tocHidden | searchExclude |
---|---|
true | true |
Install Crossplane
Crossplane installs into an existing Kubernetes cluster.
{{< hint type="tip" >}} If you don't have a Kubernetes cluster, create one locally with Kind. {{< /hint >}}
Install the Crossplane Helm chart
Helm enables Crossplane to install all its Kubernetes components through a Helm Chart.
Enable the Crossplane Helm Chart repository:
helm repo add \
crossplane-stable https://charts.crossplane.io/stable
helm repo update
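Run the Helm dry-run to see all the Crossplane components Helm installs before anything changes in the cluster. Review the cluster-scoped RBAC objects in the output in particular: the chart grants the `rbac-manager` ServiceAccount the `escalate` and `bind` verbs on ClusterRoles, gives the Crossplane controller read and write access to Secrets, and binds the `crossplane-admin` ClusterRole to the `crossplane:masters` group. The sample output in the expandable section below was rendered into the `default` namespace; with `--namespace crossplane-system` as in the command here, expect `crossplane-system` in the namespaced objects and in the ClusterRoleBinding subjects.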
helm install crossplane \
crossplane-stable/crossplane \
--dry-run --debug \
--namespace crossplane-system \
--create-namespace
{{<expand "View the Helm dry-run" >}}
helm install crossplane \
crossplane-stable/crossplane \
--dry-run --debug \
--namespace crossplane-system \
--create-namespace
install.go:214: [debug] Original chart version: ""
install.go:216: [debug] setting version to >0.0.0-0
install.go:231: [debug] CHART PATH: /Users/plumbis/Library/Caches/helm/repository/crossplane-1.15.0.tgz
NAME: crossplane
LAST DEPLOYED: Mon Feb 12 14:46:15 2024
NAMESPACE: default
STATUS: pending-install
REVISION: 1
TEST SUITE: None
USER-SUPPLIED VALUES:
{}
COMPUTED VALUES:
affinity: {}
args: []
configuration:
packages: []
customAnnotations: {}
customLabels: {}
deploymentStrategy: RollingUpdate
extraEnvVarsCrossplane: {}
extraEnvVarsRBACManager: {}
extraObjects: []
extraVolumeMountsCrossplane: {}
extraVolumesCrossplane: {}
function:
packages: []
hostNetwork: false
image:
pullPolicy: IfNotPresent
repository: xpkg.crossplane.io/crossplane/crossplane
tag: ""
imagePullSecrets: {}
leaderElection: true
metrics:
enabled: false
nodeSelector: {}
packageCache:
configMap: ""
medium: ""
pvc: ""
sizeLimit: 20Mi
podSecurityContextCrossplane: {}
podSecurityContextRBACManager: {}
priorityClassName: ""
provider:
packages: []
rbacManager:
affinity: {}
args: []
deploy: true
leaderElection: true
nodeSelector: {}
replicas: 1
skipAggregatedClusterRoles: false
tolerations: []
registryCaBundleConfig:
key: ""
name: ""
replicas: 1
resourcesCrossplane:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
resourcesRBACManager:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContextCrossplane:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
securityContextRBACManager:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
serviceAccount:
customAnnotations: {}
tolerations: []
webhooks:
enabled: true
HOOKS:
MANIFEST:
---
# Source: crossplane/templates/rbac-manager-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: rbac-manager
namespace: default
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
---
# Source: crossplane/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: crossplane
namespace: default
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
---
# Source: crossplane/templates/secret.yaml
# The reason this is created empty and filled by the init container is we want
# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
# is deleted, the secret is deleted as well.
apiVersion: v1
kind: Secret
metadata:
name: crossplane-root-ca
namespace: default
type: Opaque
---
# Source: crossplane/templates/secret.yaml
# The reason this is created empty and filled by the init container is we want
# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
# is deleted, the secret is deleted as well.
apiVersion: v1
kind: Secret
metadata:
name: crossplane-tls-server
namespace: default
type: Opaque
---
# Source: crossplane/templates/secret.yaml
# The reason this is created empty and filled by the init container is we want
# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
# is deleted, the secret is deleted as well.
apiVersion: v1
kind: Secret
metadata:
name: crossplane-tls-client
namespace: default
type: Opaque
---
# Source: crossplane/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-crossplane: "true"
---
# Source: crossplane/templates/clusterrole.yaml
# NOTE(review): rules for the core Crossplane controller. The label
# rbac.crossplane.io/aggregate-to-crossplane: "true" below matches the
# aggregationRule of the "crossplane" ClusterRole, which a ClusterRoleBinding
# in this output grants to the "crossplane" ServiceAccount. Every rule here
# therefore applies in all namespaces, not only the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane:system:aggregate-to-crossplane
  labels:
    app: crossplane
    helm.sh/chart: crossplane-1.15.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cloud-infrastructure-controller
    app.kubernetes.io/part-of: crossplane
    app.kubernetes.io/name: crossplane
    app.kubernetes.io/instance: crossplane
    app.kubernetes.io/version: "1.15.0"
    crossplane.io/scope: "system"
    rbac.crossplane.io/aggregate-to-crossplane: "true"
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
  - delete
# NOTE(review): wildcard verbs on every CustomResourceDefinition in the
# cluster, including CRDs that do not belong to Crossplane.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - "*"
# NOTE(review): read and write access to Secrets cluster-wide. Anything that
# can act as the "crossplane" ServiceAccount can read every Secret, so
# restrict pod creation and exec in the release namespace accordingly.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  - services
  verbs:
  - "*"
- apiGroups:
  - apiextensions.crossplane.io
  - pkg.crossplane.io
  - secrets.crossplane.io
  resources:
  - "*"
  verbs:
  - "*"
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - create
  - update
  - patch
  - delete
  - watch
- apiGroups:
  - ""
  - coordination.k8s.io
  resources:
  - configmaps
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - patch
  - watch
  - delete
# NOTE(review): write access to admission webhook configurations, which are
# cluster-scoped objects; worth covering in audit-log alerting.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
  - create
  - update
  - patch
  - watch
  - delete
---
# Source: crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:allowed-provider-permissions
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true"
---
# Source: crossplane/templates/rbac-manager-clusterrole.yaml
# NOTE(review): ClusterRole for the RBAC manager. The crossplane-rbac-manager
# ClusterRoleBinding in this output binds it to the "rbac-manager"
# ServiceAccount, so every rule below applies cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane-rbac-manager
  labels:
    app: crossplane
    helm.sh/chart: crossplane-1.15.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cloud-infrastructure-controller
    app.kubernetes.io/part-of: crossplane
    app.kubernetes.io/name: crossplane
    app.kubernetes.io/instance: crossplane
    app.kubernetes.io/version: "1.15.0"
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
  - list
  - watch
# The RBAC manager creates a series of RBAC roles for each namespace it sees.
# These RBAC roles are controlled (in the owner reference sense) by the namespace.
# The RBAC manager needs permission to set finalizers on Namespaces in order to
# create resources that block their deletion when the
# OwnerReferencesPermissionEnforcement admission controller is enabled.
# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups:
  - ""
  resources:
  - namespaces/finalizers
  verbs:
  - update
- apiGroups:
  - apiextensions.crossplane.io
  resources:
  - compositeresourcedefinitions
  verbs:
  - get
  - list
  - watch
# The RBAC manager creates a series of RBAC cluster roles for each XRD it sees.
# These cluster roles are controlled (in the owner reference sense) by the XRD.
# The RBAC manager needs permission to set finalizers on XRDs in order to
# create resources that block their deletion when the
# OwnerReferencesPermissionEnforcement admission controller is enabled.
# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups:
  - apiextensions.crossplane.io
  resources:
  - compositeresourcedefinitions/finalizers
  verbs:
  - update
- apiGroups:
  - pkg.crossplane.io
  resources:
  - providerrevisions
  verbs:
  - get
  - list
  - watch
# The RBAC manager creates a series of RBAC cluster roles for each ProviderRevision
# it sees. These cluster roles are controlled (in the owner reference sense) by the
# ProviderRevision. The RBAC manager needs permission to set finalizers on
# ProviderRevisions in order to create resources that block their deletion when the
# OwnerReferencesPermissionEnforcement admission controller is enabled.
# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - pkg.crossplane.io
  resources:
  - providerrevisions/finalizers
  verbs:
  - update
# NOTE(review): `escalate` lets the holder write Roles and ClusterRoles that
# contain permissions it does not itself hold; it switches off the RBAC
# escalation check Kubernetes otherwise applies to role writes.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - roles
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  # The RBAC manager may grant access it does not have.
  - escalate
# NOTE(review): `bind` with no resourceNames lets the holder create bindings
# to any ClusterRole, again without holding that role's permissions.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - bind
# NOTE(review): taken together with the two rules above, the "rbac-manager"
# ServiceAccount is effectively equivalent to cluster-admin. Protect its
# token, limit who can run pods or read Secrets in the release namespace, and
# alert on ClusterRoleBinding writes by this account. The chart value
# rbacManager.deploy (listed under COMPUTED VALUES) presumably controls
# whether this component is installed; confirm in the chart documentation.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - "*"
- apiGroups:
  - ""
  - coordination.k8s.io
  resources:
  - configmaps
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - patch
  - watch
  - delete
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-admin
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-admin: "true"
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-edit
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-edit: "true"
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-view
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-view: "true"
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane-browse
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.crossplane.io/aggregate-to-browse: "true"
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
# NOTE(review): the aggregate-to-admin label below matches the aggregationRule
# of the "crossplane-admin" ClusterRole, which this output binds to the group
# "crossplane:masters" through a ClusterRoleBinding. These rules therefore
# apply in every namespace for members of that group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane:aggregate-to-admin
  labels:
    rbac.crossplane.io/aggregate-to-admin: "true"
    app: crossplane
    helm.sh/chart: crossplane-1.15.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cloud-infrastructure-controller
    app.kubernetes.io/part-of: crossplane
    app.kubernetes.io/name: crossplane
    app.kubernetes.io/instance: crossplane
    app.kubernetes.io/version: "1.15.0"
rules:
# Crossplane administrators have access to view events.
- apiGroups: [""]
  resources: [events]
  verbs: [get, list, watch]
# Crossplane administrators must create provider credential secrets, and may
# need to read or otherwise interact with connection secrets. They may also need
# to create or annotate namespaces.
# NOTE(review): the wildcard covers every Secret and Namespace in the cluster,
# not only Crossplane's provider credentials and connection secrets.
- apiGroups: [""]
  resources: [secrets, namespaces]
  verbs: ["*"]
# Crossplane administrators have access to view the roles that they may be able
# to grant to other subjects.
- apiGroups: [rbac.authorization.k8s.io]
  resources: [clusterroles, roles]
  verbs: [get, list, watch]
# Crossplane administrators have access to grant the access they have to other
# subjects.
# NOTE(review): no `bind` verb is granted here, so Kubernetes' escalation check
# still limits these bindings to roles whose permissions the caller holds.
- apiGroups: [rbac.authorization.k8s.io]
  resources: [clusterrolebindings, rolebindings]
  verbs: ["*"]
# Crossplane administrators have full access to built in Crossplane types.
- apiGroups:
  - apiextensions.crossplane.io
  resources: ["*"]
  verbs: ["*"]
- apiGroups:
  - pkg.crossplane.io
  resources: ["*"]
  verbs: ["*"]
# Crossplane administrators have access to view CRDs in order to debug XRDs.
- apiGroups: [apiextensions.k8s.io]
  resources: [customresourcedefinitions]
  verbs: [get, list, watch]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-edit
labels:
rbac.crossplane.io/aggregate-to-edit: "true"
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
rules:
# Crossplane editors have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane editors must create provider credential secrets, and may need to
# read or otherwise interact with connection secrets.
- apiGroups: [""]
resources: [secrets]
verbs: ["*"]
# Crossplane editors may see which namespaces exist, but not edit them.
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
# Crossplane editors have full access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: ["*"]
- apiGroups:
- pkg.crossplane.io
resources: ["*"]
verbs: ["*"]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-view
labels:
rbac.crossplane.io/aggregate-to-view: "true"
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
rules:
# Crossplane viewers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane viewers may see which namespaces exist.
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
# Crossplane viewers have read-only access to built in Crossplane types.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: [get, list, watch]
- apiGroups:
- pkg.crossplane.io
resources: ["*"]
verbs: [get, list, watch]
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: crossplane:aggregate-to-browse
labels:
rbac.crossplane.io/aggregate-to-browse: "true"
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
rules:
# Crossplane browsers have access to view events.
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch]
# Crossplane browsers have read-only access to compositions and XRDs. This
# allows them to discover and select an appropriate composition when creating a
# resource claim.
- apiGroups:
- apiextensions.crossplane.io
resources: ["*"]
verbs: [get, list, watch]
---
# Source: crossplane/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crossplane
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: crossplane
subjects:
- kind: ServiceAccount
name: crossplane
namespace: default
---
# Source: crossplane/templates/rbac-manager-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: crossplane-rbac-manager
labels:
app: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: crossplane-rbac-manager
subjects:
- kind: ServiceAccount
name: rbac-manager
namespace: default
---
# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
# NOTE(review): grants the aggregated "crossplane-admin" ClusterRole to a
# Group subject rather than to a ServiceAccount. Group names are asserted by
# whatever authenticates the user (for example a client certificate or an
# OIDC groups claim), so audit which identities in your cluster can be issued
# the group "crossplane:masters".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crossplane-admin
  labels:
    app: crossplane
    helm.sh/chart: crossplane-1.15.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: cloud-infrastructure-controller
    app.kubernetes.io/part-of: crossplane
    app.kubernetes.io/name: crossplane
    app.kubernetes.io/instance: crossplane
    app.kubernetes.io/version: "1.15.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crossplane-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: crossplane:masters
---
# Source: crossplane/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: crossplane-webhooks
namespace: default
labels:
app: crossplane
release: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
spec:
selector:
app: crossplane
release: crossplane
ports:
- protocol: TCP
port: 9443
targetPort: 9443
---
# Source: crossplane/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: crossplane
namespace: default
labels:
app: crossplane
release: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
spec:
replicas: 1
selector:
matchLabels:
app: crossplane
release: crossplane
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: crossplane
release: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
spec:
serviceAccountName: crossplane
hostNetwork: false
initContainers:
- image: "xpkg.crossplane.io/crossplane/crossplane:v1.15.0"
args:
- core
- init
imagePullPolicy: IfNotPresent
name: crossplane-init
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
env:
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
containerName: crossplane-init
resource: limits.cpu
divisor: "1"
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
containerName: crossplane-init
resource: limits.memory
divisor: "1"
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: "WEBHOOK_SERVICE_NAME"
value: crossplane-webhooks
- name: "WEBHOOK_SERVICE_NAMESPACE"
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: "WEBHOOK_SERVICE_PORT"
value: "9443"
- name: "TLS_CA_SECRET_NAME"
value: crossplane-root-ca
- name: "TLS_SERVER_SECRET_NAME"
value: crossplane-tls-server
- name: "TLS_CLIENT_SECRET_NAME"
value: crossplane-tls-client
containers:
- image: "xpkg.crossplane.io/crossplane/crossplane:v1.15.0"
args:
- core
- start
imagePullPolicy: IfNotPresent
name: crossplane
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
startupProbe:
failureThreshold: 30
periodSeconds: 2
tcpSocket:
port: readyz
ports:
- name: readyz
containerPort: 8081
- name: webhooks
containerPort: 9443
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
env:
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
containerName: crossplane
resource: limits.cpu
divisor: "1"
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
containerName: crossplane
resource: limits.memory
divisor: "1"
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: LEADER_ELECTION
value: "true"
- name: "TLS_SERVER_SECRET_NAME"
value: crossplane-tls-server
- name: "TLS_SERVER_CERTS_DIR"
value: /tls/server
- name: "TLS_CLIENT_SECRET_NAME"
value: crossplane-tls-client
- name: "TLS_CLIENT_CERTS_DIR"
value: /tls/client
volumeMounts:
- mountPath: /cache
name: package-cache
- mountPath: /tls/server
name: tls-server-certs
- mountPath: /tls/client
name: tls-client-certs
volumes:
- name: package-cache
emptyDir:
medium:
sizeLimit: 20Mi
- name: tls-server-certs
secret:
secretName: crossplane-tls-server
- name: tls-client-certs
secret:
secretName: crossplane-tls-client
---
# Source: crossplane/templates/rbac-manager-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: crossplane-rbac-manager
namespace: default
labels:
app: crossplane-rbac-manager
release: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
spec:
replicas: 1
selector:
matchLabels:
app: crossplane-rbac-manager
release: crossplane
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: crossplane-rbac-manager
release: crossplane
helm.sh/chart: crossplane-1.15.0
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: cloud-infrastructure-controller
app.kubernetes.io/part-of: crossplane
app.kubernetes.io/name: crossplane
app.kubernetes.io/instance: crossplane
app.kubernetes.io/version: "1.15.0"
spec:
serviceAccountName: rbac-manager
initContainers:
- image: "xpkg.crossplane.io/crossplane/crossplane:v1.15.0"
args:
- rbac
- init
imagePullPolicy: IfNotPresent
name: crossplane-init
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
env:
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
containerName: crossplane-init
resource: limits.cpu
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
containerName: crossplane-init
resource: limits.memory
containers:
- image: "xpkg.crossplane.io/crossplane/crossplane:v1.15.0"
args:
- rbac
- start
- --provider-clusterrole=crossplane:allowed-provider-permissions
imagePullPolicy: IfNotPresent
name: crossplane
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsUser: 65532
env:
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
containerName: crossplane
resource: limits.cpu
- name: GOMEMLIMIT
valueFrom:
resourceFieldRef:
containerName: crossplane
resource: limits.memory
- name: LEADER_ELECTION
value: "true"
NOTES:
Release: crossplane
Chart Name: crossplane
Chart Description: Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume.
Chart Version: 1.15.0
Chart Application Version: 1.15.0
Kube Version: v1.27.3
{{< /expand >}}
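Install the Crossplane components using `helm install`. Without a `--version` flag, Helm resolves the chart version at install time (the dry-run log above shows `Original chart version: ""`), so pass `--version` with the chart version you reviewed in the dry-run to install exactly what you inspected.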
helm install crossplane \
crossplane-stable/crossplane \
--namespace crossplane-system \
--create-namespace
Verify Crossplane installed with `kubectl get pods`.
kubectl get pods -n crossplane-system
NAME READY STATUS RESTARTS AGE
crossplane-d4cd8d784-ldcgb 1/1 Running 0 54s
crossplane-rbac-manager-84769b574-6mw6f 1/1 Running 0 54s
Installing Crossplane creates new Kubernetes API end-points.
Look at the new API end-points with `kubectl api-resources | grep crossplane`.
kubectl api-resources | grep crossplane
compositeresourcedefinitions xrd,xrds apiextensions.crossplane.io/v1 false CompositeResourceDefinition
compositionrevisions comprev apiextensions.crossplane.io/v1 false CompositionRevision
compositions comp apiextensions.crossplane.io/v1 false Composition
environmentconfigs envcfg apiextensions.crossplane.io/v1beta1 false EnvironmentConfig
usages apiextensions.crossplane.io/v1alpha1 false Usage
configurationrevisions pkg.crossplane.io/v1 false ConfigurationRevision
configurations pkg.crossplane.io/v1 false Configuration
controllerconfigs pkg.crossplane.io/v1alpha1 false ControllerConfig
deploymentruntimeconfigs pkg.crossplane.io/v1beta1 false DeploymentRuntimeConfig
functionrevisions pkg.crossplane.io/v1beta1 false FunctionRevision
functions pkg.crossplane.io/v1beta1 false Function
locks pkg.crossplane.io/v1beta1 false Lock
providerrevisions pkg.crossplane.io/v1 false ProviderRevision
providers pkg.crossplane.io/v1 false Provider
storeconfigs secrets.crossplane.io/v1alpha1 false StoreConfig