Crossplane MCP server

Crossplane extends Kubernetes to build control planes for cloud infrastructure and services. An AI agent with access to Crossplane can define custom infrastructure APIs, compose resources across cloud providers, manage package versions, and automate infrastructure operations without writing Kubernetes manifests directly.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

• Access to AI Gateway with permission to create MCP servers
• API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

1. Sign in to AI Gateway and select MCP Servers from the left navigation.
2. Select New MCP Server.
3. Search for the application you want to connect, then select it from the catalog.

Configure the server

1. Enter a Name for your server — something descriptive that identifies both the application and its purpose.
2. Enter a Description so your team knows what the server is for.
3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
4. Toggle Production mode on if this server will be used in a live workflow.
5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

1. Set any Rate limits appropriate for your use case and the API's own limits.
2. Enable Logging if you want AI Gateway to record requests and responses for auditing.
3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.

---

Connect to an AI client

Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:

• Claude Desktop
• Claude Code
• Cursor
• VS Code
• Windsurf

Tips

• You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
• If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
• You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

Crossplane uses Bearer token authentication through Kubernetes service account tokens. Create a service account in your Kubernetes cluster with RBAC permissions for Crossplane API groups: apiextensions.crossplane.io, pkg.crossplane.io, ops.crossplane.io, and protection.crossplane.io.

Value	Setting
API token header	Authorization: Bearer YOUR_TOKEN
Base URL	https://k8s-api.your-company.com

Available tools

This MCP server enables composite resource management, package operations, infrastructure automation, and resource protection across multi-cloud Kubernetes deployments.

Tool	Description
Create XRD	Create a CompositeResourceDefinition for custom infrastructure abstractions
List XRDs	Retrieve all composite resource definitions in the cluster
Get XRD	Retrieve specific XRD configuration and schema
Update XRD	Modify XRD to add fields or change validation rules
Delete XRD	Remove a composite resource definition
Create composition	Create a composition mapping custom APIs to managed resources
List compositions	Retrieve all compositions in the cluster
Get composition	Retrieve composition template and configuration
Update composition	Modify composition resource mappings or patches
Delete composition	Remove a composition
List composition revisions	Retrieve version history of a composition
Install provider	Install a cloud provider package (AWS, Azure, GCP, etc.)
List providers	Retrieve all installed providers and their status
Get provider	Retrieve provider details and installed CRDs
Uninstall provider	Remove a provider package
Install configuration	Install a configuration package for reference platforms
List configurations	Retrieve all installed configuration packages
Get configuration	Retrieve configuration details and version
List configuration revisions	Retrieve version history of a configuration
Create environment config	Create shared configuration data for compositions
List environment configs	Retrieve all environment configurations
Get environment config	Retrieve specific environment configuration
Create operation	Create a one-time infrastructure operation
Create cron operation	Create a scheduled recurring infrastructure operation
List operations	Retrieve all operations in the cluster
Get operation status	Retrieve status and results of an operation
Create usage	Create a resource dependency protection entry
List usages	Retrieve all resource dependency tracking entries
Get usage	Retrieve dependency details for a resource

Tips

Create dedicated service accounts with only the RBAC permissions your integration needs. Don't use cluster admin tokens for automation.

Test new compositions in a non-production cluster before applying to production. Compositions define how custom APIs translate to infrastructure.

Use specific provider versions instead of latest to ensure predictable behavior. Test provider upgrades in staging before rolling to production.

Store shared configuration in EnvironmentConfigs like VPC IDs and security groups. This avoids hardcoding values and enables reuse across compositions.

Create Usages for production-critical resources like VPCs and databases. This prevents accidental deletion of infrastructure that other resources depend on.

---