Crossplane in GitOps & securing it

Argo/Flux drive infra; protect the plane.

Advanced12 min · lesson 12 of 12

Crossplane and GitOps are a natural pair: because infrastructure is now Kubernetes objects, Argo CD or Flux can manage it exactly like application manifests — Git is the desired state, the GitOps controller syncs it into the cluster, and Crossplane reconciles it into the cloud. Every infrastructure change becomes a reviewed, audited pull request, and the cluster continuously self-heals toward what Git says.

Git to cloud, two reconcile loops
1PR merged
claims/compositions in Git
2Argo/Flux
syncs manifests to cluster
3Crossplane
reconciles to the cloud
4infra
self-healing, audited
Two controllers chain: GitOps keeps the cluster matching Git; Crossplane keeps the cloud matching the cluster.

Securing the whole chain

The chain is only as safe as its weakest link, so harden all of it: protect the Git repo (branch protection, signed commits, review), lock down the GitOps controller’s access, keep Crossplane’s RBAC and cloud IAM least-privilege, and scan the manifests (kubeconform, policy checks) in CI before merge. Store provider credentials via workload identity, not committed secrets, and keep connection secrets out of Git entirely.

The Git repo now provisions your cloud
In this model, merge access to the infrastructure repo is the ability to create and destroy cloud resources — so protect it like production: required reviews, signed commits, CODEOWNERS on compositions and ProviderConfigs, and CI policy scanning as a merge gate. A GitOps pipeline that turns a merge into cloud changes deserves the same rigor as the CI/CD supply-chain course prescribes.