RBAC, policy & guardrails

Least privilege on the control plane.

Advanced14 min · lesson 11 of 12

Crossplane concentrates enormous power in one cluster: it holds cloud credentials and continuously provisions infrastructure, so its own access control is the security story. Two layers matter. Kubernetes RBAC governs who can create claims, composites, and providers — a developer should be able to file a claim in their namespace but never install a provider or edit a composition. And the cloud-side IAM the ProviderConfig assumes bounds what Crossplane can do at all.

LAYERS OF GUARDRAILS
Kubernetes RBAC (who can act)
Devs: claims only
file in their namespace
Platform only: providers, compositions, XRDs
Admission policy (what is allowed)
Kyverno / OPA
validates before Crossplane acts
Required labels, allowed regions, no public networking
Cloud IAM (blast radius)
ProviderConfig role
least-privilege, per environment
Dev role cannot touch prod
RBAC controls who acts, policy validates what, IAM caps how far a mistake can reach.
rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { namespace: team-orders, name: claim-author }
rules:
- apiGroups: ["acme.io"]
resources: ["postgresinstances"] # claims only — not XRs, not compositions
verbs: ["get", "list", "create", "delete"]
# developers get this; only platform admins can touch compositions/providers/XRDs

Guardrails beyond RBAC

Layer policy on top. An admission policy engine (Kyverno, OPA/Gatekeeper) can enforce rules on the composites and claims themselves — required labels, allowed regions, forbidden public networking — before Crossplane acts. Scope each ProviderConfig’s cloud role to least privilege so even a mistaken composition cannot exceed it, and separate environments so a dev-namespace claim cannot provision into prod accounts.

terminal
# who can install providers? that list should be tiny.
$ kubectl auth can-i create providers.pkg.crossplane.io \
--as=system:serviceaccount:team-orders:default
no # good — a dev SA cannot install packages into the control plane
Installing a provider or editing a composition is control-plane admin
Whoever can install providers/functions or edit compositions and ProviderConfigs effectively controls what your cloud credentials do — that is admin over your infrastructure, not a routine permission. Restrict those verbs to a small platform team, gate the manifests through GitOps review, and audit changes to them; treat the composition/provider layer as privileged as the cloud IAM behind it.