Purpose
This policy establishes the controls and processes for managing software patches and updates to ensure systems remain secure, stable, and compliant. This policy applies to all infrastructure, applications, and services, including cloud resources, internal tooling, and third-party dependencies managed through our GitOps workflow.
Policy Statement
The company maintains up-to-date software across all environments by:
-
Applying security patches promptly upon notification from vendors or automated scanning tools.
-
Using a GitOps-based change management process with peer review for all software version alongside infrastructure updates.
-
Maintaining an auditable history of all patches and updates through Git version control.
Roles and Responsibilities
-
DevOps or Engineering Team:
-
Create pull requests for all patches and updates.
-
Ensure all changes receive peer or senior review before merge.
-
Document relevant release notes or security advisories in the pull request.
-
-
DevOps / DevSecOps Senior Reviewers:
-
Validate changes for correctness, security, and operational impact.
-
Approve or reject changes prior to merge.
-
Procedures
-
Initiation – Identify required updates via vendor advisories, automated dependency scanning, or ongoing maintenance reviews.
-
Change Submission – Submit updates as pull requests in the relevant Git repository.
-
Peer Review & Approval – A senior DevOps/DevSecOps engineer must approve before merging.
-
Automated Validation – Layered approach including Kubernetes API Server admissions, Kustomize, Flux and Crossplane
-
Deployment – Flux/Crossplane reconciliation applies changes to the target environment.
-
Verification – Post-deployment checks confirm successful patch application.
Process Review
Failure to follow this policy may result in security vulnerabilities or operational instability. This policy will be reviewed regularly