diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh
index c413b23c3db..96882dbd59c 100755
--- a/cluster/aws/util.sh
+++ b/cluster/aws/util.sh
@@ -999,6 +999,7 @@ function start-master() {
 echo "cat > kube_env.yaml << __EOF_MASTER_KUBE_ENV_YAML"
 cat ${KUBE_TEMP}/master-kube-env.yaml
+ echo "AUTO_UPGRADE: 'true'"
 # TODO: get rid of these exceptions / harmonize with common or GCE
 echo "DOCKER_STORAGE: $(yaml-quote ${DOCKER_STORAGE:-})"
 echo "API_SERVERS: $(yaml-quote ${MASTER_INTERNAL_IP:-})"
@@ -1093,6 +1094,7 @@ function start-minions() {
 echo "cd /var/cache/kubernetes-install"
 echo "cat > kube_env.yaml << __EOF_KUBE_ENV_YAML"
 cat ${KUBE_TEMP}/node-kube-env.yaml
+ echo "AUTO_UPGRADE: 'true'"
 # TODO: get rid of these exceptions / harmonize with common or GCE
 echo "DOCKER_STORAGE: $(yaml-quote ${DOCKER_STORAGE:-})"
 echo "API_SERVERS: $(yaml-quote ${MASTER_INTERNAL_IP:-})"
diff --git a/cluster/gce/configure-vm.sh b/cluster/gce/configure-vm.sh
index d345407cd9c..0a91cf50867 100755
--- a/cluster/gce/configure-vm.sh
+++ b/cluster/gce/configure-vm.sh
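Review bot: In cluster/aws/util.sh, the added `echo "AUTO_UPGRADE: 'true'"` in start-master hard-codes the setting, so an operator has no variable to turn unattended upgrades off for an AWS cluster; the same line is added in the start-minions hunk. The neighbouring lines already take their value from the environment, so `echo "AUTO_UPGRADE: $(yaml-quote ${AUTO_UPGRADE:-true})"` would keep the new default while leaving an opt-out. If the AWS bootstrap reads this key the way cluster/gce/configure-vm.sh does in this commit, AUTO_REBOOT also defaults to true there, so every master and node may reboot itself during provisioning. It is also worth checking that master-kube-env.yaml and node-kube-env.yaml never carry AUTO_UPGRADE themselves, since the key would then appear twice in kube_env.yaml. Both function bodies start and end outside the hunks.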
@@ -212,6 +212,57 @@ apt-get-update() {
 done
 }
+# Restart any services that need restarting due to a library upgrade
+# Uses needrestart
+restart-updated-services() {
+ # We default to restarting services, because this is only done as part of an update
+ if [[ "${AUTO_RESTART_SERVICES:-true}" != "true" ]]; then
+ echo "Auto restart of services prevented by AUTO_RESTART_SERVICES=${AUTO_RESTART_SERVICES}"
+ return
+ fi
+ echo "Restarting services with updated libraries (needrestart -r a)"
+ # The pipes make sure that needrestart doesn't think it is running with a TTY
+ # Debian bug #803249; fixed but not necessarily in package repos yet
+ echo "" | needrestart -r a 2>&1 | tee /dev/null
+}
+
+# Reboot the machine if /var/run/reboot-required exists
+reboot-if-required() {
+ if [[ ! -e "/var/run/reboot-required" ]]; then
+ return
+ fi
+
+ echo "Reboot is required (/var/run/reboot-required detected)"
+ if [[ -e "/var/run/reboot-required.pkgs" ]]; then
+ echo "Packages that triggered reboot:"
+ cat /var/run/reboot-required.pkgs
+ fi
+
+ # We default to rebooting the machine because this is only done as part of an update
+ if [[ "${AUTO_REBOOT:-true}" != "true" ]]; then
+ echo "Reboot prevented by AUTO_REBOOT=${AUTO_REBOOT}"
+ return
+ fi
+
+ rm -f /var/run/reboot-required
+ rm -f /var/run/reboot-required.pkgs
+ echo "Triggering reboot"
+ init 6
+}
+
+# Install upgrades using unattended-upgrades, then reboot or restart services
+auto-upgrade() {
+ # We default to not installing upgrades
+ if [[ "${AUTO_UPGRADE:-false}" != "true" ]]; then
+ echo "AUTO_UPGRADE not set to true; won't auto-upgrade"
+ return
+ fi
+ apt-get-install unattended-upgrades needrestart
+ unattended-upgrade --debug
+ reboot-if-required # We may reboot the machine right here
+ restart-updated-services
+}
+
 #
 # Install salt from GCS. See README.md for instructions on how to update these
 # debs.
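Review bot: In reboot-if-required, `init 6` only requests the reboot and then returns, so auto-upgrade goes on to call restart-updated-services and the caller keeps provisioning while the machine is shutting down. Stopping the script at that point, for example `init 6` followed by `exit 0`, would avoid half-applied setup; this presumes the startup script runs again on the next boot, which is not visible here. The two `rm -f` calls also clear the reboot marker before the reboot is known to have started, so a failed `init 6` leaves no trace that a reboot is still pending. In restart-updated-services the pipeline's status is that of `tee /dev/null`, so a needrestart failure is never seen, and the result of `unattended-upgrade --debug` is not checked either; a host that failed to patch should at least log that.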
@@ -834,6 +885,7 @@ if [[ -z "${is_push}" ]]; then
 ensure-install-dir
 ensure-packages
 set-kube-env
+ auto-upgrade
 ensure-local-disks
 [[ "${KUBERNETES_MASTER}" == "true" ]] && mount-master-pd
 create-salt-pillar
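Review bot: The new `auto-upgrade` call sits between set-kube-env and ensure-local-disks with nothing explaining why, although its position matters: it may reboot the VM, and it reads AUTO_UPGRADE, which presumably only exists once set-kube-env has loaded kube-env. A comment above it would keep a later reorder from breaking that, e.g. `# May reboot; needs kube-env loaded, and must run before steps that are unsafe to interrupt`. The call is also only on the `-z "${is_push}"` path, so a push does not upgrade packages; if that is intended, say so in the same comment. The enclosing if block starts and ends outside the hunk.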