Now Upbound Official Packages Meet The Most Demanding Enterprise Requirements

Today, we are announcing some crucial updates to Upbound’s Official Packages.

Building on the success of Upbound's official packages program, we’re improving official packages, making them more secure, ensuring they’re ready for the most secure enterprise deployments, and adding support for Upbound's new development tooling. We’re also changing how these packages are released and supported by Upbound. Read on to learn more.

A Brief History of Upbound Official Packages

Upbound created the Official Package program almost two years ago to ensure users adopting Crossplane can rely on high-quality providers, functions, and other Crossplane extensions. Our investment in this program has led to the wide adoption of official packages by the Crossplane community and Upbound customers and partners. In 2023, we introduced family providers in response to the increasing number of CRDs and to improve their performance running in  Kubernetes clusters. Given their importance to the Crossplane ecosystem, and in light of HashiCorp’s BUSL changes, we followed in September of 2023 by donating the source code of these packages and the tooling around them to the CNCF, removing any long-term viability concerns.

Today, these official packages have become the de facto standard for production deployments of Crossplane. More than half of the millions of downloads a month from the Upbound Marketplace are attributed to these official packages.

Meeting the Strongest Security Requirements

Crossplane is being adopted by companies in highly regulated industries such as banking, insurance, healthcare, and government.  As a result, we will be  meeting more stringent requirements for software security. Today, I’m excited to announce that all our official packages will now adhere to the following standards:

• Built from streamlined distroless images to reduce potential attack surface area
• Published with an SBOM to assist with vulnerability tracking and reduce software supply chain risks
• Upbound now signs packages that  can be verified by Crossplane, Upbound, and any industry standard tooling
• Upbound will publish an SLA for CVE remediation

These improved Official Packages are available for free to community users as well as Upbound customers. We are also making available FIPS-compliant versions of providers upon request by Upbound paid customers.

Supporting Upbound Development Tooling

I’m also excited to announce that, as of today, all Upbound Official Providers will support the rich development experience unveiled today. New releases of official providers will support VSCode code completion, schema validation, and linting. Upbound will ensure that these providers consistently support popular  languages and devex tooling improvements.

These changes are available for free to community users as well as Upbound customers.

Updated Access, Maintenance and Support Policy

Today, we are also updating our access, maintenance, and support policy for official packages to ensure that enterprises can reliably run these packages within their production environments.

Upbound will maintain released versions of an official package for 12 months, and provide access for an additional 6 months after the maintenance period. We offer support entitlements within the maintenance window (12-months) that include break-fix issues, adding or updating resources, as offering roadmap assurance. We are committed to testing all versions of these packages across different environments, supporting versions of Crossplane, fixing issues (including CVEs), and backporting changes as needed within the maintenance window. We believe these policies will ensure enterprises can rely on high-quality packages within their production environment.

Starting today, Upbound will begin charging for supporting official packages to help subsidize the significant effort and costs of maintaining these packages to enterprise standards. Our approach is designed to balance the needs of the community while ensuring that enterprises with stringent security and support requirements pay for these benefits.

Community members will always be able to access the latest version of a given official package for free, including patch releases and security fixes. Updates to non-breaking Official Packages (minor and patch releases) will be made available immediately, and prior versions will be removed. When major updates to official packages are released, the previous version will be available for another 30 days to ensure that the community has enough time to upgrade.

Upbound paid customers with active subscriptions will have access to all versions within the maintenance window (12 months of maintenance, followed by 6 months of access). Upbound customers at the Enterprise or Business Critical tiers or with a UXP subscription will also have support entitlements within the maintenance window.

This approach will ensure the long-term sustainability of official packages while ensuring that the Crossplane community continues to have access to the same high-quality and secure releases.