AWS Quickstart
On this page
Connect Crossplane to AWS to create and manage cloud resources from Kubernetes
with
provider-upjet-aws.
This guide is in two parts:
- Part 1 walks through installing Crossplane, configuring the provider to authenticate to AWS and creating a Managed Resource in AWS directly from your Kubernetes cluster. This shows Crossplane can communicate with AWS.
- Part 2 shows how to build and access a custom API with Crossplane.
Prerequisites
This quickstart requires:
- a Kubernetes cluster with at least 2 GB of RAM
- permissions to create pods and secrets in the Kubernetes cluster
- Helm version v3.2.0 or later
- an AWS account with permissions to create an S3 storage bucket
- AWS access keys
Install Crossplane
Crossplane installs into an existing Kubernetes cluster.
Tip
If you don’t have a Kubernetes cluster create one locally with Kind.
Install the Crossplane Helm chart
Helm enables Crossplane to install all its Kubernetes components through a Helm Chart.
Enable the Crossplane Helm Chart repository:
Run the Helm dry-run to see all the Crossplane components Helm installs.
1helm install crossplane \
2crossplane-stable/crossplane \
3--dry-run --debug \
4--namespace crossplane-system \
5--create-namespace
1helm install crossplane \
2crossplane-stable/crossplane \
3--dry-run --debug \
4--namespace crossplane-system \
5--create-namespace
6install.go:214: [debug] Original chart version: ""
7install.go:216: [debug] setting version to >0.0.0-0
8install.go:231: [debug] CHART PATH: /Users/plumbis/Library/Caches/helm/repository/crossplane-1.15.0.tgz
9
10NAME: crossplane
11LAST DEPLOYED: Mon Feb 12 14:46:15 2024
12NAMESPACE: default
13STATUS: pending-install
14REVISION: 1
15TEST SUITE: None
16USER-SUPPLIED VALUES:
17{}
18
19COMPUTED VALUES:
20affinity: {}
21args: []
22configuration:
23 packages: []
24customAnnotations: {}
25customLabels: {}
26deploymentStrategy: RollingUpdate
27extraEnvVarsCrossplane: {}
28extraEnvVarsRBACManager: {}
29extraObjects: []
30extraVolumeMountsCrossplane: {}
31extraVolumesCrossplane: {}
32function:
33 packages: []
34hostNetwork: false
35image:
36 pullPolicy: IfNotPresent
37 repository: xpkg.crossplane.io/crossplane/crossplane
38 tag: ""
39imagePullSecrets: {}
40leaderElection: true
41metrics:
42 enabled: false
43nodeSelector: {}
44packageCache:
45 configMap: ""
46 medium: ""
47 pvc: ""
48 sizeLimit: 20Mi
49podSecurityContextCrossplane: {}
50podSecurityContextRBACManager: {}
51priorityClassName: ""
52provider:
53 packages: []
54rbacManager:
55 affinity: {}
56 args: []
57 deploy: true
58 leaderElection: true
59 nodeSelector: {}
60 replicas: 1
61 skipAggregatedClusterRoles: false
62 tolerations: []
63registryCaBundleConfig:
64 key: ""
65 name: ""
66replicas: 1
67resourcesCrossplane:
68 limits:
69 cpu: 100m
70 memory: 512Mi
71 requests:
72 cpu: 100m
73 memory: 256Mi
74resourcesRBACManager:
75 limits:
76 cpu: 100m
77 memory: 512Mi
78 requests:
79 cpu: 100m
80 memory: 256Mi
81securityContextCrossplane:
82 allowPrivilegeEscalation: false
83 readOnlyRootFilesystem: true
84 runAsGroup: 65532
85 runAsUser: 65532
86securityContextRBACManager:
87 allowPrivilegeEscalation: false
88 readOnlyRootFilesystem: true
89 runAsGroup: 65532
90 runAsUser: 65532
91serviceAccount:
92 customAnnotations: {}
93tolerations: []
94webhooks:
95 enabled: true
96
97HOOKS:
98MANIFEST:
99---
100# Source: crossplane/templates/rbac-manager-serviceaccount.yaml
101apiVersion: v1
102kind: ServiceAccount
103metadata:
104 name: rbac-manager
105 namespace: default
106 labels:
107 app: crossplane
108 helm.sh/chart: crossplane-1.15.0
109 app.kubernetes.io/managed-by: Helm
110 app.kubernetes.io/component: cloud-infrastructure-controller
111 app.kubernetes.io/part-of: crossplane
112 app.kubernetes.io/name: crossplane
113 app.kubernetes.io/instance: crossplane
114 app.kubernetes.io/version: "1.15.0"
115---
116# Source: crossplane/templates/serviceaccount.yaml
117apiVersion: v1
118kind: ServiceAccount
119metadata:
120 name: crossplane
121 namespace: default
122 labels:
123 app: crossplane
124 helm.sh/chart: crossplane-1.15.0
125 app.kubernetes.io/managed-by: Helm
126 app.kubernetes.io/component: cloud-infrastructure-controller
127 app.kubernetes.io/part-of: crossplane
128 app.kubernetes.io/name: crossplane
129 app.kubernetes.io/instance: crossplane
130 app.kubernetes.io/version: "1.15.0"
131---
132# Source: crossplane/templates/secret.yaml
133# The reason this is created empty and filled by the init container is we want
134# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
135# is deleted, the secret is deleted as well.
136apiVersion: v1
137kind: Secret
138metadata:
139 name: crossplane-root-ca
140 namespace: default
141type: Opaque
142---
143# Source: crossplane/templates/secret.yaml
144# The reason this is created empty and filled by the init container is we want
145# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
146# is deleted, the secret is deleted as well.
147apiVersion: v1
148kind: Secret
149metadata:
150 name: crossplane-tls-server
151 namespace: default
152type: Opaque
153---
154# Source: crossplane/templates/secret.yaml
155# The reason this is created empty and filled by the init container is we want
156# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
157# is deleted, the secret is deleted as well.
158apiVersion: v1
159kind: Secret
160metadata:
161 name: crossplane-tls-client
162 namespace: default
163type: Opaque
164---
165# Source: crossplane/templates/clusterrole.yaml
166apiVersion: rbac.authorization.k8s.io/v1
167kind: ClusterRole
168metadata:
169 name: crossplane
170 labels:
171 app: crossplane
172 helm.sh/chart: crossplane-1.15.0
173 app.kubernetes.io/managed-by: Helm
174 app.kubernetes.io/component: cloud-infrastructure-controller
175 app.kubernetes.io/part-of: crossplane
176 app.kubernetes.io/name: crossplane
177 app.kubernetes.io/instance: crossplane
178 app.kubernetes.io/version: "1.15.0"
179aggregationRule:
180 clusterRoleSelectors:
181 - matchLabels:
182 rbac.crossplane.io/aggregate-to-crossplane: "true"
183---
184# Source: crossplane/templates/clusterrole.yaml
185apiVersion: rbac.authorization.k8s.io/v1
186kind: ClusterRole
187metadata:
188 name: crossplane:system:aggregate-to-crossplane
189 labels:
190 app: crossplane
191 helm.sh/chart: crossplane-1.15.0
192 app.kubernetes.io/managed-by: Helm
193 app.kubernetes.io/component: cloud-infrastructure-controller
194 app.kubernetes.io/part-of: crossplane
195 app.kubernetes.io/name: crossplane
196 app.kubernetes.io/instance: crossplane
197 app.kubernetes.io/version: "1.15.0"
198 crossplane.io/scope: "system"
199 rbac.crossplane.io/aggregate-to-crossplane: "true"
200rules:
201- apiGroups:
202 - ""
203 resources:
204 - events
205 verbs:
206 - create
207 - update
208 - patch
209 - delete
210- apiGroups:
211 - apiextensions.k8s.io
212 resources:
213 - customresourcedefinitions
214 - customresourcedefinitions/status
215 verbs:
216 - "*"
217- apiGroups:
218 - ""
219 resources:
220 - secrets
221 verbs:
222 - get
223 - list
224 - watch
225 - create
226 - update
227 - patch
228 - delete
229- apiGroups:
230 - ""
231 resources:
232 - serviceaccounts
233 - services
234 verbs:
235 - "*"
236- apiGroups:
237 - apiextensions.crossplane.io
238 - pkg.crossplane.io
239 - secrets.crossplane.io
240 resources:
241 - "*"
242 verbs:
243 - "*"
244- apiGroups:
245 - extensions
246 - apps
247 resources:
248 - deployments
249 verbs:
250 - get
251 - list
252 - create
253 - update
254 - patch
255 - delete
256 - watch
257- apiGroups:
258 - ""
259 - coordination.k8s.io
260 resources:
261 - configmaps
262 - leases
263 verbs:
264 - get
265 - list
266 - create
267 - update
268 - patch
269 - watch
270 - delete
271- apiGroups:
272 - admissionregistration.k8s.io
273 resources:
274 - validatingwebhookconfigurations
275 - mutatingwebhookconfigurations
276 verbs:
277 - get
278 - list
279 - create
280 - update
281 - patch
282 - watch
283 - delete
284---
285# Source: crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
286apiVersion: rbac.authorization.k8s.io/v1
287kind: ClusterRole
288metadata:
289 name: crossplane:allowed-provider-permissions
290 labels:
291 app: crossplane
292 helm.sh/chart: crossplane-1.15.0
293 app.kubernetes.io/managed-by: Helm
294 app.kubernetes.io/component: cloud-infrastructure-controller
295 app.kubernetes.io/part-of: crossplane
296 app.kubernetes.io/name: crossplane
297 app.kubernetes.io/instance: crossplane
298 app.kubernetes.io/version: "1.15.0"
299aggregationRule:
300 clusterRoleSelectors:
301 - matchLabels:
302 rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true"
303---
304# Source: crossplane/templates/rbac-manager-clusterrole.yaml
305apiVersion: rbac.authorization.k8s.io/v1
306kind: ClusterRole
307metadata:
308 name: crossplane-rbac-manager
309 labels:
310 app: crossplane
311 helm.sh/chart: crossplane-1.15.0
312 app.kubernetes.io/managed-by: Helm
313 app.kubernetes.io/component: cloud-infrastructure-controller
314 app.kubernetes.io/part-of: crossplane
315 app.kubernetes.io/name: crossplane
316 app.kubernetes.io/instance: crossplane
317 app.kubernetes.io/version: "1.15.0"
318rules:
319- apiGroups:
320 - ""
321 resources:
322 - events
323 verbs:
324 - create
325 - update
326 - patch
327 - delete
328- apiGroups:
329 - ""
330 resources:
331 - namespaces
332 verbs:
333 - get
334 - list
335 - watch
336- apiGroups:
337 - apps
338 resources:
339 - deployments
340 verbs:
341 - get
342 - list
343 - watch
344# The RBAC manager creates a series of RBAC roles for each namespace it sees.
345# These RBAC roles are controlled (in the owner reference sense) by the namespace.
346# The RBAC manager needs permission to set finalizers on Namespaces in order to
347# create resources that block their deletion when the
348# OwnerReferencesPermissionEnforcement admission controller is enabled.
349# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
350- apiGroups:
351 - ""
352 resources:
353 - namespaces/finalizers
354 verbs:
355 - update
356- apiGroups:
357 - apiextensions.crossplane.io
358 resources:
359 - compositeresourcedefinitions
360 verbs:
361 - get
362 - list
363 - watch
364# The RBAC manager creates a series of RBAC cluster roles for each XRD it sees.
365# These cluster roles are controlled (in the owner reference sense) by the XRD.
366# The RBAC manager needs permission to set finalizers on XRDs in order to
367# create resources that block their deletion when the
368# OwnerReferencesPermissionEnforcement admission controller is enabled.
369# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
370- apiGroups:
371 - apiextensions.crossplane.io
372 resources:
373 - compositeresourcedefinitions/finalizers
374 verbs:
375 - update
376- apiGroups:
377 - pkg.crossplane.io
378 resources:
379 - providerrevisions
380 verbs:
381 - get
382 - list
383 - watch
384# The RBAC manager creates a series of RBAC cluster roles for each ProviderRevision
385# it sees. These cluster roles are controlled (in the owner reference sense) by the
386# ProviderRevision. The RBAC manager needs permission to set finalizers on
387# ProviderRevisions in order to create resources that block their deletion when the
388# OwnerReferencesPermissionEnforcement admission controller is enabled.
389# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
390- apiGroups:
391 - pkg.crossplane.io
392 resources:
393 - providerrevisions/finalizers
394 verbs:
395 - update
396- apiGroups:
397 - apiextensions.k8s.io
398 resources:
399 - customresourcedefinitions
400 verbs:
401 - get
402 - list
403 - watch
404- apiGroups:
405 - rbac.authorization.k8s.io
406 resources:
407 - clusterroles
408 - roles
409 verbs:
410 - get
411 - list
412 - watch
413 - create
414 - update
415 - patch
416 # The RBAC manager may grant access it does not have.
417 - escalate
418- apiGroups:
419 - rbac.authorization.k8s.io
420 resources:
421 - clusterroles
422 verbs:
423 - bind
424- apiGroups:
425 - rbac.authorization.k8s.io
426 resources:
427 - clusterrolebindings
428 verbs:
429 - "*"
430- apiGroups:
431 - ""
432 - coordination.k8s.io
433 resources:
434 - configmaps
435 - leases
436 verbs:
437 - get
438 - list
439 - create
440 - update
441 - patch
442 - watch
443 - delete
444---
445# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
446apiVersion: rbac.authorization.k8s.io/v1
447kind: ClusterRole
448metadata:
449 name: crossplane-admin
450 labels:
451 app: crossplane
452 helm.sh/chart: crossplane-1.15.0
453 app.kubernetes.io/managed-by: Helm
454 app.kubernetes.io/component: cloud-infrastructure-controller
455 app.kubernetes.io/part-of: crossplane
456 app.kubernetes.io/name: crossplane
457 app.kubernetes.io/instance: crossplane
458 app.kubernetes.io/version: "1.15.0"
459aggregationRule:
460 clusterRoleSelectors:
461 - matchLabels:
462 rbac.crossplane.io/aggregate-to-admin: "true"
463---
464# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
465apiVersion: rbac.authorization.k8s.io/v1
466kind: ClusterRole
467metadata:
468 name: crossplane-edit
469 labels:
470 app: crossplane
471 helm.sh/chart: crossplane-1.15.0
472 app.kubernetes.io/managed-by: Helm
473 app.kubernetes.io/component: cloud-infrastructure-controller
474 app.kubernetes.io/part-of: crossplane
475 app.kubernetes.io/name: crossplane
476 app.kubernetes.io/instance: crossplane
477 app.kubernetes.io/version: "1.15.0"
478aggregationRule:
479 clusterRoleSelectors:
480 - matchLabels:
481 rbac.crossplane.io/aggregate-to-edit: "true"
482---
483# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
484apiVersion: rbac.authorization.k8s.io/v1
485kind: ClusterRole
486metadata:
487 name: crossplane-view
488 labels:
489 app: crossplane
490 helm.sh/chart: crossplane-1.15.0
491 app.kubernetes.io/managed-by: Helm
492 app.kubernetes.io/component: cloud-infrastructure-controller
493 app.kubernetes.io/part-of: crossplane
494 app.kubernetes.io/name: crossplane
495 app.kubernetes.io/instance: crossplane
496 app.kubernetes.io/version: "1.15.0"
497aggregationRule:
498 clusterRoleSelectors:
499 - matchLabels:
500 rbac.crossplane.io/aggregate-to-view: "true"
501---
502# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
503apiVersion: rbac.authorization.k8s.io/v1
504kind: ClusterRole
505metadata:
506 name: crossplane-browse
507 labels:
508 app: crossplane
509 helm.sh/chart: crossplane-1.15.0
510 app.kubernetes.io/managed-by: Helm
511 app.kubernetes.io/component: cloud-infrastructure-controller
512 app.kubernetes.io/part-of: crossplane
513 app.kubernetes.io/name: crossplane
514 app.kubernetes.io/instance: crossplane
515 app.kubernetes.io/version: "1.15.0"
516aggregationRule:
517 clusterRoleSelectors:
518 - matchLabels:
519 rbac.crossplane.io/aggregate-to-browse: "true"
520---
521# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
522apiVersion: rbac.authorization.k8s.io/v1
523kind: ClusterRole
524metadata:
525 name: crossplane:aggregate-to-admin
526 labels:
527 rbac.crossplane.io/aggregate-to-admin: "true"
528 app: crossplane
529 helm.sh/chart: crossplane-1.15.0
530 app.kubernetes.io/managed-by: Helm
531 app.kubernetes.io/component: cloud-infrastructure-controller
532 app.kubernetes.io/part-of: crossplane
533 app.kubernetes.io/name: crossplane
534 app.kubernetes.io/instance: crossplane
535 app.kubernetes.io/version: "1.15.0"
536rules:
537# Crossplane administrators have access to view events.
538- apiGroups: [""]
539 resources: [events]
540 verbs: [get, list, watch]
541# Crossplane administrators must create provider credential secrets, and may
542# need to read or otherwise interact with connection secrets. They may also need
543# to create or annotate namespaces.
544- apiGroups: [""]
545 resources: [secrets, namespaces]
546 verbs: ["*"]
547# Crossplane administrators have access to view the roles that they may be able
548# to grant to other subjects.
549- apiGroups: [rbac.authorization.k8s.io]
550 resources: [clusterroles, roles]
551 verbs: [get, list, watch]
552# Crossplane administrators have access to grant the access they have to other
553# subjects.
554- apiGroups: [rbac.authorization.k8s.io]
555 resources: [clusterrolebindings, rolebindings]
556 verbs: ["*"]
557# Crossplane administrators have full access to built in Crossplane types.
558- apiGroups:
559 - apiextensions.crossplane.io
560 resources: ["*"]
561 verbs: ["*"]
562- apiGroups:
563 - pkg.crossplane.io
564 resources: ["*"]
565 verbs: ["*"]
566# Crossplane administrators have access to view CRDs in order to debug XRDs.
567- apiGroups: [apiextensions.k8s.io]
568 resources: [customresourcedefinitions]
569 verbs: [get, list, watch]
570---
571# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
572apiVersion: rbac.authorization.k8s.io/v1
573kind: ClusterRole
574metadata:
575 name: crossplane:aggregate-to-edit
576 labels:
577 rbac.crossplane.io/aggregate-to-edit: "true"
578 app: crossplane
579 helm.sh/chart: crossplane-1.15.0
580 app.kubernetes.io/managed-by: Helm
581 app.kubernetes.io/component: cloud-infrastructure-controller
582 app.kubernetes.io/part-of: crossplane
583 app.kubernetes.io/name: crossplane
584 app.kubernetes.io/instance: crossplane
585 app.kubernetes.io/version: "1.15.0"
586rules:
587# Crossplane editors have access to view events.
588- apiGroups: [""]
589 resources: [events]
590 verbs: [get, list, watch]
591# Crossplane editors must create provider credential secrets, and may need to
592# read or otherwise interact with connection secrets.
593- apiGroups: [""]
594 resources: [secrets]
595 verbs: ["*"]
596# Crossplane editors may see which namespaces exist, but not edit them.
597- apiGroups: [""]
598 resources: [namespaces]
599 verbs: [get, list, watch]
600# Crossplane editors have full access to built in Crossplane types.
601- apiGroups:
602 - apiextensions.crossplane.io
603 resources: ["*"]
604 verbs: ["*"]
605- apiGroups:
606 - pkg.crossplane.io
607 resources: ["*"]
608 verbs: ["*"]
609---
610# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
611apiVersion: rbac.authorization.k8s.io/v1
612kind: ClusterRole
613metadata:
614 name: crossplane:aggregate-to-view
615 labels:
616 rbac.crossplane.io/aggregate-to-view: "true"
617 app: crossplane
618 helm.sh/chart: crossplane-1.15.0
619 app.kubernetes.io/managed-by: Helm
620 app.kubernetes.io/component: cloud-infrastructure-controller
621 app.kubernetes.io/part-of: crossplane
622 app.kubernetes.io/name: crossplane
623 app.kubernetes.io/instance: crossplane
624 app.kubernetes.io/version: "1.15.0"
625rules:
626# Crossplane viewers have access to view events.
627- apiGroups: [""]
628 resources: [events]
629 verbs: [get, list, watch]
630# Crossplane viewers may see which namespaces exist.
631- apiGroups: [""]
632 resources: [namespaces]
633 verbs: [get, list, watch]
634# Crossplane viewers have read-only access to built in Crossplane types.
635- apiGroups:
636 - apiextensions.crossplane.io
637 resources: ["*"]
638 verbs: [get, list, watch]
639- apiGroups:
640 - pkg.crossplane.io
641 resources: ["*"]
642 verbs: [get, list, watch]
643---
644# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
645apiVersion: rbac.authorization.k8s.io/v1
646kind: ClusterRole
647metadata:
648 name: crossplane:aggregate-to-browse
649 labels:
650 rbac.crossplane.io/aggregate-to-browse: "true"
651 app: crossplane
652 helm.sh/chart: crossplane-1.15.0
653 app.kubernetes.io/managed-by: Helm
654 app.kubernetes.io/component: cloud-infrastructure-controller
655 app.kubernetes.io/part-of: crossplane
656 app.kubernetes.io/name: crossplane
657 app.kubernetes.io/instance: crossplane
658 app.kubernetes.io/version: "1.15.0"
659rules:
660# Crossplane browsers have access to view events.
661- apiGroups: [""]
662 resources: [events]
663 verbs: [get, list, watch]
664# Crossplane browsers have read-only access to compositions and XRDs. This
665# allows them to discover and select an appropriate composition when creating a
666# resource claim.
667- apiGroups:
668 - apiextensions.crossplane.io
669 resources: ["*"]
670 verbs: [get, list, watch]
671---
672# Source: crossplane/templates/clusterrolebinding.yaml
673apiVersion: rbac.authorization.k8s.io/v1
674kind: ClusterRoleBinding
675metadata:
676 name: crossplane
677 labels:
678 app: crossplane
679 helm.sh/chart: crossplane-1.15.0
680 app.kubernetes.io/managed-by: Helm
681 app.kubernetes.io/component: cloud-infrastructure-controller
682 app.kubernetes.io/part-of: crossplane
683 app.kubernetes.io/name: crossplane
684 app.kubernetes.io/instance: crossplane
685 app.kubernetes.io/version: "1.15.0"
686roleRef:
687 apiGroup: rbac.authorization.k8s.io
688 kind: ClusterRole
689 name: crossplane
690subjects:
691- kind: ServiceAccount
692 name: crossplane
693 namespace: default
694---
695# Source: crossplane/templates/rbac-manager-clusterrolebinding.yaml
696apiVersion: rbac.authorization.k8s.io/v1
697kind: ClusterRoleBinding
698metadata:
699 name: crossplane-rbac-manager
700 labels:
701 app: crossplane
702 helm.sh/chart: crossplane-1.15.0
703 app.kubernetes.io/managed-by: Helm
704 app.kubernetes.io/component: cloud-infrastructure-controller
705 app.kubernetes.io/part-of: crossplane
706 app.kubernetes.io/name: crossplane
707 app.kubernetes.io/instance: crossplane
708 app.kubernetes.io/version: "1.15.0"
709roleRef:
710 apiGroup: rbac.authorization.k8s.io
711 kind: ClusterRole
712 name: crossplane-rbac-manager
713subjects:
714- kind: ServiceAccount
715 name: rbac-manager
716 namespace: default
717---
718# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
719apiVersion: rbac.authorization.k8s.io/v1
720kind: ClusterRoleBinding
721metadata:
722 name: crossplane-admin
723 labels:
724 app: crossplane
725 helm.sh/chart: crossplane-1.15.0
726 app.kubernetes.io/managed-by: Helm
727 app.kubernetes.io/component: cloud-infrastructure-controller
728 app.kubernetes.io/part-of: crossplane
729 app.kubernetes.io/name: crossplane
730 app.kubernetes.io/instance: crossplane
731 app.kubernetes.io/version: "1.15.0"
732roleRef:
733 apiGroup: rbac.authorization.k8s.io
734 kind: ClusterRole
735 name: crossplane-admin
736subjects:
737- apiGroup: rbac.authorization.k8s.io
738 kind: Group
739 name: crossplane:masters
740---
741# Source: crossplane/templates/service.yaml
742apiVersion: v1
743kind: Service
744metadata:
745 name: crossplane-webhooks
746 namespace: default
747 labels:
748 app: crossplane
749 release: crossplane
750 helm.sh/chart: crossplane-1.15.0
751 app.kubernetes.io/managed-by: Helm
752 app.kubernetes.io/component: cloud-infrastructure-controller
753 app.kubernetes.io/part-of: crossplane
754 app.kubernetes.io/name: crossplane
755 app.kubernetes.io/instance: crossplane
756 app.kubernetes.io/version: "1.15.0"
757spec:
758 selector:
759 app: crossplane
760 release: crossplane
761 ports:
762 - protocol: TCP
763 port: 9443
764 targetPort: 9443
765---
766# Source: crossplane/templates/deployment.yaml
767apiVersion: apps/v1
768kind: Deployment
769metadata:
770 name: crossplane
771 namespace: default
772 labels:
773 app: crossplane
774 release: crossplane
775 helm.sh/chart: crossplane-1.15.0
776 app.kubernetes.io/managed-by: Helm
777 app.kubernetes.io/component: cloud-infrastructure-controller
778 app.kubernetes.io/part-of: crossplane
779 app.kubernetes.io/name: crossplane
780 app.kubernetes.io/instance: crossplane
781 app.kubernetes.io/version: "1.15.0"
782spec:
783 replicas: 1
784 selector:
785 matchLabels:
786 app: crossplane
787 release: crossplane
788 strategy:
789 type: RollingUpdate
790 template:
791 metadata:
792 labels:
793 app: crossplane
794 release: crossplane
795 helm.sh/chart: crossplane-1.15.0
796 app.kubernetes.io/managed-by: Helm
797 app.kubernetes.io/component: cloud-infrastructure-controller
798 app.kubernetes.io/part-of: crossplane
799 app.kubernetes.io/name: crossplane
800 app.kubernetes.io/instance: crossplane
801 app.kubernetes.io/version: "1.15.0"
802 spec:
803 serviceAccountName: crossplane
804 hostNetwork: false
805 initContainers:
806 - image: "xpkg.crossplane.io/crossplane/crossplane:v1.15.0"
807 args:
808 - core
809 - init
810 imagePullPolicy: IfNotPresent
811 name: crossplane-init
812 resources:
813 limits:
814 cpu: 100m
815 memory: 512Mi
816 requests:
817 cpu: 100m
818 memory: 256Mi
819 securityContext:
820 allowPrivilegeEscalation: false
821 readOnlyRootFilesystem: true
822 runAsGroup: 65532
823 runAsUser: 65532
824 env:
825 - name: GOMAXPROCS
826 valueFrom:
827 resourceFieldRef:
828 containerName: crossplane-init
829 resource: limits.cpu
830 divisor: "1"
831 - name: GOMEMLIMIT
832 valueFrom:
833 resourceFieldRef:
834 containerName: crossplane-init
835 resource: limits.memory
836 divisor: "1"
837 - name: POD_NAMESPACE
838 valueFrom:
839 fieldRef:
840 fieldPath: metadata.namespace
841 - name: POD_SERVICE_ACCOUNT
842 valueFrom:
843 fieldRef:
844 fieldPath: spec.serviceAccountName
845 - name: "WEBHOOK_SERVICE_NAME"
846 value: crossplane-webhooks
847 - name: "WEBHOOK_SERVICE_NAMESPACE"
848 valueFrom:
849 fieldRef:
850 fieldPath: metadata.namespace
851 - name: "WEBHOOK_SERVICE_PORT"
852 value: "9443"
853 - name: "TLS_CA_SECRET_NAME"
854 value: crossplane-root-ca
855 - name: "TLS_SERVER_SECRET_NAME"
856 value: crossplane-tls-server
857 - name: "TLS_CLIENT_SECRET_NAME"
858 value: crossplane-tls-client
859 containers:
860 - image: "xpkg.crossplane.io/crossplane/crossplane:v1.15.0"
861 args:
862 - core
863 - start
864 imagePullPolicy: IfNotPresent
865 name: crossplane
866 resources:
867 limits:
868 cpu: 100m
869 memory: 512Mi
870 requests:
871 cpu: 100m
872 memory: 256Mi
873 startupProbe:
874 failureThreshold: 30
875 periodSeconds: 2
876 tcpSocket:
877 port: readyz
878 ports:
879 - name: readyz
880 containerPort: 8081
881 - name: webhooks
882 containerPort: 9443
883 securityContext:
884 allowPrivilegeEscalation: false
885 readOnlyRootFilesystem: true
886 runAsGroup: 65532
887 runAsUser: 65532
888 env:
889 - name: GOMAXPROCS
890 valueFrom:
891 resourceFieldRef:
892 containerName: crossplane
893 resource: limits.cpu
894 divisor: "1"
895 - name: GOMEMLIMIT
896 valueFrom:
897 resourceFieldRef:
898 containerName: crossplane
899 resource: limits.memory
900 divisor: "1"
901 - name: POD_NAMESPACE
902 valueFrom:
903 fieldRef:
904 fieldPath: metadata.namespace
905 - name: POD_SERVICE_ACCOUNT
906 valueFrom:
907 fieldRef:
908 fieldPath: spec.serviceAccountName
909 - name: LEADER_ELECTION
910 value: "true"
911 - name: "TLS_SERVER_SECRET_NAME"
912 value: crossplane-tls-server
913 - name: "TLS_SERVER_CERTS_DIR"
914 value: /tls/server
915 - name: "TLS_CLIENT_SECRET_NAME"
916 value: crossplane-tls-client
917 - name: "TLS_CLIENT_CERTS_DIR"
918 value: /tls/client
919 volumeMounts:
920 - mountPath: /cache
921 name: package-cache
922 - mountPath: /tls/server
923 name: tls-server-certs
924 - mountPath: /tls/client
925 name: tls-client-certs
926 volumes:
927 - name: package-cache
928 emptyDir:
929 medium:
930 sizeLimit: 20Mi
931 - name: tls-server-certs
932 secret:
933 secretName: crossplane-tls-server
934 - name: tls-client-certs
935 secret:
936 secretName: crossplane-tls-client
937---
938# Source: crossplane/templates/rbac-manager-deployment.yaml
939apiVersion: apps/v1
940kind: Deployment
941metadata:
942 name: crossplane-rbac-manager
943 namespace: default
944 labels:
945 app: crossplane-rbac-manager
946 release: crossplane
947 helm.sh/chart: crossplane-1.15.0
948 app.kubernetes.io/managed-by: Helm
949 app.kubernetes.io/component: cloud-infrastructure-controller
950 app.kubernetes.io/part-of: crossplane
951 app.kubernetes.io/name: crossplane
952 app.kubernetes.io/instance: crossplane
953 app.kubernetes.io/version: "1.15.0"
954spec:
955 replicas: 1
956 selector:
957 matchLabels:
958 app: crossplane-rbac-manager
959 release: crossplane
960 strategy:
961 type: RollingUpdate
962 template:
963 metadata:
964 labels:
965 app: crossplane-rbac-manager
966 release: crossplane
967 helm.sh/chart: crossplane-1.15.0
968 app.kubernetes.io/managed-by: Helm
969 app.kubernetes.io/component: cloud-infrastructure-controller
970 app.kubernetes.io/part-of: crossplane
971 app.kubernetes.io/name: crossplane
972 app.kubernetes.io/instance: crossplane
973 app.kubernetes.io/version: "1.15.0"
974 spec:
975 serviceAccountName: rbac-manager
976 initContainers:
977 - image: "xpkg.crossplane.io/crossplane/crossplane:v1.15.0"
978 args:
979 - rbac
980 - init
981 imagePullPolicy: IfNotPresent
982 name: crossplane-init
983 resources:
984 limits:
985 cpu: 100m
986 memory: 512Mi
987 requests:
988 cpu: 100m
989 memory: 256Mi
990 securityContext:
991 allowPrivilegeEscalation: false
992 readOnlyRootFilesystem: true
993 runAsGroup: 65532
994 runAsUser: 65532
995 env:
996 - name: GOMAXPROCS
997 valueFrom:
998 resourceFieldRef:
999 containerName: crossplane-init
1000 resource: limits.cpu
1001 - name: GOMEMLIMIT
1002 valueFrom:
1003 resourceFieldRef:
1004 containerName: crossplane-init
1005 resource: limits.memory
1006 containers:
1007 - image: "xpkg.crossplane.io/crossplane/crossplane:v1.15.0"
1008 args:
1009 - rbac
1010 - start
1011 - --provider-clusterrole=crossplane:allowed-provider-permissions
1012 imagePullPolicy: IfNotPresent
1013 name: crossplane
1014 resources:
1015 limits:
1016 cpu: 100m
1017 memory: 512Mi
1018 requests:
1019 cpu: 100m
1020 memory: 256Mi
1021 securityContext:
1022 allowPrivilegeEscalation: false
1023 readOnlyRootFilesystem: true
1024 runAsGroup: 65532
1025 runAsUser: 65532
1026 env:
1027 - name: GOMAXPROCS
1028 valueFrom:
1029 resourceFieldRef:
1030 containerName: crossplane
1031 resource: limits.cpu
1032 - name: GOMEMLIMIT
1033 valueFrom:
1034 resourceFieldRef:
1035 containerName: crossplane
1036 resource: limits.memory
1037 - name: LEADER_ELECTION
1038 value: "true"
1039
1040NOTES:
1041Release: crossplane
1042
1043Chart Name: crossplane
1044Chart Description: Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume.
1045Chart Version: 1.15.0
1046Chart Application Version: 1.15.0
1047
1048Kube Version: v1.27.3
Install the Crossplane components using helm install.
1helm install crossplane \
2crossplane-stable/crossplane \
3--namespace crossplane-system \
4--create-namespace
Verify Crossplane installed with kubectl get pods.
1kubectl get pods -n crossplane-system
2NAME READY STATUS RESTARTS AGE
3crossplane-d4cd8d784-ldcgb 1/1 Running 0 54s
4crossplane-rbac-manager-84769b574-6mw6f 1/1 Running 0 54s
Installing Crossplane creates new Kubernetes API end-points.
Look at the new API end-points with kubectl api-resources | grep crossplane.
1kubectl api-resources | grep crossplane
2compositeresourcedefinitions xrd,xrds apiextensions.crossplane.io/v1 false CompositeResourceDefinition
3compositionrevisions comprev apiextensions.crossplane.io/v1 false CompositionRevision
4compositions comp apiextensions.crossplane.io/v1 false Composition
5environmentconfigs envcfg apiextensions.crossplane.io/v1beta1 false EnvironmentConfig
6usages apiextensions.crossplane.io/v1alpha1 false Usage
7configurationrevisions pkg.crossplane.io/v1 false ConfigurationRevision
8configurations pkg.crossplane.io/v1 false Configuration
9controllerconfigs pkg.crossplane.io/v1alpha1 false ControllerConfig
10deploymentruntimeconfigs pkg.crossplane.io/v1beta1 false DeploymentRuntimeConfig
11functionrevisions pkg.crossplane.io/v1beta1 false FunctionRevision
12functions pkg.crossplane.io/v1beta1 false Function
13locks pkg.crossplane.io/v1beta1 false Lock
14providerrevisions pkg.crossplane.io/v1 false ProviderRevision
15providers pkg.crossplane.io/v1 false Provider
16storeconfigs secrets.crossplane.io/v1alpha1 false StoreConfig
Install the AWS provider
Install the AWS S3 provider into the Kubernetes cluster with a Kubernetes configuration file.
1cat <<EOF | kubectl apply -f -
2apiVersion: pkg.crossplane.io/v1
3kind: Provider
4metadata:
5 name: provider-aws-s3
6spec:
7 package: xpkg.crossplane.io/crossplane-contrib/provider-aws-s3:v1.21.1
8EOF
The Crossplane
Verify the provider installed with kubectl get providers.
1kubectl get providers
2NAME INSTALLED HEALTHY PACKAGE AGE
3crossplane-contrib-provider-family-aws True True xpkg.crossplane.io/crossplane-contrib/provider-family-aws:v1.21.1 30s
4provider-aws-s3 True True xpkg.crossplane.io/crossplane-contrib/provider-aws-s3:v1.21.1 34s
The S3 Provider installs a second Provider, the
The family provider manages authentication to AWS across all AWS family
Providers.
You can view the new CRDs with kubectl get crds.
Every CRD maps to a unique AWS service Crossplane can provision and manage.
Tip
See details about all the supported CRDs in the
provider examples.
Create a Kubernetes secret for AWS
The provider requires credentials to create and manage AWS resources.
Providers use a Kubernetes Secret to connect the credentials to the provider.
Generate a Kubernetes Secret from your AWS key-pair and then configure the Provider to use it.
Generate an AWS key-pair file
For basic user authentication, use an AWS Access keys key-pair file.
Tip
The AWS documentation
provides information on how to generate AWS Access keys.
Create a text file containing the AWS account aws_access_key_id and aws_secret_access_key.
Save this text file as aws-credentials.txt.
Tip
The Authentication section of the AWS Provider documentation describes other authentication methods.
Create a Kubernetes secret with the AWS credentials
A Kubernetes generic secret has a name and contents.
Use
to generate the secret object named
in the
Use the
1kubectl create secret \
2generic aws-secret \
3-n crossplane-system \
4--from-file=creds=./aws-credentials.txt
View the secret with kubectl describe secret
Tip
The size may be larger if there are extra blank spaces in your text file.
1kubectl describe secret aws-secret -n crossplane-system
2Name: aws-secret
3Namespace: crossplane-system
4Labels: <none>
5Annotations: <none>
6
7Type: Opaque
8
9Data
10====
11creds: 114 bytes
Create a ProviderConfig
A
Apply the
1cat <<EOF | kubectl apply -f -
2apiVersion: aws.upbound.io/v1beta1
3kind: ProviderConfig
4metadata:
5 name: default
6spec:
7 credentials:
8 source: Secret
9 secretRef:
10 namespace: crossplane-system
11 name: aws-secret
12 key: creds
13EOF
This attaches the AWS credentials, saved as a Kubernetes secret, as a
The
Create a managed resource
A managed resource is anything Crossplane creates and manages outside of the Kubernetes cluster.
This guide creates an AWS S3 bucket with Crossplane.
The S3 bucket is a managed resource.
Tip
AWS S3 bucket names must be globally unique. To generate a unique name the example uses a random hash.
Any unique name is acceptable.
1cat <<EOF | kubectl create -f -
2apiVersion: s3.aws.upbound.io/v1beta1
3kind: Bucket
4metadata:
5 generateName: crossplane-bucket-
6spec:
7 forProvider:
8 region: us-east-2
9 providerConfigRef:
10 name: default
11EOF
The
The
This example uses the generated name crossplane-bucket-<hash> in the
The
The region can be any AWS Regional endpoint code.
Use kubectl get buckets to verify Crossplane created the bucket.
Tip
Crossplane created the bucket when the values
This may take up to 5 minutes.
READY and SYNCED are True.This may take up to 5 minutes.
1kubectl get buckets
2NAME READY SYNCED EXTERNAL-NAME AGE
3crossplane-bucket-hhdzh True True crossplane-bucket-hhdzh 5s
Delete the managed resource
Before shutting down your Kubernetes cluster, delete the S3 bucket just created.
Use kubectl delete bucket <bucketname> to remove the bucket.
1kubectl delete bucket crossplane-bucket-hhdzh
2bucket.s3.aws.upbound.io "crossplane-bucket-hhdzh" deleted
Next steps
- Continue to part 2 to create and use a custom API with Crossplane.
- Explore AWS resources that Crossplane can configure in the provider CRD reference.
- Join the Crossplane Slack and connect with Crossplane users and contributors.