diff --git a/_argocd/apps/upgrade-plans.yaml b/_argocd/apps/upgrade-plans.yaml
new file mode 100644
index 0000000..4820086
--- /dev/null
+++ b/_argocd/apps/upgrade-plans.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: upgrade-plans
+  namespace: argocd
+spec:
+  destination:
+    namespace: system-upgrade
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: cluster-components/upgrade-plans
+    repoURL: https://gitlab.mareshq.com/gitops/mareshq/bee.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
diff --git a/cluster-components/upgrade-plans/k3s.yaml b/cluster-components/upgrade-plans/k3s.yaml
new file mode 100644
index 0000000..9561f41
--- /dev/null
+++ b/cluster-components/upgrade-plans/k3s.yaml
@@ -0,0 +1,47 @@
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: k3s-server
+  namespace: system-upgrade
+  labels:
+    k3s-upgrade: server
+spec:
+  concurrency: 1 # Batch size (roughly maps to maximum number of unschedulable nodes)
+  channel: https://update.k3s.io/v1-release/channels/v1.24
+  nodeSelector:
+    matchExpressions:
+      - {key: k3s-upgrade, operator: Exists}
+      - {key: k3s-upgrade, operator: NotIn, values: ["disabled", "false"]}
+      - {key: k3os.io/mode, operator: DoesNotExist}
+      - {key: node-role.kubernetes.io/control-plane, operator: Exists}
+  serviceAccountName: system-upgrade
+  cordon: true
+  upgrade:
+    image: rancher/k3s-upgrade
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: k3s-agent
+  namespace: system-upgrade
+  labels:
+    k3s-upgrade: agent
+spec:
+  concurrency: 1 # Batch size (roughly maps to maximum number of unschedulable nodes)
+  channel: https://update.k3s.io/v1-release/channels/v1.24
+  nodeSelector:
+    matchExpressions:
+      - {key: k3s-upgrade, operator: Exists}
+      - {key: k3s-upgrade, operator: NotIn, values: ["disabled", "false"]}
+      - {key: k3os.io/mode, operator: DoesNotExist}
+      - {key: node-role.kubernetes.io/control-plane, operator: DoesNotExist}
+  serviceAccountName: system-upgrade
+  prepare:
+    # Defaults to the same "resolved" tag that is used for the `upgrade` container, NOT `latest`
+    image: rancher/k3s-upgrade
+    args: ["prepare", "k3s-server"]
+  drain:
+    force: true
+    skipWaitForDeleteTimeout: 60 # 1.18+ (honor pod disruption budgets up to 60 seconds per pod then moves on)
+  upgrade:
+    image: rancher/k3s-upgrade