Introduction
Keel watches container registries for new image tags and automatically updates Kubernetes workloads that opt in via annotations. It supports semantic versioning policies, approval gates, and notifications, bridging the gap between CI image builds and cluster deployments.
What Keel Does
- Polls container registries or receives webhooks when new image tags are published
- Evaluates update policies (major, minor, patch, force, glob) per workload
- Updates Deployments, StatefulSets, DaemonSets, and Helm releases in place
- Supports approval workflows via Slack, Microsoft Teams, or the built-in web UI
- Sends notifications for successful and failed updates
Architecture Overview
Keel runs as a single Deployment inside the cluster. It monitors configured registries (Docker Hub, GCR, ECR, ACR, and private registries) for new image tags via polling or registry webhook triggers. When a new tag matches a workload's semver policy, Keel updates the workload's container image spec and lets Kubernetes handle the rolling update.
Self-Hosting & Configuration
- Deploy via Helm chart with minimal configuration
- Annotate workloads with keel.sh/policy to set the update strategy
- Configure registry polling intervals or set up webhooks for instant updates
- Enable approvals by adding the keel.sh/approvals annotation with the required count
- Set up Slack or Teams integration for approval requests and status notifications
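Because an annotated workload pulls whatever new tag the registry publishes, it helps to review which workloads have opted in and whether an approval gate is set. The script below is an added example, not part of Keel or of the original page: it audits the keel.sh/policy and keel.sh/approvals annotations on manifest dicts. The function names, the finding texts, the sample manifests, and the "glob:<pattern>" spelling of glob policies are assumptions.

```python
# Added example (not Keel's code): flag risky Keel annotations on workloads.
KNOWN_POLICIES = {"major", "minor", "patch", "force"}  # policies the page lists

def audit_keel(workload):
    """Return findings for one manifest dict, e.g. from `kubectl get -o json`."""
    ann = workload.get("metadata", {}).get("annotations") or {}
    policy = ann.get("keel.sh/policy")
    if policy is None:
        return []  # workload has not opted in to Keel
    findings = []
    raw = str(ann.get("keel.sh/approvals", "0"))
    if not raw.isdigit():
        findings.append("keel.sh/approvals is not a non-negative integer")
    elif int(raw) < 1:
        findings.append("no approval gate: new tags roll out unreviewed")
    # Assumption: glob policies are written as "glob:<pattern>".
    if policy.startswith("glob:"):
        if policy[5:].strip("*") == "":
            findings.append("glob matches every tag")
    elif policy not in KNOWN_POLICIES:
        findings.append(f"unrecognised policy {policy!r}")
    elif policy == "force":
        findings.append("force policy: tag changes apply without a semver bound")
    elif policy == "major":
        findings.append("major policy: breaking version bumps apply automatically")
    return findings

def audit_all(workloads):
    """Map workload name -> findings, omitting workloads with none."""
    report = {}
    for w in workloads:
        findings = audit_keel(w)
        if findings:
            report[w["metadata"]["name"]] = findings
    return report

# Constructed sample manifests, trimmed to the fields the audit reads.
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "api", "annotations": {
        "keel.sh/policy": "minor", "keel.sh/approvals": "1"}}},
    {"kind": "Deployment", "metadata": {"name": "worker", "annotations": {
        "keel.sh/policy": "force"}}},
    {"kind": "DaemonSet", "metadata": {"name": "agent", "annotations": {
        "keel.sh/policy": "glob:*", "keel.sh/approvals": "2"}}},
    {"kind": "StatefulSet", "metadata": {"name": "db"}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print("\n".join(f"{name}: {f}" for f in findings))
```

The check covers annotation-based workloads only; Helm releases managed by Keel would need their chart values reviewed separately.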
Key Features
- Semver-aware policies: choose which version bumps trigger updates automatically
- Approval gates prevent unreviewed updates from reaching production
- Supports both polling and webhook-based registry monitoring
- Works with Helm releases by updating values and triggering upgrades
- Glob patterns for non-semver image tagging strategies
Comparison with Similar Tools
- Argo CD — full GitOps continuous delivery platform; Keel focuses narrowly on image tag updates
- Flux Image Automation — GitOps image update controller; Keel works without a Git repository in the loop
- Watchtower — auto-updates Docker containers; Keel is Kubernetes-native with semver policies
- Renovate — opens PRs for dependency updates; Keel applies updates directly to running workloads
- Diun — notifies on new images but does not update workloads; Keel handles the full update lifecycle
FAQ
Q: Does Keel restart pods when updating? A: Keel updates the image tag in the workload spec. Kubernetes then performs the configured rollout strategy (rolling update by default).
Q: Can I require manual approval before updates? A: Yes. Add the keel.sh/approvals annotation to require one or more approvals via Slack, Teams, or the Keel dashboard.
Q: Does Keel support private registries? A: Yes. Keel uses Kubernetes image pull secrets and supports Docker Hub, GCR, ECR, ACR, Quay, and self-hosted registries.
Q: What happens if an update fails? A: Keel relies on Kubernetes rollout mechanisms. If the new image fails health checks, the Deployment's rollback strategy takes effect.