diff --git a/docs/upgrades.md b/docs/upgrades.md
index ff9e5459d0e77d95ab94176477607966af3240d3..52dccba4283b9fc7871461398265a5217da6d4ad 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -403,3 +403,16 @@ Please note that **migrating container engines is not officially supported by Ku
 As of Kubespray 2.18.0, containerd is already the default container engine. If you have the chance, it is advisable and safer to reset and redeploy the entire cluster with a new container engine.
 * [Migrating from Docker to Containerd](upgrades/migrate_docker2containerd.md)
+
+## System upgrade
+
+If you want to upgrade the APT or YUM packages while the nodes are cordoned, you can use:
+
+```ShellSession
+ansible-playbook upgrade-cluster.yml -b -i inventory/sample/hosts.ini -e system_upgrade=true
+```
+
+Nodes will be rebooted when there are package upgrades (`system_upgrade_reboot: on-upgrade`).
+This can be changed to `always` or `never`.
+
+Note: Downloads will happen twice unless `system_upgrade_reboot` is `never`.
diff --git a/playbooks/upgrade_cluster.yml b/playbooks/upgrade_cluster.yml
index 5eccc56ba042f5e5edb316290b116a0b443641b3..272ec310f15b138a9070f32918ae06c0fe11ebb8 100644
--- a/playbooks/upgrade_cluster.yml
+++ b/playbooks/upgrade_cluster.yml
@@ -84,6 +84,8 @@
 roles:
 - { role: kubespray-defaults }
 - { role: upgrade/pre-upgrade, tags: pre-upgrade }
+ - { role: upgrade/system-upgrade, tags: system-upgrade }
+ - { role: download, tags: download, when: "system_upgrade and system_upgrade_reboot != 'never' and not skip_downloads" }
 - { role: kubernetes-apps/kubelet-csr-approver, tags: kubelet-csr-approver }
 - { role: container-engine, tags: "container-engine", when: deploy_container_engine }
 - { role: kubernetes/node, tags: node }
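Review bot: In the added `download` role line of playbooks/upgrade_cluster.yml, `system_upgrade` is tested as a bare variable, while the documented invocation passes it as `-e system_upgrade=true`, which arrives as a string. On Ansible versions that do not re-evaluate bare string variables in conditionals, any non-empty string is truthy, so `-e system_upgrade=false` would presumably still enable the package upgrade and the reboot. Casting closes this: `when: "system_upgrade | bool and system_upgrade_reboot != 'never' and not skip_downloads"`. The same applies to the identical line in the second hunk of this file and to the `- system_upgrade` conditions in roles/upgrade/system-upgrade/tasks/main.yml, which would become `- system_upgrade | bool`. The play that owns this roles list starts outside the hunk.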
@@ -116,6 +118,8 @@
 roles:
 - { role: kubespray-defaults }
 - { role: upgrade/pre-upgrade, tags: pre-upgrade }
+ - { role: upgrade/system-upgrade, tags: system-upgrade }
+ - { role: download, tags: download, when: "system_upgrade and system_upgrade_reboot != 'never' and not skip_downloads" }
 - { role: container-engine, tags: "container-engine", when: deploy_container_engine }
 - { role: kubernetes/node, tags: node }
 - { role: kubernetes/kubeadm, tags: kubeadm }
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index ec5b8e6a3235e673ce9bd7d7ac1a160244990fa2..d32dd3a5aae29bfdfc0fd4056a72c17a16212e08 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -681,3 +681,6 @@ krew_root_dir: "/usr/local/krew"
 # sysctl_file_path to add sysctl conf to
 sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
+
+system_upgrade: false
+system_upgrade_reboot: on-upgrade # never, always
diff --git a/roles/upgrade/system-upgrade/tasks/apt.yml b/roles/upgrade/system-upgrade/tasks/apt.yml
new file mode 100644
index 0000000000000000000000000000000000000000..992bbce443f3a1b6dc0d78e84647c20fdcb0164e
--- /dev/null
+++ b/roles/upgrade/system-upgrade/tasks/apt.yml
@@ -0,0 +1,13 @@
+---
+- name: APT Dist-Upgrade
+ apt:
+ upgrade: dist
+ autoremove: true
+ dpkg_options: force-confold,force-confdef
+ register: apt_upgrade
+
+- name: Reboot after APT Dist-Upgrade # noqa no-handler
+ when:
+ - apt_upgrade.changed or system_upgrade_reboot == 'always'
+ - system_upgrade_reboot != 'never'
+ reboot:
diff --git a/roles/upgrade/system-upgrade/tasks/main.yml b/roles/upgrade/system-upgrade/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..61561b14578c1480c2a7d92b720e7e44020a3d18
--- /dev/null
+++ b/roles/upgrade/system-upgrade/tasks/main.yml
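Review bot: `system_upgrade_reboot` in roles/kubespray-defaults/defaults/main.yaml accepts any string, and the reboot conditions in apt.yml and yum.yml treat every value other than `always` and `never` as `on-upgrade`, so a misspelt `never` still reboots nodes after a package change. The trailing comment lists only the two alternatives; I would put `# one of: on-upgrade, always, never` above the variable and add a one-line comment on `system_upgrade` saying that it runs a full distribution package upgrade on every node. An `assert` on the allowed values at the start of the system-upgrade role would turn a misspelling into an early failure, if the project wants that.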
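Review bot: The `apt` task in roles/upgrade/system-upgrade/tasks/apt.yml runs `upgrade: dist` without `update_cache`, so it resolves against whatever package index is already on the node; unless an earlier role refreshes it, security fixes published since the last index update are not installed and the task reports no change. Adding `update_cache: true` to the task makes the result independent of cache age. Separately, `autoremove: true` combined with a dist-upgrade lets APT remove packages it considers unused, and nothing visible here holds back packages that other roles manage, so a comment stating that this is intended would help. The bare `reboot:` relies on the module's default timeouts, which may be short for hosts that are slow to come back.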
@@ -0,0 +1,17 @@
+---
+- name: APT upgrade
+ when:
+ - system_upgrade
+ - ansible_os_family == "Debian"
+ include_tasks: apt.yml
+ tags:
+ - system-upgrade-apt
+
+- name: YUM upgrade
+ when:
+ - system_upgrade
+ - ansible_os_family == "RedHat"
+ - not is_fedora_coreos
+ include_tasks: yum.yml
+ tags:
+ - system-upgrade-yum
diff --git a/roles/upgrade/system-upgrade/tasks/yum.yml b/roles/upgrade/system-upgrade/tasks/yum.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6a27177f0d9e817f23baa9ffff769e922748787f
--- /dev/null
+++ b/roles/upgrade/system-upgrade/tasks/yum.yml
@@ -0,0 +1,12 @@
+---
+- name: YUM upgrade all packages # noqa package-latest
+ yum:
+ name: '*'
+ state: latest
+ register: yum_upgrade
+
+- name: Reboot after YUM upgrade # noqa no-handler
+ when:
+ - yum_upgrade.changed or system_upgrade_reboot == 'always'
+ - system_upgrade_reboot != 'never'
+ reboot:
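Review bot: The `tags` on the two `include_tasks` entries in roles/upgrade/system-upgrade/tasks/main.yml apply to the include statement only; dynamically included tasks do not inherit them, so a run limited to `--tags system-upgrade-apt` would most likely process the include and then skip every task in apt.yml. Either switch to `import_tasks: apt.yml` and `import_tasks: yum.yml`, or pass the tag down through the include's `apply` keyword. Also, with `system_upgrade` set, hosts whose `ansible_os_family` is neither `Debian` nor `RedHat`, and Fedora CoreOS hosts, fall through both conditions silently, so an operator can believe the nodes were patched when nothing ran. A final task that reports the skipped family would make that visible.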
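Review bot: `name: '*'` with `state: latest` in roles/upgrade/system-upgrade/tasks/yum.yml upgrades every installed package with no `exclude`, which can include packages whose versions other roles are expected to control (for example a container engine installed from a repository), and the playbook runs this role before `container-engine`. The yum module's `exclude` parameter, fed from a list variable that defaults to empty, would let operators hold those back. Its `security: true` option is also worth exposing for clusters that only want security errata. As in apt.yml, the reboot fires on any package change rather than on a reboot-required signal, which deserves a short comment next to the `# noqa no-handler` marker.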