Upgrading to v2.3.0+Any user provisioned cluster will be automatically updated upon any edit as tolerations were added to the images used for Kubernetes provisioning.
Upgrading to v2.2.0-v2.2.xRancher introduced the system charts repository which contains all the catalog items required for features such as monitoring, logging, alerting and global DNS. To be able to use these features in an air gap install, you will need to mirror the repository locally and configure Rancher to use that repository. Please follow the instructions to .
Upgrading from v2.0.13 or earlierIf your cluster’s certificates have expired, you will need to perform additional steps to rotate the certificates.
Upgrading from v2.0.7 or earlierRancher introduced the system project, which is a project that’s automatically created to store important namespaces that Kubernetes needs to operate. During upgrade to v2.0.7+, Rancher expects these namespaces to be unassigned from all projects. Before beginning upgrade, check your system namespaces to make sure that they’re unassigned to

RKE Add-on Installs

Important: RKE add-on install is only supported up to Rancher v2.0.8

If you are currently using the RKE add-on install method, see for details on how to move to using the helm chart.