CONCEPT Cited by 1 source
Universal resource provisioning
Universal resource provisioning is the abstraction of every external cloud / SaaS resource as a declarative object in one uniform control plane, reconciled by a controller that continuously drives observed state toward declared state. Crossplane is the canonical realization on top of Kubernetes: every AWS / GCP / Azure / SaaS resource becomes a Kubernetes custom resource with its own controller; the K8s API surface, RBAC, and event model become the common substrate for all infrastructure.
Why this is a distinct primitive from plan-and-apply IaC
Terraform-class IaC (HCL + explicit state + plan + apply) and universal-resource-provisioning (K8s API + controller-reconciled CRs) look similar at the YAML / HCL layer but differ structurally:
| Axis | Plan-and-apply IaC | Universal resource provisioning |
|---|---|---|
| State | Explicit state file | Kubernetes API (etcd) |
| Reconciliation | Run-triggered | Continuous controller loop |
| Drift handling | Re-plan + re-apply | Controller auto-corrects |
| API | CLI + HCL | K8s API + CRDs + kubectl |
| RBAC | Cloud IAM | Kubernetes RBAC |
| Composability | Modules | XRDs + Compositions |
| Fits GitOps? | Adapter needed | Native |
The right-hand column (universal resource provisioning) inherits the Kubernetes control-loop pattern for infrastructure. That makes GitOps (via systems/argocd) work for infrastructure identically to how it works for applications — the same PR reviews, the same continuous sync, the same drift alerts.
Load-bearing consequences
- Drift detection is free. If someone clicks in the AWS console to add a rule the controller didn't declare, the controller will reconcile it back out on its next tick.
- RBAC unifies. "Who can modify production RDS instances" and "who can modify production Deployments" become the same K8s RBAC question, not two separate questions in two separate tools.
- Admission control applies. Policy gates (OPA Gatekeeper) run on infrastructure CRs with the same machinery that gates application objects — uniform enforcement surface.
- Composition is a first-class primitive. patterns/crossplane-composition lets you bundle N resources behind one CR; no IaC-module templating language needed.
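To make the RBAC-unification point concrete, here is an added example (not from this page or from the Santander source) of a team's database claim next to the single namespaced Role that governs both its Deployments and that claim. It assumes an XRD already defines the namespaced claim kind `PostgreSQLInstance` in group `database.example.org` with a `parameters.storageGB` field (as in the Crossplane getting-started example), and that `orders-team` is a group name issued by the cluster's identity provider.

```yaml
# Claim submitted by the application team: the declared state the controller reconciles.
# Assumes an XRD (not shown) defines this namespaced claim kind and its parameters.storageGB field.
apiVersion: database.example.org/v1alpha1
kind: PostgreSQLInstance
metadata:
  name: orders-db
  namespace: orders
spec:
  parameters:
    storageGB: 20
  compositionSelector:
    matchLabels:
      provider: aws
  writeConnectionSecretToRef:
    name: orders-db-conn
---
# One Role answers both questions from the text: who may change the team's
# Deployments and who may change the team's database instances.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-operators
  namespace: orders
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["database.example.org"]
    resources: ["postgresqlinstances"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read-only on the connection secret; writing it stays with the controller.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["orders-db-conn"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-operators
  namespace: orders
subjects:
  - kind: Group
    name: orders-team          # placeholder: group name from the cluster's IdP
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: orders-operators
  apiGroup: rbac.authorization.k8s.io
```

A namespaced Role suffices because XRD claims are namespaced; the cluster-scoped composite and managed resources behind the claim stay reachable only to the Crossplane controllers and platform admins.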
Trade-offs
- Cost of owning a K8s cluster as the control plane. If you didn't already run Kubernetes, standing one up just to manage infrastructure is a meaningful investment. The pattern shines when you already run K8s (Catalyst runs it for both platform services and application workloads).
- Controller latency + backoff semantics become the provisioning SLO. A buggy controller or a provider-rate-limit storm degrades infrastructure provisioning cluster-wide.
- Ecosystem maturity varies by provider. Large clouds have well-maintained Crossplane providers; niche SaaS may not.
Seen in
- sources/2026-02-26-aws-santander-catalyst-platform-engineering — Santander Catalyst explicitly describes Crossplane as "a universal resource provisioner that Santander uses to manage resources across multiple cloud providers consistently and declaratively." The stacks catalog (XRDs + Compositions) is the composability surface built on top; the headline provisioning-time collapse (90 days → hours / minutes) is the business outcome. A control-plane cluster on EKS hosts the Crossplane controllers.
Related
- systems/crossplane — the canonical K8s-based realization
- patterns/crossplane-composition — the XRDs + Compositions composability pattern
- concepts/control-plane-data-plane-separation — universal resource provisioning is an explicit control-plane
- concepts/gitops — natural pairing (same K8s API surface)
- systems/terraform — the plan-and-apply IaC alternative