AWS 快速入门

On this page

将 crossplane 连接到 AWS，利用 Upbound AWS Provider 从 Kubernetes 创建和管理云资源。

本指南分为两部分:

第 1 部分将介绍如何安装 crossplane、配置 Provider 以实现以下功能

这表明 crossplane 可以与 AWS 通信。

第二部分展示了如何使用 crossplane 构建和访问自定义 API。

先决条件

本快速入门需要

至少有 2 GB 内存的 Kubernetes 集群
在 Kubernetes 集群中创建 pod 和 secrets 的权限
版本为 3.2.0 或更高的helm
具有创建 S3 存储桶权限的 AWS 账户
AWS 访问密钥

安装 crossplane

crossplane 可安装到现有的 Kubernetes 集群中。

Tip

如果没有 Kubernetes 集群，请使用 Kind在本地创建一个。

安装 crossplane helm 图表

Helm 使 crossplane 能够通过 Helm Chart 安装其所有 Kubernetes 组件。

启用 crossplane 舵图资源库:

1helm repo add \
2crossplane-stable https://charts.crossplane.io/stable
3helm repo update

运行 Helm 模拟运行，查看 Helm 安装的所有 crossplane 组件。

1helm install crossplane \
2crossplane-stable/crossplane \
3--dry-run --debug \
4--namespace crossplane-system \
5--create-namespace

   1helm install crossplane \
   2crossplane-stable/crossplane \
   3--dry-run --debug \
   4--namespace crossplane-system \
   5--create-namespace
   6install.go:214: [debug] Original chart version: ""
   7install.go:231: [debug] CHART PATH: /Users/plumbis/Library/Caches/helm/repository/crossplane-1.14.4.tgz
   8
   9NAME: crossplane
  10LAST DEPLOYED: Fri Dec 15 11:12:42 2023
  11NAMESPACE: crossplane-system
  12STATUS: pending-install
  13REVISION: 1
  14TEST SUITE: None
  15USER-SUPPLIED VALUES:
  16{}
  17
  18COMPUTED VALUES:
  19affinity: {}
  20args: []
  21configuration:
  22  packages: []
  23customAnnotations: {}
  24customLabels: {}
  25deploymentStrategy: RollingUpdate
  26extraEnvVarsCrossplane: {}
  27extraEnvVarsRBACManager: {}
  28extraObjects: []
  29extraVolumeMountsCrossplane: {}
  30extraVolumesCrossplane: {}
  31hostNetwork: false
  32image:
  33  pullPolicy: IfNotPresent
  34  repository: xpkg.upbound.io/crossplane/crossplane
  35  tag: ""
  36imagePullSecrets: {}
  37leaderElection: true
  38metrics:
  39  enabled: false
  40nodeSelector: {}
  41packageCache:
  42  configMap: ""
  43  medium: ""
  44  pvc: ""
  45  sizeLimit: 20Mi
  46podSecurityContextCrossplane: {}
  47podSecurityContextRBACManager: {}
  48priorityClassName: ""
  49provider:
  50  packages: []
  51rbacManager:
  52  affinity: {}
  53  args: []
  54  deploy: true
  55  leaderElection: true
  56  nodeSelector: {}
  57  replicas: 1
  58  skipAggregatedClusterRoles: false
  59  tolerations: []
  60registryCaBundleConfig:
  61  key: ""
  62  name: ""
  63replicas: 1
  64resourcesCrossplane:
  65  limits:
  66    cpu: 100m
  67    memory: 512Mi
  68  requests:
  69    cpu: 100m
  70    memory: 256Mi
  71resourcesRBACManager:
  72  limits:
  73    cpu: 100m
  74    memory: 512Mi
  75  requests:
  76    cpu: 100m
  77    memory: 256Mi
  78securityContextCrossplane:
  79  allowPrivilegeEscalation: false
  80  readOnlyRootFilesystem: true
  81  runAsGroup: 65532
  82  runAsUser: 65532
  83securityContextRBACManager:
  84  allowPrivilegeEscalation: false
  85  readOnlyRootFilesystem: true
  86  runAsGroup: 65532
  87  runAsUser: 65532
  88serviceAccount:
  89  customAnnotations: {}
  90tolerations: []
  91webhooks:
  92  enabled: true
  93
  94HOOKS:
  95MANIFEST:
  96---
  97# Source: crossplane/templates/rbac-manager-serviceaccount.yaml
  98apiVersion: v1
  99kind: ServiceAccount
 100metadata:
 101  name: rbac-manager
 102  namespace: crossplane-system
 103  labels:
 104    app: crossplane
 105    helm.sh/chart: crossplane-1.14.4
 106    app.kubernetes.io/managed-by: Helm
 107    app.kubernetes.io/component: cloud-infrastructure-controller
 108    app.kubernetes.io/part-of: crossplane
 109    app.kubernetes.io/name: crossplane
 110    app.kubernetes.io/instance: crossplane
 111    app.kubernetes.io/version: "1.14.4"
 112---
 113# Source: crossplane/templates/serviceaccount.yaml
 114apiVersion: v1
 115kind: ServiceAccount
 116metadata:
 117  name: crossplane
 118  namespace: crossplane-system
 119  labels:
 120    app: crossplane
 121    helm.sh/chart: crossplane-1.14.4
 122    app.kubernetes.io/managed-by: Helm
 123    app.kubernetes.io/component: cloud-infrastructure-controller
 124    app.kubernetes.io/part-of: crossplane
 125    app.kubernetes.io/name: crossplane
 126    app.kubernetes.io/instance: crossplane
 127    app.kubernetes.io/version: "1.14.4"
 128---
 129# Source: crossplane/templates/secret.yaml
 130# The reason this is created empty and filled by the init container is we want
 131# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
 132# is deleted, the secret is deleted as well.
 133apiVersion: v1
 134kind: Secret
 135metadata:
 136  name: crossplane-root-ca
 137  namespace: crossplane-system
 138type: Opaque
 139---
 140# Source: crossplane/templates/secret.yaml
 141# The reason this is created empty and filled by the init container is we want
 142# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
 143# is deleted, the secret is deleted as well.
 144apiVersion: v1
 145kind: Secret
 146metadata:
 147  name: crossplane-tls-server
 148  namespace: crossplane-system
 149type: Opaque
 150---
 151# Source: crossplane/templates/secret.yaml
 152# The reason this is created empty and filled by the init container is we want
 153# to manage the lifecycle of the secret via Helm. This way whenever Crossplane
 154# is deleted, the secret is deleted as well.
 155apiVersion: v1
 156kind: Secret
 157metadata:
 158  name: crossplane-tls-client
 159  namespace: crossplane-system
 160type: Opaque
 161---
 162# Source: crossplane/templates/clusterrole.yaml
 163apiVersion: rbac.authorization.k8s.io/v1
 164kind: ClusterRole
 165metadata:
 166  name: crossplane
 167  labels:
 168    app: crossplane
 169    helm.sh/chart: crossplane-1.14.4
 170    app.kubernetes.io/managed-by: Helm
 171    app.kubernetes.io/component: cloud-infrastructure-controller
 172    app.kubernetes.io/part-of: crossplane
 173    app.kubernetes.io/name: crossplane
 174    app.kubernetes.io/instance: crossplane
 175    app.kubernetes.io/version: "1.14.4"
 176aggregationRule:
 177  clusterRoleSelectors:
 178  - matchLabels:
 179      rbac.crossplane.io/aggregate-to-crossplane: "true"
 180---
 181# Source: crossplane/templates/clusterrole.yaml
 182apiVersion: rbac.authorization.k8s.io/v1
 183kind: ClusterRole
 184metadata:
 185  name: crossplane:system:aggregate-to-crossplane
 186  labels:
 187    app: crossplane
 188    helm.sh/chart: crossplane-1.14.4
 189    app.kubernetes.io/managed-by: Helm
 190    app.kubernetes.io/component: cloud-infrastructure-controller
 191    app.kubernetes.io/part-of: crossplane
 192    app.kubernetes.io/name: crossplane
 193    app.kubernetes.io/instance: crossplane
 194    app.kubernetes.io/version: "1.14.4"
 195    crossplane.io/scope: "system"
 196    rbac.crossplane.io/aggregate-to-crossplane: "true"
 197rules:
 198- apiGroups:
 199  - ""
 200  resources:
 201  - events
 202  verbs:
 203  - create
 204  - update
 205  - patch
 206  - delete
 207- apiGroups:
 208  - apiextensions.k8s.io
 209  resources:
 210  - customresourcedefinitions
 211  - customresourcedefinitions/status
 212  verbs:
 213  - "*"
 214- apiGroups:
 215  - ""
 216  resources:
 217  - secrets
 218  verbs:
 219  - get
 220  - list
 221  - watch
 222  - create
 223  - update
 224  - patch
 225  - delete
 226- apiGroups:
 227  - ""
 228  resources:
 229  - serviceaccounts
 230  - services
 231  verbs:
 232  - "*"
 233- apiGroups:
 234  - apiextensions.crossplane.io
 235  - pkg.crossplane.io
 236  - secrets.crossplane.io
 237  resources:
 238  - "*"
 239  verbs:
 240  - "*"
 241- apiGroups:
 242  - extensions
 243  - apps
 244  resources:
 245  - deployments
 246  verbs:
 247  - get
 248  - list
 249  - create
 250  - update
 251  - patch
 252  - delete
 253  - watch
 254- apiGroups:
 255  - ""
 256  - coordination.k8s.io
 257  resources:
 258  - configmaps
 259  - leases
 260  verbs:
 261  - get
 262  - list
 263  - create
 264  - update
 265  - patch
 266  - watch
 267  - delete
 268- apiGroups:
 269  - admissionregistration.k8s.io
 270  resources:
 271  - validatingwebhookconfigurations
 272  - mutatingwebhookconfigurations
 273  verbs:
 274  - get
 275  - list
 276  - create
 277  - update
 278  - patch
 279  - watch
 280  - delete
 281---
 282# Source: crossplane/templates/rbac-manager-allowed-provider-permissions.yaml
 283apiVersion: rbac.authorization.k8s.io/v1
 284kind: ClusterRole
 285metadata:
 286  name: crossplane:allowed-provider-permissions
 287  labels:
 288    app: crossplane
 289    helm.sh/chart: crossplane-1.14.4
 290    app.kubernetes.io/managed-by: Helm
 291    app.kubernetes.io/component: cloud-infrastructure-controller
 292    app.kubernetes.io/part-of: crossplane
 293    app.kubernetes.io/name: crossplane
 294    app.kubernetes.io/instance: crossplane
 295    app.kubernetes.io/version: "1.14.4"
 296aggregationRule:
 297  clusterRoleSelectors:
 298  - matchLabels:
 299      rbac.crossplane.io/aggregate-to-allowed-provider-permissions: "true"
 300---
 301# Source: crossplane/templates/rbac-manager-clusterrole.yaml
 302apiVersion: rbac.authorization.k8s.io/v1
 303kind: ClusterRole
 304metadata:
 305  name: crossplane-rbac-manager
 306  labels:
 307    app: crossplane
 308    helm.sh/chart: crossplane-1.14.4
 309    app.kubernetes.io/managed-by: Helm
 310    app.kubernetes.io/component: cloud-infrastructure-controller
 311    app.kubernetes.io/part-of: crossplane
 312    app.kubernetes.io/name: crossplane
 313    app.kubernetes.io/instance: crossplane
 314    app.kubernetes.io/version: "1.14.4"
 315rules:
 316- apiGroups:
 317  - ""
 318  resources:
 319  - events
 320  verbs:
 321  - create
 322  - update
 323  - patch
 324  - delete
 325- apiGroups:
 326  - ""
 327  resources:
 328  - namespaces
 329  verbs:
 330  - get
 331  - list
 332  - watch
 333- apiGroups:
 334    - apps
 335  resources:
 336    - deployments
 337  verbs:
 338    - get
 339    - list
 340    - watch
 341# The RBAC manager creates a series of RBAC roles for each namespace it sees.
 342# These RBAC roles are controlled (in the owner reference sense) by the namespace.
 343# The RBAC manager needs permission to set finalizers on Namespaces in order to
 344# create resources that block their deletion when the
 345# OwnerReferencesPermissionEnforcement admission controller is enabled.
 346# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
 347- apiGroups:
 348  - ""
 349  resources:
 350  - namespaces/finalizers
 351  verbs:
 352  - update
 353- apiGroups:
 354  - apiextensions.crossplane.io
 355  resources:
 356  - compositeresourcedefinitions
 357  verbs:
 358  - get
 359  - list
 360  - watch
 361# The RBAC manager creates a series of RBAC cluster roles for each XRD it sees.
 362# These cluster roles are controlled (in the owner reference sense) by the XRD.
 363# The RBAC manager needs permission to set finalizers on XRDs in order to
 364# create resources that block their deletion when the
 365# OwnerReferencesPermissionEnforcement admission controller is enabled.
 366# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
 367- apiGroups:
 368  - apiextensions.crossplane.io
 369  resources:
 370  - compositeresourcedefinitions/finalizers
 371  verbs:
 372  - update
 373- apiGroups:
 374  - pkg.crossplane.io
 375  resources:
 376  - providerrevisions
 377  verbs:
 378  - get
 379  - list
 380  - watch
 381# The RBAC manager creates a series of RBAC cluster roles for each ProviderRevision
 382# it sees. These cluster roles are controlled (in the owner reference sense) by the
 383# ProviderRevision. The RBAC manager needs permission to set finalizers on
 384# ProviderRevisions in order to create resources that block their deletion when the
 385# OwnerReferencesPermissionEnforcement admission controller is enabled.
 386# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
 387- apiGroups:
 388  - pkg.crossplane.io
 389  resources:
 390  - providerrevisions/finalizers
 391  verbs:
 392  - update
 393- apiGroups:
 394  - apiextensions.k8s.io
 395  resources:
 396  - customresourcedefinitions
 397  verbs:
 398  - get
 399  - list
 400  - watch
 401- apiGroups:
 402  - rbac.authorization.k8s.io
 403  resources:
 404  - clusterroles
 405  - roles
 406  verbs:
 407  - get
 408  - list
 409  - watch
 410  - create
 411  - update
 412  - patch
 413  # The RBAC manager may grant access it does not have.
 414  - escalate
 415- apiGroups:
 416  - rbac.authorization.k8s.io
 417  resources:
 418  - clusterroles
 419  verbs:
 420  - bind
 421- apiGroups:
 422  - rbac.authorization.k8s.io
 423  resources:
 424  - clusterrolebindings
 425  verbs:
 426  - "*"
 427- apiGroups:
 428  - ""
 429  - coordination.k8s.io
 430  resources:
 431  - configmaps
 432  - leases
 433  verbs:
 434  - get
 435  - list
 436  - create
 437  - update
 438  - patch
 439  - watch
 440  - delete
 441---
 442# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 443apiVersion: rbac.authorization.k8s.io/v1
 444kind: ClusterRole
 445metadata:
 446  name: crossplane-admin
 447  labels:
 448    app: crossplane
 449    helm.sh/chart: crossplane-1.14.4
 450    app.kubernetes.io/managed-by: Helm
 451    app.kubernetes.io/component: cloud-infrastructure-controller
 452    app.kubernetes.io/part-of: crossplane
 453    app.kubernetes.io/name: crossplane
 454    app.kubernetes.io/instance: crossplane
 455    app.kubernetes.io/version: "1.14.4"
 456aggregationRule:
 457  clusterRoleSelectors:
 458  - matchLabels:
 459      rbac.crossplane.io/aggregate-to-admin: "true"
 460---
 461# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 462apiVersion: rbac.authorization.k8s.io/v1
 463kind: ClusterRole
 464metadata:
 465  name: crossplane-edit
 466  labels:
 467    app: crossplane
 468    helm.sh/chart: crossplane-1.14.4
 469    app.kubernetes.io/managed-by: Helm
 470    app.kubernetes.io/component: cloud-infrastructure-controller
 471    app.kubernetes.io/part-of: crossplane
 472    app.kubernetes.io/name: crossplane
 473    app.kubernetes.io/instance: crossplane
 474    app.kubernetes.io/version: "1.14.4"
 475aggregationRule:
 476  clusterRoleSelectors:
 477  - matchLabels:
 478      rbac.crossplane.io/aggregate-to-edit: "true"
 479---
 480# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 481apiVersion: rbac.authorization.k8s.io/v1
 482kind: ClusterRole
 483metadata:
 484  name: crossplane-view
 485  labels:
 486    app: crossplane
 487    helm.sh/chart: crossplane-1.14.4
 488    app.kubernetes.io/managed-by: Helm
 489    app.kubernetes.io/component: cloud-infrastructure-controller
 490    app.kubernetes.io/part-of: crossplane
 491    app.kubernetes.io/name: crossplane
 492    app.kubernetes.io/instance: crossplane
 493    app.kubernetes.io/version: "1.14.4"
 494aggregationRule:
 495  clusterRoleSelectors:
 496  - matchLabels:
 497      rbac.crossplane.io/aggregate-to-view: "true"
 498---
 499# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 500apiVersion: rbac.authorization.k8s.io/v1
 501kind: ClusterRole
 502metadata:
 503  name: crossplane-browse
 504  labels:
 505    app: crossplane
 506    helm.sh/chart: crossplane-1.14.4
 507    app.kubernetes.io/managed-by: Helm
 508    app.kubernetes.io/component: cloud-infrastructure-controller
 509    app.kubernetes.io/part-of: crossplane
 510    app.kubernetes.io/name: crossplane
 511    app.kubernetes.io/instance: crossplane
 512    app.kubernetes.io/version: "1.14.4"
 513aggregationRule:
 514  clusterRoleSelectors:
 515  - matchLabels:
 516      rbac.crossplane.io/aggregate-to-browse: "true"
 517---
 518# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 519apiVersion: rbac.authorization.k8s.io/v1
 520kind: ClusterRole
 521metadata:
 522  name: crossplane:aggregate-to-admin
 523  labels:
 524    rbac.crossplane.io/aggregate-to-admin: "true"
 525    app: crossplane
 526    helm.sh/chart: crossplane-1.14.4
 527    app.kubernetes.io/managed-by: Helm
 528    app.kubernetes.io/component: cloud-infrastructure-controller
 529    app.kubernetes.io/part-of: crossplane
 530    app.kubernetes.io/name: crossplane
 531    app.kubernetes.io/instance: crossplane
 532    app.kubernetes.io/version: "1.14.4"
 533rules:
 534# Crossplane administrators have access to view events.
 535- apiGroups: [""]
 536  resources: [events]
 537  verbs: [get, list, watch]
 538# Crossplane administrators must create provider credential secrets, and may
 539# need to read or otherwise interact with connection secrets. They may also need
 540# to create or annotate namespaces.
 541- apiGroups: [""]
 542  resources: [secrets, namespaces]
 543  verbs: ["*"]
 544# Crossplane administrators have access to view the roles that they may be able
 545# to grant to other subjects.
 546- apiGroups: [rbac.authorization.k8s.io]
 547  resources: [clusterroles, roles]
 548  verbs: [get, list, watch]
 549# Crossplane administrators have access to grant the access they have to other
 550# subjects.
 551- apiGroups: [rbac.authorization.k8s.io]
 552  resources: [clusterrolebindings, rolebindings]
 553  verbs: ["*"]
 554# Crossplane administrators have full access to built in Crossplane types.
 555- apiGroups:
 556  - apiextensions.crossplane.io
 557  resources: ["*"]
 558  verbs: ["*"]
 559- apiGroups:
 560  - pkg.crossplane.io
 561  resources: ["*"]
 562  verbs: ["*"]
 563# Crossplane administrators have access to view CRDs in order to debug XRDs.
 564- apiGroups: [apiextensions.k8s.io]
 565  resources: [customresourcedefinitions]
 566  verbs: [get, list, watch]
 567---
 568# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 569apiVersion: rbac.authorization.k8s.io/v1
 570kind: ClusterRole
 571metadata:
 572  name: crossplane:aggregate-to-edit
 573  labels:
 574    rbac.crossplane.io/aggregate-to-edit: "true"
 575    app: crossplane
 576    helm.sh/chart: crossplane-1.14.4
 577    app.kubernetes.io/managed-by: Helm
 578    app.kubernetes.io/component: cloud-infrastructure-controller
 579    app.kubernetes.io/part-of: crossplane
 580    app.kubernetes.io/name: crossplane
 581    app.kubernetes.io/instance: crossplane
 582    app.kubernetes.io/version: "1.14.4"
 583rules:
 584# Crossplane editors have access to view events.
 585- apiGroups: [""]
 586  resources: [events]
 587  verbs: [get, list, watch]
 588# Crossplane editors must create provider credential secrets, and may need to
 589# read or otherwise interact with connection secrets.
 590- apiGroups: [""]
 591  resources: [secrets]
 592  verbs: ["*"]
 593# Crossplane editors may see which namespaces exist, but not edit them.
 594- apiGroups: [""]
 595  resources: [namespaces]
 596  verbs: [get, list, watch]
 597# Crossplane editors have full access to built in Crossplane types.
 598- apiGroups:
 599  - apiextensions.crossplane.io
 600  resources: ["*"]
 601  verbs: ["*"]
 602- apiGroups:
 603  - pkg.crossplane.io
 604  resources: ["*"]
 605  verbs: ["*"]
 606---
 607# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 608apiVersion: rbac.authorization.k8s.io/v1
 609kind: ClusterRole
 610metadata:
 611  name: crossplane:aggregate-to-view
 612  labels:
 613    rbac.crossplane.io/aggregate-to-view: "true"
 614    app: crossplane
 615    helm.sh/chart: crossplane-1.14.4
 616    app.kubernetes.io/managed-by: Helm
 617    app.kubernetes.io/component: cloud-infrastructure-controller
 618    app.kubernetes.io/part-of: crossplane
 619    app.kubernetes.io/name: crossplane
 620    app.kubernetes.io/instance: crossplane
 621    app.kubernetes.io/version: "1.14.4"
 622rules:
 623# Crossplane viewers have access to view events.
 624- apiGroups: [""]
 625  resources: [events]
 626  verbs: [get, list, watch]
 627# Crossplane viewers may see which namespaces exist.
 628- apiGroups: [""]
 629  resources: [namespaces]
 630  verbs: [get, list, watch]
 631# Crossplane viewers have read-only access to built in Crossplane types.
 632- apiGroups:
 633  - apiextensions.crossplane.io
 634  resources: ["*"]
 635  verbs: [get, list, watch]
 636- apiGroups:
 637  - pkg.crossplane.io
 638  resources: ["*"]
 639  verbs: [get, list, watch]
 640---
 641# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 642apiVersion: rbac.authorization.k8s.io/v1
 643kind: ClusterRole
 644metadata:
 645  name: crossplane:aggregate-to-browse
 646  labels:
 647    rbac.crossplane.io/aggregate-to-browse: "true"
 648    app: crossplane
 649    helm.sh/chart: crossplane-1.14.4
 650    app.kubernetes.io/managed-by: Helm
 651    app.kubernetes.io/component: cloud-infrastructure-controller
 652    app.kubernetes.io/part-of: crossplane
 653    app.kubernetes.io/name: crossplane
 654    app.kubernetes.io/instance: crossplane
 655    app.kubernetes.io/version: "1.14.4"
 656rules:
 657# Crossplane browsers have access to view events.
 658- apiGroups: [""]
 659  resources: [events]
 660  verbs: [get, list, watch]
 661# Crossplane browsers have read-only access to compositions and XRDs. This
 662# allows them to discover and select an appropriate composition when creating a
 663# resource claim.
 664- apiGroups:
 665  - apiextensions.crossplane.io
 666  resources: ["*"]
 667  verbs: [get, list, watch]
 668---
 669# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 670# The below ClusterRoles are aggregated to the namespaced RBAC roles created by
 671# the Crossplane RBAC manager when it is running in --manage=All mode.
 672apiVersion: rbac.authorization.k8s.io/v1
 673kind: ClusterRole
 674metadata:
 675  name: crossplane:aggregate-to-ns-admin
 676  labels:
 677    rbac.crossplane.io/aggregate-to-ns-admin: "true"
 678    rbac.crossplane.io/base-of-ns-admin: "true"
 679    app: crossplane
 680    helm.sh/chart: crossplane-1.14.4
 681    app.kubernetes.io/managed-by: Helm
 682    app.kubernetes.io/component: cloud-infrastructure-controller
 683    app.kubernetes.io/part-of: crossplane
 684    app.kubernetes.io/name: crossplane
 685    app.kubernetes.io/instance: crossplane
 686    app.kubernetes.io/version: "1.14.4"
 687rules:
 688# Crossplane namespace admins have access to view events.
 689- apiGroups: [""]
 690  resources: [events]
 691  verbs: [get, list, watch]
 692# Crossplane namespace admins may need to read or otherwise interact with
 693# resource claim connection secrets.
 694- apiGroups: [""]
 695  resources: [secrets]
 696  verbs: ["*"]
 697# Crossplane namespace admins have access to view the roles that they may be
 698# able to grant to other subjects.
 699- apiGroups: [rbac.authorization.k8s.io]
 700  resources: [roles]
 701  verbs: [get, list, watch]
 702# Crossplane namespace admins have access to grant the access they have to other
 703# subjects.
 704- apiGroups: [rbac.authorization.k8s.io]
 705  resources: [rolebindings]
 706  verbs: ["*"]
 707---
 708# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 709apiVersion: rbac.authorization.k8s.io/v1
 710kind: ClusterRole
 711metadata:
 712  name: crossplane:aggregate-to-ns-edit
 713  labels:
 714    rbac.crossplane.io/aggregate-to-ns-edit: "true"
 715    rbac.crossplane.io/base-of-ns-edit: "true"
 716    app: crossplane
 717    helm.sh/chart: crossplane-1.14.4
 718    app.kubernetes.io/managed-by: Helm
 719    app.kubernetes.io/component: cloud-infrastructure-controller
 720    app.kubernetes.io/part-of: crossplane
 721    app.kubernetes.io/name: crossplane
 722    app.kubernetes.io/instance: crossplane
 723    app.kubernetes.io/version: "1.14.4"
 724rules:
 725# Crossplane namespace editors have access to view events.
 726- apiGroups: [""]
 727  resources: [events]
 728  verbs: [get, list, watch]
 729# Crossplane namespace editors may need to read or otherwise interact with
 730# resource claim connection secrets.
 731- apiGroups: [""]
 732  resources: [secrets]
 733  verbs: ["*"]
 734---
 735# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 736apiVersion: rbac.authorization.k8s.io/v1
 737kind: ClusterRole
 738metadata:
 739  name: crossplane:aggregate-to-ns-view
 740  labels:
 741    rbac.crossplane.io/aggregate-to-ns-view: "true"
 742    rbac.crossplane.io/base-of-ns-view: "true"
 743    app: crossplane
 744    helm.sh/chart: crossplane-1.14.4
 745    app.kubernetes.io/managed-by: Helm
 746    app.kubernetes.io/component: cloud-infrastructure-controller
 747    app.kubernetes.io/part-of: crossplane
 748    app.kubernetes.io/name: crossplane
 749    app.kubernetes.io/instance: crossplane
 750    app.kubernetes.io/version: "1.14.4"
 751rules:
 752# Crossplane namespace viewers have access to view events.
 753- apiGroups: [""]
 754  resources: [events]
 755  verbs: [get, list, watch]
 756---
 757# Source: crossplane/templates/clusterrolebinding.yaml
 758apiVersion: rbac.authorization.k8s.io/v1
 759kind: ClusterRoleBinding
 760metadata:
 761  name: crossplane
 762  labels:
 763    app: crossplane
 764    helm.sh/chart: crossplane-1.14.4
 765    app.kubernetes.io/managed-by: Helm
 766    app.kubernetes.io/component: cloud-infrastructure-controller
 767    app.kubernetes.io/part-of: crossplane
 768    app.kubernetes.io/name: crossplane
 769    app.kubernetes.io/instance: crossplane
 770    app.kubernetes.io/version: "1.14.4"
 771roleRef:
 772  apiGroup: rbac.authorization.k8s.io
 773  kind: ClusterRole
 774  name: crossplane
 775subjects:
 776- kind: ServiceAccount
 777  name: crossplane
 778  namespace: crossplane-system
 779---
 780# Source: crossplane/templates/rbac-manager-clusterrolebinding.yaml
 781apiVersion: rbac.authorization.k8s.io/v1
 782kind: ClusterRoleBinding
 783metadata:
 784  name: crossplane-rbac-manager
 785  labels:
 786    app: crossplane
 787    helm.sh/chart: crossplane-1.14.4
 788    app.kubernetes.io/managed-by: Helm
 789    app.kubernetes.io/component: cloud-infrastructure-controller
 790    app.kubernetes.io/part-of: crossplane
 791    app.kubernetes.io/name: crossplane
 792    app.kubernetes.io/instance: crossplane
 793    app.kubernetes.io/version: "1.14.4"
 794roleRef:
 795  apiGroup: rbac.authorization.k8s.io
 796  kind: ClusterRole
 797  name: crossplane-rbac-manager
 798subjects:
 799- kind: ServiceAccount
 800  name: rbac-manager
 801  namespace: crossplane-system
 802---
 803# Source: crossplane/templates/rbac-manager-managed-clusterroles.yaml
 804apiVersion: rbac.authorization.k8s.io/v1
 805kind: ClusterRoleBinding
 806metadata:
 807  name: crossplane-admin
 808  labels:
 809    app: crossplane
 810    helm.sh/chart: crossplane-1.14.4
 811    app.kubernetes.io/managed-by: Helm
 812    app.kubernetes.io/component: cloud-infrastructure-controller
 813    app.kubernetes.io/part-of: crossplane
 814    app.kubernetes.io/name: crossplane
 815    app.kubernetes.io/instance: crossplane
 816    app.kubernetes.io/version: "1.14.4"
 817roleRef:
 818  apiGroup: rbac.authorization.k8s.io
 819  kind: ClusterRole
 820  name: crossplane-admin
 821subjects:
 822- apiGroup: rbac.authorization.k8s.io
 823  kind: Group
 824  name: crossplane:masters
 825---
 826# Source: crossplane/templates/service.yaml
 827apiVersion: v1
 828kind: Service
 829metadata:
 830  name: crossplane-webhooks
 831  namespace: crossplane-system
 832  labels:
 833    app: crossplane
 834    release: crossplane
 835    helm.sh/chart: crossplane-1.14.4
 836    app.kubernetes.io/managed-by: Helm
 837    app.kubernetes.io/component: cloud-infrastructure-controller
 838    app.kubernetes.io/part-of: crossplane
 839    app.kubernetes.io/name: crossplane
 840    app.kubernetes.io/instance: crossplane
 841    app.kubernetes.io/version: "1.14.4"
 842spec:
 843  selector:
 844    app: crossplane
 845    release: crossplane
 846  ports:
 847  - protocol: TCP
 848    port: 9443
 849    targetPort: 9443
 850---
 851# Source: crossplane/templates/deployment.yaml
 852apiVersion: apps/v1
 853kind: Deployment
 854metadata:
 855  name: crossplane
 856  namespace: crossplane-system
 857  labels:
 858    app: crossplane
 859    release: crossplane
 860    helm.sh/chart: crossplane-1.14.4
 861    app.kubernetes.io/managed-by: Helm
 862    app.kubernetes.io/component: cloud-infrastructure-controller
 863    app.kubernetes.io/part-of: crossplane
 864    app.kubernetes.io/name: crossplane
 865    app.kubernetes.io/instance: crossplane
 866    app.kubernetes.io/version: "1.14.4"
 867spec:
 868  replicas: 1
 869  selector:
 870    matchLabels:
 871      app: crossplane
 872      release: crossplane
 873  strategy:
 874    type: RollingUpdate
 875  template:
 876    metadata:
 877      labels:
 878        app: crossplane
 879        release: crossplane
 880        helm.sh/chart: crossplane-1.14.4
 881        app.kubernetes.io/managed-by: Helm
 882        app.kubernetes.io/component: cloud-infrastructure-controller
 883        app.kubernetes.io/part-of: crossplane
 884        app.kubernetes.io/name: crossplane
 885        app.kubernetes.io/instance: crossplane
 886        app.kubernetes.io/version: "1.14.4"
 887    spec:
 888      serviceAccountName: crossplane
 889      hostNetwork: false
 890      initContainers:
 891        - image: "xpkg.upbound.io/crossplane/crossplane:v1.14.4"
 892          args:
 893          - core
 894          - init
 895          imagePullPolicy: IfNotPresent
 896          name: crossplane-init
 897          resources:
 898            limits:
 899              cpu: 100m
 900              memory: 512Mi
 901            requests:
 902              cpu: 100m
 903              memory: 256Mi
 904          securityContext:
 905            allowPrivilegeEscalation: false
 906            readOnlyRootFilesystem: true
 907            runAsGroup: 65532
 908            runAsUser: 65532
 909          env:
 910          - name: GOMAXPROCS
 911            valueFrom:
 912              resourceFieldRef:
 913                containerName: crossplane-init
 914                resource: limits.cpu
 915                divisor: "1"
 916          - name: GOMEMLIMIT
 917            valueFrom:
 918              resourceFieldRef:
 919                containerName: crossplane-init
 920                resource: limits.memory
 921                divisor: "1"
 922          - name: POD_NAMESPACE
 923            valueFrom:
 924              fieldRef:
 925                fieldPath: metadata.namespace
 926          - name: POD_SERVICE_ACCOUNT
 927            valueFrom:
 928              fieldRef:
 929                fieldPath: spec.serviceAccountName
 930          - name: "WEBHOOK_SERVICE_NAME"
 931            value: crossplane-webhooks
 932          - name: "WEBHOOK_SERVICE_NAMESPACE"
 933            valueFrom:
 934              fieldRef:
 935                fieldPath: metadata.namespace
 936          - name: "WEBHOOK_SERVICE_PORT"
 937            value: "9443"
 938          - name: "TLS_CA_SECRET_NAME"
 939            value: crossplane-root-ca
 940          - name: "TLS_SERVER_SECRET_NAME"
 941            value: crossplane-tls-server
 942          - name: "TLS_CLIENT_SECRET_NAME"
 943            value: crossplane-tls-client
 944      containers:
 945      - image: "xpkg.upbound.io/crossplane/crossplane:v1.14.4"
 946        args:
 947        - core
 948        - start
 949        imagePullPolicy: IfNotPresent
 950        name: crossplane
 951        resources:
 952            limits:
 953              cpu: 100m
 954              memory: 512Mi
 955            requests:
 956              cpu: 100m
 957              memory: 256Mi
 958        startupProbe:
 959          failureThreshold: 30
 960          periodSeconds: 2
 961          tcpSocket:
 962            port: readyz
 963        ports:
 964        - name: readyz
 965          containerPort: 8081
 966        - name: webhooks
 967          containerPort: 9443
 968        securityContext:
 969            allowPrivilegeEscalation: false
 970            readOnlyRootFilesystem: true
 971            runAsGroup: 65532
 972            runAsUser: 65532
 973        env:
 974          - name: GOMAXPROCS
 975            valueFrom:
 976              resourceFieldRef:
 977                containerName: crossplane
 978                resource: limits.cpu
 979          - name: GOMEMLIMIT
 980            valueFrom:
 981              resourceFieldRef:
 982                containerName: crossplane
 983                resource: limits.memory
 984          - name: POD_NAMESPACE
 985            valueFrom:
 986              fieldRef:
 987                fieldPath: metadata.namespace
 988          - name: POD_SERVICE_ACCOUNT
 989            valueFrom:
 990              fieldRef:
 991                fieldPath: spec.serviceAccountName
 992          - name: LEADER_ELECTION
 993            value: "true"
 994          - name: "TLS_SERVER_SECRET_NAME"
 995            value: crossplane-tls-server
 996          - name: "TLS_SERVER_CERTS_DIR"
 997            value: /tls/server
 998          - name: "TLS_CLIENT_SECRET_NAME"
 999            value: crossplane-tls-client
1000          - name: "TLS_CLIENT_CERTS_DIR"
1001            value: /tls/client
1002        volumeMounts:
1003          - mountPath: /cache
1004            name: package-cache
1005          - mountPath: /tls/server
1006            name: tls-server-certs
1007          - mountPath: /tls/client
1008            name: tls-client-certs
1009      volumes:
1010      - name: package-cache
1011        emptyDir:
1012          medium:
1013          sizeLimit: 20Mi
1014      - name: tls-server-certs
1015        secret:
1016          secretName: crossplane-tls-server
1017      - name: tls-client-certs
1018        secret:
1019          secretName: crossplane-tls-client
1020---
1021# Source: crossplane/templates/rbac-manager-deployment.yaml
1022apiVersion: apps/v1
1023kind: Deployment
1024metadata:
1025  name: crossplane-rbac-manager
1026  namespace: crossplane-system
1027  labels:
1028    app: crossplane-rbac-manager
1029    release: crossplane
1030    helm.sh/chart: crossplane-1.14.4
1031    app.kubernetes.io/managed-by: Helm
1032    app.kubernetes.io/component: cloud-infrastructure-controller
1033    app.kubernetes.io/part-of: crossplane
1034    app.kubernetes.io/name: crossplane
1035    app.kubernetes.io/instance: crossplane
1036    app.kubernetes.io/version: "1.14.4"
1037spec:
1038  replicas: 1
1039  selector:
1040    matchLabels:
1041      app: crossplane-rbac-manager
1042      release: crossplane
1043  strategy:
1044    type: RollingUpdate
1045  template:
1046    metadata:
1047      labels:
1048        app: crossplane-rbac-manager
1049        release: crossplane
1050        helm.sh/chart: crossplane-1.14.4
1051        app.kubernetes.io/managed-by: Helm
1052        app.kubernetes.io/component: cloud-infrastructure-controller
1053        app.kubernetes.io/part-of: crossplane
1054        app.kubernetes.io/name: crossplane
1055        app.kubernetes.io/instance: crossplane
1056        app.kubernetes.io/version: "1.14.4"
1057    spec:
1058      serviceAccountName: rbac-manager
1059      initContainers:
1060      - image: "xpkg.upbound.io/crossplane/crossplane:v1.14.4"
1061        args:
1062        - rbac
1063        - init
1064        imagePullPolicy: IfNotPresent
1065        name: crossplane-init
1066        resources:
1067            limits:
1068              cpu: 100m
1069              memory: 512Mi
1070            requests:
1071              cpu: 100m
1072              memory: 256Mi
1073        securityContext:
1074            allowPrivilegeEscalation: false
1075            readOnlyRootFilesystem: true
1076            runAsGroup: 65532
1077            runAsUser: 65532
1078        env:
1079          - name: GOMAXPROCS
1080            valueFrom:
1081              resourceFieldRef:
1082                containerName: crossplane-init
1083                resource: limits.cpu
1084          - name: GOMEMLIMIT
1085            valueFrom:
1086              resourceFieldRef:
1087                containerName: crossplane-init
1088                resource: limits.memory
1089      containers:
1090      - image: "xpkg.upbound.io/crossplane/crossplane:v1.14.4"
1091        args:
1092        - rbac
1093        - start
1094        - --manage=Basic
1095        - --provider-clusterrole=crossplane:allowed-provider-permissions
1096        imagePullPolicy: IfNotPresent
1097        name: crossplane
1098        resources:
1099            limits:
1100              cpu: 100m
1101              memory: 512Mi
1102            requests:
1103              cpu: 100m
1104              memory: 256Mi
1105        securityContext:
1106            allowPrivilegeEscalation: false
1107            readOnlyRootFilesystem: true
1108            runAsGroup: 65532
1109            runAsUser: 65532
1110        env:
1111          - name: GOMAXPROCS
1112            valueFrom:
1113              resourceFieldRef:
1114                containerName: crossplane
1115                resource: limits.cpu
1116          - name: GOMEMLIMIT
1117            valueFrom:
1118              resourceFieldRef:
1119                containerName: crossplane
1120                resource: limits.memory
1121          - name: LEADER_ELECTION
1122            value: "true"
1123
1124NOTES:
1125Release: crossplane
1126
1127Chart Name: crossplane
1128Chart Description: Crossplane is an open source Kubernetes add-on that enables platform teams to assemble infrastructure from multiple vendors, and expose higher level self-service APIs for application teams to consume.
1129Chart Version: 1.14.4
1130Chart Application Version: 1.14.4
1131
1132Kube Version: v1.27.3

使用 helm install 安装 crossplane 组件。

1helm install crossplane \
2crossplane-stable/crossplane \
3--namespace crossplane-system \
4--create-namespace

使用 kubectl get pods 验证是否已安装 crossplane。

1kubectl get pods -n crossplane-system
2NAME READY STATUS RESTARTS AGE
3crossplane-d4cd8d784-ldcgb 1/1 Running 0 54s
4crossplane-rbac-manager-84769b574-6mw6f 1/1 Running 0 54s

安装 crossplane 会创建新的 Kubernetes API 端点。使用 kubectl api-resources | grep crossplane 查看新的 API 端点。

 1kubectl api-resources  | grep crossplane
 2compositeresourcedefinitions xrd,xrds apiextensions.crossplane.io/v1 false CompositeResourceDefinition
 3compositionrevisions comprev apiextensions.crossplane.io/v1 false CompositionRevision
 4compositions comp apiextensions.crossplane.io/v1 false Composition
 5environmentconfigs envcfg apiextensions.crossplane.io/v1alpha1 false EnvironmentConfig
 6usages apiextensions.crossplane.io/v1alpha1 false Usage
 7configurationrevisions pkg.crossplane.io/v1 false ConfigurationRevision
 8configurations pkg.crossplane.io/v1 false Configuration
 9controllerconfigs pkg.crossplane.io/v1alpha1 false ControllerConfig
10deploymentruntimeconfigs pkg.crossplane.io/v1beta1 false DeploymentRuntimeConfig
11functionrevisions pkg.crossplane.io/v1beta1 false FunctionRevision
12functions pkg.crossplane.io/v1beta1 false Function
13locks pkg.crossplane.io/v1beta1 false Lock
14providerrevisions pkg.crossplane.io/v1 false ProviderRevision
15providers pkg.crossplane.io/v1 false Provider
16storeconfigs secrets.crossplane.io/v1alpha1 false StoreConfig

安装 AWS Providers

用 Kubernetes 配置文件将 AWS S3 Provider 安装到 Kubernetes 集群中。

1cat <<EOF | kubectl apply -f -
2apiVersion: pkg.crossplane.io/v1
3kind: Provider
4metadata:
5  name: provider-aws-s3
6spec:
7  package: xpkg.upbound.io/upbound/provider-aws-s3:v0.47.0
8EOF

The Crossplane Provider这些 CRD 允许你直接在 Kubernetes 中创建 AWS 资源。

使用 kubectl get providers 验证已安装的 Provider。

1kubectl get providers
2NAME INSTALLED HEALTHY PACKAGE AGE
3provider-aws-s3 True True xpkg.upbound.io/upbound/provider-aws-s3:v0.47.0 97s
4upbound-provider-family-aws True True xpkg.upbound.io/upbound/provider-family-aws:v0.47.0 88s

S3 Provider 会安装第二个 Provider，即upbound-provider-family-aws。该家族提供程序管理所有 AWS 家族提供程序对 AWS 的身份验证。

您可以使用 kubectl get crds 查看新的 CRD。每个 CRD 都映射到 crossplane 可以调配和管理的唯一 AWS 服务。

Tip

请查看 Upbound Marketplace 中所有支持的 CRD 的详细信息。

为 AWS 创建 Kubernetes secrets

Provider 需要凭据来创建和管理 AWS 资源。 Provider 使用 Kubernetes Secret 将凭据连接到 Provider。

从 AWS 密钥对中生成 Kubernetes Secret，然后配置 Provider 以使用它。

生成 AWS 密钥对文件

对于基本用户身份验证，请使用 AWS Access keys 密钥对文件。

Tip

AWS 文档](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-creds) 提供了有关如何生成 AWS 访问密钥的信息。

创建包含 AWS 账户 aws_access_key_id 和 aws_secret_access_key 的文本文件。

1[default]
2aws_access_key_id = 
3aws_secret_access_key =

将此文本文件保存为 aws-credentials.txt.

Tip

AWS Provider 文档的身份验证部分介绍了其他身份验证方法。

使用 AWS 凭据创建 Kubernetes secret

Kubernetes 通用 secret 有名称和内容。使用kubectl create secret生成名为aws-secret的 名称空间中名为namespace 中名为 aws-secret 的secret对象。

被引用时使用 --从文件参数将值设置为 aws-credentials.txt文件的内容。

1kubectl create secret \
2generic aws-secret \
3-n crossplane-system \
4--from-file=creds=./aws-credentials.txt

使用 kubectl describe secret 查看secret

Tip

如果文本文件中有额外的空白，大小可能会更大。

 1kubectl describe secret aws-secret -n crossplane-system
 2Name:         aws-secret
 3Namespace:    crossplane-system
 4Labels:       <none>
 5Annotations:  <none>
 6
 7Type:  Opaque
 8
 9Data
10====
11creds:  114 bytes

创建一个 ProviderConfig

A ProviderConfig自定义 AWS Provider 的设置。

应用ProviderConfig与该 Kubernetes 配置文件一起使用:

 1cat <<EOF | kubectl apply -f -
 2apiVersion: aws.upbound.io/v1beta1
 3kind: ProviderConfig
 4metadata:
 5  name: default
 6spec:
 7  credentials:
 8    source: Secret
 9    secretRef:
10      namespace: crossplane-system
11      name: aws-secret
12      key: creds
13EOF

这会将保存为 Kubernetes secret 的 AWS 凭据作为secretRef.

规格.凭据.secretRef.名称spec.credentials.secretRef.name值是包含 AWS 凭据的 Kubernetes secret 的名称，在spec.credentials.secretRef.namespace 中包含 AWS 凭据的 Kubernetes 密钥名称。.

创建托管资源

受管资源是指 Crossplane 在 Kubernetes 集群之外创建和管理的任何资源。

本指南使用 crossplane 创建 AWS S3 存储桶。

S3 存储桶是一种_受管资源_。

Tip

AWS S3 存储桶名称必须是全局唯一的。为生成唯一名称，示例使用了随机散列。任何唯一名称都可以接受。

 1cat <<EOF | kubectl create -f -
 2apiVersion: s3.aws.upbound.io/v1beta1
 3kind: Bucket
 4metadata:
 5  generateName: crossplane-bucket-
 6spec:
 7  forProvider:
 8    region: us-east-2
 9  providerConfigRef:
10    name: default
11EOF

版本 apiVersion和类型来自 Provider 的 CRD。

元数据 metadata.name值是在 AWS 中创建的 S3 存储桶的名称。本示例在$bucket变量中使用生成的名称 “crossplane-bucket- “。

规格 spec.forProvider.region告诉 AWS 在部署资源时要使用哪个 AWS 区域。

区域可以是任何 AWS 区域端点代码。

使用 kubectl get buckets 来验证 crossplane 是否创建了水桶。

Tip

当 READY 和 SYNCED 值为 True 时，crossplane 会创建存储桶。这可能需要长达 5 分钟的时间。

1kubectl get buckets
2NAME READY SYNCED EXTERNAL-NAME AGE
3crossplane-bucket-hhdzh True True crossplane-bucket-hhdzh 5s

删除托管资源

在关闭 Kubernetes 集群之前，删除刚刚创建的 S3 存储桶。

使用 kubectl delete bucket<bucketname> 删除水桶。

1kubectl delete bucket crossplane-bucket-hhdzh
2bucket.s3.aws.upbound.io "crossplane-bucket-hhdzh" deleted

下一步

继续第二部分来创建和被 crossplane 引用的自定义 API。
在Provider CRD reference中探索 Crossplane 可以配置的 AWS 资源。
加入Crossplane Slack，与Crossplane用户和贡献者建立联系。

AWS 快速入门

先决条件

安装 crossplane

安装 crossplane helm 图表

View the Helm dry-run

安装 AWS Providers

为 AWS 创建 Kubernetes secrets

生成 AWS 密钥对文件

使用 AWS 凭据创建 Kubernetes secret

创建一个 ProviderConfig

创建托管资源

删除托管资源

下一步