Crossplane Cloud Control Plane Cheat Sheet

Updated 2026-05-22

Crossplane is a CNCF-graduated, Kubernetes-native framework that turns any cluster into a universal control plane for provisioning and managing cloud infrastructure — on AWS, Azure, GCP, and beyond — using pure Kubernetes APIs and GitOps workflows. Unlike traditional IaC tools that run imperatively, Crossplane continuously reconciles declared state with real cloud resources, detecting and correcting drift automatically. The key mental model is that Crossplane doesn't just create resources once; it owns them, meaning any out-of-band change is reverted — a powerful guarantee for production environments but one that demands deliberate use of managementPolicies and deletionPolicy to avoid surprises.

What This Cheat Sheet Covers

This topic spans 17 focused tables and 121 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Core Concepts and ArchitectureTable 2: Installing and Configuring CrossplaneTable 3: Managed Resource Fields and LifecycleTable 4: CompositeResourceDefinitions (XRDs)Table 5: Compositions and Pipeline ModeTable 6: Composition Functions EcosystemTable 7: Providers — Installing, Configuring, and UpgradingTable 8: ManagedResourceActivationPolicy (MRAP) — Selective Resource ActivationTable 9: Usages — Deletion Protection and OrderingTable 10: Drift Detection and ReconciliationTable 11: Package Management and ConfigurationsTable 12: GitOps Integration — ArgoCD and FluxTable 13: Operations — Declarative Day-Two WorkflowsTable 14: Troubleshooting and DebuggingTable 15: Crossplane vs Terraform vs PulumiTable 16: Upbound Spaces and Universal Crossplane (UXP)Table 17: Security — RBAC, Secrets, and Multi-Tenancy

Table 1: Core Concepts and Architecture

Crossplane's architecture builds on Kubernetes controllers and CRDs; every cloud resource maps to a custom Kubernetes object. Understanding these seven foundational object types — and how they compose into a layered API — is the prerequisite for all practical work.

Concept	Example	Description
Managed Resource (MR)	`apiVersion: s3.aws.m.upbound.io/v1beta1` `kind: Bucket` `spec:` `forProvider:` `region: us-east-2`	• Kubernetes object representing one external cloud resource • the Provider reconciles it against the real infrastructure
Provider	`apiVersion: pkg.crossplane.io/v1` `kind: Provider` `spec:` `package: xpkg.crossplane.io/crossplane-contrib/provider-aws-s3:v2.0.0`	OCI package that installs CRDs and runs a controller pod to manage external resources for one cloud or service.
ProviderConfig (ProviderConfig / ClusterProviderConfig)	`apiVersion: aws.m.upbound.io/v1beta1` `kind: ProviderConfig` `spec:` `credentials:` `source: Secret` `secretRef: {name: aws-creds}`	• Stores authentication credentials for a Provider • `ProviderConfig` is namespace-scoped, `ClusterProviderConfig` is cluster-wide
CompositeResourceDefinition (XRD)	`apiVersion: apiextensions.crossplane.io/v2` `kind: CompositeResourceDefinition` `metadata:` `name: mydatabases.example.org` `spec:` `scope: Namespaced`	Registers a new custom API in the cluster (like a CRD) that defines the schema for a Composite Resource.

Table 1: Core Concepts and Architecture

Concept	Example	Description
Managed Resource (MR)	`apiVersion: s3.aws.m.upbound.io/v1beta1` `kind: Bucket` `spec:` `forProvider:` `region: us-east-2`	• Kubernetes object representing one external cloud resource • the Provider reconciles it against the real infrastructure
Provider	`apiVersion: pkg.crossplane.io/v1` `kind: Provider` `spec:` `package: xpkg.crossplane.io/crossplane-contrib/provider-aws-s3:v2.0.0`	OCI package that installs CRDs and runs a controller pod to manage external resources for one cloud or service.
ProviderConfig (ProviderConfig / ClusterProviderConfig)	`apiVersion: aws.m.upbound.io/v1beta1` `kind: ProviderConfig` `spec:` `credentials:` `source: Secret` `secretRef: {name: aws-creds}`	• Stores authentication credentials for a Provider • `ProviderConfig` is namespace-scoped, `ClusterProviderConfig` is cluster-wide
CompositeResourceDefinition (XRD)	`apiVersion: apiextensions.crossplane.io/v2` `kind: CompositeResourceDefinition` `metadata:` `name: mydatabases.example.org` `spec:` `scope: Namespaced`	Registers a new custom API in the cluster (like a CRD) that defines the schema for a Composite Resource.