Installing Crossplane & a provider

The core + a cloud provider package.

Intermediate12 min · lesson 2 of 12

Crossplane has two layers: the core, installed into a Kubernetes cluster (usually via its Helm chart), and providers, which are packages that add support for a specific platform — provider-aws, provider-gcp, provider-azure, and many others. The core gives you the composition and packaging machinery; a provider gives you the actual CRDs for that platform’s resources.

terminal
$ helm install crossplane crossplane-stable/crossplane \
--namespace crossplane-system --create-namespace
$ kubectl get pods -n crossplane-system
NAME READY STATUS
crossplane-7d... 1/1 Running
# install a provider as a package
$ kubectl apply -f - <<EOF
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata: { name: provider-aws-s3 }
spec: { package: xpkg.upbound.io/upbound/provider-aws-s3:v1 }
EOF

Providers bring CRDs

Installing a provider registers its custom resource definitions, so the cluster suddenly knows about dozens or hundreds of new kinds — Bucket, Instance, Vpc. You can watch them appear, and from then on those cloud resources are first-class Kubernetes objects you get, describe, and apply. Modern AWS/Azure/GCP providers are split into families (per-service packages) so you install only the services you use rather than one giant provider.

terminal
$ kubectl get providers
NAME INSTALLED HEALTHY
provider-aws-s3 True True
$ kubectl api-resources | grep s3.aws
bucket s3.aws.upbound.io/v1beta1 Bucket # a new CRD, ready to use
Providers are packages — pin and trust them
A Crossplane provider is an OCI package that runs in your control plane with cloud credentials; installing one is a supply-chain decision. Pin providers to a specific version (not a floating tag), install from a registry you trust, and prefer official providers — a malicious or compromised provider package has the same reach as the credentials you give it.