Technically no different than what you’d do in the cloud - have multiple of each resource so you can update them one by one while the others keep serving traffic.
Additionally, not every update needs to be applied, you need to understand your threat model and only apply updates when they actually patch something that would affect you - this cuts down on the actual number of updates that you need.
Additionally, not every update needs to be applied, you need to understand your threat model and only apply updates when they actually patch something that would affect you - this cuts down on the actual number of updates that you need.