Container Definition for TiDB


So let's discuss updates first, starting with the lowest level and working our way up.

In our cloud deployment, patching of the infrastructure, switches, routers, firmware is all handled by Google. Sitting above that is Kubernetes, which is also handled by Google.

We then have the Google Kubernetes Engine and the node pool of VMs running Container-Optimized OS (COS).

We have some flexibility in selecting the master version of the Google Kubernetes Engine (at the time of writing the default is 1.9.7), but ultimately Google manages the patching for everything I have mentioned so far.

In an on-premises deployment, you may have an infrastructure team that is responsible for patching these components. The good news is that none of this is specific to the TiDB platform so far, and because each TiDB platform component has built-in High Availability, updates are easier to apply.

If you need to perform a rolling update where you temporarily shut down infrastructure as you patch it, that is fine.

Sitting above the Google Kubernetes Engine are the TiDB operator and the container images for TiDB. One of the nice properties of containers being lighter weight than a full operating system is that there is less surface area for security vulnerabilities.

The TiDB container images provided with TiDB operator are built with something called the builder pattern.

This means that an initial container is used to build the software binary, and then only the essential components are copied to a new container.

The builder pattern plus the use of a minimal Alpine Linux base image is considered a best practice in the Kubernetes world, as it leaves the least amount of surface area for exposure.
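As an added illustration of the builder pattern just described (this is not TiDB's or TiDB operator's own build file), a two-stage Dockerfile that compiles a Go binary in a full toolchain image and copies only the result into an Alpine runtime image; the module path, binary name, port and image tags are placeholders:

```dockerfile
# Stage 1: build with the full Go toolchain.
# Module path, binary name and tags are placeholders, not TiDB's.
FROM golang:1.11-alpine AS builder
RUN apk add --no-cache git make
WORKDIR /go/src/github.com/example/service
COPY . .
# Static binary with symbols stripped: no dependency on the
# builder image's libc, and nothing from the toolchain is carried over.
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" \
    -o /out/service ./cmd/service

# Stage 2: minimal runtime image holding only what the binary needs.
FROM alpine:3.8
RUN apk add --no-cache ca-certificates tzdata \
    && addgroup -S app && adduser -S -G app app
COPY --from=builder /out/service /usr/local/bin/service
# Run as an unprivileged user rather than root inside the container.
USER app
EXPOSE 4000
ENTRYPOINT ["/usr/local/bin/service"]
```

Only the second stage ends up in the published image, so compilers, source and build dependencies never reach the running container.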

Moving up the stack, the next component is the TiDB platform itself, and applying minor version updates such as from 2.0.4 to 2.0.7.

The first point is that you do not need to apply these updates in order, so upgrading from any 2.0.x to 2.0.y is expected to be very low risk.

TiDB operator also allows you to perform a rolling upgrade and increase the minor version of each pod one after the other without downtime.

The second point is how best to find out about updates to TiDB components:

One way is to watch for CVEs that affect TiDB. If you come from a systems administration background, you will be familiar with the CVE process and know how to watch for vulnerabilities that affect you.

But the easier way, and the one I recommend, is to make sure that you are subscribed to receive updates with your pingcap.com account. This allows you to receive an email as new updates are released.