Crossplane in GitOps & securing it
Argo/Flux drive infra; protect the plane.
Crossplane and GitOps are a natural pair: because infrastructure is now Kubernetes objects, Argo CD or Flux can manage it exactly like application manifests — Git is the desired state, the GitOps controller syncs it into the cluster, and Crossplane reconciles it into the cloud. Every infrastructure change becomes a reviewed, audited pull request, and the cluster continuously self-heals toward what Git says.
Securing the whole chain
The chain is only as safe as its weakest link, so harden all of it: protect the Git repo (branch protection, signed commits, review), lock down the GitOps controller’s access, keep Crossplane’s RBAC and cloud IAM least-privilege, and scan the manifests (kubeconform, policy checks) in CI before merge. Store provider credentials via workload identity, not committed secrets, and keep connection secrets out of Git entirely.