Authentication

The Upbound Official Kubernetes Provider supports many authentication methods.

Upbound Identity

Note
This method of authentication is only supported in control planes running on Upbound Cloud Spaces.

Use this auth mechanism when you want a control plane running provider-kubernetes to interact with Upbound APIs. Upbound Identity can authenticate to Upbound with either of the following:

  • a user's personal access token (PAT)
  • a token generated for a robot

Create an access token

Robot token

This method creates a Robot, the Upbound equivalent of a service account, and uses its identity to authenticate and perform actions.

  1. Login to Upbound:
up login
  2. Create a robot:
up robot create "provider-kubernetes" --description="Robot used for authenticating to Upbound by provider-kubernetes"
  3. Create an access token for this robot and store it in an environment variable:
export UPBOUND_TOKEN=$(up robot token create "provider-kubernetes" "provider-kubernetes-token" --output=-| awk -F': ' '/Token:/ {print $2}')
  4. Assign the robot to a team and use Upbound RBAC to grant the team a role with the permissions the provider needs. Until this is done the token authenticates but is not authorised to do anything.

Personal access token

Create a personal access token for your user and store it in an environment variable (paste the token between the quotes). A PAT acts with all of your user's permissions, so prefer a robot token for anything long-lived:

export UPBOUND_TOKEN=""

Generate a kubeconfig for Upbound APIs

Upbound APIs are Kubernetes-compatible. Generate a kubeconfig for the context you want to interact with, following the token method you used in the previous section. Replace <org>/<space>/<group>/<control-plane> with the path of the control plane the provider should manage.

Robot token

  1. Login to Upbound with the robot access token, so the kubeconfig is generated for the robot's identity rather than your user's:
up login -t $UPBOUND_TOKEN
  2. Set your Upbound context and write it to a file:
up ctx <org>/<space>/<group>/<control-plane>
up ctx . -f - > upbound-context.yaml

Personal access token

  1. Login to Upbound:
up login
  2. Set your Upbound context and write it to a file:
up ctx <org>/<space>/<group>/<control-plane>
up ctx . -f - > upbound-context.yaml

Store the path of the generated kubeconfig in an environment variable:

export CONTROLPLANE_CONFIG=upbound-context.yaml

Create secrets to store configs

In the control plane where you've installed provider-kubernetes, store the kubeconfig and the Upbound token created in the earlier steps as secrets. Both secrets hold live credentials for the target control plane, so restrict who can read secrets in the crossplane-system namespace:

kubectl -n crossplane-system create secret generic cluster-config --from-file=kubeconfig=$CONTROLPLANE_CONFIG
kubectl -n crossplane-system create secret generic upbound-credentials --from-literal=token=$UPBOUND_TOKEN

Create a ProviderConfig

Create a ProviderConfig that sets the provider's identity type to UpboundTokens. The credentials block points at the cluster-config secret, whose kubeconfig tells the provider which Upbound API endpoint to talk to; the identity block points at the upbound-credentials secret, whose token the provider presents to authenticate.

Tip
To use Upbound based authentication by default, name the ProviderConfig default.
apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    secretRef:
      key: kubeconfig
      name: cluster-config
      namespace: crossplane-system
    source: Secret
  identity:
    secretRef:
      key: token
      name: upbound-credentials
      namespace: crossplane-system
    source: Secret
    type: UpboundTokens
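As an added example (not from the Upbound docs or from provider-kubernetes), the following script runs the robot-token flow above end to end, with the checks the individual commands leave implicit: the token parse fails loudly instead of producing an empty secret, the token reaches kubectl on stdin rather than on the command line, the generated kubeconfig is deleted on exit, and the secrets are applied idempotently. It assumes `up` and `kubectl` are on PATH, that you have already run `up login` as a user permitted to create robots, that kubectl's current context is the control plane where provider-kubernetes is installed, and that CONTEXT_PATH is set to your <org>/<space>/<group>/<control-plane>; the ORG/SPACE/GROUP/CONTROLPLANE default is a hypothetical placeholder.

```shell
#!/usr/bin/env bash
# Added example, not part of the Upbound docs or the provider: wires the
# robot-token steps into one script. Assumptions (placeholders, change them):
# `up login` has already been run as a user allowed to create robots, kubectl's
# current context is the control plane running provider-kubernetes, and
# CONTEXT_PATH names the control plane the provider should manage.
set -euo pipefail

ROBOT_NAME="${ROBOT_NAME:-provider-kubernetes}"
TOKEN_NAME="${TOKEN_NAME:-provider-kubernetes-token}"
NAMESPACE="${NAMESPACE:-crossplane-system}"
CONTEXT_PATH="${CONTEXT_PATH:-ORG/SPACE/GROUP/CONTROLPLANE}"   # hypothetical

# Pull the token out of `up robot token create --output=-`, which prints a
# "Token: <value>" line (the same parse the page does with awk). Returns
# non-zero instead of an empty string when the line is missing, so a failed
# token creation cannot end up as an empty secret.
extract_token() {
  local tok
  tok=$(printf '%s\n' "$1" | awk -F': ' '/^Token:/ {print $2; exit}')
  [ -n "$tok" ] || return 1
  printf '%s' "$tok"
}

# Render the ProviderConfig from the page, parameterised on the secret names.
render_provider_config() {
  local ns="$1" cluster_secret="$2" creds_secret="$3"
  cat <<EOF
apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: ${ns}
      name: ${cluster_secret}
      key: kubeconfig
  identity:
    type: UpboundTokens
    source: Secret
    secretRef:
      namespace: ${ns}
      name: ${creds_secret}
      key: token
EOF
}

main() {
  local token kubeconfig
  kubeconfig=$(mktemp)
  # Remove the generated kubeconfig when the script exits, success or failure.
  trap 'rm -f "$kubeconfig"' EXIT

  up robot create "$ROBOT_NAME" --description="Robot used by provider-kubernetes"
  token=$(extract_token "$(up robot token create "$ROBOT_NAME" "$TOKEN_NAME" --output=-)")

  # Log in as the robot so the kubeconfig is generated for the robot's identity.
  up login -t "$token"
  up ctx "$CONTEXT_PATH"
  up ctx . -f - > "$kubeconfig"

  # Create the secrets idempotently. The token is passed on stdin rather than
  # with --from-literal so it does not show up in the process list or history.
  kubectl -n "$NAMESPACE" create secret generic cluster-config \
    --from-file=kubeconfig="$kubeconfig" --dry-run=client -o yaml | kubectl apply -f -
  printf '%s' "$token" | kubectl -n "$NAMESPACE" create secret generic upbound-credentials \
    --from-file=token=/dev/stdin --dry-run=client -o yaml | kubectl apply -f -

  render_provider_config "$NAMESPACE" cluster-config upbound-credentials | kubectl apply -f -

  # Assigning the robot to a team and granting that team a role is still done in
  # Upbound RBAC; without it the token authenticates but is not authorised.
  kubectl get providerconfig.kubernetes.crossplane.io default
}

# Only run the flow when explicitly asked, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `./setup-upbound-identity.sh run`. If `up robot token create` ever prints its token in a different shape, `extract_token` returns non-zero and the script stops before any secret is written, which is the failure mode you want.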

Injected Identity

Use this auth mechanism when you want a control plane to use provider-kubernetes to manage or interact with resources in itself. With Injected Identity the provider authenticates to the API server as the Kubernetes service account its own pod runs as, so what it can do is decided entirely by the RBAC bound to that service account. The steps below bind it to the built-in cluster-admin role, which gives the provider unrestricted access to the control plane; treat that as a starting point and narrow it to the kinds the provider actually manages where you can.

Create a ProviderConfig

Create a ProviderConfig that sets the credential source to InjectedIdentity. No secret is referenced; the provider uses the service account token mounted into its pod.

Tip
To use Injected Identity authentication by default, name the ProviderConfig default.
apiVersion: kubernetes.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: InjectedIdentity

Create a DeploymentRuntimeConfig

Create a DeploymentRuntimeConfig and a ClusterRoleBinding to grant the provider the cluster-admin role. The DeploymentRuntimeConfig fixes the name of the provider's service account (without it Crossplane generates a name per package revision), so the ClusterRoleBinding can refer to it by name. The subject's namespace must be the one Crossplane is installed in, crossplane-system here.

apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: provider-kubernetes
spec:
  serviceAccountTemplate:
    metadata:
      name: provider-kubernetes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: provider-kubernetes-cluster-admin
subjects:
  - kind: ServiceAccount
    name: provider-kubernetes
    namespace: crossplane-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

Reference this DeploymentRuntimeConfig from the Provider to complete the configuration:

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-kubernetes
spec:
  package: xpkg.upbound.io/upbound/provider-kubernetes:v0.16.0
  runtimeConfigRef:
    apiVersion: pkg.crossplane.io/v1beta1
    kind: DeploymentRuntimeConfig
    name: provider-kubernetes
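If the provider only needs to manage a few kinds in its own control plane, the cluster-admin binding above can be replaced with a ClusterRole scoped to those kinds. The following is an added example, not from the Upbound docs or from provider-kubernetes; it assumes the provider's Object resources will create only ConfigMaps and Namespaces, and the role name provider-kubernetes-scoped is a hypothetical choice. The DeploymentRuntimeConfig and Provider above stay unchanged; this replaces only the ClusterRoleBinding to cluster-admin.

```yaml
# Added example: least-privilege replacement for the cluster-admin binding.
# Assumption: the provider's Object resources create only ConfigMaps and Namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: provider-kubernetes-scoped
rules:
  # Namespaces are cluster-scoped, so a ClusterRole (not a Role) is required for them.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: provider-kubernetes-scoped
subjects:
  - kind: ServiceAccount
    name: provider-kubernetes     # the name fixed by the DeploymentRuntimeConfig above
    namespace: crossplane-system
roleRef:
  kind: ClusterRole
  name: provider-kubernetes-scoped
  apiGroup: rbac.authorization.k8s.io
```

Apply this instead of the cluster-admin ClusterRoleBinding, then confirm the service account holds exactly what you expect with `kubectl auth can-i --list --as=system:serviceaccount:crossplane-system:provider-kubernetes`. An Object that tries to create a kind outside these rules will not become ready and its status will carry the API server's forbidden error; that is the signal to extend the rules rather than to fall back to cluster-admin. This role covers only the kinds the provider manages on behalf of Object resources; the provider's access to its own Object and ProviderConfig kinds is granted by Crossplane separately.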

Other auth mechanisms

Read the provider-kubernetes examples for examples of how to configure the provider with other auth mechanisms.