diff --git a/.github/workflows/pull_request_template.md b/.github/pull_request_template.md
similarity index 100%
rename from .github/workflows/pull_request_template.md
rename to .github/pull_request_template.md
diff --git a/README.md b/README.md
index e372f55..619cc1a 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,12 @@ on processor architecture:
 ## System requirements
 
 Deployment environment must have Ansible 2.4.0+
-Server and agent nodes must have passwordless SSH access
+
+All nodes in inventory must have:
+- Passwordless SSH access
+- Root access (or a user with equivalent permissions) 
+
+It is also recommended that all nodes disable firewalls and swap. See [K3s Requirements](https://docs.k3s.io/installation/requirements) for more information.
 
 ## Usage
 
@@ -59,6 +64,15 @@ Start provisioning of the cluster using the following command:
 ansible-playbook playbook/site.yml -i inventory.yml
 ```
 
+## Upgrading
+
+A playbook is provided to upgrade k3s on all nodes in the cluster. To use it, update `k3s_version` with the desired version in `inventory.yml` and run:
+
+```bash
+ansible-playbook playbook/upgrade.yml -i inventory.yml
+```
+
+
 ## Kubeconfig
 
 After successful bringup, the kubeconfig of the cluster is copied to the control-node and set as default (`~/.kube/config`).
diff --git a/playbook/upgrade.yml b/playbook/upgrade.yml
new file mode 100644
index 0000000..8410873
--- /dev/null
+++ b/playbook/upgrade.yml
@@ -0,0 +1,18 @@
+---
+
+# Servers should be restarted sequientally to avoid etcd learner issues
+# Agents have no such limitation
+- name: Upgrade K3s Servers
+  hosts: server
+  gather_facts: true
+  become: true
+  serial: 1
+  roles:
+    - role: upgrade
+
+- name: Upgrade K3s Agents
+  hosts: agent
+  gather_facts: true
+  become: true
+  roles:
+    - role: upgrade
diff --git a/roles/upgrade/tasks/main.yml b/roles/upgrade/tasks/main.yml
new file mode 100644
index 0000000..20b46bf
--- /dev/null
+++ b/roles/upgrade/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Set var defaults
+  when: systemd_dir is undefined
+  ansible.builtin.set_fact:
+    systemd_dir: /etc/systemd/system
+
+# with_fileglob doesn't work with remote_src, it tries to find the file on the
+# local control-plane instead of the remote host. Shell supports wildcards.
+- name: Save current K3s service
+  ansible.builtin.shell:
+    cmd: "cp {{ systemd_dir }}/k3s*.service /tmp/"
+  changed_when: true
+
+- name: Install new K3s Version
+  ansible.builtin.command:
+    cmd: /usr/local/bin/k3s-install.sh
+  environment:
+    INSTALL_K3S_SKIP_START: "true"
+    INSTALL_K3S_VERSION: "{{ k3s_version }}"
+  changed_when: true
+
+- name: Restore K3s service
+  ansible.builtin.shell:
+    cmd: "mv /tmp/k3s*.service {{ systemd_dir }}/"
+  changed_when: true
+
+- name: Restart K3s service [server]
+  when: "'server' in group_names"
+  ansible.builtin.systemd:
+    state: restarted
+    daemon_reload: true
+    name: k3s
+
+- name: Restart K3s service [agent]
+  when: "'agent' in group_names"
+  ansible.builtin.systemd:
+    state: restarted
+    daemon_reload: true
+    name: k3s-agent