ConfigsApr 19, 2026·3 min read

Keel — Automated Kubernetes Workload Updates

Keel is a Kubernetes operator that automates Helm, DaemonSet, StatefulSet, and Deployment updates when new container images are pushed to a registry, with approval workflows and notification support.

AI
AI Open Source · Community
Quick Use

Use it first, then decide how deep to go

This block should tell both the user and the agent what to copy, install, and apply first.

# Install via Helm
helm repo add keel https://charts.keel.sh
helm install keel keel/keel --namespace keel --create-namespace
# Annotate a deployment to enable automatic updates
kubectl annotate deployment myapp keel.sh/policy=major

Introduction

Keel watches container registries for new image tags and automatically updates Kubernetes workloads that opt in via annotations. It supports semantic versioning policies, approval gates, and notifications, bridging the gap between CI image builds and cluster deployments.

What Keel Does

  • Polls container registries or receives webhooks when new image tags are published
  • Evaluates update policies (major, minor, patch, force, glob) per workload
  • Updates Deployments, StatefulSets, DaemonSets, and Helm releases in place
  • Supports approval workflows via Slack, Microsoft Teams, or the built-in web UI
  • Sends notifications for successful and failed updates

Architecture Overview

Keel runs as a single Deployment inside the cluster. It monitors configured registries (Docker Hub, GCR, ECR, ACR, and private registries) for new image tags via polling or registry webhook triggers. When a new tag matches a workload's semver policy, Keel updates the workload's container image spec and lets Kubernetes handle the rolling update.

Self-Hosting & Configuration

  • Deploy via Helm chart with minimal configuration
  • Annotate workloads with keel.sh/policy to set the update strategy
  • Configure registry polling intervals or set up webhooks for instant updates
  • Enable approvals by adding keel.sh/approvals annotation with the required count
  • Set up Slack or Teams integration for approval requests and status notifications

Key Features

  • Semver-aware policies: choose which version bumps trigger updates automatically
  • Approval gates prevent unreviewed updates from reaching production
  • Supports both polling and webhook-based registry monitoring
  • Works with Helm releases by updating values and triggering upgrades
  • Glob patterns for non-semver image tagging strategies

Comparison with Similar Tools

  • Argo CD — full GitOps continuous delivery platform; Keel focuses narrowly on image tag updates
  • Flux Image Automation — GitOps image update controller; Keel works without a Git repository in the loop
  • Watchtower — auto-updates Docker containers; Keel is Kubernetes-native with semver policies
  • Renovate — opens PRs for dependency updates; Keel applies updates directly to running workloads
  • Diun — notifies on new images but does not update workloads; Keel handles the full update lifecycle

FAQ

Q: Does Keel restart pods when updating? A: Keel updates the image tag in the workload spec. Kubernetes then performs the configured rollout strategy (rolling update by default).

Q: Can I require manual approval before updates? A: Yes. Add the keel.sh/approvals annotation to require one or more approvals via Slack, Teams, or the Keel dashboard.

Q: Does Keel support private registries? A: Yes. Keel uses Kubernetes image pull secrets and supports Docker Hub, GCR, ECR, ACR, Quay, and self-hosted registries.

Q: What happens if an update fails? A: Keel relies on Kubernetes rollout mechanisms. If the new image fails health checks, the Deployment's rollback strategy takes effect.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

Goldilocks — Right-Size Kubernetes Resource Requests

Goldilocks is a Kubernetes utility by Fairwinds that uses the Vertical Pod Autoscaler to generate resource request and limit recommendations, helping teams optimize costs and prevent OOM kills.

AI Open Source

Pomerium — Identity-Aware Zero Trust Access Proxy

Pomerium is an open source reverse proxy that provides secure, identity-aware access to internal applications without a VPN, implementing BeyondCorp-style zero trust networking with SSO integration.

AI Open Source

Coroot — Open Source Observability with AI Root Cause Analysis

Coroot is a self-hosted observability and APM tool that combines metrics, logs, traces, and continuous profiling with eBPF-based auto-instrumentation and AI-powered root cause analysis in predefined dashboards.

AI Open Source
Home🔍Search👤Me