GCP Quickstart
On this page
Connect Crossplane to GCP to create and manage cloud resources from Kubernetes with the Upbound GCP Provider.
This guide is in two parts:
- Part 1 walks through installing Crossplane, configuring the provider to authenticate to GCP and creating a Managed Resource in GCP directly from your Kubernetes cluster. This shows Crossplane can communicate with GCP.
- Part 2 shows how to build and access a custom API with Crossplane.
Prerequisites
This quickstart requires:
- a Kubernetes cluster with at least 2 GB of RAM
- permissions to create pods and secrets in the Kubernetes cluster
- Helm version v3.2.0 or later
- a GCP account with permissions to create a storage bucket
- GCP account keys
- GCP Project ID
Install Crossplane
Crossplane installs into an existing Kubernetes cluster.
Tip
If you don’t have a Kubernetes cluster create one locally with Kind.
Install the Crossplane Helm chart
Helm enables Crossplane to install all its Kubernetes components through a Helm Chart.
Enable the Crossplane Helm Chart repository:
Run the Helm dry-run to see all the Crossplane components Helm installs.
1helm install crossplane \
2crossplane-stable/crossplane \
3--dry-run --debug \
4--namespace crossplane-system \
5--create-namespace
1helm install crossplane \
2crossplane-stable/crossplane \
3--dry-run --debug \
4--namespace crossplane-system \
5--create-namespace
6install.go:200: [debug] Original chart version: ""
7install.go:217: [debug] CHART PATH: /home/vagrant/.cache/helm/repository/crossplane-1.13.0.tgz
8
9NAME: crossplane
10LAST DEPLOYED: Fri Jul 28 13:57:41 2023
11NAMESPACE: crossplane-system
12STATUS: pending-install
13REVISION: 1
14TEST SUITE: None
15USER-SUPPLIED VALUES:
16{}
17
18COMPUTED VALUES:
19affinity: {}
20args: []
21configuration:
22 packages: []
23customAnnotations: {}
24customLabels: {}
25deploymentStrategy: RollingUpdate
26extraEnvVarsCrossplane: {}
27extraEnvVarsRBACManager: {}
28extraVolumeMountsCrossplane: {}
29extraVolumesCrossplane: {}
30hostNetwork: false
31image:
32 pullPolicy: IfNotPresent
33 repository: crossplane/crossplane
34 tag: ""
35imagePullSecrets: {}
36leaderElection: true
37metrics:
38 enabled: false
39nodeSelector: {}
40packageCache:
41 configMap: ""
42 medium: ""
43 pvc: ""
44 sizeLimit: 20Mi
45podSecurityContextCrossplane: {}
46podSecurityContextRBACManager: {}
47priorityClassName: ""
48provider:
49 packages: []
50rbacManager:
51 affinity: {}
52 args: []
53 deploy: true
54 leaderElection: true
55 managementPolicy: Basic
56 nodeSelector: {}
57 replicas: 1
58 skipAggregatedClusterRoles: false
59 tolerations: []
60registryCaBundleConfig:
61 key: ""
62 name: ""
63replicas: 1
64resourcesCrossplane:
65 limits:
66 cpu: 100m
67 memory: 512Mi
68 requests:
69 cpu: 100m
70 memory: 256Mi
71resourcesRBACManager:
72 limits:
73 cpu: 100m
74 memory: 512Mi
75 requests:
76 cpu: 100m
77 memory: 256Mi
78securityContextCrossplane:
79 allowPrivilegeEscalation: false
80 readOnlyRootFilesystem: true
81 runAsGroup: 65532
82 runAsUser: 65532
83securityContextRBACManager:
84 allowPrivilegeEscalation: false
85 readOnlyRootFilesystem: true
86 runAsGroup: 65532
87 runAsUser: 65532
88serviceAccount:
89 customAnnotations: {}
90tolerations: []
91webhooks:
92 enabled: true
93xfn:
94 args: []
95 cache:
96 configMap: ""
97 medium: ""
98 pvc: ""
99 sizeLimit: 1Gi
100 enabled: false
101 extraEnvVars: {}
102 image:
103 pullPolicy: IfNotPresent
104 repository: crossplane/xfn
105 tag: ""
106 resources:
107 limits:
108 cpu: 2000m
109 memory: 2Gi
110 requests:
111 cpu: 1000m
112 memory: 1Gi
113 securityContext:
114 allowPrivilegeEscalation: false
115 capabilities:
116 add:
117 - SETUID
118 - SETGID
119 readOnlyRootFilesystem: true
120 runAsGroup: 65532
121 runAsUser: 65532
122 seccompProfile:
123 type: Unconfined
124
125HOOKS:
126MANIFEST:
127---
128# Source: crossplane/templates/rbac-manager-serviceaccount.yaml
129apiVersion: v1
130kind: ServiceAccount
131metadata:
132 name: rbac-manager
133 namespace: crossplane-system
134 labels:
135 app: crossplane
136 helm.sh/chart: crossplane-1.13.0
137 app.kubernetes.io/managed-by: Helm
138 app.kubernetes.io/component: cloud-infrastructure-controller
139 app.kubernetes.io/part-of: crossplane
140 app.kubernetes.io/name: crossplane
141 app.kubernetes.io/instance: crossplane
142 app.kubernetes.io/version: "1.13.0"
143---
144# Source: crossplane/templates/serviceaccount.yaml
145apiVersion: v1
146kind: ServiceAccount
147metadata:
148 name: crossplane
149 namespace: crossplane-system
150 labels:
151 app: crossplane
152 helm.sh/chart: crossplane-1.13.0
153 app.kubernetes.io/managed-by: Helm
154 app.kubernetes.io/component: cloud-infrastructure-controller
155 app.kubernetes.io/part-of: crossplane
156 app.kubernetes.io/name: crossplane
157 app.kubernetes.io/instance: crossplane
158 app.kubernetes.io/version: "1.13.0"
159---
160# Source: crossplane/templates/secret.yaml
161# The reason this is created empty and filled by the init container is that it's
162# mounted by the actual container, so if it wasn't created by Helm, then the
163# deployment wouldn't be deployed at all with secret to mount not found error.
164# In addition, Helm would delete this secret after uninstallation so the new
165# installation of Crossplane would use its own certificate.
166apiVersion: v1
167kind: Secret
168metadata:
169 name: webhook-tls-secret
170 namespace: crossplane-system
171type: Opaque
172---
173# Source: crossplane/templates/clusterrole.yaml
174apiVersion: rbac.authorization.k8s.io/v1
175kind: ClusterRole
176metadata:
177 name: crossplane
178 labels:
179 app: crossplane
180 helm.sh/chart: crossplane-1.13.0
181 app.kubernetes.io/managed-by: Helm
182 app.kubernetes.io/component: cloud-infrastructure-controller
183 app.kubernetes.io/part-of: crossplane
184 app.kubernetes.io/name: crossplane
185 app.kubernetes.io/instance: crossplane
186 app.kubernetes.io/version: "1.13.0"
187aggregationRule:
188 clusterRoleSelectors:
189 - matchLabels:
190 rbac.crossplane.io/aggregate-to-crossplane: "true"
191---
192# Source: crossplane/templates/clusterrole.yaml
193apiVersion: rbac.authorization.k8s.io/v1
194kind: ClusterRole
195metadata:
196 name: crossplane:system:aggregate-to-crossplane
197 labels:
198 app: crossplane
199 helm.sh/chart: crossplane-1.13.0
200 app.kubernetes.io/managed-by: Helm
201 app.kubernetes.io/component: cloud-infrastructure-controller
202 app.kubernetes.io/part-of: crossplane
203 app.kubernetes.io/name: crossplane
204 app.kubernetes.io/instance: crossplane
205 app.kubernetes.io/version: "1.13.0"
206 crossplane.io/scope: "system"
207 rbac.crossplane.io/aggregate-to-crossplane: "true"
208rules:
209- apiGroups:
210 - ""
211 resources:
212 - events
213 verbs:
214 - create
215 - update
216 - patch
217 - delete
218- apiGroups:
219 - apiextensions.k8s.io
220 resources:
221 - customresourcedefinitions
222 verbs:
223 - "*"
224- apiGroups:
225 - ""
226 resources:
227 - secrets
228 verbs:
229 - get
230 - list
231 - watch
232 - create
233 - update
234 - patch
235 - delete
236- apiGroups:
237 - ""
238 resources:
239 - serviceaccounts
240 - services
241 verbs:
242 - "*"
243- apiGroups:
244 - apiextensions.crossplane.io
245 - pkg.crossplane.io
246 - secrets.crossplane.io
247 resources:
248 - "*"
249 verbs:
250 - "*"
251- apiGroups:
252 - extensions
253 - apps
254 resources:
255 - deployments
256 verbs:
257 - get
258 - list
259 - create
260 - update
261 - patch
262 - delete
263 - watch
264- apiGroups:
265 - ""
266 - coordination.k8s.io
267 resources:
268 - configmaps
269 - leases
270 verbs:
271 - get
272 - list
273 - create
274 - update
275 - patch
276 - watch
277 - delete
278- apiGroups:
279 - admissionregistration.k8s.io
280 resources:
281 - validatingwebhookconfigurations
282 - mutatingwebhookconfigurations
283 verbs:
284 - get
285 - list
286 - create
287 - update
288 - patch
289 - watch
290 - delete
291---
292# Source: crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
293apiVersion: rbac.authorization.k8s.io/v1
294kind: ClusterRole
295metadata:
296 name: crossplane:allowed-provider-permissions
297 labels:
298 app: crossplane
299 helm.sh/chart: crossplane-1.13.0
300 app.kubernetes.io/managed-by: Helm
301 app.kubernetes.io/component: cloud-infrastructure-controller
302 app.kubernetes.io/part-of: crossplane
303 app.kubernetes.io/name: crossplane
304 app.kubernetes.io/instance: crossplane
305 app.kubernetes.io/version: "1.13.0"
306aggregationRule:
307 clusterRoleSelectors:
308 - matchLabels:
309 rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true"
310---
311# Source: crossplane/templates/rbac-manager-clusterrole.yaml
312apiVersion: rbac.authorization.k8s.io/v1
313kind: ClusterRole
314metadata:
315 name: crossplane-rbac-manager
316 labels:
317 app: crossplane
318 helm.sh/chart: crossplane-1.13.0
319 app.kubernetes.io/managed-by: Helm
320 app.kubernetes.io/component: cloud-infrastructure-controller
321 app.kubernetes.io/part-of: crossplane
322 app.kubernetes.io/name: crossplane
323 app.kubernetes.io/instance: crossplane
324 app.kubernetes.io/version: "1.13.0"
325rules:
326- apiGroups:
327 - ""
328 resources:
329 - events
330 verbs:
331 - create
332 - update
333 - patch
334 - delete
335- apiGroups:
336 - ""
337 resources:
338 - namespaces
339 - serviceaccounts
340 verbs:
341 - get
342 - list
343 - watch
344# The RBAC manager creates a series of RBAC roles for each namespace it sees.
345# These RBAC roles are controlled (in the owner reference sense) by the namespace.
346# The RBAC manager needs permission to set finalizers on Namespaces in order to
347# create resources that block their deletion when the
348# OwnerReferencesPermissionEnforcement admission controller is enabled.
349# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
350- apiGroups:
351 - ""
352 resources:
353 - namespaces/finalizers
354 verbs:
355 - update
356- apiGroups:
357 - apiextensions.crossplane.io
358 resources:
359 - compositeresourcedefinitions
360 verbs:
361 - get
362 - list
363 - watch
364# The RBAC manager creates a series of RBAC cluster roles for each XRD it sees.
365# These cluster roles are controlled (in the owner reference sense) by the XRD.
366# The RBAC manager needs permission to set finalizers on XRDs in order to
367# create resources that block their deletion when the
368# OwnerReferencesPermissionEnforcement admission controller is enabled.
369# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
370- apiGroups:
371 - apiextensions.crossplane.io
372 resources:
373 - compositeresourcedefinitions/finalizers
374 verbs:
375 - update
376- apiGroups:
377 - pkg.crossplane.io
378 resources:
379 - providerrevisions
380 verbs:
381 - get
382 - list
383 - watch
384# The RBAC manager creates a series of RBAC cluster roles for each ProviderRevision
385# it sees. These cluster roles are controlled (in the owner reference sense) by the
386# ProviderRevision. The RBAC manager needs permission to set finalizers on
387# ProviderRevisions in order to create resources that block their deletion when the
388# OwnerReferencesPermissionEnforcement admission controller is enabled.
389# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
390- apiGroups:
391 - pkg.crossplane.io
392 resources:
393 - providerrevisions/finalizers
394 verbs:
395 - update
396- apiGroups:
397 - apiextensions.k8s.io
398 resources:
399 - customresourcedefinitions
400 verbs:
401 - get
402 - list
403 - watch
404- apiGroups:
405 - rbac.authorization.k8s.io
406 resources:
407 - clusterroles
408 - roles
409 verbs:
410 - get
411 - list
412 - watch
413 - create
414 - update
415 - patch
416 # The RBAC manager may grant access it does not have.
417 - escalate
418- apiGroups:
419 - rbac.authorization.k8s.io
420 resources:
421 - clusterroles
422 verbs:
423 - bind
424- apiGroups:
425 - rbac.authorization.k8s.io
426 resources:
427 - clusterrolebindings
428 verbs:
429 - "*"
430- apiGroups:
431 - ""
432 - coordination.k8s.io
433 resources:
434 - configmaps
435 - leases
436 verbs:
437 - get
438 - list
439 - create
440 - update
441 - patch
442 - watch
443 - delete
444---
445# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
446apiVersion: rbac.authorization.k8s.io/v1
447kind: ClusterRole
448metadata:
449 name: crossplane-admin
450 labels:
451 app: crossplane
452 helm.sh/chart: crossplane-1.13.0
453 app.kubernetes.io/managed-by: Helm
454 app.kubernetes.io/component: cloud-infrastructure-controller
455 app.kubernetes.io/part-of: crossplane
456 app.kubernetes.io/name: crossplane
457 app.kubernetes.io/instance: crossplane
458 app.kubernetes.io/version: "1.13.0"
459aggregationRule:
460 clusterRoleSelectors:
461 - matchLabels:
462 rbac.crossplane.io/aggregate-to-admin: "true"
463---
464# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
465apiVersion: rbac.authorization.k8s.io/v1
466kind: ClusterRole
467metadata:
468 name: crossplane-edit
469 labels:
470 app: crossplane
471 helm.sh/chart: crossplane-1.13.0
472 app.kubernetes.io/managed-by: Helm
473 app.kubernetes.io/component: cloud-infrastructure-controller
474 app.kubernetes.io/part-of: crossplane
475 app.kubernetes.io/name: crossplane
476 app.kubernetes.io/instance: crossplane
477 app.kubernetes.io/version: "1.13.0"
478aggregationRule:
479 clusterRoleSelectors:
480 - matchLabels:
481 rbac.crossplane.io/aggregate-to-edit: "true"
482---
483# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
484apiVersion: rbac.authorization.k8s.io/v1
485kind: ClusterRole
486metadata:
487 name: crossplane-view
488 labels:
489 app: crossplane
490 helm.sh/chart: crossplane-1.13.0
491 app.kubernetes.io/managed-by: Helm
492 app.kubernetes.io/component: cloud-infrastructure-controller
493 app.kubernetes.io/part-of: crossplane
494 app.kubernetes.io/name: crossplane
495 app.kubernetes.io/instance: crossplane
496 app.kubernetes.io/version: "1.13.0"
497aggregationRule:
498 clusterRoleSelectors:
499 - matchLabels:
500 rbac.crossplane.io/aggregate-to-view: "true"
501---
502# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
503apiVersion: rbac.authorization.k8s.io/v1
504kind: ClusterRole
505metadata:
506 name: crossplane-browse
507 labels:
508 app: crossplane
509 helm.sh/chart: crossplane-1.13.0
510 app.kubernetes.io/managed-by: Helm
511 app.kubernetes.io/component: cloud-infrastructure-controller
512 app.kubernetes.io/part-of: crossplane
513 app.kubernetes.io/name: crossplane
514 app.kubernetes.io/instance: crossplane
515 app.kubernetes.io/version: "1.13.0"
516aggregationRule:
517 clusterRoleSelectors:
518 - matchLabels:
519 rbac.crossplane.io/aggregate-to-browse: "true"
520---
521# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
522apiVersion: rbac.authorization.k8s.io/v1
523kind: ClusterRole
524metadata:
525 name: crossplane:aggregate-to-admin
526 labels:
527 rbac.crossplane.io/aggregate-to-admin: "true"
528 app: crossplane
529 helm.sh/chart: crossplane-1.13.0
530 app.kubernetes.io/managed-by: Helm
531 app.kubernetes.io/component: cloud-infrastructure-controller
532 app.kubernetes.io/part-of: crossplane
533 app.kubernetes.io/name: crossplane
534 app.kubernetes.io/instance: crossplane
535 app.kubernetes.io/version: "1.13.0"
536rules:
537# Crossplane administrators have access to view events.
538- apiGroups: [""]
539 resources: [events]
540 verbs: [get, list, watch]
541# Crossplane administrators must create provider credential secrets, and may
542# need to read or otherwise interact with connection secrets. They may also need
543# to create or annotate namespaces.
544- apiGroups: [""]
545 resources: [secrets, namespaces]
546 verbs: ["*"]
547# Crossplane administrators have access to view the roles that they may be able
548# to grant to other subjects.
549- apiGroups: [rbac.authorization.k8s.io]
550 resources: [clusterroles, roles]
551 verbs: [get, list, watch]
552# Crossplane administrators have access to grant the access they have to other
553# subjects.
554- apiGroups: [rbac.authorization.k8s.io]
555 resources: [clusterrolebindings, rolebindings]
556 verbs: ["*"]
557# Crossplane administrators have full access to built in Crossplane types.
558- apiGroups:
559 - apiextensions.crossplane.io
560 resources: ["*"]
561 verbs: ["*"]
562- apiGroups:
563 - pkg.crossplane.io
564 resources: [locks, providers, configurations, providerrevisions, configurationrevisions]
565 verbs: ["*"]
566# Crossplane administrators have access to view CRDs in order to debug XRDs.
567- apiGroups: [apiextensions.k8s.io]
568 resources: [customresourcedefinitions]
569 verbs: [get, list, watch]
570---
571# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
572apiVersion: rbac.authorization.k8s.io/v1
573kind: ClusterRole
574metadata:
575 name: crossplane:aggregate-to-edit
576 labels:
577 rbac.crossplane.io/aggregate-to-edit: "true"
578 app: crossplane
579 helm.sh/chart: crossplane-1.13.0
580 app.kubernetes.io/managed-by: Helm
581 app.kubernetes.io/component: cloud-infrastructure-controller
582 app.kubernetes.io/part-of: crossplane
583 app.kubernetes.io/name: crossplane
584 app.kubernetes.io/instance: crossplane
585 app.kubernetes.io/version: "1.13.0"
586rules:
587# Crossplane editors have access to view events.
588- apiGroups: [""]
589 resources: [events]
590 verbs: [get, list, watch]
591# Crossplane editors must create provider credential secrets, and may need to
592# read or otherwise interact with connection secrets.
593- apiGroups: [""]
594 resources: [secrets]
595 verbs: ["*"]
596# Crossplane editors may see which namespaces exist, but not edit them.
597- apiGroups: [""]
598 resources: [namespaces]
599 verbs: [get, list, watch]
600# Crossplane editors have full access to built in Crossplane types.
601- apiGroups:
602 - apiextensions.crossplane.io
603 resources: ["*"]
604 verbs: ["*"]
605- apiGroups:
606 - pkg.crossplane.io
607 resources: [locks, providers, configurations, providerrevisions, configurationrevisions]
608 verbs: ["*"]
609---
610# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
611apiVersion: rbac.authorization.k8s.io/v1
612kind: ClusterRole
613metadata:
614 name: crossplane:aggregate-to-view
615 labels:
616 rbac.crossplane.io/aggregate-to-view: "true"
617 app: crossplane
618 helm.sh/chart: crossplane-1.13.0
619 app.kubernetes.io/managed-by: Helm
620 app.kubernetes.io/component: cloud-infrastructure-controller
621 app.kubernetes.io/part-of: crossplane
622 app.kubernetes.io/name: crossplane
623 app.kubernetes.io/instance: crossplane
624 app.kubernetes.io/version: "1.13.0"
625rules:
626# Crossplane viewers have access to view events.
627- apiGroups: [""]
628 resources: [events]
629 verbs: [get, list, watch]
630# Crossplane viewers may see which namespaces exist.
631- apiGroups: [""]
632 resources: [namespaces]
633 verbs: [get, list, watch]
634# Crossplane viewers have read-only access to built in Crossplane types.
635- apiGroups:
636 - apiextensions.crossplane.io
637 resources: ["*"]
638 verbs: [get, list, watch]
639- apiGroups:
640 - pkg.crossplane.io
641 resources: [locks, providers, configurations, providerrevisions, configurationrevisions]
642 verbs: [get, list, watch]
643---
644# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
645apiVersion: rbac.authorization.k8s.io/v1
646kind: ClusterRole
647metadata:
648 name: crossplane:aggregate-to-browse
649 labels:
650 rbac.crossplane.io/aggregate-to-browse: "true"
651 app: crossplane
652 helm.sh/chart: crossplane-1.13.0
653 app.kubernetes.io/managed-by: Helm
654 app.kubernetes.io/component: cloud-infrastructure-controller
655 app.kubernetes.io/part-of: crossplane
656 app.kubernetes.io/name: crossplane
657 app.kubernetes.io/instance: crossplane
658 app.kubernetes.io/version: "1.13.0"
659rules:
660# Crossplane browsers have access to view events.
661- apiGroups: [""]
662 resources: [events]
663 verbs: [get, list, watch]
664# Crossplane browsers have read-only access to compositions and XRDs. This
665# allows them to discover and select an appropriate composition when creating a
666# resource claim.
667- apiGroups:
668 - apiextensions.crossplane.io
669 resources: ["*"]
670 verbs: [get, list, watch]
671---
672# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
673# The below ClusterRoles are aggregated to the namespaced RBAC roles created by
674# the Crossplane RBAC manager when it is running in --manage=All mode.
675apiVersion: rbac.authorization.k8s.io/v1
676kind: ClusterRole
677metadata:
678 name: crossplane:aggregate-to-ns-admin
679 labels:
680 rbac.crossplane.io/aggregate-to-ns-admin: "true"
681 rbac.crossplane.io/base-of-ns-admin: "true"
682 app: crossplane
683 helm.sh/chart: crossplane-1.13.0
684 app.kubernetes.io/managed-by: Helm
685 app.kubernetes.io/component: cloud-infrastructure-controller
686 app.kubernetes.io/part-of: crossplane
687 app.kubernetes.io/name: crossplane
688 app.kubernetes.io/instance: crossplane
689 app.kubernetes.io/version: "1.13.0"
690rules:
691# Crossplane namespace admins have access to view events.
692- apiGroups: [""]
693 resources: [events]
694 verbs: [get, list, watch]
695# Crossplane namespace admins may need to read or otherwise interact with
696# resource claim connection secrets.
697- apiGroups: [""]
698 resources: [secrets]
699 verbs: ["*"]
700# Crossplane namespace admins have access to view the roles that they may be
701# able to grant to other subjects.
702- apiGroups: [rbac.authorization.k8s.io]
703 resources: [roles]
704 verbs: [get, list, watch]
705# Crossplane namespace admins have access to grant the access they have to other
706# subjects.
707- apiGroups: [rbac.authorization.k8s.io]
708 resources: [rolebindings]
709 verbs: ["*"]
710---
711# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
712apiVersion: rbac.authorization.k8s.io/v1
713kind: ClusterRole
714metadata:
715 name: crossplane:aggregate-to-ns-edit
716 labels:
717 rbac.crossplane.io/aggregate-to-ns-edit: "true"
718 rbac.crossplane.io/base-of-ns-edit: "true"
719 app: crossplane
720 helm.sh/chart: crossplane-1.13.0
721 app.kubernetes.io/managed-by: Helm
722 app.kubernetes.io/component: cloud-infrastructure-controller
723 app.kubernetes.io/part-of: crossplane
724 app.kubernetes.io/name: crossplane
725 app.kubernetes.io/instance: crossplane
726 app.kubernetes.io/version: "1.13.0"
727rules:
728# Crossplane namespace editors have access to view events.
729- apiGroups: [""]
730 resources: [events]
731 verbs: [get, list, watch]
732# Crossplane namespace editors may need to read or otherwise interact with
733# resource claim connection secrets.
734- apiGroups: [""]
735 resources: [secrets]
736 verbs: ["*"]
737---
738# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
739apiVersion: rbac.authorization.k8s.io/v1
740kind: ClusterRole
741metadata:
742 name: crossplane:aggregate-to-ns-view
743 labels:
744 rbac.crossplane.io/aggregate-to-ns-view: "true"
745 rbac.crossplane.io/base-of-ns-view: "true"
746 app: crossplane
747 helm.sh/chart: crossplane-1.13.0
748 app.kubernetes.io/managed-by: Helm
749 app.kubernetes.io/component: cloud-infrastructure-controller
750 app.kubernetes.io/part-of: crossplane
751 app.kubernetes.io/name: crossplane
752 app.kubernetes.io/instance: crossplane
753 app.kubernetes.io/version: "1.13.0"
754rules:
755# Crossplane namespace viewers have access to view events.
756- apiGroups: [""]
757 resources: [events]
758 verbs: [get, list, watch]
759---
760# Source: crossplane/templates/clusterrolebinding.yaml
761apiVersion: rbac.authorization.k8s.io/v1
762kind: ClusterRoleBinding
763metadata:
764 name: crossplane
765 labels:
766 app: crossplane
767 helm.sh/chart: crossplane-1.13.0
768 app.kubernetes.io/managed-by: Helm
769 app.kubernetes.io/component: cloud-infrastructure-controller
770 app.kubernetes.io/part-of: crossplane
771 app.kubernetes.io/name: crossplane
772 app.kubernetes.io/instance: crossplane
773 app.kubernetes.io/version: "1.13.0"
774roleRef:
775 apiGroup: rbac.authorization.k8s.io
776 kind: ClusterRole
777 name: crossplane
778subjects:
779- kind: ServiceAccount
780 name: crossplane
781 namespace: crossplane-system
782---
783# Source: crossplane/templates/rbac-manager-clusterrolebinding.yaml
784apiVersion: rbac.authorization.k8s.io/v1
785kind: ClusterRoleBinding
786metadata:
787 name: crossplane-rbac-manager
788 labels:
789 app: crossplane
790 helm.sh/chart: crossplane-1.13.0
791 app.kubernetes.io/managed-by: Helm
792 app.kubernetes.io/component: cloud-infrastructure-controller
793 app.kubernetes.io/part-of: crossplane
794 app.kubernetes.io/name: crossplane
795 app.kubernetes.io/instance: crossplane
796 app.kubernetes.io/version: "1.13.0"
797roleRef:
798 apiGroup: rbac.authorization.k8s.io
799 kind: ClusterRole
800 name: crossplane-rbac-manager
801subjects:
802- kind: ServiceAccount
803 name: rbac-manager
804 namespace: crossplane-system
805---
806# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
807apiVersion: rbac.authorization.k8s.io/v1
808kind: ClusterRoleBinding
809metadata:
810 name: crossplane-admin
811 labels:
812 app: crossplane
813 helm.sh/chart: crossplane-1.13.0
814 app.kubernetes.io/managed-by: Helm
815 app.kubernetes.io/component: cloud-infrastructure-controller
816 app.kubernetes.io/part-of: crossplane
817 app.kubernetes.io/name: crossplane
818 app.kubernetes.io/instance: crossplane
819 app.kubernetes.io/version: "1.13.0"
820roleRef:
821 apiGroup: rbac.authorization.k8s.io
822 kind: ClusterRole
823 name: crossplane-admin
824subjects:
825- apiGroup: rbac.authorization.k8s.io
826 kind: Group
827 name: crossplane:masters
828---
829# Source: crossplane/templates/service.yaml
830apiVersion: v1
831kind: Service
832metadata:
833 name: crossplane-webhooks
834 namespace: crossplane-system
835 labels:
836 app: crossplane
837 release: crossplane
838 helm.sh/chart: crossplane-1.13.0
839 app.kubernetes.io/managed-by: Helm
840 app.kubernetes.io/component: cloud-infrastructure-controller
841 app.kubernetes.io/part-of: crossplane
842 app.kubernetes.io/name: crossplane
843 app.kubernetes.io/instance: crossplane
844 app.kubernetes.io/version: "1.13.0"
845spec:
846 selector:
847 app: crossplane
848 release: crossplane
849 ports:
850 - protocol: TCP
851 port: 9443
852 targetPort: 9443
853---
854# Source: crossplane/templates/deployment.yaml
855apiVersion: apps/v1
856kind: Deployment
857metadata:
858 name: crossplane
859 namespace: crossplane-system
860 labels:
861 app: crossplane
862 release: crossplane
863 helm.sh/chart: crossplane-1.13.0
864 app.kubernetes.io/managed-by: Helm
865 app.kubernetes.io/component: cloud-infrastructure-controller
866 app.kubernetes.io/part-of: crossplane
867 app.kubernetes.io/name: crossplane
868 app.kubernetes.io/instance: crossplane
869 app.kubernetes.io/version: "1.13.0"
870spec:
871 replicas: 1
872 selector:
873 matchLabels:
874 app: crossplane
875 release: crossplane
876 strategy:
877 type: RollingUpdate
878 template:
879 metadata:
880 labels:
881 app: crossplane
882 release: crossplane
883 helm.sh/chart: crossplane-1.13.0
884 app.kubernetes.io/managed-by: Helm
885 app.kubernetes.io/component: cloud-infrastructure-controller
886 app.kubernetes.io/part-of: crossplane
887 app.kubernetes.io/name: crossplane
888 app.kubernetes.io/instance: crossplane
889 app.kubernetes.io/version: "1.13.0"
890 spec:
891 securityContext:
892 {}
893 serviceAccountName: crossplane
894 hostNetwork: false
895 initContainers:
896 - image: "crossplane/crossplane:v1.13.0"
897 args:
898 - core
899 - init
900 imagePullPolicy: IfNotPresent
901 name: crossplane-init
902 resources:
903 limits:
904 cpu: 100m
905 memory: 512Mi
906 requests:
907 cpu: 100m
908 memory: 256Mi
909 securityContext:
910 allowPrivilegeEscalation: false
911 readOnlyRootFilesystem: true
912 runAsGroup: 65532
913 runAsUser: 65532
914 env:
915 - name: GOMAXPROCS
916 valueFrom:
917 resourceFieldRef:
918 containerName: crossplane-init
919 resource: limits.cpu
920 - name: GOMEMLIMIT
921 valueFrom:
922 resourceFieldRef:
923 containerName: crossplane-init
924 resource: limits.memory
925 - name: POD_NAMESPACE
926 valueFrom:
927 fieldRef:
928 fieldPath: metadata.namespace
929 - name: POD_SERVICE_ACCOUNT
930 valueFrom:
931 fieldRef:
932 fieldPath: spec.serviceAccountName
933 - name: "WEBHOOK_TLS_SECRET_NAME"
934 value: webhook-tls-secret
935 - name: "WEBHOOK_SERVICE_NAME"
936 value: crossplane-webhooks
937 - name: "WEBHOOK_SERVICE_NAMESPACE"
938 valueFrom:
939 fieldRef:
940 fieldPath: metadata.namespace
941 - name: "WEBHOOK_SERVICE_PORT"
942 value: "9443"
943 containers:
944 - image: "crossplane/crossplane:v1.13.0"
945 args:
946 - core
947 - start
948 imagePullPolicy: IfNotPresent
949 name: crossplane
950 resources:
951 limits:
952 cpu: 100m
953 memory: 512Mi
954 requests:
955 cpu: 100m
956 memory: 256Mi
957 ports:
958 - name: webhooks
959 containerPort: 9443
960 securityContext:
961 allowPrivilegeEscalation: false
962 readOnlyRootFilesystem: true
963 runAsGroup: 65532
964 runAsUser: 65532
965 env:
966 - name: GOMAXPROCS
967 valueFrom:
968 resourceFieldRef:
969 containerName: crossplane
970 resource: limits.cpu
971 - name: GOMEMLIMIT
972 valueFrom:
973 resourceFieldRef:
974 containerName: crossplane
975 resource: limits.memory
976 - name: POD_NAMESPACE
977 valueFrom:
978 fieldRef:
979 fieldPath: metadata.namespace
980 - name: POD_SERVICE_ACCOUNT
981 valueFrom:
982 fieldRef:
983 fieldPath: spec.serviceAccountName
984 - name: LEADER_ELECTION
985 value: "true"
986 - name: "WEBHOOK_TLS_SECRET_NAME"
987 value: webhook-tls-secret
988 - name: "WEBHOOK_TLS_CERT_DIR"
989 value: /webhook/tls
990 volumeMounts:
991 - mountPath: /cache
992 name: package-cache
993 - mountPath: /webhook/tls
994 name: webhook-tls-secret
995 volumes:
996 - name: package-cache
997 emptyDir:
998 medium:
999 sizeLimit: 20Mi
1000 - name: webhook-tls-secret
1001 secret:
1002 # NOTE(muvaf): The tls.crt is used both by the server (requires it to
1003 # be a single cert) and the caBundle fields of webhook configs and CRDs
1004 # which can accept a whole bundle of certificates. In order to meet
1005 # the requirements of both, we require a single certificate instead of
1006 # a bundle.
1007 # It's assumed that initializer generates this anyway, so it should be
1008 # fine.
1009 secretName: webhook-tls-secret
1010---
1011# Source: crossplane/templates/rbac-manager-deployment.yaml
1012apiVersion: apps/v1
1013kind: Deployment
1014metadata:
1015 name: crossplane-rbac-manager
1016 namespace: crossplane-system
1017 labels:
1018 app: crossplane-rbac-manager
1019 release: crossplane
1020 helm.sh/chart: crossplane-1.13.0
1021 app.kubernetes.io/managed-by: Helm
1022 app.kubernetes.io/component: cloud-infrastructure-controller
1023 app.kubernetes.io/part-of: crossplane
1024 app.kubernetes.io/name: crossplane
1025 app.kubernetes.io/instance: crossplane
1026 app.kubernetes.io/version: "1.13.0"
1027spec:
1028 replicas: 1
1029 selector:
1030 matchLabels:
1031 app: crossplane-rbac-manager
1032 release: crossplane
1033 strategy:
1034 type: RollingUpdate
1035 template:
1036 metadata:
1037 labels:
1038 app: crossplane-rbac-manager
1039 release: crossplane
1040 helm.sh/chart: crossplane-1.13.0
1041 app.kubernetes.io/managed-by: Helm
1042 app.kubernetes.io/component: cloud-infrastructure-controller
1043 app.kubernetes.io/part-of: crossplane
1044 app.kubernetes.io/name: crossplane
1045 app.kubernetes.io/instance: crossplane
1046 app.kubernetes.io/version: "1.13.0"
1047 spec:
1048 securityContext:
1049 {}
1050 serviceAccountName: rbac-manager
1051 initContainers:
1052 - image: "crossplane/crossplane:v1.13.0"
1053 args:
1054 - rbac
1055 - init
1056 imagePullPolicy: IfNotPresent
1057 name: crossplane-init
1058 resources:
1059 limits:
1060 cpu: 100m
1061 memory: 512Mi
1062 requests:
1063 cpu: 100m
1064 memory: 256Mi
1065 securityContext:
1066 allowPrivilegeEscalation: false
1067 readOnlyRootFilesystem: true
1068 runAsGroup: 65532
1069 runAsUser: 65532
1070 env:
1071 - name: GOMAXPROCS
1072 valueFrom:
1073 resourceFieldRef:
1074 containerName: crossplane-init
1075 resource: limits.cpu
1076 - name: GOMEMLIMIT
1077 valueFrom:
1078 resourceFieldRef:
1079 containerName: crossplane-init
1080 resource: limits.memory
1081 containers:
1082 - image: "crossplane/crossplane:v1.13.0"
1083 args:
1084 - rbac
1085 - start
1086 - --manage=Basic
1087 - --provider-clusterrole=crossplane:allowed-provider-permissions
1088 imagePullPolicy: IfNotPresent
1089 name: crossplane
1090 resources:
1091 limits:
1092 cpu: 100m
1093 memory: 512Mi
1094 requests:
1095 cpu: 100m
1096 memory: 256Mi
1097 securityContext:
1098 allowPrivilegeEscalation: false
1099 readOnlyRootFilesystem: true
1100 runAsGroup: 65532
1101 runAsUser: 65532
1102 env:
1103 - name: GOMAXPROCS
1104 valueFrom:
1105 resourceFieldRef:
1106 containerName: crossplane
1107 resource: limits.cpu
1108 - name: GOMEMLIMIT
1109 valueFrom:
1110 resourceFieldRef:
1111 containerName: crossplane
1112 resource: limits.memory
1113 - name: LEADER_ELECTION
1114 value: "true"
1115
1116NOTES:
1117Release: crossplane
1118
1119Chart Name: crossplane
1120Chart Description: Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume.
1121Chart Version: 1.13.0
1122Chart Application Version: 1.13.0
1123
1124Kube Version: v1.27.4
Install the Crossplane components using helm install.
1helm install crossplane \
2crossplane-stable/crossplane \
3--namespace crossplane-system \
4--create-namespace
Verify Crossplane installed with kubectl get pods.
1kubectl get pods -n crossplane-system
2NAME READY STATUS RESTARTS AGE
3crossplane-d4cd8d784-ldcgb 1/1 Running 0 54s
4crossplane-rbac-manager-84769b574-6mw6f 1/1 Running 0 54s
Installing Crossplane creates new Kubernetes API end-points.
Look at the new API end-points with kubectl api-resources | grep crossplane.
1kubectl api-resources | grep crossplane
2compositeresourcedefinitions xrd,xrds apiextensions.crossplane.io/v1 false CompositeResourceDefinition
3compositionrevisions comprev apiextensions.crossplane.io/v1 false CompositionRevision
4compositions comp apiextensions.crossplane.io/v1 false Composition
5environmentconfigs envcfg apiextensions.crossplane.io/v1alpha1 false EnvironmentConfig
6configurationrevisions pkg.crossplane.io/v1 false ConfigurationRevision
7configurations pkg.crossplane.io/v1 false Configuration
8controllerconfigs pkg.crossplane.io/v1alpha1 false ControllerConfig
9locks pkg.crossplane.io/v1beta1 false Lock
10providerrevisions pkg.crossplane.io/v1 false ProviderRevision
11providers pkg.crossplane.io/v1 false Provider
12storeconfigs secrets.crossplane.io/v1alpha1 false StoreConfig
Install the GCP provider
Install the provider into the Kubernetes cluster with a Kubernetes configuration file.
1cat <<EOF | kubectl apply -f -
2apiVersion: pkg.crossplane.io/v1
3kind: Provider
4metadata:
5 name: provider-gcp-storage
6spec:
7 package: xpkg.upbound.io/upbound/provider-gcp-storage:v0.35.0
8EOF
The Crossplane
Verify the provider installed with kubectl get providers.
1kubectl get providers
2NAME INSTALLED HEALTHY PACKAGE AGE
3provider-gcp-storage True True xpkg.upbound.io/upbound/provider-gcp-storage:v0.35.0 14m
4upbound-provider-family-gcp True True xpkg.upbound.io/upbound/provider-family-gcp:v0.35.0 14m
The Storage Provider installs a second Provider, the
The family provider manages authentication to GCP across all GCP family
Providers.
You can view the new CRDs with kubectl get crds.
Every CRD maps to a unique GCP service Crossplane can provision and manage.
Tip
See details about all the supported CRDs in the
Upbound Marketplace.
Create a Kubernetes secret for GCP
The provider requires credentials to create and manage GCP resources. Providers use a Kubernetes Secret to connect the credentials to the provider.
First generate a Kubernetes Secret from a Google Cloud service account JSON file and then configure the Provider to use it.
Generate a GCP service account JSON file
For basic user authentication, use a Google Cloud service account JSON file.
Tip
The
GCP documentation
provides information on how to generate a service account JSON file.
Save this JSON file as gcp-credentials.json
Create a Kubernetes secret with the GCP credentials
A Kubernetes generic secret has a name and contents. Use
Use the
1kubectl create secret \
2generic gcp-secret \
3-n crossplane-system \
4--from-file=creds=./gcp-credentials.json
View the secret with kubectl describe secret
Note
The file size may be a different depending on the contents.
1kubectl describe secret gcp-secret -n crossplane-system
2Name: gcp-secret
3Namespace: crossplane-system
4Labels: <none>
5Annotations: <none>
6
7Type: Opaque
8
9Data
10====
11creds: 2330 bytes
Create a ProviderConfig
A ProviderConfig customizes the settings of the GCP Provider.
Include your
Tip
Find your GCP project ID from the
project_id field of the
gcp-credentials.json file.Apply the
1cat <<EOF | kubectl apply -f -
2apiVersion: gcp.upbound.io/v1beta1
3kind: ProviderConfig
4metadata:
5 name: default
6spec:
7 projectID:
8 credentials:
9 source: Secret
10 secretRef:
11 namespace: crossplane-system
12 name: gcp-secret
13 key: creds
14EOF
This attaches the GCP credentials, saved as a Kubernetes secret, as a
The
Create a managed resource
A managed resource is anything Crossplane creates and manages outside of the
Kubernetes cluster. This example creates a GCP storage bucket with Crossplane.
The storage bucket is a managed resource.
Note
To generate a unique name use
generateName name.Create the Bucket with the following command:
1cat <<EOF | kubectl create -f -
2apiVersion: storage.gcp.upbound.io/v1beta1
3kind: Bucket
4metadata:
5 generateName: crossplane-bucket-
6 labels:
7 docs.crossplane.io/example: provider-gcp
8spec:
9 forProvider:
10 location: US
11 providerConfigRef:
12 name: default
13EOF
The
The
For a
Use kubectl get bucket to verify Crossplane created the bucket.
Tip
Crossplane created the bucket when the values
This may take up to 5 minutes.
READY and SYNCED are True.This may take up to 5 minutes.
1kubectl get bucket
2NAME READY SYNCED EXTERNAL-NAME AGE
3crossplane-bucket-8b7gw True True crossplane-bucket-8b7gw 2m2s
Delete the managed resource
Before shutting down your Kubernetes cluster, delete the GCP bucket just created.
Use kubectl delete bucket to remove the bucket.
Tip
Use the
--selector flag to delete by label instead of by name.1kubectl delete bucket --selector docs.crossplane.io/example=provider-gcp
2bucket.storage.gcp.upbound.io "crossplane-bucket-8b7gw" deleted
Next steps
- Continue to part 2 to create a Crossplane Composite Resource and Claim.
- Explore GCP resources that can Crossplane can configure in the Provider CRD reference.
- Join the Crossplane Slack and connect with Crossplane users and contributors.