Merge pull request #911 from QuadmanSWE/docs-beware-crossplane-default-access

Wrote about Crossplane's default limited access to third party custom …
Nic Cope 2025-04-10 17:41:46 -07:00 committed by GitHub
commit b0585a0002
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 27 additions and 0 deletions


@ -207,6 +207,33 @@ compose-pg@{animate: true}
This opens composition to exciting new use cases - for example building custom
app models with Crossplane.
### Beware Crossplane's default access
Crossplane by default can only access a limited set of kubernetes resources beyond what gets configured by any providers.
To grant access to additional resource resource types, create additional `ClusterRoles` and include them in the default Crossplane `ClusterRole` through [aggregation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). Crossplane's default ClusterRole aggregates using a selector for the label `rbac.crossplane.io/aggregate-to-crossplane: "true"`
If you don't include this you may experience RBAC issues composing third party custom resources.
Here is an example of allowing Crossplane handle the lifecycle of CloudNativePG PostgreSQL `Cluster`.
``` yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cnpg:aggregate-to-crossplane
labels:
app: crossplane
rbac.crossplane.io/aggregate-to-crossplane: "true"
rules:
- apiGroups:
- postgresql.cnpg.io
resources:
- clusters
verbs:
- "*"
```
## Backward compatibility
Crossplane v2 makes the following breaking changes:
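Review bot: the example ClusterRole grants `verbs: - "*"` on `clusters`, which is broader than the lifecycle management the surrounding sentence describes and is what readers will copy verbatim; consider listing the explicit verbs Crossplane actually needs (for example get, list, watch, create, update, patch, delete) so the snippet models least privilege, and consider a one-line caveat that the aggregated role extends the permissions of the Crossplane pod itself. Smaller points in the same hunk: "additional resource resource types" duplicates "resource", the sentence ending with the `rbac.crossplane.io/aggregate-to-crossplane: "true"` label has no terminating period, "kubernetes" should be capitalized, and "allowing Crossplane handle the lifecycle" should read "allowing Crossplane to handle the lifecycle"; the fence is also written as "``` yaml" with a space, which some renderers will not recognize as a language tag.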