Beyond Terraform: Building a Self-Healing Cloud Control Plane with Crossplane and Kubernetes

Discover how Crossplane and Kubernetes evolve Infrastructure as Code into a self-healing control plane, eliminating drift and empowering platform engineering teams.


For the last decade, Terraform has been the undisputed king of Infrastructure as Code (IaC). It allowed us to escape the nightmare of clicking through web consoles and gave us the power of version-controlled infrastructure. We wrote HCL, we ran terraform apply, and we felt like wizards.

But there is a subtle flaw in the traditional IaC model: it is a fire-and-forget mechanism. Once Terraform provisions a database or a load balancer, its job is effectively done until you run it again. But what happens in between? What happens when a junior dev manually changes a security group in the AWS console? What happens when 'configuration drift' silently creeps in?

At Nohatek, we believe the future of cloud infrastructure isn't just about provisioning; it's about reconciling. It is time to move beyond static scripts and build a Self-Healing Cloud Control Plane. By combining the power of Kubernetes with Crossplane, we can shift from Infrastructure as Code to Infrastructure as Data, creating systems that not only deploy themselves but actively monitor and fix themselves.


The 'Fire and Forget' Dilemma: Why Terraform Isn't Enough


To understand the value of a control plane, we first need to look at the limitations of standard IaC tools. Terraform operates on a client-side model. It relies on a state file (usually stored in S3 or Terraform Cloud) to understand what the world should look like. When you run a pipeline, it compares that state file to reality and makes changes.

The problem is that Terraform is only aware of the state of your infrastructure when you explicitly tell it to run.

If an incident occurs at 3:00 AM because a configuration was changed manually, Terraform won't save you unless you have a scheduled job running constantly, which risks locking state files and creating race conditions. The gap that opens between the state file and the real infrastructure is known as Configuration Drift.

Furthermore, traditional IaC often creates a bottleneck. Developers need resources, but they aren't infrastructure experts. They open a ticket, the DevOps team writes the Terraform module, applies it, and hands over credentials. This friction slows down innovation and turns the DevOps team into a service desk rather than a platform engineering team.

Enter Crossplane: The Kubernetes Control Loop for Cloud


Kubernetes (K8s) won the container orchestration war because of its Control Loop. You tell K8s: 'I want 3 replicas of this app.' K8s constantly checks: 'Do I have 3? No, I have 2. I will spin one up.' It is constantly reconciling the Desired State with the Actual State.

Crossplane extends this superpower beyond containers to cloud resources. It allows you to provision AWS S3 buckets, Google Cloud SQL instances, or Azure VNets using Kubernetes YAML manifests. It turns your Kubernetes cluster into a Universal Control Plane.

Why is this revolutionary?

  • Continuous Reconciliation (Self-Healing): If someone deletes a Crossplane-managed firewall rule in the cloud console, Crossplane detects the drift within seconds and recreates it automatically. No human intervention required.
  • Unified API: Developers don't need to learn HCL for infrastructure and YAML for apps. Everything is a Kubernetes object. They can manage a database exactly how they manage a Pod.
  • GitOps Native: Since everything is a K8s manifest, you can use ArgoCD or Flux to manage your entire cloud footprint.

Building the Platform: Compositions and Abstractions


The real magic of Crossplane isn't just mapping 1:1 with cloud resources (e.g., creating an RDSInstance object). The real power lies in Compositions and the Composite Resources (XRs) they produce. This is where Platform Engineering shines.

As a CTO or Lead Architect, you don't want every developer defining the specific IOPS, engine version, and VPC peering settings for every database. You want to offer them a 'Golden Path.'

With Crossplane, you can define a Composite Resource Definition (XRD) called NohatekDatabase. You can define that when a developer requests a NohatekDatabase of size small, Crossplane automatically:

  1. Provisions an AWS RDS instance with specific cost-optimized tiers.
  2. Creates a Kubernetes Secret with the connection details.
  3. Sets up the necessary Security Groups.
  4. Configures the subnet placement.
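As an added example (not from the post, and not Nohatek's actual definition), here is what the XRD behind such a claim could look like. The schema is where the golden path is enforced: a claim with an engine outside the enum or a storage size outside the range is rejected by the API server before any Composition runs. The group, kind names, connection secret keys, limits and the optional size field are assumptions.

```yaml
# Added example XRD; all names and limits are assumed, not the post's.
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: xnohatekdatabases.nohatek.com
spec:
  group: nohatek.com
  names:
    kind: XNohatekDatabase          # cluster-scoped composite resource
    plural: xnohatekdatabases
  claimNames:
    kind: NohatekDatabase           # namespaced claim developers write
    plural: nohatekdatabases
  # Only these keys are propagated into the claim's connection Secret.
  connectionSecretKeys:
    - username
    - password
    - endpoint
    - port
  versions:
    - name: v1alpha1
      served: true
      referenceable: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                parameters:
                  type: object
                  properties:
                    storageGB:
                      type: integer
                      minimum: 20     # floor: below this RDS will not provision
                      maximum: 500    # ceiling: caps cost per claim
                    engine:
                      type: string
                      enum: [postgres, mysql]   # only engines the platform supports
                    size:
                      type: string
                      enum: [small, medium]     # t-shirt sizes, mapped in the Composition
                      default: small
                  required: [storageGB, engine]
              required: [parameters]
```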

Here is a conceptual look at how a developer claims a resource:

apiVersion: nohatek.com/v1alpha1
kind: NohatekDatabase
metadata:
  name: my-microservice-db
  namespace: payments-team
spec:
  parameters:
    storageGB: 20
    engine: postgres

The developer writes 8 lines of YAML. The Control Plane handles the hundreds of lines of cloud configuration complexity in the background. This is Abstracted Infrastructure at its finest.
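An added Composition (again not the post's or Nohatek's code) that carries out steps 1 to 3 above for AWS. It assumes Crossplane 1.x with classic Resources-mode compositions and the Upbound provider-aws RDS Instance; the region, labels, instance classes and the provider's connection secret key names (username, attribute.password, endpoint, port) are assumptions to check against the installed provider version. Everything security-relevant (private placement, encryption, generated password) is fixed here, so a claim cannot override it.

```yaml
# Added example Composition; region, labels and class names are assumed.
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xnohatekdatabases.aws.nohatek.com
spec:
  compositeTypeRef: {apiVersion: nohatek.com/v1alpha1, kind: XNohatekDatabase}
  writeConnectionSecretsToNamespace: crossplane-system
  resources:
    - name: rds
      base:
        apiVersion: rds.aws.upbound.io/v1beta1
        kind: Instance
        spec:
          forProvider:
            region: eu-west-1
            username: appadmin
            autoGeneratePassword: true    # provider generates it; never stored in git
            passwordSecretRef: {namespace: crossplane-system, key: password}
            publiclyAccessible: false     # fixed by the platform, not claimable
            storageEncrypted: true
            skipFinalSnapshot: true
            # pre-created network objects selected by label; developers never pick them
            vpcSecurityGroupIdSelector: {matchLabels: {nohatek.com/tier: db-private}}
            dbSubnetGroupNameSelector: {matchLabels: {nohatek.com/tier: db-private}}
          writeConnectionSecretToRef: {namespace: crossplane-system}
      patches:
        - fromFieldPath: spec.parameters.storageGB
          toFieldPath: spec.forProvider.allocatedStorage
        - fromFieldPath: spec.parameters.engine
          toFieldPath: spec.forProvider.engine
        - fromFieldPath: spec.parameters.size       # t-shirt size -> instance class
          toFieldPath: spec.forProvider.instanceClass
          transforms:
            - type: map
              map: {small: db.t3.small, medium: db.m6g.large}
        - fromFieldPath: metadata.uid                # unique per composite
          toFieldPath: spec.forProvider.passwordSecretRef.name
          transforms:
            - type: string
              string: {type: Format, fmt: "%s-master"}
        - fromFieldPath: metadata.uid
          toFieldPath: spec.writeConnectionSecretToRef.name
      connectionDetails:   # provider secret keys -> keys the claim exposes
        - {name: username, fromConnectionSecretKey: username}
        - {name: password, fromConnectionSecretKey: attribute.password}
        - {name: endpoint, fromConnectionSecretKey: endpoint}
        - {name: port, fromConnectionSecretKey: port}
```

For the connection Secret to appear in the payments-team namespace, the claim also needs spec.writeConnectionSecretToRef with a name; Crossplane then copies the composite's Secret into the claim's namespace under that name.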

The Business Case: Velocity, Governance, and Cost


Adopting a Control Plane approach isn't just a cool tech upgrade; it drives significant business value for companies scaling their digital footprint.

1. Developer Velocity

By shifting to a self-service model via Kubernetes APIs, developers get their infrastructure immediately. They stay in their flow state, deploying full-stack environments via a single Helm chart or git commit. This reduces time-to-market for new features.

2. Governance and Compliance

With tools like Open Policy Agent (OPA) or Kyverno sitting alongside Crossplane, you can enforce policies before infrastructure is ever created. You can block the creation of public S3 buckets or expensive GPU instances at the API level. Security is no longer an audit afterthought; it is baked into the request pipeline.
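An added Kyverno policy (not from the post) showing what "blocking a public S3 bucket at the API level" looks like when the bucket objects are Crossplane managed resources. It assumes the Upbound provider-aws S3 kinds BucketACL and BucketPublicAccessBlock and their field names; the policy name and message are constructed.

```yaml
# Added example Kyverno policy over Crossplane S3 managed resources (assumed kinds).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-public-s3
spec:
  validationFailureAction: Enforce   # reject at admission, not just report
  background: true                   # also flag existing objects in policy reports
  rules:
    - name: no-public-bucket-acl
      match:
        any:
          - resources:
              kinds: [BucketACL]     # s3.aws.upbound.io
      validate:
        message: "Public bucket ACLs are not allowed; use the platform bucket claim."
        deny:
          conditions:
            any:
              - key: "{{ request.object.spec.forProvider.acl || '' }}"
                operator: AnyIn
                value: [public-read, public-read-write, authenticated-read]
    - name: public-access-block-stays-on
      match:
        any:
          - resources:
              kinds: [BucketPublicAccessBlock]   # s3.aws.upbound.io
      validate:
        message: "All four public access block settings must remain true."
        pattern:
          spec:
            forProvider:
              blockPublicAcls: true
              blockPublicPolicy: true
              ignorePublicAcls: true
              restrictPublicBuckets: true
```

The second rule only constrains a BucketPublicAccessBlock that exists; the Composition that creates buckets should always emit one, so the policy guards against weakening it rather than against its absence.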

3. Multi-Cloud Agility

Crossplane allows you to write a Composition that is cloud-agnostic. A PostgresDB claim could provision an RDS instance in AWS for production, but a Cloud SQL instance in GCP for analytics, without the developer needing to change their request manifest. This reduces vendor lock-in and increases strategic flexibility.

Terraform will always have a place in the ecosystem, particularly for bootstrapping the initial clusters. However, for dynamic, application-centric infrastructure, the industry is moving toward Control Planes.

Building a self-healing cloud environment with Crossplane and Kubernetes reduces operational toil, eliminates configuration drift, and empowers developers with true self-service capabilities. It transforms your infrastructure from a static map into a living, breathing organism that defends its own state.

Ready to evolve your cloud strategy? At Nohatek, we specialize in helping organizations build robust Platform Engineering practices and self-healing infrastructure. Whether you are looking to optimize your Kubernetes journey or build a custom internal developer platform (IDP), our team is ready to help.

Contact us today to schedule a consultation.