Crossplane

Universal control plane for managing infrastructure and cloud resources via Kubernetes APIs.

Crossplane extends Kubernetes with CRDs that let you provision and manage external infrastructure (cloud resources, SaaS APIs, IaC runners) using standard Kubernetes manifests. It is used in this cluster primarily to run OpenTofu workspaces via the upbound/provider-opentofu, enabling infrastructure-as-code pipelines that are GitOps-driven and managed by Flux.

Alternatives considered

Self Hosted

Tool	Open Source	Full Features	Notes
ACK (AWS Controllers for Kubernetes)	Yes	Yes	AWS-specific; no multi-cloud
Config Connector	Yes	Yes	GCP-specific
Terraform / OpenTofu	Yes	Yes	Not Kubernetes-native; Crossplane can wrap it

Installation

Architecture

HelmRelease crossplane in namespace crossplane-system, chart version 2.2.0 from https://charts.crossplane.io/stable. Deploys the Crossplane core controller and RBAC manager. No providers are installed by the Helm chart itself — providers are managed separately via crossplane-extras.

Security

No explicit securityContext set in the HelmRelease values. RBAC manager runs cluster-wide. Resource limits: 512Mi memory / 500m CPU for both crossplane and rbac-manager. The namespace has the label secrets.k8up: "true" for k8up backup inclusion.

Updates

Managed by Renovate. Chart version is semver-pinned (2.2.0).

Administration

Usage

The Crossplane control plane watches for Composite Resource and Managed Resource objects. Providers installed via crossplane-extras (e.g. provider-opentofu) extend it with additional resource types. Operators create Provider, Function, and composition resources to define and instantiate infrastructure. The go-templating and auto-ready functions support composition pipelines.

Cluster-specific deviations from the above live in the per-cluster README — see k8s/infrastructure/talos/controllers/crossplane/README.md.

Cluster Deployment

Crossplane — Talos cluster

Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/platform/crossplane.mdx.

Deviations from defaults

Defaults live in docusaurus/docs/platform/crossplane.mdx — document anything this cluster does differently here, with a one-line reason.

Kubernetes Metadata

HelmRelease: crossplane@2.3.1
HelmRepo: crossplane-stable (https://charts.crossplane.io/stable)

Rendered manifests (kustomize build)

apiVersion: v1
data:
  values.yaml: |
    provider:
      defaultActivations: []

    resourcesCrossplane:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi

    rbacManager:
      resources:
        limits:
          cpu: 500m
          memory: 512Mi
        requests:
          cpu: 100m
          memory: 256Mi
kind: ConfigMap
metadata:
  name: crossplane-values-592g26c5tg
  namespace: crossplane-system

Alternatives considered​

Installation​

Architecture​

Security​

Updates​

Administration​

Usage​

Cluster Deployment​

Deviations from defaults​