The Best Way To Run Crossplane: With Upbound Cloud Spaces

October 1, 2024

Markus Schweig

Read time: 7 mins


Upbound Cloud Spaces is the most attractive hosting option for running Crossplane. Let’s explore why.

Building or Buying

Before diving into all the options, I want to talk about the benefits of investing in provider-hosted cloud platform management infrastructure. Several years ago, I witnessed the industry shift from Kubernetes clusters that were built, configured, and operated in house to GKE, EKS, and AKS. I followed the same path, and for good reason. The managed Kubernetes offerings reduced administrative overhead and the associated costs as soon as they were stable and enterprise-ready. Over 73% of the global Kubernetes footprint is now provider-managed, and the average total cost of ownership of self-managed Kubernetes is estimated at three times that of the provider-managed versions. Ask yourself how many enterprises would choose kops today as their first option for creating and managing their own Kubernetes clusters.

With Upbound Cloud Spaces, a similar opportunity exists to shift from self-operated Crossplane to a managed solution. Organizations will prefer to consume their cloud platform foundation as a software service rather than take on the cost and risk of building it themselves. This way, they can focus on customizing the unique aspects of their own cloud platform services. For a great discussion of the advantages of fully managed cloud services, check out the article On The Future Of Cloud Services And BYOC.

Introducing Upbound

Upbound is a resource lifecycle management platform based on the highly successful Crossplane CNCF project. Upbound provides an easy-to-use, scalable hosting environment for Crossplane that offers enterprise-grade features while reducing total cost of ownership (TCO).

Upbound takes a fresh approach to infrastructure as code with a control plane paradigm. It is built on Crossplane, which extends the Kubernetes resource model with custom resources that represent external infrastructure, so resource lifecycle management can be offered through the Kubernetes API. Crossplane interacts with external resources through provider controllers. Unlike plan-and-apply IaC tools, it continuously reconciles the desired state of each resource against the state the provider reports, and corrects drift whenever the two diverge.
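To make the reconciliation point concrete, here is a toy simulation of a level-triggered reconcile loop. It is an added example and not Crossplane or Upbound code: FakeCloud is a constructed in-memory stand-in for a provider API, and the observe/create/update/delete split only loosely follows the cycle a Crossplane provider controller runs for a managed resource. The point it shows is that every pass compares desired state with observed state, so an out-of-band change is undone on the next pass without anyone re-running a plan.

```python
"""Toy simulation of a level-triggered reconcile loop with drift correction.

Added example, not Crossplane or Upbound code. FakeCloud stands in for a
provider API; the observe/create/update/delete split loosely follows the
cycle a Crossplane provider controller performs for a managed resource.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ManagedResource:
    name: str
    spec: dict                       # desired external state (the forProvider fields)
    deleted: bool = False            # True once the user has asked for deletion
    status: dict = field(default_factory=dict)


class FakeCloud:
    """In-memory stand-in for a cloud API; anything can mutate it out of band."""

    def __init__(self) -> None:
        self.objects: dict[str, dict] = {}

    def observe(self, name: str) -> Optional[dict]:
        return None if name not in self.objects else dict(self.objects[name])

    def create(self, name: str, spec: dict) -> None:
        self.objects[name] = dict(spec)

    def update(self, name: str, fields: dict) -> None:
        self.objects[name].update(fields)

    def delete(self, name: str) -> None:
        self.objects.pop(name, None)


def reconcile(mr: ManagedResource, cloud: FakeCloud) -> str:
    """One reconcile pass. Returns the action taken and records status on the resource."""
    observed = cloud.observe(mr.name)
    if mr.deleted:
        mr.status = {"synced": True, "ready": False}
        if observed is not None:
            cloud.delete(mr.name)
            return "delete"
        return "released"            # external object is gone; a finalizer would be removed here
    if observed is None:
        cloud.create(mr.name, mr.spec)
        mr.status = {"synced": True, "ready": True}
        return "create"
    # Drift: any desired field whose observed value differs (or is missing).
    drift = {k: v for k, v in mr.spec.items() if observed.get(k) != v}
    if drift:
        cloud.update(mr.name, drift)             # push desired state over observed state
        mr.status = {"synced": True, "ready": True, "corrected": sorted(drift)}
        return "update"
    mr.status = {"synced": True, "ready": True}
    return "noop"


def run_loop(resources: list[ManagedResource], cloud: FakeCloud, ticks: int) -> list[list[str]]:
    """Reconcile every resource on every tick, whether or not anything 'changed'."""
    return [[reconcile(mr, cloud) for mr in resources] for _ in range(ticks)]


if __name__ == "__main__":
    cloud = FakeCloud()
    bucket = ManagedResource("app-logs", {"region": "eu-west-1", "versioning": True})
    print(run_loop([bucket], cloud, ticks=2))           # create, then noop
    cloud.objects["app-logs"]["versioning"] = False     # constructed out-of-band change
    print(reconcile(bucket, cloud), cloud.observe("app-logs"))  # update, versioning restored
    bucket.deleted = True
    print(run_loop([bucket], cloud, ticks=2))           # delete, then released
```

Because the loop is level-triggered, the second pass after creation is a no-op and the pass after the out-of-band edit is an update; the controller never needs to know who changed the external object or when.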

Upbound customers are international businesses building cloud platforms for their application and development teams. Upbound enables platform engineers to create custom APIs that their developers can use to request cloud resources. With this capability platform creators can increase developer productivity and speed up their company’s innovation. See Key Metrics for Cloud Platform Performance: From SLOs to Developer Experience and Choosing The Right Tools To Craft Your Cloud-Native Strategy.

Hosting Options

Upbound provides three different hosting options for managed control planes:

Cloud Spaces

Merit

Cloud Spaces provides the foundational infrastructure for running hundreds of Crossplane control planes per Space with ease. Each control plane powers the management of thousands of cloud resources. The Upbound API and the up CLI let users control and navigate those resources in meaningful ways.

Running open-source Crossplane on your own means deploying its core and RBAC manager pods, installing and maintaining providers, functions, and their associated resources across the namespaces of the management cluster, and operating that Kubernetes management cluster itself. You would also miss out on the value-added enterprise features that are not part of the open-source Crossplane project.

Upbound Cloud Spaces, on the other hand, simply manages all of the above components in a healthy, secure, enterprise-grade way. Customers do not need to worry about the details of the architecture or the compliance posture of their infrastructure management platform. In addition, Upbound offers the built-in enterprise features described below.

Features

This hosting option simplifies platform creator workflows. Upbound Cloud Spaces makes it easy to create new control planes through a management console, an API, a CLI or from another control plane using a Crossplane provider-kubernetes controller. Each control plane resides in a group. If no custom group is specified, the control plane will be created in the default group. Groups can be created as needed. Control plane access is governed by role based access controls (RBAC).

Letting your control planes manage the lifecycle of resources in your own cloud accounts takes little setup: register the control plane's identity provider with your cloud account and create an identity and access management role whose trust policy allows that control plane's identity to assume it. The control plane then exchanges its own identity token for short-lived cloud credentials instead of holding static access keys. Scope the trust policy to the audience and subject claims your control plane actually presents; a trust policy that names only the provider lets any identity that provider vouches for assume the role. You will be up and running in no time, enjoying a graph view of your resource claims.
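The trust policy is the one place where this setup can go quietly wrong, so here is an added example (not Upbound's code or documentation) that shows a weak policy beside a hardened one and a small linter that tells them apart. It assumes AWS-style IAM; the issuer host, account ID and subject claim are placeholders, since the exact claims a control plane presents depend on your identity provider.

```python
"""Lint an AWS IAM trust policy used for OIDC federation from a control plane.

Added example, not Upbound's code. The issuer host, account ID and subject
claim are placeholders (assumptions); substitute the values your identity
provider actually issues.
"""
from typing import Any

ACCOUNT_ID = "123456789012"                 # placeholder account
OIDC_HOST = "oidc.example.invalid"          # placeholder issuer host (assumption)
OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"
EXPECTED_AUD = "sts.amazonaws.com"          # audience the token must carry
EXPECTED_SUB = "system:serviceaccount:crossplane-system:provider-aws"  # placeholder subject

# Weak: every token the issuer signs, for any workload, can assume the role.
WEAK_TRUST_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

# Hardened: the token must carry exactly the expected audience and subject.
HARDENED_TRUST_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                f"{OIDC_HOST}:aud": EXPECTED_AUD,
                f"{OIDC_HOST}:sub": EXPECTED_SUB,
            }
        },
    }],
}


def _as_list(value: Any) -> list:
    """IAM accepts a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict[str, Any]) -> list[str]:
    """Return findings for every Allow statement that grants web-identity role assumption.

    An empty list means each such statement pins the issuer, audience and subject.
    """
    findings: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen trust
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions):
            continue  # not a federation statement
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal must name the OIDC provider, not '*'")
            continue
        if "*" in _as_list(principal.get("AWS")):
            findings.append(f"statement {i}: Principal.AWS contains '*'")
        if _as_list(principal.get("Federated")) != [OIDC_PROVIDER_ARN]:
            findings.append(f"statement {i}: Principal.Federated is not {OIDC_PROVIDER_ARN}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if _as_list(equals.get(f"{OIDC_HOST}:aud")) != [EXPECTED_AUD]:
            findings.append(f"statement {i}: no StringEquals condition pinning {OIDC_HOST}:aud")
        if _as_list(equals.get(f"{OIDC_HOST}:sub")) != [EXPECTED_SUB]:
            findings.append(f"statement {i}: no StringEquals condition pinning {OIDC_HOST}:sub")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, lint_trust_policy(policy) or ["ok"])
```

The linter insists on StringEquals rather than StringLike for the subject: a wildcard subject match re-opens the role to every workload behind the issuer, which is the weakness the Condition block exists to close.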

A convenient sidebar menu provides quick access to the relevant aspects of your resource interactions. Want to know which resource claims are running, which composite resources they created, and from which managed resources? Everything is here, down to the events that report state changes, errors, and successes.

Upbound takes care of keeping the control planes running. It is on call for you. Upbound Cloud Spaces is a fully managed offering. There is ticket support not only for your tool ecosystem but also assistance for creating your own Crossplane configurations. Reference configurations are available in the Upbound marketplace for your convenience. They are a fantastic starting point for composing your own platform architecture.

Creating a new control plane in Upbound Cloud Spaces is faster than a major cloud provider delivers a managed Kubernetes cluster. I have seen them come alive and reach readiness in under 2 minutes. Your control planes are backed up, and there is an OpenTelemetry endpoint that lets you observe them with your preferred visualization and alert management tooling.

The Grafana dashboard below shows time to first reconcile and readiness, time to delete, and drift catch in addition to managed resource sync and ready status for those resources under management by your control plane.

The next dashboard breaks out the resource deletion times, after deleting claims that are composed of multiple managed resource types.

Upbound Cloud Spaces integrates with external secret stores such as AWS Secrets Manager and Azure Key Vault, so the secrets a control plane needs when accessing protected resources can live in a store you already govern and audit.

There is a wickedly fast query API that puts a big smile on my face and leaves native Kubernetes standing in the dust. It is especially useful for obtaining status information across large numbers of managed resources.

The up managed resources query returned in 0.647 seconds compared to 13.371 seconds for the same query using kubectl.

A common scenario among Upbound Spaces customers is the use of the Managed Control Plane connector. It allows your Kubernetes application clusters to talk with your Upbound Spaces control planes. With it you can claim resources on your application cluster, such as a SQL database, that will then be requested by your Upbound Spaces control plane from the cloud provider.

Control planes can be grouped, and role-based access control governs which teams can reach which control planes, so multiple teams can operate within a single Upbound organization.

For anyone with security concerns, Upbound holds a SOC 2 Type II attestation.

Upbound Cloud Spaces is cost-optimized, charging only a small hourly resource reconciliation fee. This is great value compared to building, maintaining, and operating everything that Cloud Spaces offers yourself, and the charge model is familiar to anyone who consumes cloud resources from the major providers. Upbound Cloud Spaces lets you focus on building your custom platforms on top of it and delighting your own customers.

Self Hosted Connected Spaces

Merit

Upbound's hosting options come with excellent support, and the platform creator experience is optimized for ease of use and speed of innovation. The Self Hosted Spaces reference architecture is available on GitHub; the repository contains a reference implementation for deploying Crossplane at scale to serve multiple business units.

Features

The Self Hosted Connected Spaces option offers the same Upbound management console that we explored with Cloud Spaces. It is for organizations that require single tenancy: you bring your own cloud account and run the bundled Upbound hosting package on your own Kubernetes cluster, which gives you plenty of freedom to apply your own governance, compliance, corporate guidance, and custom connectivity.

There is a pragmatic set of enterprise features that assists with day 2 operations, including:

  • Ticket support
  • Control plane backups
  • External secret store support
  • Fast query API
  • OpenTelemetry observability endpoint
  • MCP Connector

Self Hosted Disconnected Spaces

Some organizations are required to run in air-gapped environments; this is common for insurance companies, banks, and others that handle sensitive data. For them, Upbound offers Self Hosted Disconnected Spaces. They are the best choice for privacy and single tenancy, but without connectivity to the Upbound UI.

The Spaces API exposes the following group/version/kind (GVK) options. It is designed for interacting with Upbound Spaces declaratively from a control plane, which can in turn manage other control planes in Spaces.

Conclusion

Upbound Spaces is the perfect landing point. It helps customers to focus their energy and effort on building their custom resource management platforms.

There is lots to love here, and it will be Upbound's pleasure to give you a live demo when you contact us. If you are already familiar with Crossplane, sign up for a free trial. To get the most out of it, follow the getting started guide and use the Crossplane community Slack to get your questions answered during your self-service period.

Crossplane has an amazing community of skilled, helpful engineers working for reputable companies from all around the world.

Try It For Yourself

Set yourself a goal to do the following.
