CLI Reference
This documentation is for the up CLI v0.46.0.
The latest version of up can be installed by running:
curl -sL "https://cli.upbound.io" | sh
up​
The Upbound CLI
Please report issues and feature requests at https://github.com/upbound/upbound.
Usage​
up <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--help | -h | Show context-sensitive help. |
--format | Format for get/list commands. Can be: json, yaml, default | |
--quiet | -q | Suppress all informational output. Command results will still be printed. |
--silent | Suppress all output. | |
--pretty | Pretty print output. |
up completion​
Generate shell autocompletions
Usage​
up completion [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--uninstall |
up composition​
Manage Compositions.
Usage​
up composition <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up composition generate​
Generate a Composition.
The generate command creates a composition and adds the required function
packages to the project as dependencies.
Examples​
Generate a composition from a CompositeResourceDefinition (XRD) and save output
to apis/xnetworks/composition.yaml:
up composition generate apis/xnetwork/definition.yaml
Generate a composition from a Composite Resource (XR) and save output to
apis/xnetworks/composition.yaml:
up composition generate examples/xnetwork/xnetwork.yaml
Generate a composition from a Composite Resource (XR), prefixing the
metadata.name with aws and save output to
apis/xnetworks/composition-aws.yaml:
up composition generate examples/network/network-aws.yaml --name aws
Generate a composition from a Composite Resource (XR) with a custom plural form
and save output to apis/xdatabases/composition.yaml:
up composition generate examples/xdatabase/database.yaml --plural postgreses
Generate a composition from a Composite Resource (XR) using a ResourceGraphDefinition:
up composition generate examples/xnetwork/xnetwork.yaml --input rgd --input-file rgd/network.yaml
Usage​
up composition generate <resource> [flags]
Arguments​
| Argument | Description |
|---|---|
<resource> | File path to Composite Resource Claim (XRC) or Composite Resource (XR) or CompositeResourceDefinition (XRD). |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--name | Name for the new composition. | |
--plural | Optional custom plural for the CompositeTypeRef.Kind | |
--input | Input format: rgd or ResourceGraphDefinition. | |
--input-file | Path to input file (e.g., ResourceGraphDefinition file). | |
--path | Optional path to the output file where the generated Composition will be saved. | |
--project-file | -f | Path to project definition file. |
--output | -o | Output format for the results: 'file' to save to a file, 'yaml' to print XRD in YAML format, 'json' to print XRD in JSON format. |
--cache-dir | Directory used for caching dependency images. |
up composition render​
Run a composition locally to render an XR into composed resources.
The render command shows you what composed resources Crossplane would create
by printing them to stdout. It also prints any changes that would be made to the
status of the XR. It doesn't talk to Crossplane. Instead it runs the Composition
Function pipeline specified by the Composition locally, and uses that to render
the XR.
Examples​
Simulate creating a new XR:
up composition render composition.yaml xr.yaml
Simulate updating an XR that already exists:
up composition render composition.yaml xr.yaml \
--observed-resources=existing-observed-resources.yaml
Pass context values to the Function pipeline:
up composition render composition.yaml xr.yaml \
--context-values=apiextensions.crossplane.io/environment='{"key": "value"}'
Pass extra resources requested by functions in the pipeline:
up composition render composition.yaml xr.yaml \
--extra-resources=extra-resources.yaml
Pass credentials needed by functions in the pipeline:
up composition render composition.yaml xr.yaml \
--function-credentials=credentials.yaml
Override function annotations for a remote Docker daemon.
DOCKER_HOST=tcp://192.168.1.100:2376 up composition render composition.yaml xr.yaml \
--function-annotations render.crossplane.io/runtime-docker-publish-address=0.0.0.0 \
--function-annotations render.crossplane.io/runtime-docker-target=192.168.1.100
Docker Configuration​
The render command uses Docker (or any Docker-compatible container runtime) to run composition functions. Configure the Docker connection using these standard environment variables:
DOCKER_HOST: Docker daemon socket (e.g.,unix:///var/run/docker.sock)DOCKER_API_VERSION: Docker API version to useDOCKER_CERT_PATH: Path to Docker TLS certificatesDOCKER_TLS_VERIFY: Enable TLS verification (1 or 0)
Usage​
up composition render <composition> <composite-resource> [flags]
Arguments​
| Argument | Description |
|---|---|
<composition> | A YAML file specifying the Composition to use to render the Composite Resource (XR). |
<composite-resource> | A YAML file specifying the Composite Resource (XR) to render. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--xrd | A YAML file specifying the CompositeResourceDefinition (XRD) to validate the XR against. | |
--context-files | Comma-separated context key-value pairs to pass to the Function pipeline. Values must be files containing JSON. | |
--context-values | Comma-separated context key-value pairs to pass to the Function pipeline. Values must be JSON. Keys take precedence over --context-files. | |
--include-function-results | -r | Include informational and warning messages from Functions in the rendered output as resources of kind: Result. |
--include-full-xr | -x | Include a direct copy of the input XR's spec and metadata fields in the rendered output. |
--observed-resources | -o | A YAML file or directory of YAML files specifying the observed state of composed resources. |
--extra-resources | -e | A YAML file or directory of YAML files specifying extra resources to pass to the Function pipeline. |
--include-context | -c | Include the context in the rendered output as a resource of kind: Context. |
--function-credentials | A YAML file or directory of YAML files specifying credentials to use for Functions to render the XR. | |
--function-annotations | Override function annotations for all functions. Can be repeated. | |
--timeout | How long to run before timing out. | |
--max-concurrency | Maximum number of functions to build at once. | |
--project-file | -f | Path to project definition file. |
--cache-dir | Directory used for caching dependency images. | |
--no-build-cache | Don't cache image layers while building. | |
--build-cache-dir | Path to the build cache directory. |
up config​
Manage global configuration settings.
Usage​
up config <command> [flags]
up config get​
Get configuration values.
The get command shows global configuration values for the up CLI.
Configuration Keys​
telemetry.disabled: Controls whether anonymous telemetry is collected.
Usage​
up config get
up config set​
Set configuration values.
The set command sets a global configuration value for the up CLI.
Configuration Keys​
telemetry.disabled: Set to true to disable collection of anonymous telemetry.
Examples​
Disable collection of anonymous telemetry:
up config set telemetry.disabled true
Usage​
up config set <key> <value>
Arguments​
| Argument | Description |
|---|---|
<key> | Configuration key to set. |
<value> | Configuration value to set. |
up controlplane​
Interact with control planes.
Usage​
up controlplane <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up controlplane api-connector​
Connect an App Cluster to a control plane using API Connector.
Usage​
up controlplane api-connector <command> [flags]
up controlplane api-connector install​
Install api-connector into an consumer cluster.
The install command installs the API Connector into a consumer cluster.
Note that the API Connector is a preview feature, under active development and subject to breaking changes. Production use is not recommended.
Examples​
Install the API Connector into the consumer cluster and connect it to the control plane referred to by the current context:
up controlplane api-connector install --consumer-kubeconfig /path/to/kubeconfig
Install the API Connector into the cluster and connect it to the control plane referred to by the current context using the provided robot name for authentication:
up controlplane api-connector install --consumer-kubeconfig /path/to/kubeconfig \
--robot-name upbound-robot-name
Install the API Connector into the cluster but do not provision a
ClusterConnection resource or create a robot for authentication:
up controlplane api-connector install --consumer-kubeconfig /path/to/kubeconfig \
--skip-connection
Usage​
up controlplane api-connector install [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--set | Set parameters. | |
--file | -f | Parameters file. |
--bundle | Local bundle path. | |
--upgrade | Upgrade or downgrade the API Connector to --version, even if it is already installed. | |
--version | Version of the API Connector to install. If not provided, the latest, known to CLI, will be installed. | |
--name | Name of the related objects for named connection. If not provided, control plane name will be used with api-connector prefix. | |
--upbound-token | API token used to authenticate to the provider control plane. Mutually exclusive with --robot-name. | |
--skip-connection | Skip secret and connection initialization to the control plane. If provided, the connector will be installed without connecting to the control plane. | |
--consumer-kubeconfig | Path to the kubeconfig file for the consumer cluster. If not provided, the default kubeconfig resolution will be used. | |
--consumer-context | Context to use in the kubeconfig file. If not provided, the current context will be used. | |
--helm-directory | Directory to store the Helm chart. If not provided, the default will be used. |
up controlplane api-connector uninstall​
Uninstall api-connector from an consumer cluster.
The uninstall command uninstalls the API Connector from a cluster.
Examples​
Uninstall the API Connector from the cluster but leave the connections and secrets in place:
up controlplane api-connector uninstall --target-kubeconfig kubeconfig-path-for-deployment-cluster
Uninstall the API Connector from the cluster and delete the connections and secrets. API objects created by the API Connector initial installation will not be deleted:
up controlplane api-connector uninstall --all --target-kubeconfig kubeconfig-path-for-deployment-cluster
Usage​
up controlplane api-connector uninstall --consumer-kubeconfig=STRING [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--consumer-kubeconfig | Required Path to the kubeconfig file for the consumer cluster. If not provided, the default kubeconfig resolution will be used. | |
--consumer-context | Context to use in the kubeconfig file. If not provided, the current context will be used. | |
--all | Uninstall all resources including the connectors and secrets. If not provided, only the connector will be uninstalled. |
up controlplane configuration​
Manage Configurations.
Usage​
up controlplane configuration <command> [flags]
up controlplane configuration install​
Install a Configuration.
Usage​
up controlplane configuration install <package> [flags]
Arguments​
| Argument | Description |
|---|---|
<package> | Reference to the Configuration. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--name | Name of Configuration. | |
--package-pull-secrets | List of secrets used to pull Configuration. | |
--wait | -w | Wait duration for successful Configuration installation. |
up controlplane connector​
Connect an App Cluster to a control plane using MCP Connector.
Usage​
up controlplane connector <command> [flags]
up controlplane connector install​
Install mcp-connector into an App Cluster.
Usage​
up controlplane connector install <name> <namespace> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of control plane. |
<namespace> | Namespace in the control plane where the claims of the cluster will be stored. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--set | Set parameters. | |
--file | -f | Parameters file. |
--bundle | Local bundle path. | |
--token | API token used to authenticate. If not provided, a new robot and a token will be created. | |
--cluster-name | Name of the cluster connecting to the control plane. If not provided, the namespace argument value will be used. | |
--installation-namespace | -n | Kubernetes namespace for MCP Connector. Default is kube-system. |
--control-plane-secret | Name of the secret that contains the kubeconfig for a control plane. |
up controlplane connector uninstall​
Uninstall mcp-connector from an App Cluster.
Usage​
up controlplane connector uninstall <namespace> [flags]
Arguments​
| Argument | Description |
|---|---|
<namespace> | Namespace in the control plane where the claims of the cluster will be stored. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--cluster-name | Name of the cluster connecting to the control plane. If not provided, the namespace argument value will be used. | |
--installation-namespace | -n | Kubernetes namespace for MCP Connector. Default is kube-system. |
up controlplane create​
Create a Spaces control plane.
Usage​
up controlplane create <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of control plane. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--group | -g | The control plane group that the control plane is contained in. This defaults to the group specified in the current context |
--crossplane-version | The version of Universal Crossplane to use. The default depends on the selected auto-upgrade channel. | |
--crossplane-channel | The Crossplane auto-upgrade channel to use. Must be one of: None, Patch, Stable, Rapid | |
--secret-name | The name of the control plane's secret. Defaults to 'kubeconfig-{control plane name}'. Only applicable for Space control planes. |
up controlplane delete​
Delete a Spaces control plane.
Usage​
up controlplane delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of control plane. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--group | -g | The control plane group that the control plane is contained in. This defaults to the group specified in the current context |
up controlplane function​
Manage Functions.
Usage​
up controlplane function <command> [flags]
up controlplane function install​
Install a Function.
Usage​
up controlplane function install <package> [flags]
Arguments​
| Argument | Description |
|---|---|
<package> | Reference to the Function. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--name | Name of Function. | |
--package-pull-secrets | List of secrets used to pull Function. | |
--wait | -w | Wait duration for successful Function installation. |
up controlplane get​
Get a single Spaces control plane.
Usage​
up controlplane get <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of control plane. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--group | -g | The control plane group that the control plane is contained in. This defaults to the group specified in the current context |
up controlplane list​
List control planes in a Space.
Usage​
up controlplane list [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--all-groups | -A | List control planes across all groups. |
--group | -g | The control plane group that the control plane is contained in. This defaults to the group specified in the current context |
up controlplane migration​
Migrate control planes to Upbound Managed Control Planes.
The migration command seamlessly migrates control plane resources from
Crossplane or Upbound Crossplane (UXP) environments to Managed Control Planes in
Upbound Spaces.
This command simplifies the process of transferring your existing Crossplane configurations and states into the Upbound platform, ensuring a smooth transition with minimal downtime.
For detailed information on each command and its options, use the --help flag
with the specific command (e.g., up controlplane migration export --help).
Usage​
up controlplane migration <command> [flags]
up controlplane migration export​
The 'export' command is used to export the current state of a Crossplane or Universal Crossplane (xp/uxp) control plane into an archive file. This file can then be used for migration to Upbound Managed Control Planes.
The export command exports resources from a Crossplane or Upbound Crossplane
(UXP) cluster to a tarball, for migration to an Upbound Managed Control Plane.
Use the available options to customize the export process, such as specifying the output file path, including or excluding specific resources and namespaces, and deciding whether to pause claim,composite,managed resources before exporting.
Examples​
Pause all claims, composites, and managed resources before exporting the control
plane state. The state is exported to the default archive file named
xp-state.tar.gz. Resources that were already paused will be annotated with
migration.upbound.io/already-paused: "true" to preserve their paused state
during the import process:
up migration export --pause-before-export
Export the control plane state to a file called my-export.tar.gz:
up migration export --output=my-export.tar.gz
Export the control plane state from only the provided namespaces to the default
file, xp-state.tar.gz, with the additional resources specified:
up migration export --include-extra-resources="customresource.group" \
--include-namespaces="crossplane-system,team-a,team-b"
Usage​
up controlplane migration export [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--yes | When set to true, automatically accepts any confirmation prompts that may appear during the export process. | |
--output | -o | Specifies the file path where the exported archive will be saved. Defaults to 'xp-state.tar.gz'. |
--include-extra-resources | A list of extra resource types to include in the export in "resource.group" format in addition to all Crossplane resources. By default, it includes namespaces, configmaps, secrets. | |
--exclude-resources | A list of resource types to exclude from the export in "resource.group" format. No resources are excluded by default. | |
--include-namespaces | A list of specific namespaces to include in the export. If not specified, all namespaces are included by default. | |
--exclude-namespaces | A list of specific namespaces to exclude from the export. Defaults to 'kube-system', 'kube-public', 'kube-node-lease', and 'local-path-storage'. | |
--pause-before-export | When set to true, pauses all claim,composite and managed resources before starting the export process. This can help ensure a consistent state for the export. Defaults to false. |
up controlplane migration import​
The 'import' command imports a control plane state from an archive file into an Upbound managed control plane.
The import command imports resources from an exported bundle into a Managed
Control Plane.
By default, all managed resources will be paused during the import process for possible manual inspection/validation. You can use the --unpause-after-import flag to automatically unpause all claim,composite,managed resources after the import process completes.
Examples​
Automatically import the control plane state from my-export.tar.gz. Claim and
composite resources that were paused during export will remain paused. Managed
resources will be paused. If they were already paused during export, the
annotation migration.upbound.io/already-paused: "true" will be added to
preserve their paused state:
up migration import --input=`my-export.tar.gz`
Automatically import and unpause claims, composites, and managed resources after
importing them. Resources with the annotation
migration.upbound.io/already-paused: "true" will remain paused:
up migration import --unpause-after-import
Automatically import and unpause claims, composites, and managed resources after
importing them. The metadata.name of claims will be adjusted for MCP Connector
compatibility, and the corresponding composite's claimRef will also be
updated. Resources annotated with migration.upbound.io/already-paused: "true"
will remain paused:
up migration import --unpause-after-import --mcp-connector-claim-namespace=default \
--mcp-connector-cluster-id=my-cluster-id
Usage​
up controlplane migration import [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--yes | When set to true, automatically accepts any confirmation prompts that may appear during the import process. | |
--input | -i | Specifies the file path or directory of the archive to be imported. The default path is 'xp-state.tar.gz'. |
--unpause-after-import | When set to true, automatically unpauses all managed resources that were paused during the import process. This helps in resuming normal operations post-import. Defaults to false, requiring manual unpausing of resources if needed. | |
--mcp-connector-cluster-id | MCP Connector cluster ID. Required for importing claims supported my MCP Connector. | |
--mcp-connector-claim-namespace | MCP Connector claim namespace. Required for importing claims supported by MCP Connector. | |
--skip-target-check | When set to true, skips the check for a local or managed control plane during import. |
up controlplane migration pause-toggle​
The 'pause-toggle' command is used to pause or unpause resources affected by a migration, ensuring that only migration-induced pauses are undone.
The pause-toggle command allows you to manage the paused state of resources
after a migration attempt.
- When
--pause=true, all resources in the target control plane will be paused due to a faulty migration. This is useful after runningmigration import --unpause-after-import=trueand discovering issues in the target. - When
--pause=false, only resources paused during the migration will be unpaused in the source control plane, ensuring that pre-existing paused resources remain unchanged.
Examples​
Pause all resources in the target control plane after a migration if the import caused issues. Useful for stopping resources in a faulty target environment:
up migration pause-toggle --pause=true
Unpause only the resources that were paused in the source control plane due to migration. This is helpful when reverting migration-induced pauses in the source after a failed import to the target.
up migration pause-toggle --pause=false
Usage​
up controlplane migration pause-toggle [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--pause | Set to 'true' to pause all resources in the target control plane after a faulty migration, or 'false' to remove the paused annotation in the source control plane after a failed migration. | |
--yes | When set to true, automatically accepts any confirmation prompts that may appear during the process. |
up controlplane oidc-auth​
Create OIDC ProviderConfig in a Spaces control plane and Cloud Resources.
Usage​
up controlplane oidc-auth <command> [flags]
up controlplane oidc-auth aws​
Create OIDC ProviderConfig and AWS Resources
The oidc-auth command sets up OIDC authentication between an Upbound Cloud
Control Plane and AWS using an AWS IAM Identity Provider.
This command requires the AWS CLI.
Examples​
Check if the IAM IdentityProvider proidc.upbound.io exists and create it if
needed. Create an IAM Role trusted by the identity provider and attach the
AdministratorAccess policy. Configure the control plane with a
ProviderConfig for provider-aws:
up ctp oidc-auth aws example-project-aws-up-cli arn:aws:iam::aws:policy/AdministratorAccess
Check if the IAM IdentityProvider proidc.upbound.io exists and create it if
needed. Create an IAM Role with a trust policy using a wildcard match
(StringLike) on sub. Useful for allowing access from multiple control planes
matching the pattern:
up ctp oidc-auth aws example-project-aws-up-cli arn:aws:iam::aws:policy/AdministratorAccess \
--sub 'example-*'
Check if the IAM IdentityProvider example.upbound.io exists and create it if
needed. Create an IAM Role trusted by the specified identity provider and attach
the AdministratorAccess policy. Configure the control plane with the
appropriate ProviderConfig for provider-aws:
up ctp oidc-auth aws example-project-aws-up-cli arn:aws:iam::aws:policy/AdministratorAccess \
--oidc-provider-name example.upbound.io
Show the AWS CLI commands that would be executed to set up OIDC without actually running them:
up ctp oidc-auth aws example-project-aws-up-cli arn:aws:iam::aws:policy/AdministratorAccess \
--dry-run
Usage​
up controlplane oidc-auth aws <name> <policy> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | AWS IAM Role Name |
<policy> | AWS IAM Policy ARN |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--oidc-provider-name | AWS Identity Provider - OIDC Provider Name | |
--provider-config-name | Provider AWS ProviderConfigName | |
--sub | Define the control plane name that the IAM Role trust policy will use in the 'sub' claim. Supports wildcards (using StringLike). | |
--yes | When set to true, automatically accepts any confirmation prompts. | |
--dry-run | Print what changes would be made but do not take action. |
up controlplane provider​
Manage Providers.
Usage​
up controlplane provider <command> [flags]
up controlplane provider install​
Install a Provider.
Usage​
up controlplane provider install <package> [flags]
Arguments​
| Argument | Description |
|---|---|
<package> | Reference to the Provider. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--name | Name of Provider. | |
--package-pull-secrets | List of secrets used to pull Provider. | |
--wait | -w | Wait duration for successful Provider installation. |
up controlplane pull-secret​
Manage package pull secrets.
Usage​
up controlplane pull-secret <command> [flags]
up controlplane pull-secret create​
Create a package pull secret.
Usage​
up controlplane pull-secret create <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of the pull secret. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--file | -f | Path to credentials file. Credentials from profile are used if not specified. |
--namespace | -n | Kubernetes namespace for pull secret. |
up controlplane simulate​
Alias for 'up controlplane simulation create'.
Usage​
up controlplane simulate --changeset=CHANGESET,... <source-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<source-name> | Name of source control plane. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--group | -g | The control plane group that the control plane is contained in. This defaults to the group specified in the current context |
--simulation-name | -n | The name of the simulation resource |
--changeset | -f | Required Path to the resources that will be applied as part of the simulation. Can either be a single file or a directory |
--recursive | -r | Process the directory used in -f, --changeset recursively. |
--complete-after | The maximum amount of time the simulated control plane should run before ending the simulation | |
--fail-on | Fail and exit with a code of '1' if a certain condition is met | |
--output | -o | Output the results of the simulation to the provided file. Defaults to standard out if not specified |
--wait | Wait for the simulation to complete. If set to false, the command will exit immediately after the changeset is applied | |
--terminate-on-finish | Terminate the simulation after the completion criteria is met |
up controlplane simulation​
Manage control plane simulations.
The simulation command manages control plane simulations. Simulations allow
you to see what changes would occur in a control plane after applying a set of
changes.
Examples​
Create a new simulation for the specified control plane, wait for the simulation to complete, then shows results:
up controlplane simulation create control-plane-name
List all simulations for the current context:
up controlplane simulation list
Delete a simulation, removing the simulation results and resources:
up controlplane simulation delete simulation-name
Usage​
up controlplane simulation <command> [flags]
up controlplane simulation create​
Start a new control plane simulation and wait for the results.
Usage​
up controlplane simulation create --changeset=CHANGESET,... <source-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<source-name> | Name of source control plane. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--group | -g | The control plane group that the control plane is contained in. This defaults to the group specified in the current context |
--simulation-name | -n | The name of the simulation resource |
--changeset | -f | Required Path to the resources that will be applied as part of the simulation. Can either be a single file or a directory |
--recursive | -r | Process the directory used in -f, --changeset recursively. |
--complete-after | The maximum amount of time the simulated control plane should run before ending the simulation | |
--fail-on | Fail and exit with a code of '1' if a certain condition is met | |
--output | -o | Output the results of the simulation to the provided file. Defaults to standard out if not specified |
--wait | Wait for the simulation to complete. If set to false, the command will exit immediately after the changeset is applied | |
--terminate-on-finish | Terminate the simulation after the completion criteria is met |
up controlplane simulation delete​
Delete a control plane simulation.
Usage​
up controlplane simulation delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of the simulation. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--group | -g | The group that the simulation is contained in. This defaults to the group specified in the current context |
up controlplane simulation list​
List control plane simulations for the account.
Usage​
up controlplane simulation list [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--all-groups | -A | List simulations across all groups. |
--group | -g | The group that the simulation is contained in. This defaults to the group specified in the current context |
up ctx​
Select an Upbound kubeconfig context.
Usage​
up ctx [<argument>] [flags]
Arguments​
| Argument | Description |
|---|---|
<argument> | Optional .. to move to the parent, '-' for the previous context, '.' for the current context, or any relative path. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--short | -s | Short output. |
--context | Kubernetes context to operate on. | |
--file | -f | Kubeconfig to modify when saving a new context. Overrides the --kubeconfig flag. Use '-' to write to standard output. |
up dependency​
Manage configuration dependencies.
The dependency command manages dependencies of the project in the current
directory. It caches package information in a local file system cache (by
default in ~/.up/cache) and manages language schemas that can be used for
building functions.
Usage​
up dependency <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up dependency add​
Add a dependency to the current project.
The add command retrieves a Crossplane package from a specified registry with
an optional version tag and adds it to a project as a dependency. Language
schemas will be added to the project if the package provides them.
API dependencies can be added using the --api flag. This automatically
generates schemas for the dependency.
Examples​
Retrieve the latest available version of the EKS provider, add all CRDs to the
cache folder, and place language schemas in the project's .up/ folder:
up dependency add xpkg.upbound.io/upbound/provider-aws-eks
Retrieves the latest available version greater than v1.1.0 of the
platform-ref-aws configuration, add all XRDs to the cache folder, and place
language schemas in the project's .up/ folder:
up dependency add 'xpkg.upbound.io/upbound/platform-ref-aws:>v1.1.0'
Retrieves version v0.4.1 of function-status-transformer:
up dependency add 'xpkg.upbound.io/crossplane-contrib/function-status-transformer:>v0.4.1'
Add core resources from Kubernetes v1.33.0 as an API dependency, adding language
schemas to the project's .up/ folder:
up dependency add --api k8s:v1.33.0
Add a specific CRD from an HTTP URL as an API dependency, adding language
schemas to the project's .up/ folder:
up dependency add --api https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/deploy/crds/cert-manager.io_certificaterequests.yaml
Add CRDs from a git repository as an API dependency, adding language schemas to
the project's .up/ folder:
up dependency add --api https://github.com/kubernetes-sigs/cluster-api \
--git-ref=release-1.11 --git-path=config/crd/bases
Usage​
up dependency add <package> [flags]
Arguments​
| Argument | Description |
|---|---|
<package> | Package to be added. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--api | Treat the dependency as an API dependency (k8s or CRD). | |
--git-ref | Git ref for CRD dependencies (branch, tag, or commit SHA). If provided, the CRD will be fetched from git. | |
--git-path | Path within the git repository for CRD dependencies. | |
--cache-dir | Directory used for caching package images. |
up dependency clean-cache​
Clean the dependency cache.
The clean-cache command removes all cached package images from the local cache
directory. This can help free up disk space or resolve issues with corrupted
cache entries.
Examples​
Clean the default cache directory (~/.up/cache/), removing all cached package images:
up dependency clean-cache
Clean a custom cache directory, for example in a CI/CD environment where a shared cache is used:
up dependency clean-cache --cache-dir /path/to/cache
Usage​
up dependency clean-cache [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--cache-dir | Directory used for caching package images. |
up dependency update-cache​
Update the dependency cache for the current project.
The update-cache command updates the local dependency cache for the current
project. It downloads and caches all dependencies specified in the project's
upbound.yaml file.
Examples​
up dependency update-cache
Updates cache for all dependencies in upbound.yaml. Uses default cache directory (~/.up/cache/).
up dependency update-cache --cache-dir `path/to/cache`
Updates cache using a custom cache directory. Useful for CI/CD environments.
up dependency update-cache -f `custom-project.yaml`
Updates cache for dependencies in a custom project file. Default is upbound.yaml.
Usage​
up dependency update-cache [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--cache-dir | Directory used for caching package images. | |
--git-token | Token for git HTTPS authentication (GitHub PAT, GitLab token, etc.). | |
--git-username | Username for git HTTPS authentication. Use your Bitbucket username for Bitbucket app passwords. |
up example​
Manage Claim(XRC) or Composite Resource(XR).
Usage​
up example <command> [flags]
up example generate​
Generate an Example Composite Resource (XR) or Claim (XRC)
The generate command is used to create an example Composite Resource (XR) or
Composite Resource Claim (XRC). For v2 projects only Composite Resources (XRs)
are supported. XRs are namespace-scoped by default, but you can choose
cluster-scoped using the --scope=cluster flag.
Examples​
Creates an example Composite Resource (XR) or Composite Resource Claim (XRC) resource using an interactive wizard:
up example generate
Create an example named example in the namespace default using an
interactive wizard to collect additional inputs:
up example generate --name example --namespace default
Create an example Composite Resource Claim (XRC) with specified api-group, api-version, kind, and name, using an interactive wizard to collect additional inputs:
up example generate --type claim --api-group platform.example.com \
--api-version v1beta1 --kind Cluster --name example
Create an example Composite Resource (XR) or Composite Resource Claim (XRC) based on the fields and default values in an existing CompositeResourceDefinition (XRD). Use an interactive wizard to collect inputs:
up example generate apis/xnetworks/definition.yaml
Create an example Composite Resource (XR) based on the fields and default values in an existing CompositeResourceDefinition (XRD). Use an interactive wizard to collect inputs:
up example generate apis/xnetworks/definition.yaml --type xr
Usage​
up example generate [<xrd-file-path>] [flags]
Arguments​
| Argument | Description |
|---|---|
<xrd-file-path> | Optional Specifies the path to the Composite Resource Definition (XRD) file used to generate an example resource. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--path | Specifies the path to the output file where the Composite Resource (XR) or Composite Resource Claim (XRC) will be saved. | |
--output | -o | Specifies the output format for the results. Use 'file' to save to a file, 'yaml' to display the Composite Resource (XR) or Composite Resource Claim (XRC) in YAML format, or 'json' to display in JSON format. |
--type | Specifies the type of resource to create: 'xrc' for Composite Resource Claim (XRC), 'xr' for Composite Resource (XR). | |
--scope | Specifies the XR scope (v2 only). | |
--api-group | Specifies the API group for the resource. | |
--api-version | Specifies the API version for the resource. | |
--kind | Specifies the Kind of the resource. | |
--name | Specifies the Name of the resource. | |
--namespace | Specifies the Namespace of the resource. | |
--project-file | -f | Path to project definition file. |
up function​
Manage Functions.
Usage​
up function <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up function generate​
Generate an Function for a Composition.
The generate command creates an embedded function in the specified language,
and optionally adds it to a composition or operation pipeline.
Examples​
Create a function with the default language (go-templating) in the folder
functions/fn1:
up function generate fn1
Create a Python function in the folder functions/fn2:
up function generate fn2 --language python
Create a KCL function in the folder functions/compose-xcluster and add it as a
composition pipeline step in the given composition file:
up function generate compose-xcluster apis/xcluster/composition.yaml --language kcl
Creates a Go function in the folder functions/check-pod-logs and add it as a
pipeline step to the operation in operations/watch-pods/operation.yaml:
up function generate check-pod-logs operations/watch-pods/operation.yaml --language go
Usage​
up function generate <name> [<pipeline-path>] [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name for the new Function. |
<pipeline-path> | Optional Path to a composition or operation that will use the new function. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--repository | Repository for the built package. Overrides the repository specified in the project file. | |
--cache-dir | Directory used for caching dependency images. | |
--language | -l | Language for function. |
up group​
Interact with groups inside Spaces.
The group command interacts with groups within the current Space. Use the up profile command to switch between different Upbound profiles and the up ctx
command to switch between Spaces within a Cloud profile.
Examples​
List all groups in the current Space:
up group list
Create a new group named my-group to organize control planes within a Space:
up group create my-group
Get details about a specific group called my-group, including configuration
and metadata:
up group get my-group
Delete the group called my-group, which must not be protected:
up group delete my-group
Usage​
up group <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up group create​
Create a group.
Usage​
up group create <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of group. |
up group delete​
Delete a group.
Usage​
up group delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of group. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force the deletion of the group. |
up group get​
Get a group.
Usage​
up group get <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of group. |
up group list​
List groups in the space.
Usage​
up group list [flags]
up help​
Show help.
Usage​
up help [flags]
up license​
Show license information.
Usage​
up license [flags]
up login​
Login to Upbound. Will attempt to launch a web browser by default. Use --username and --password flags for automations.
The login command authenticates with Upbound Cloud and stores session
credentials.
Authentication Methods​
- Web Browser (default) - Opens browser for OAuth authentication
- Device Code - Use --use-device-code for headless environments
- Username/Password - Provide --username and --password flags
- Personal Access Token or Robot Token - Provide --token flag
The command creates or updates a profile with the authenticated session. If no
profile name is specified, it uses the currently active profile. A profile named
default will be created if no profiles exist.
Examples​
Open a browser for OAuth authentication (recommended):
up login
Prompt for password and authenticate with credentials:
up login --username=user@example.com
Authenticate using a personal access token.
up login --token=upat_xxxxx
Use the device code flow for headless/remote environments:
up login --use-device-code
Authenticate and create or update the production profile:
up login --profile=production --organization=my-org
Usage​
up login [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--username | -u | Username used to execute command. |
--password | -p | Password for specified user. '-' to read from stdin. |
--token | -t | Upbound API token (personal access token) used to execute command. '-' to read from stdin. |
--use-device-code | Use authentication flow based on device code. We will also use this if it can't launch a browser in your behalf, e.g. in remote SSH | |
--qr-code | Display a QR code for the login URL when using the device code login flow. |
up logout​
Logout of Upbound.
The logout command invalidates the current session and removes stored
credentials.
This command:
- Invalidates the session token with Upbound Cloud
- Removes the session token from the local profile configuration
- Keeps the profile configuration intact (only removes authentication)
Note that this affects only a single profile. Other profiles remain authenticated.
After logout, you can log back in using up login to re-authenticate with the
same profile.
Examples​
Log out the active profile:
up logout
Log out the production profile:
up logout --profile=production
Usage​
up logout [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up operation​
Manage Operations.
Usage​
up operation <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up operation generate​
Generate an Operation.
The generate command creates a new, empty operation.
Examples​
Generates a new, empty, one-shot operation named my-operation:
up operation generate my-operation
Generate a new, empty cron operation named my-operation that runs every hour:
up operation generate my-operation --cron "0 0 * * *"
Generate a new, empty watch operation named my-operation triggered by changes
to Deployments in the namespace my-namespace:
up operation generate my-operation --watch-group-version-kind "apps/v1/Deployment" \
--watch-namespace "my-namespace"
Generate a new operation named claude-pod-watcher that invokes a Claude prompt
when pods in the default namespace change:
up operation generate claude-pod-watcher --watch-group-version-kind "apps/v1/Pod" \
--watch-namespace "default" --functions xpkg.upbound.io/upbound/function-claude
Usage​
up operation generate <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name for the new operation. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--path | Optional path to the output file where the generated Operation will be saved. | |
--project-file | -f | Path to project definition file. |
--output | -o | Output format for the results: 'file' to save to a file, 'yaml' to print the Operation in YAML format, 'json' to print the operation in JSON format. |
--cache-dir | Directory used for caching dependency images. | |
--cron | Cron schedule for the operation. | |
--watch-labels | Labels to match on the resource. | |
--watch-group-version-kind | The GVK of resources to watch. For example, 'apps/v1/Deployment'. | |
--watch-namespace | The namespace in which to watch resources. | |
--functions | Comma-separated list of functions to call in the generated operation's pipeline. |
up operation render​
Render an Operation.
The render command shows you what resources an Operation would create or mutate
by printing them to stdout. It also prints any changes that would be made to the
status of the Operation. It doesn't talk to Crossplane. Instead it runs the Operation
Function pipeline specified by the Operation locally, and uses that to render
the Operation.
Examples​
Render an Operation:
up operation render operations/op1/operation.yaml
Pass context values to the Function pipeline:
up operation render operations/op1/operation.yaml \
--context-values=apiextensions.crossplane.io/environment='{"key": "value"}'
Pass required resources requested by functions in the pipeline:
up operation render operations/op1/operation.yaml \
--required-resources=required-resources.yaml
Pass credentials needed by functions in the pipeline:
up operation render operations/op1/operation.yaml \
--function-credentials=credentials.yaml
Include function results and context in the output:
up operation render operations/op1/operation.yaml -f -c
Include the full Operation with original spec and metadata:
up operation render operations/op1/operation.yaml -o
Override function annotations for remote Docker daemon.
DOCKER_HOST=tcp://192.168.1.100:2376 up operation render operations/op1/operation.yaml \
--function-annotations render.crossplane.io/runtime-docker-publish-address=0.0.0.0 \
--function-annotations render.crossplane.io/runtime-docker-target=192.168.1.100
Docker Configuration​
The render command uses Docker (or any Docker-compatible container runtime) to run operation functions. Configure the Docker connection using these standard environment variables:
DOCKER_HOST: Docker daemon socket (e.g.,unix:///var/run/docker.sock)DOCKER_API_VERSION: Docker API version to useDOCKER_CERT_PATH: Path to Docker TLS certificatesDOCKER_TLS_VERIFY: Enable TLS verification (1 or 0)
Usage​
up operation render <operation> [flags]
Arguments​
| Argument | Description |
|---|---|
<operation> | A YAML file specifying the Operation to render. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--required-resources | -r | A YAML file or directory of YAML files specifying required resources that functions can request. |
--watched-resource | -w | A YAML file specifying the watched resource for WatchOperation rendering. The resource is also added to required resources. |
--context-files | Comma-separated context key-value pairs to pass to the Function pipeline. Values must be files containing JSON. | |
--context-values | Comma-separated context key-value pairs to pass to the Function pipeline. Values must be JSON. Keys take precedence over --context-files. | |
--include-function-results | -f | Include informational and warning messages from Functions in the rendered output as resources of kind: Result. |
--include-full-operation | -o | Include the full Operation with original spec and metadata in the rendered output. |
--include-context | -c | Include the context in the rendered output as a resource of kind: Context. |
--function-credentials | A YAML file or directory of YAML files specifying credentials to use for Functions to render the Operation. | |
--function-annotations | Override function annotations for all functions. Can be repeated. | |
--timeout | How long to run before timing out. | |
--max-concurrency | Maximum number of functions to build at once. | |
--project-file | -p | Path to project definition file. |
--cache-dir | Directory used for caching dependency images. | |
--no-build-cache | Don't cache image layers while building. | |
--build-cache-dir | Path to the build cache directory. |
up organization​
Interact with Upbound organizations.
Usage​
up organization <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up organization create​
Create an organization.
Usage​
up organization create <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of organization. |
up organization delete​
Delete an organization.
Usage​
up organization delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of organization. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force deletion of the organization. |
up organization get​
Get an organization.
Usage​
up organization get <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of organization. |
up organization list​
List organizations.
Usage​
up organization list [flags]
up organization token​
Generates an organization-scoped token to authenticate with a Cloud space.
Usage​
up organization token <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of organization. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--token | -t | Token used to execute command. Overrides the token present in the profile. |
up organization user​
Manage organization users.
Usage​
up organization user <command> [flags]
up organization user invite​
Invite a user to the organization.
Usage​
up organization user invite <org-name> <email> [flags]
Arguments​
| Argument | Description |
|---|---|
<org-name> | Name of the organization. |
<email> | Email address of the user to invite. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--permission | -p | Role of the user to invite (owner or member). |
up organization user list​
List users of an organization.
Usage​
up organization user list <org-name>
Arguments​
| Argument | Description |
|---|---|
<org-name> | Name of the organization. |
up organization user remove​
Remove a member from the organization.
Usage​
up organization user remove <org-name> <user> [flags]
Arguments​
| Argument | Description |
|---|---|
<org-name> | Name of the organization. |
<user> | Username or email of the user to remove. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force removal of the member. |
up profile​
Manage configuration profiles.
Usage​
up profile <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up profile create​
Create a new Upbound profile.
The create command creates a new Upbound profile with the specified
configuration.
Profile Types​
- cloud - Profile for connecting to Upbound Cloud (default)
- disconnected - Profile for disconnected Spaces environments using local kubeconfig
The command automatically switches to the newly created profile unless
--use=false is specified. For cloud profiles, an organization must be provided
via the --organization flag. Cloud profiles can also be created using up login.
Examples​
Create a new, logged out cloud profile named my-profile for organization
my-org:
up profile create my-profile --organization=my-org
Create a new disconnected profile named local-dev using the current kubeconfig
context:
up profile create local-dev --type=disconnected
Create a new disconnected profile named local-dev using the kubeconfig context
called my-space:
up profile create local-dev --type=disconnected --kubecontext=my-space
Create a new profile but don't make it the current profile:
up profile create staging --organization=my-org --use=false
Usage​
up profile create <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of the profile to create. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--use | Use the new profile after it's created. Defaults to true. | |
--type | Type of profile to create: cloud or disconnected. |
up profile current​
Get the current active Upbound profile.
The current command displays the currently active Upbound profile and its
configuration.
This command outputs JSON-formatted information about the active profile, including:
- Profile name
- Profile type (cloud or disconnected)
- Organization (for cloud profiles)
- Domain configuration
- Other profile settings (with sensitive data redacted)
Examples​
Show the current active profile configuration in JSON format:
up profile current
Usage​
up profile current [flags]
up profile delete​
Delete an existing Upbound profile.
The delete command removes an Upbound profile from the configuration.
This command permanently deletes the specified profile and all its associated configuration. The profile cannot be recovered after deletion.
Examples​
Deletes the profile named staging:
up profile delete staging
Usage​
up profile delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of the profile to delete. |
up profile list​
List all configured Upbound profiles.
The list command displays all configured Upbound profiles in a table format.
Output Columns​
- CURRENT: Indicates the active profile with an asterisk (*)
- NAME: The name of each profile
- TYPE: Profile type (cloud or disconnected)
- ORGANIZATION: The organization associated with the profile (may be empty for disconnected profiles)
The profiles are listed in alphabetical order by name.
Examples​
Show all configured profiles:
up profile list
Usage​
up profile list [flags]
up profile rename​
Rename an existing Upbound profile.
The rename command changes the name of an existing Upbound profile.
This command renames a profile while preserving all its configuration settings. If the profile being renamed is currently active, it remains active after renaming.
The new name must not conflict with any existing profile names.
Examples​
Rename the profile dev to development:
up profile rename dev development
Usage​
up profile rename <from> <to> [flags]
Arguments​
| Argument | Description |
|---|---|
<from> | Name of the profile to rename. |
<to> | New name for the profile. |
up profile set​
Set configuration values for the current profile.
The set command updates configuration values for an Upbound profile.
Available Keys​
- organization - Sets the organization for the current profile
Examples​
Set the default organization to my-org for the current profile:
up profile set organization `my-org`
Set the default organization to other-org for the profile called production:
up profile set organization my-org --profile=production
Usage​
up profile set <key> <value> [flags]
Arguments​
| Argument | Description |
|---|---|
<key> | The configuration key to set. |
<value> | The configuration value to set. |
up profile use​
Switch to a different Upbound profile.
The use command switches the active Upbound profile and updates the current
kubeconfig context.
This command:
- Sets the specified profile as the default profile
- Updates the kubeconfig to use the last context selected with the profile
- Preserves any existing kubeconfig context information from the profile
Note that if the profile has no associated kubeconfig context (e.g., because up ctx has never been used with the profile), only the profile switch occurs
without kubeconfig updates.
Examples​
Switch to the production profile and update the kubeconfig context:
up profile use production
Usage​
up profile use <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of the Profile to use. |
up profile view​
View all Upbound profiles in JSON format.
The view command displays all configured Upbound profiles in JSON format.
This command outputs detailed information about all profiles, including:
- Profile names as keys
- Profile configuration details (with sensitive data redacted)
- Profile type, organization, domain, and other settings
The output is formatted as indented JSON for easy reading and processing.
Examples​
Show all profiles in JSON format:
up profile view
Use jq to show only the production profile:
up profile view | jq '.["production"]'
Usage​
up profile view [flags]
up project​
Manage Upbound development projects.
Usage​
up project <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up project ai​
Generate AI tooling for a project.
Usage​
up project ai <command> [flags]
up project ai configure-tools​
Generate AI tooling configurations for the project.
The configure-tools command generates configuration to make commonly-used AI
development tools more effective at working in an Upbound project.
Supported Tools​
- Claude Code
- Cursor
- Gemini CLI
Examples​
Create GEMINI.md and .gemini/settings.json:
up project ai configure-tools --gemini-cli
Create CLAUDE.md, .claude/settings.json, and .mcp.json:
up project ai configure-tools --claude-code
Create .cursor:
up project ai configure-tools --cursor
Create configuration for all three tools:
up project ai configure-tools --gemini-cli --claude-code --cursor
Usage​
up project ai configure-tools [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--gemini-cli | Generate gemini CLI configurations. | |
--claude-code | Generate claude code CLI configurations. | |
--cursor | Generate cursor configurations. | |
--copilot | Generate GitHub Copilot configurations. |
up project build​
Build a project into a Crossplane package.
Usage​
up project build [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--repository | Repository for the built package. Overrides the repository specified in the project file. | |
--output-dir | -o | Path to the output directory, where packages will be written. |
--no-build-cache | Don't cache image layers while building. | |
--build-cache-dir | Path to the build cache directory. | |
--max-concurrency | Maximum number of functions to build at once. | |
--cache-dir | Directory used for caching dependencies. | |
--git-token | Token for git HTTPS authentication (GitHub PAT, GitLab token, etc.). | |
--git-username | Username for git HTTPS authentication. Use your Bitbucket username for Bitbucket app passwords. |
up project init​
Initialize a new project.
This command initializes a new project. By default, it will start a wizard to
help you create a new project. The project will be created in a new directory
named after the project. You can specify which template to use with the
--template flag along with the --language flag.
Supported Languages​
The following slugs are accepted as arguments by the --langauge and
--test-language flags:
| Language | Slug |
|---|---|
| Go | go |
| Go Templates | go-templating |
| KCL | kcl |
| Python | python |
Examples​
Initialize a project called my-new-project using the AWS S3 bucket example
with Python functions and tests:
up project init my-new-project --template project-template-aws \
--language python
Initialize a project called my-new-project with Go functions and Python tests:
up project init my-new-project --template project-template-aws \
--language go --test-language python
Initialize a project using a public template repository at a specific ref:
up project init my-new-project \
--template 'https://github.com/upbound/project-template-aws@main' \
--language kcl
Initialize a project from a template using Git token authentication:
up project init my-new-project \
--template 'https://github.com/template/project-template-private.git' \
--language kcl \
--username 'username' \
--password 'token'
Initialize a project from a template using SSH authentication:
up project init my-new-project \
--template 'git@github.com:upbound/project-template-private.git' \
--language kcl \
--ssh-key /Users/username/.ssh/id_rsa
Initialize a new project from a private template using SSH authentication with an SSH key password:
up project init my-new-project \
--template 'git@github.com:upbound/project-template-private.git' \
--language kcl \
--ssh-key /Users/username/.ssh/id_rsa \
--password 'ssh-key-password'
Usage​
up project init <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | The name of the new project to initialize. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--directory | The directory to initialize. It must be empty. It will be created if it doesn't exist. | |
--scratch | Create a new project from scratch. | |
--template | -t | The template to use to initialize the new project. |
--values | Values to use for templating the project. | |
--state-file | Path to wizard state file. | |
--language | -l | The language to use to initialize the new project. |
--test-language | The language to use for tests in the new project. | |
--ssh-key | Optional. Specify an SSH key for authentication when initializing the new package. Used when transport protocol is 'ssh'. | |
--username | Optional. Specify a username for authentication. Used when transport protocol is 'https' and an SSH key is not provided, or with an SSH key when the transport protocol is 'ssh'. | |
--password | Optional. Specify a password for authentication. Used with the username when the transport protocol is 'https', or with an SSH key that requires a passphrase when the transport protocol is 'ssh'. |
up project move​
Update the repository for a project
Usage​
up project move <new-repository> [flags]
Arguments​
| Argument | Description |
|---|---|
<new-repository> | The new repository for the project. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to the project definition file. |
up project push​
Push a project's packages to the Upbound Marketplace.
Usage​
up project push [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--repository | Repository to push to. Overrides the repository specified in the project file. | |
--tag | -t | Tag for the built package. If not provided, a semver tag will be generated. |
--package-file | Package file to push. Discovered by default based on repository and tag. | |
--max-concurrency | Maximum number of functions to build at once. | |
--public | Create new repositories with public visibility. |
up project run​
Run a project on a development control plane for testing.
The run command builds and runs a project on a development control plane for
testing.
This command:
- Builds all embedded functions defined in the project
- Creates or uses an existing development control plane
- Pushes packages to the container registry
- Installs the project configuration on the control plane
- Updates kubeconfig to use the development control plane
Development Control Planes​
There are two kinds of development control planes:
- Local development control planes, which run in a KIND cluster on the development machine.
- Cloud development control planes, which run in Upbound Cloud Spaces.
Cloud development control planes are used by default when the current up
context is an Upbound Cloud Space. Use up ctx to update the current context.
Local development control planes are used by default otherwise, and can be
explicitly requested using the --local flag.
Local development control planes always use UXP v2.0 or newer, defaulting to the
latest version available. The default UXP version for cloud development control
planes depends on your project version: v1.x for v1alpha1 projects or v2.x for
v2alpha1 projects. The default version can be overridden with the
--control-plane-version flag.
It is also possible to run a project on an arbitrary UXP cluster referenced by
the current kubeconfig context by using the --use-current-context flag. Note
that this can be destructive, as it will create resources and install packages
in your cluster; it is not recommended to use up project run on shared or
production clusters.
Examples​
Run the project using the default development control plane type (see above):
up project run
Run the project on a control plane with a specific name, using the default type. The control plane will be created if it doesn't exist:
up project run --control-plane-name=my-dev-cp
Force a local development control plane to be used instead of a cloud development control plane:
up project run --local
Create a local development control plane with an ingress controller enabled. The Web UI will be accessible at localhost on a randomly assigned port:
up project run --local --ingress
Create a local development control plane with ingress mapped to specific port. The Web UI will be accessible at http://127-0-0-1.nip.io:8080:
up project run --local --ingress --ingress-port=8080:80
Run a project using the current kubeconfig context:
up project run --use-current-context
Override the repository specified in the project file to push to a different container registry. Note that when using a local development control plane packages are side-loaded, avoiding the need to push:
up project run --repository=xpkg.upbound.io/example/my-project
Run on a Spaces control plane with a specific name, allowing a non-development control plane to be used. This works with disconnected Spaces as well as Cloud Spaces:
up project run --force --control-plane-name=my-cp
Override the default UXP version used for a Spaces development control plane, for example to test a v1 project on a v2 control plane:
up project run --control-plane-version=v1.20.1-up.1
Apply imageconfig.yaml before installing the configuration and
providerconfig.yaml after installing the configuration:
up project run --init-resources=imageconfig.yaml --extra-resources=providerconfig.yaml
Usage​
up project run [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--repository | Repository for the built package. Overrides the repository specified in the project file. | |
--no-build-cache | Don't cache image layers while building. | |
--build-cache-dir | Path to the build cache directory. | |
--max-concurrency | Maximum number of functions to build and push at once. | |
--control-plane-group | The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context. | |
--control-plane-name | Name of the control plane to use. It will be created if not found. Defaults to the project name. | |
--control-plane-version | Version of Crossplane to use for the control plane. By default, the latest compatible version will be used. | |
--skip-control-plane-check | Allow running on a non-development control plane. | |
--local | Use a local dev control plane, even if Spaces is available. | |
--local-registry-path | Directory to use for local registry images. The default is system-dependent. | |
--no-update-kubeconfig | Do not update kubeconfig to use the dev control plane as its current context. | |
--use-current-context | Run the project with the current kubeconfig context rather than creating a new dev control plane. | |
--cache-dir | Directory used for caching dependencies. | |
--public | Create new repositories with public visibility. | |
--timeout | Maximum time to wait for the project to become ready in the control plane. Set to zero to wait forever. | |
--ingress | Enable ingress controller for the local dev control plane. | |
--ingress-port | Port mapping for the local dev control plane (e.g., '8080:80'). If not specified, a random available port will be selected when ingress is enabled. | |
--cluster-admin | Allow Crossplane cluster admin privileges in the local dev control plane. Defaults to true. | |
--init-resources | Paths to additional resource manifests that should be applied before installing the project. | |
--extra-resources | Paths to additional resource manifests that should be applied after installing the project. |
up project simulate​
Run a project as a simulation against an existing control plane.
Usage​
up project simulate <source-control-plane-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<source-control-plane-name> | Name of the source control plane |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--repository | Repository for the built package. Overrides the repository specified in the project file. | |
--no-build-cache | Don't cache image layers while building. | |
--build-cache-dir | Path to the build cache directory. | |
--max-concurrency | Maximum number of functions to build and push at once. | |
--name | -n | The name of the simulation resource |
--tag | An existing tag of the project to simulate. If not specified, defaults to building and pushing a new version | |
--output | -o | Output the results of the simulation to the provided file. Defaults to standard out if not specified |
--terminate-on-finish | Terminate the simulation after the completion criteria is met | |
--wait | Wait until the simulation completes and output the difference. | |
--complete-after | The amount of time the simulated control plane should run before ending the simulation | |
--control-plane-group | -g | The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context. |
--cache-dir | Directory used for caching dependencies. | |
--public | Create new repositories with public visibility. | |
--timeout | Maximum time to wait for the project to become ready in the control plane. Set to zero to wait forever. |
up project simulation​
Manage project simulations.
The simulate command manages project simulations. Simulations allow you to see
what changes would occur in a control plane after applying the latest version of
an Upbound project.
Examples​
Create a new simulation for the specified control plane, wait for the simulation to complete, then show results:
up project simulate create control-plane-name
Force completion of an in-progress project simulation (for example, because a simulation is stuck or taking too long):
up project simulate complete simulation-name
Delete a simulation, removing the simulation results and resources:
up project simulate delete simulation-name
Usage​
up project simulation <command> [flags]
up project simulation complete​
Force complete an in-progress project simulation
Usage​
up project simulation complete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | The name of the simulation resource |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--output | -o | Output the results of the simulation to the provided file. Defaults to standard out if not specified |
--terminate-on-finish | Terminate the simulation after the completion criteria is met | |
--control-plane-group | -g | The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context. |
up project simulation create​
Start a new project simulation and wait for the results.
Usage​
up project simulation create <source-control-plane-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<source-control-plane-name> | Name of the source control plane |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--repository | Repository for the built package. Overrides the repository specified in the project file. | |
--no-build-cache | Don't cache image layers while building. | |
--build-cache-dir | Path to the build cache directory. | |
--max-concurrency | Maximum number of functions to build and push at once. | |
--name | -n | The name of the simulation resource |
--tag | An existing tag of the project to simulate. If not specified, defaults to building and pushing a new version | |
--output | -o | Output the results of the simulation to the provided file. Defaults to standard out if not specified |
--terminate-on-finish | Terminate the simulation after the completion criteria is met | |
--wait | Wait until the simulation completes and output the difference. | |
--complete-after | The amount of time the simulated control plane should run before ending the simulation | |
--control-plane-group | -g | The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context. |
--cache-dir | Directory used for caching dependencies. | |
--public | Create new repositories with public visibility. | |
--timeout | Maximum time to wait for the project to become ready in the control plane. Set to zero to wait forever. |
up project simulation delete​
Delete a control plane simulation.
Usage​
up project simulation delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | The name of the simulation resource |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--control-plane-group | -g | The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context. |
up project stop​
Tear down a development control plane started by the run command.
Usage​
up project stop [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--control-plane-group | The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context. | |
--control-plane-name | Name of the control plane to stop. Defaults to the project name. | |
--skip-control-plane-check | Allow stopping a non-development control plane. | |
--force | Do not ask for confirmation before stopping the control plane. | |
--local | Find and stop a local dev control plane, even if Spaces is available. |
up project upgrade​
Upgrade a project to a newer API version.
The upgrade command upgrades a project to a newer API version.
Examples​
Upgrade the project in the current directory to the latest supported version:
up project upgrade
Upgrade a project with a custom project file name:
up project upgrade --project-file custom-project.yaml
Supported Upgrade Paths​
v1alpha1→v2alpha1: Adds Crossplane v2 features.
Usage​
up project upgrade [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
up repository​
Interact with repositories.
Usage​
up repository <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up repository create​
Create a repository.
Usage​
up repository create <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of repository. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--private | Make the new repository private. | |
--publish | Enable Upbound Marketplace listing page for the new repository. |
up repository delete​
Delete a repository.
Usage​
up repository delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of repository. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force deletion of repository. |
up repository get​
Get a repository for the account.
Usage​
up repository get <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of repo. |
up repository list​
List repositories for the account.
Usage​
up repository list [flags]
up repository permission​
Manage permissions of a repository for a team in the account.
Usage​
up repository permission <command> [flags]
up repository permission grant​
Grant repository permission for a team.
Usage​
up repository permission grant <team-name> <repository-name> <permission>
Arguments​
| Argument | Description |
|---|---|
<team-name> | Name of team. |
<repository-name> | Name of repository. |
<permission> | Permission type (admin, read, write, view). |
up repository permission list​
List all repository permissions for teams.
Usage​
up repository permission list <team-name>
Arguments​
| Argument | Description |
|---|---|
<team-name> | Name of the team. |
up repository permission revoke​
Revoke repository permission from a team.
Usage​
up repository permission revoke <team-name> <repository-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<team-name> | Name of team. |
<repository-name> | Name of repository. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force the revoke of the repository permission even if conflicts exist. |
up repository update​
Update a repository.
Usage​
up repository update --private --publish <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of repository. Required. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--private | Required The desired repository visibility. Required. | |
--publish | Required The desired repository publishing policy. Required. | |
--force | Force the repository update. |
up resource​
Gather information about resources in a cluster or control plane.
Usage​
up resource <command> [flags]
up resource count​
Count Crossplane resources in a cluster.
The up resource count command counts Crossplane resources in a Kubernetes cluster,
providing a summary of managed resources, composite resources, claims, and composed resources.
Usage​
up resource count [flags]
Examples​
# Count resources using the current kubeconfig context
up resource count
# Count resources using a specific kubeconfig file
up resource count --kubeconfig /path/to/kubeconfig
# Count resources using a specific context
up resource count --context my-cluster-context
# Output in JSON format
up resource count --format json
# Output in YAML format
up resource count --format yaml
Resource Types​
The command counts the following Crossplane resource types:
- Managed Resources: Resources directly managed by Crossplane providers (e.g., S3 Buckets, RDS Instances)
- Composite Resources (XRs): Custom resources defined by CompositeResourceDefinitions
- Composite Resource Claims (XRCs): Namespace-scoped claims for composite resources
- Composed Resources: Resources that are part of a composite resource's composition
- Total Resources: Sum of all counted resources
Notes​
- Resources are deduplicated to avoid double-counting
- ProviderConfig and related resources are excluded from the count
- The command discovers resources by examining CRDs owned by Crossplane providers and CompositeResourceDefinitions
Usage​
up resource count [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--kubeconfig | Path to kubeconfig file. | |
--context | Kubeconfig context to use. |
up robot​
Interact with robots.
Usage​
up robot <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up robot create​
Create a robot.
Usage​
up robot create <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of robot. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--description | Description of robot. |
up robot delete​
Delete a robot.
Usage​
up robot delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of robot. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force delete robot even if conflicts exist. |
up robot get​
Get a robot for the account.
Usage​
up robot get <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of robot. |
up robot list​
List robots for the account.
Usage​
up robot list [flags]
up robot team​
Interact with robot teams.
Usage​
up robot team <command> [flags]
up robot team join​
Add the robot to a team.
Usage​
up robot team join <team-name> <robot-name>
Arguments​
| Argument | Description |
|---|---|
<team-name> | Name of team. |
<robot-name> | Name of robot. |
up robot team leave​
Remove the robot from a team.
Usage​
up robot team leave <team-name> <robot-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<team-name> | Name of team. |
<robot-name> | Name of robot. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force the removal of a robot from a team even if conflicts exist. |
up robot team list​
List all teams the robot is a member of.
Usage​
up robot team list <robot-name>
Arguments​
| Argument | Description |
|---|---|
<robot-name> | Name of robot. |
up robot token​
Interact with robot tokens.
Usage​
up robot token <command> [flags]
up robot token create​
Create a token for the robot.
Usage​
up robot token create <robot-name> <token-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<robot-name> | Name of robot. |
<token-name> | Name of token. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--file | -f | file to write Token JSON, Use '-' to write to standard output. |
up robot token delete​
Delete a token for the robot.
Usage​
up robot token delete <robot-name> <token-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<robot-name> | Name of robot. |
<token-name> | Name of token. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force delete token even if conflicts exist. |
up robot token get​
Get a token for the robot.
Usage​
up robot token get <robot-name> <token-name>
Arguments​
| Argument | Description |
|---|---|
<robot-name> | Name of robot. |
<token-name> | Name of token. |
up robot token list​
List the tokens for the robot.
Usage​
up robot token list <robot-name>
Arguments​
| Argument | Description |
|---|---|
<robot-name> | Name of robot. |
up space​
Interact with Spaces.
Usage​
up space <command> [flags]
up space billing​
Usage​
up space billing <command>
up space billing export​
Export a billing report for submission to Upbound.
The export command collects billing data from cloud storage and creates a
billing report.
The storage location for the billing data used to create the report is supplied
using the optional --provider, --bucket, and --endpoint flags. If these
flags are missing, their values will be retrieved from the Spaces cluster from
your kubeconfig. Set --endpoint="" to use the storage provider's default
endpoint without checking your Spaces cluster for a custom endpoint.
Credentials and other storage provider configuration are supplied according to the instructions for each provider below.
AWS S3​
Supply configuration by setting these environment variables: AWS_REGION,
AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. For more options, see the
documentation at
https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/welcome.html
GCP Cloud Storage​
Supply credentials by setting the environment variable
GOOGLE_APPLICATION_CREDENTIALS with the location of a credential JSON
file. For more options, see the documentation at
https://cloud.google.com/docs/authentication/application-default-credentials.
Azure Blob Storage​
Supply configuration by setting these environment variables: AZURE_TENANT_ID,
AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET. For more options, see the
documentation at
https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication.
Examples​
Export a billing report for January 2024 from AWS S3 and write it to a file
called upbound_billing_report.tgz in the current directory:
up space billing export --provider=aws --bucket=my-bucket --account=my-account --billing-month=2024-01
Export a billing report for a custom date range from GCP Cloud Storage. Note that the date range is inclusive (Jan 1-15, 2024):
up space billing export --provider=gcp --bucket=my-bucket --account=my-account --billing-custom=2024-01-01/2024-01-15
Export a billing report for February 2024 from Azure Blob Storage and write it
to a custom output location, report.tgz:
up space billing export --provider=azure --bucket=my-container --azure-storage-account=storage-account --account=my-account --billing-month=2024-02 -o report.tgz
Usage​
up space billing export --provider=PROVIDER --bucket=STRING --account=STRING --billing-month=TIME --billing-custom=BILLING-CUSTOM [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--out | -o | Name of the output file. |
--provider | Required Storage provider. Must be one of: aws, gcp, azure. | |
--bucket | Required Storage bucket. | |
--endpoint | Custom storage endpoint. | |
--account | Required Name of the Upbound account whose billing report is being collected. | |
--azure-storage-account | Name of the Azure storage account. Required for --provider=azure. | |
--billing-month | Required Export a report for a billing period of one calendar month. Format: 2006-01. | |
--billing-custom | Required Export a report for a custom billing period. Date range is inclusive. Format: 2006-01-02/2006-01-02. | |
--force-incomplete | Export a report for an incomplete billing period. |
up space billing report​
Manage billing reports.
Usage​
up space billing report <command>
up space billing report update​
Create or update an existing billing report by merging data from a local billing report tarball.
This command takes a billing report produced by 'up space billing export' and adds its data to a target billing report. An existing target report is updated in place. If the target report doesn't exist, it will be created using the data from the source tarball.
The target report can be stored on the local file system or in cloud storage.
Credentials and other storage provider configuration are supplied according to the instructions for each provider below.
AWS S3​
Supply configuration by setting these environment variables: AWS_REGION, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY. For more options, see the documentation at https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/welcome.html
GCP Cloud Storage​
Supply credentials by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS with the location of a credential JSON file. For more options, see the documentation at https://cloud.google.com/docs/authentication/application-default-credentials.
Examples​
Update a local billing report with data from a new export:
up space billing report update existing_report.tgz new_data.tgz
Update a billing report stored in AWS S3:
up space billing report update reports/existing_report.tgz new_data.tgz --provider=aws --bucket=my-bucket
Update a report in GCP Cloud Storage:
up space billing report update reports/existing_report.tgz new_data.tgz --provider=gcp --bucket=my-bucket
Usage​
up space billing report update <target> <source> [flags]
Arguments​
| Argument | Description |
|---|---|
<target> | Path to billing report to update (local file path or cloud storage object key). |
<source> | Path to local billing report containing new data. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--provider | Storage provider (required for cloud storage). Must be one of: aws, gcp. | |
--bucket | Storage bucket (required for cloud storage). | |
--endpoint | Custom storage endpoint. |
up space connect​
Connect an Upbound Space to the Upbound web console.
Usage​
up space connect [<space>] [flags]
Arguments​
| Argument | Description |
|---|---|
<space> | Optional Name of the Upbound Space. If name is not a supplied, one is generated. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--registry-repository | Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix. | |
--registry-endpoint | Set registry endpoint, including scheme, for authentication. | |
--token-file | File containing authentication token. Expecting a JSON file. Example: {"accessId": " | |
--registry-username | Set the registry username. | |
--registry-password | Set the registry password. | |
--robot-token | The Upbound robot token contents used to authenticate the connection. | |
--up-environment | Override the default Upbound Environment. |
up space destroy​
Remove the Upbound Spaces deployment.
Usage​
up space destroy [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--registry-repository | Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix. | |
--registry-endpoint | Set registry endpoint, including scheme, for authentication. | |
--yes-really-delete-space-and-all-data | Bypass safety checks and destroy Spaces | |
--orphan | Remove Space components but retain Control Planes and data |
up space disconnect​
Disconnect an Upbound Space from the Upbound web console.
Usage​
up space disconnect [<space>] [flags]
Arguments​
| Argument | Description |
|---|---|
<space> | Optional Name of the Upbound Space. If name is not a supplied, it will be determined from the connection info in the space. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--registry-repository | Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix. | |
--registry-endpoint | Set registry endpoint, including scheme, for authentication. |
up space init​
Initialize an Upbound Spaces deployment.
Usage​
up space init <version> [flags]
Arguments​
| Argument | Description |
|---|---|
<version> | Upbound Spaces version to install. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--set | Set parameters. | |
--file | -f | Parameters file. |
--bundle | Local bundle path. | |
--registry-repository | Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix. | |
--registry-endpoint | Set registry endpoint, including scheme, for authentication. | |
--token-file | File containing authentication token. Expecting a JSON file. Example: {"accessId": " | |
--registry-username | Set the registry username. | |
--registry-password | Set the registry password. | |
--yes | Answer yes to all questions | |
--public-ingress | For AKS,EKS,GKE expose ingress publically |
up space license​
Usage​
up space license <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up space license apply​
Apply a Space license from a license file.
Usage​
up space license apply <license-file> [flags]
Arguments​
| Argument | Description |
|---|---|
<license-file> | File containing the license key. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--namespace | Namespace in which to create the license key secret. |
up space license remove​
Remove the Space license.
Usage​
up space license remove [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Do not ask for confirmation before removing the license. |
up space license show​
Show the Space license.
Usage​
up space license show [flags]
up space list​
List all accessible spaces in Upbound.
Usage​
up space list [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up space mirror​
Managing the mirroring of artifacts to local storage or private container registries.
The mirror command mirrors all required OCI artifacts for a specific Spaces
version.
Examples​
Mirror all artifacts for Spaces version 1.9.0 into a local directory as
.tar.gz files, using the token file for authentication:
up space mirror -v 1.9.0 --output-dir=/tmp/output --token-file=upbound-token.json
Mirror all artifacts for Spaces version 1.9.0 to a specified container registry,
using the token file for authentication. Note that you must log in to the mirror
registry first using a command like docker login myregistry.io:
up space mirror -v 1.9.0 --destination-registry=myregistry.io --token-file=upbound-token.json
Print the artifacts that would be mirrored into a local directory for Spaces version 1.9.0, using the token file for authentication. A request is made to the Upbound registry to confirm network access:
up space mirror -v 1.9.0 --output-dir=/tmp/output --token-file=upbound-token.json --dry-run
Usage​
up space mirror --version=STRING [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--registry-repository | Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix. | |
--registry-endpoint | Set registry endpoint, including scheme, for authentication. | |
--token-file | File containing authentication token. Expecting a JSON file. Example: {"accessId": " | |
--registry-username | Set the registry username. | |
--registry-password | Set the registry password. | |
--output-dir | -t | The local directory path where exported artifacts will be saved as .tgz files. |
--destination-registry | -d | The target container registry where the artifacts will be mirrored. |
--version | -v | Required The specific Spaces version for which the artifacts will be mirrored. |
--dry-run | Print what would be mirrored but do not take action. |
up space upgrade​
Upgrade the Upbound Spaces deployment.
Usage​
up space upgrade <version> [flags]
Arguments​
| Argument | Description |
|---|---|
<version> | Upbound Spaces version to upgrade to. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--set | Set parameters. | |
--file | -f | Parameters file. |
--bundle | Local bundle path. | |
--registry-repository | Set registry for where to pull OCI artifacts from. This is an OCI registry reference, i.e. a URL without the scheme or protocol prefix. | |
--registry-endpoint | Set registry endpoint, including scheme, for authentication. | |
--token-file | File containing authentication token. Expecting a JSON file. Example: {"accessId": " | |
--registry-username | Set the registry username. | |
--registry-password | Set the registry password. | |
--yes | Answer yes to all questions | |
--rollback | Rollback to previously installed version on failed upgrade. |
up support-bundle​
Collect support bundles for troubleshooting.
Usage​
up support-bundle <command> [flags]
up support-bundle collect​
Collect a support bundle from the current kube context.
The up support-bundle collect command allows you to collect diagnostic information from
your Kubernetes cluster or control plane for troubleshooting purposes.
Usage​
up support-bundle collect [flags]
Examples​
# Collect a support bundle with default settings
up support-bundle collect
# Collect a support bundle to a specific location
up support-bundle collect --output /tmp/my-support-bundle.tar.gz
# Collect a support bundle with a custom configuration file
up support-bundle collect --config my-config.yaml
# Collect a support bundle from specific namespaces
# By default, crossplane-system, upbound-system, and namespaces labeled with
# internal.spaces.upbound.io/controlplane-name or spaces.upbound.io/group are included.
up support-bundle collect --include-namespaces crossplane-system,upbound-system
# Include namespaces using glob patterns
up support-bundle collect --include-namespaces upbound-*
# Exclude certain namespaces from the support bundle
up support-bundle collect --exclude-namespaces kube-system
# Exclude namespaces using glob patterns
up support-bundle collect --exclude-namespaces upbound-*
# Collect only Crossplane resources (no logs, only CRDs and custom resources)
up support-bundle collect --crossplane-resources-only
Configuration File​
You can provide a custom SupportBundle configuration file using the --config flag.
The configuration file can include both the SupportBundle spec and Redactors in a
single file using multi-document YAML format (separated by ---).
When using --config, the --include-namespaces and --exclude-namespaces flags
are ignored. The namespaces specified in the configuration file will be used instead.
To generate a template configuration file that you can customize, use the
up support-bundle template command:
# Generate a template and save it to a file
up support-bundle template > my-config.yaml
# Then use it with the collect command
up support-bundle collect --config my-config.yaml
Security​
All sensitive information is automatically redacted from the support bundle, including:
- Kubernetes secrets
- Passwords
- API keys
- IPv4 addresses in logs
- ConfigMap data fields
- EnvironmentConfig data fields
- Other sensitive data
This ensures that support bundles can be safely shared for troubleshooting purposes. You can customize redactors by including them in your configuration file as a separate YAML document.
Important: Before sharing a support bundle, always verify that no sensitive data remains in the bundle. While automatic redaction covers common cases, you should review the bundle contents to ensure all sensitive information has been properly removed.
Usage​
up support-bundle collect [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--kubeconfig | -k | Path to the kubeconfig file. If not provided, the default kubeconfig resolution will be used. |
--include-namespaces | Namespaces to include in the support bundle. When not specified, collects crossplane-system, upbound-system, and namespaces labeled with internal.spaces.upbound.io/controlplane-name or spaces.upbound.io/group. Supports glob patterns (e.g., upbound-*). Multiple patterns can be specified. | |
--exclude-namespaces | Namespaces to exclude from the support bundle. Supports glob patterns (e.g., upbound-* to exclude all namespaces starting with "upbound-"). Multiple patterns can be specified. | |
--config | -c | Path to a SupportBundle YAML configuration file. If provided, this will be used instead of the default configuration. Redactors can be included in the same file as a separate YAML document (multi-document YAML). |
--output | -o | Output file path for the support bundle archive. If not specified, a timestamped filename will be used (e.g., upbound-support-bundle-20250105-163905.tar.gz). |
--crossplane-resources-only | -x | Collect only Crossplane CRDs and custom resources. When this flag is set, log collectors are excluded and only Crossplane-related resources are included in the bundle. |
up support-bundle serve​
Serve support bundle files via a local Kubernetes API server for live viewing.
The up support-bundle serve command serves support bundle files over HTTP for live viewing.
It starts a local Kubernetes API server (not a full cluster), imports the support bundle resources,
and provides a kubeconfig file that allows you to interact with the bundle using standard
Kubernetes tools like kubectl or k9s.
Note: This runs only the API server for viewing collected data, no workloads are actually running.
Usage​
up support-bundle serve [path] [flags]
Examples​
# Serve a support bundle tar.gz file
up support-bundle serve ./upbound-support-bundle.tar.gz
# Serve on a custom port
up support-bundle serve --port 9090
# Specify a custom kubeconfig output path
up support-bundle serve --kubeconfig-path ./my-kubeconfig
Viewing the Bundle​
Once the server is running, you can use standard Kubernetes tools to view the bundle contents:
kubectl --kubeconfig=./support-bundle-kubeconfig get pods --all-namespaces
kubectl --kubeconfig=./support-bundle-kubeconfig get all -A
kubectl --kubeconfig=./support-bundle-kubeconfig logs <pod-name> -n <namespace>
Usage​
up support-bundle serve [<path>] [flags]
Arguments​
| Argument | Description |
|---|---|
<path> | Optional Path to support bundle directory or archive. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--host | Host to serve on. | |
--port | Port to serve on. 0 means a random port will be chosen. | |
--kubeconfig-path | -k | Where to write the kubeconfig file. |
--envtest-arch | -a | Arch value for Kubernetes API Server assets. |
--debug | -d | Enable debug output. |
up support-bundle template​
Output the default SupportBundle YAML configuration template.
The up support-bundle template command outputs the default SupportBundle YAML configuration
template that can be used as a starting point for custom support bundle configurations.
Usage​
up support-bundle template [flags]
Examples​
# Output the default support bundle template
up support-bundle template
# Output a template with specific namespaces
up support-bundle template --include-namespaces crossplane-system,upbound-system
# Save the template to a file
up support-bundle template > my-support-bundle-config.yaml
# Use the configuration file with the collect command
up support-bundle collect --config my-support-bundle-config.yaml
Usage​
up support-bundle template [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--kubeconfig | -k | Path to the kubeconfig file. If not provided, the default kubeconfig resolution will be used. |
--include-namespaces | Namespaces to include in the support bundle. When not specified, collects crossplane-system, upbound-system, and namespaces labeled with internal.spaces.upbound.io/controlplane-name or spaces.upbound.io/group. Supports glob patterns (e.g., upbound-*). Multiple patterns can be specified. | |
--exclude-namespaces | Namespaces to exclude from the support bundle. Supports glob patterns (e.g., upbound-* to exclude all namespaces starting with "upbound-"). Multiple patterns can be specified. |
up team​
Interact with teams.
Usage​
up team <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up team create​
Create a team.
Usage​
up team create <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of Team. |
up team delete​
Delete a team.
Usage​
up team delete <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of team. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force delete team even if conflicts exist. |
up team get​
Get a team.
Usage​
up team get <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name of team. |
up team list​
List teams.
Usage​
up team list [flags]
up test​
Manage and run tests for projects.
Usage​
up test <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up test generate​
Generate a Test for a project.
The generate command creates tests in the specified language.
Supported languages: kcl (default), python, go, go-templating, yaml
Examples​
Create a composition test with the default language (KCL) in the folder
tests/test-xstoragebucket:
up test generate xstoragebucket
Create a composition test in Python and write it to the folder
tests/test-xstoragebucket:
up test generate xstoragebucket --language python
Create an e2e test in Python and write it to the folder
tests/e2etest-xstoragebucket:
up test generate xstoragebucket --language python --e2e
Create a composition test in raw YAML and write it
to the folder tests/test-xstoragebucket:
up test generate xstoragebucket --language yaml
Usage​
up test generate <name> [flags]
Arguments​
| Argument | Description |
|---|---|
<name> | Name for the new Function. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--cache-dir | Directory used for caching dependency images. | |
--language | -l | Language for test. |
--e2e | create e2e tests | |
--operation | create operation tests |
up test run​
Run project tests.
The run command executes project tests. By default, only composition tests are
executed; with the --e2e flag, only e2e tests are executed.
Examples​
Run all composition tests located in the 'tests/' directory:
up test run tests/*
Override function annotations for a remote Docker daemon:
DOCKER_HOST=tcp://192.168.1.100:2376 up test run tests/* \
--function-annotations render.crossplane.io/runtime-docker-publish-address=0.0.0.0 \
--function-annotations render.crossplane.io/runtime-docker-target=192.168.1.100
Run all end-to-end (e2e) tests located in the 'tests/' directory:
up test run tests/* --e2e
Run all operation tests located in the 'tests/' directory:
up test run tests/* --operation
Run e2e tests in tests/ while specifying custom paths for the kubectl
binary:
up test run tests/* --e2e --kubectl=.tools/kubectl
Run e2e tests in tests/, overriding the default control plane version:
up test run tests/* --e2e --control-plane-version=v2.0.2-up.5
Skip cleanup after e2e test completion by setting skipDelete: true in the test
spec. This leaves the control plane and all test resources (including claims and
managed resources) intact for manual inspection and debugging:
apiVersion: meta.dev.upbound.io/v1alpha1
kind: E2ETest
metadata:
name: my-test
spec:
skipDelete: true # Skip all cleanup after test completion
manifests:
- apiVersion: example.com/v1
kind: MyResource
# ...
Note: The --skip-control-plane-cleanup flag is different - it keeps the
control plane running but still deletes test manifests (claims/XRs) after the
test completes. Use skipDelete: true in the test spec if you want to preserve
the test manifests as well.
Usage​
up test run <patterns> ... [flags]
Arguments​
| Argument | Description |
|---|---|
<patterns> | The path to the test manifests |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--project-file | -f | Path to project definition file. |
--repository | Repository for the built package. Overrides the repository specified in the project file. | |
--no-build-cache | Don't cache image layers while building. | |
--build-cache-dir | Path to the build cache directory. | |
--max-concurrency | Maximum number of functions to build and push at once. | |
--control-plane-group | The control plane group that the control plane to use is contained in. This defaults to the group specified in the current context. | |
--control-plane-name-prefix | Prefix of the control plane name to use. It will be created if not found. | |
--control-plane-version | Version of Crossplane to use for the control plane. By default, the latest compatible version will be used. | |
--skip-control-plane-check | Allow running on a non-development control plane. | |
--local | Use a local dev control plane, even if Spaces is available. | |
--cluster-admin | Allow Crossplane cluster admin privileges in the local dev control plane. Defaults to true. | |
--local-registry-path | Directory to use for local registry images. The default is system-dependent. | |
--skip-control-plane-cleanup | Skip cleanup of the control plane after the test run. | |
--use-current-context | Run the project with the current kubeconfig context rather than creating a new dev control plane. | |
--cache-dir | Directory used for caching dependencies. | |
--function-annotations | Override function annotations for all functions (compositionTests and operationTests). Can be repeated. | |
--kubectl | Absolute path to the kubectl binary. Defaults to the one in $PATH. | |
--public | Create new repositories with public visibility. | |
--e2e | Run E2E tests | |
--operation | Run Operation tests |
up token​
Interact with personal access tokens.
Usage​
up token <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up token create​
Create a personal access token for the current user.
Usage​
up token create <token-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<token-name> | Name of token. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--file | -f | file to write Token JSON, Use '-' to write to standard output. |
up token delete​
Delete a personal access token for the current user.
Usage​
up token delete <token-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<token-name> | Name of token. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Force delete token even if conflicts exist. |
up token get​
Get a personal access token for the current user.
Usage​
up token get <token-name> [flags]
Arguments​
| Argument | Description |
|---|---|
<token-name> | Name of token. |
up token list​
Get all personal access tokens for the current user.
Usage​
up token list [flags]
up uxp​
Interact with UXP.
Usage​
up uxp <command> [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. |
up uxp install​
Install UXP.
Usage​
up uxp install [<version>] [flags]
Arguments​
| Argument | Description |
|---|---|
<version> | Optional UXP version to install. Should be >= 2.0.0-up.0, use the helm chart to install uxp v1. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--set | Set parameters. | |
--file | -f | Parameters file. |
--bundle | Local bundle path. | |
--unstable | Allow installing unstable versions. | |
--disable-web-ui | Disable the UXP web UI. | |
--cluster-admin | Install UXP with cluster admin permissions. NOT FOR PRODUCTION PURPOSES. |
up uxp license​
Manage UXP licenses.
Usage​
up uxp license <command> [flags]
up uxp license apply​
Apply a UXP license to a control plane. Specify either a license file or use --dev for development clusters.
Usage​
up uxp license apply [<license-file>] [flags]
Arguments​
| Argument | Description |
|---|---|
<license-file> | Optional File containing the license key (required unless using --dev). |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--dev | Apply embedded development license for single-node kind clusters. | |
--namespace | Namespace in which to create the license key secret. |
up uxp license remove​
Remove the UXP license from a control plane.
Usage​
up uxp license remove [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--force | Do not ask for confirmation before removing the license. |
up uxp license show​
Show the UXP license for a control plane.
Usage​
up uxp license show
up uxp uninstall​
Uninstall UXP.
Usage​
up uxp uninstall [flags]
up uxp upgrade​
Upgrade UXP.
Usage​
up uxp upgrade [<version>] [flags]
Arguments​
| Argument | Description |
|---|---|
<version> | Optional UXP version to upgrade. Should be >= 2.0.0-up.0, use the helm chart to install uxp v1. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--set | Set parameters. | |
--file | -f | Parameters file. |
--bundle | Local bundle path. | |
--rollback | Rollback to previously installed version on failed upgrade. | |
--force | Force upgrade even if versions are incompatible. | |
--unstable | Allow installing unstable versions. |
up uxp web-ui​
Manage the UXP web UI.
Usage​
up uxp web-ui <command> [flags]
up uxp web-ui disable​
Disable the UXP web UI.
Usage​
up uxp web-ui disable [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--unstable | Allow upgrading unstable chart versions. |
up uxp web-ui enable​
Enable the UXP web UI.
Usage​
up uxp web-ui enable [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--unstable | Allow upgrading unstable chart versions. |
up uxp web-ui open​
Open the UXP web UI.
Usage​
up uxp web-ui open [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--host | Host to listen on for port-forward. | |
--port | Port to listen on for port-forward (0 for automatic selection). | |
--browser | Open the web UI in a browser window. |
up version​
Show current version.
The version command prints the current version of up as well as the Space or
UXP cluster referenced by the current context.
Usage​
up version [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--client | If true, shows client version only (no server required). |
up xpkg​
Deprecated. Please migrate to up project or use the crossplane CLI.
This command is deprecated and will be removed in a future release.
To build Crossplane packages with up, use the project commands. To work with non-project Crossplane packages, use the Crossplane CLI.
Usage​
up xpkg <command> [flags]
up xpkg append​
Append additional files to an xpkg.
The append command creates a tarball from a local directory of additional
package assets, such as images or documentation, and appends them to a remote
package.
If your remote image is already signed, this command will invalidate current signatures and the updated image will need to be re-signed.
Examples​
Add all files from ./extensions to a remote image and create a new index with
the extensions included:
up alpha xpkg-append --extensions-root=./extensions \
registry.example.com/my-organization/my-repo@sha256:digest
Add documentation files to a package and save to a different tag, preserving the original package at the source reference:
up alpha xpkg-append --extensions-root=./docs \
--destination=registry.example.com/my-organization/my-repo:v1.0.1 \
registry.example.com/my-organization/my-repo@sha256:digest
Usage​
up xpkg append <remote-ref> [flags]
Arguments​
| Argument | Description |
|---|---|
<remote-ref> | The fully qualified remote image reference |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--destination | Optional OCI reference to write to. If not set, the command will modify the input reference. | |
--extensions-root | An optional directory of arbitrary files for additional consumers of the package. |
up xpkg batch​
Batch build and push a family of service-scoped provider packages.
Usage​
up xpkg batch --family-base-image=STRING --provider-name=STRING --family-package-url-format=STRING [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--family-base-image | Required Family image used as the base for the smaller provider packages. | |
--provider-name | Required Provider name, such as provider-aws to be used while formatting smaller provider package repositories. | |
--family-package-url-format | Required Family package URL format to be used for the smaller provider packages. Must be a valid OCI image URL with the format specifier "%s", which will be substituted with | |
--smaller-providers | Smaller provider names to build and push, such as ec2, eks or config. | |
--concurrency | Maximum number of packages to process concurrently. Setting it to 0 puts no limit on the concurrency, i.e., all packages are processed in parallel. | |
--push-retry | Number of retries when pushing a provider package fails. | |
--platform | Platforms to build the packages for. Each platform should use the | |
--provider-bin-root | -p | Provider binary paths root. Smaller provider binaries should reside under the platform directories in this folder. |
--output-dir | -o | Path of the package output directory. |
--store-packages | Smaller provider names whose provider package should be stored under the package output directory specified with the --output-dir option. | |
--package-metadata-template | Smaller provider metadata template. The template variables {{ .Service }} and {{ .Name }} will be substituted when the template is executed among with the supplied template variable substitutions. | |
--template-var | Smaller provider metadata template variables to be used for the specified template. | |
--examples-group-override | Overrides for the location of the example manifests folder of a smaller provider. | |
--crd-group-override | Overrides for the locations of the CRD folders of the smaller providers. | |
--package-repo-override | Overrides for the package repository names of the smaller providers. | |
--providers-with-auth-ext | Smaller provider names for which we need to configure the authentication extension. | |
--examples-root | -e | Path to package examples directory. |
--crd-root | Path to package CRDs directory. | |
--auth-ext | Path to an authentication extension file. | |
--ignore | Paths to exclude from the smaller provider packages. | |
--create | Create repository on push if it does not exist. | |
--build-only | Only build the smaller provider packages and do not attempt to push them to a package repository. | |
--provider-name-suffix-for-push | Suffix for provider name during pushing the packages. This suffix is added to the end of the provider name. If there is a service name for the corresponded provider, then the suffix will be added to the base provider name and the service-scoped name will be after this suffix. Examples: provider-family-aws-suffix, provider-aws-suffix-s3 |
up xpkg build​
Build a package, by default from the current directory.
This command is deprecated and will be removed in a future release.
To build Crossplane packages with up, use the project commands. To work with non-project Crossplane packages, use the Crossplane CLI.
Usage​
up xpkg build [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--name | [DEPRECATED: use --output] Name of the package to be built. Uses name in crossplane.yaml if not specified. Does not correspond to package tag. | |
--output | -o | Path for package output. |
--controller | Controller image used as base for package. | |
--package-root | -f | Path to package directory. |
--examples-root | -e | Path to package examples directory. |
--helm-root | -h | Path to helm directory. |
--auth-ext | -a | Path to an authentication extension file. |
--ignore | Paths, specified relative to --package-root, to exclude from the package. |
up xpkg push​
Push a package.
Usage​
up xpkg push <tag> [flags]
Arguments​
| Argument | Description |
|---|---|
<tag> | Tag of the package to be pushed. Must be a valid OCI image tag. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--package | -f | Path to packages. If not specified and only one package exists in current directory it will be used. |
--create | Create repository on push if it does not exist. |
up xpkg xp-extract​
Extract package contents into a Crossplane cache compatible format. Fetches from a remote registry by default.
Usage​
up xpkg xp-extract [<package>] [flags]
Arguments​
| Argument | Description |
|---|---|
<package> | Optional Name of the package to extract. Must be a valid OCI image tag or a path if using --from-xpkg. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--domain | Root Upbound domain. Overrides the current profile's domain. | |
--profile | Profile used to execute command. | |
--account | -a | Deprecated. Use organization instead. |
--organization | Organization used to execute command. Overrides the current profile's organization. | |
--ca-bundle | Path to CA bundle file to prepend to existing CAs | |
--insecure-skip-tls-verify | [INSECURE] Skip verifying TLS certificates. | |
--debug | -d | [INSECURE] Run with debug logging. Repeat to increase verbosity. Output might contain confidential data like tokens. |
--override-api-endpoint | Overrides the default API endpoint. | |
--override-auth-endpoint | Overrides the default auth endpoint. | |
--override-proxy-endpoint | Overrides the default proxy endpoint. | |
--override-registry-endpoint | Overrides the default registry endpoint. | |
--override-accounts-endpoint | Overrides the default accounts endpoint. | |
--kubeconfig | Override default kubeconfig path. | |
--kubecontext | Override default kubeconfig context. | |
--from-daemon | Indicates that the image should be fetched from the Docker daemon. | |
--from-xpkg | Indicates that the image should be fetched from a local xpkg. If package is not specified and only one exists in current directory it will be used. | |
--output | -o | Package output file path. Extension must be .gz or will be replaced. |
up xpls​
Start xpls language server.
Usage​
up xpls <command> [flags]
up xpls serve​
run a server for Crossplane definitions using the Language Server Protocol.
Usage​
up xpls serve [flags]
Flags​
| Flag | Short Form | Description |
|---|---|---|
--cache | Directory path for dependency schema cache. | |
--verbose | Run server with verbose logging. |
up xrd​
Manage XRDs from Composite Resources(XR) or Claims(XRC).
Usage​
up xrd <command> [flags]
up xrd convert​
Convert an XRD to CRDs for validation purposes.
The convert command converts a CompositeResourceDefinition (XRD) to CRDs
(CustomResourceDefinitions) for validation purposes. This enables validation of
claims against schemas in CI workflows without needing to apply resources to a
control plane cluster.
The command always generates a Composite Resource (XR) CRD from the XRD.
For v1 XRDs: If the XRD defines claim names, a Claim CRD will also be generated.
For v2 XRDs: CRDs are generated based on the scope specified in the XRD (Cluster-scoped or Namespaced)
Examples​
Convert an XRD to CRDs and save them in the current directory:
up xrd convert path/to/xrd.yaml
Convert an XRD to CRDs and save them in a specific output directory:
up xrd convert path/to/xrd.yaml -o ./generated-crds
For v1 XRDs:
xwebapps.platform.example.com.yaml- Composite Resource (XR) CRDwebapps.platform.example.com.yaml- Claim CRD (if claim names are defined)
For v2 XRDs:
webapps.platform.example.com.yaml
Usage​
up xrd convert <file> [flags]
Arguments​
| Argument | Description |
|---|---|
<file> | Path to the XRD file to convert. |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--output-dir | -o | Directory where the generated CRD files will be saved. |
up xrd generate​
Generate an XRD from a Composite Resource (XR) or Claim (XRC).
The generate command creates a CompositeResourceDefinition (XRD) from a given
Composite Resource (XR) and generates associated language models for function
usage.
Examples​
Generate a CompositeResourceDefinition (XRD) based on the specified Composite Resource and save it to the default APIs folder in the project:
up xrd generate examples/cluster/example.yaml
Generate a CompositeResourceDefinition (XRD) with a specified plural form, useful for cases where automatic pluralization may not be accurate (e.g., "postgres"):
up xrd generate examples/postgres/example.yaml --plural postgreses
Generate a CompositeResourceDefinition (XRD) and save it to a custom path within the project's default APIs folder:
up xrd generate examples/postgres/example.yaml --path database/definition.yaml
Generate a CompositeResourceDefinition (XRD) from a ResourceGraphDefinition:
up xrd generate rgd/network.yaml --input rgd
Generate a CompositeResourceDefinition (XRD) from SimpleSchema:
up xrd generate simpleschema/network.yaml --input SimpleSchema
Usage​
up xrd generate <file> [flags]
Arguments​
| Argument | Description |
|---|---|
<file> | Path to the file containing the Composite Resource (XR) or Composite Resource Claim (XRC). |
Flags​
| Flag | Short Form | Description |
|---|---|---|
--cache-dir | Directory used for caching dependency images. | |
--path | Path to the output file where the Composite Resource Definition (XRD) will be saved. | |
--plural | Optional custom plural form for the Composite Resource Definition (XRD). | |
--output | -o | Output format for the results: 'file' to save to a file, 'yaml' to print XRD in YAML format, 'json' to print XRD in JSON format. |
--input | Input format: xr (default), rgd, ResourceGraphDefinition, or SimpleSchema. | |
--project-file | -f | Path to project definition file. |