Crossplane v2.3.0 ships a high-fidelity local render engine, per-resource reconciliation control, alpha Provider deletion protection, and multiple security dependency bumps including Go stdlib CVE fixes.
securityGo stdlib CVEs fixed — pull the new image
Go was bumped to 1.25.10 specifically to address stdlib CVEs, on top of several other dependency security patches (grpc, go-git, go-jose, cloudflare/circl, golang.org/x/net). Update your Crossplane deployment to v2.3.0 promptly; if you mirror images internally, make sure the new digest is pulled before rolling out.
breakingUpdate API import paths and bookmark the new CLI repo
If you import Crossplane APIs in Go code, change `github.com/crossplane/crossplane/v2/apis` to `github.com/crossplane/crossplane/apis/v2` and note that `v1.Resource*` types are now `v2.ClusterManagedResource*`. Pin your CLI tooling to the new `github.com/crossplane/cli` repo — version numbers will diverge from core after this release, so update any scripts or CI pipelines that assumed aligned versioning.
breakingUpgrade sequentially from v2.2 — do not skip minor versions
Crossplane migrates CRDs on upgrade, and skipping minor versions can leave the API server in an inconsistent state. If you are on v1.20, that branch receives extended support but you should plan your migration to v2.x. Always follow the sequential upgrade path documented in the Crossplane upgrade guide.
enhancementUse per-resource poll annotations to reduce API server load
Set `crossplane.io/poll-interval: 24h` on stable, infrequently-changing XRs to dramatically cut reconcile frequency. Pair it with `crossplane.io/reconcile-requested-at` to trigger on-demand reconciliation when needed. This is available immediately for XRs; for managed resources, wait for your providers to release versions based on crossplane-runtime v2.3.0 before relying on it.
enhancementEnable Provider deletion protection in non-prod first
The new `--enable-provider-deletion-protection` alpha flag auto-creates `ClusterUsage` resources that block Provider deletion while managed resources exist. Useful safety net in shared clusters. Enable it in staging environments first to validate that your existing `ClusterUsage` webhook setup handles the auto-created resources correctly before rolling to production.
Key changes (6)
- APIs module split: `github.com/crossplane/crossplane/apis/v2` is now a separate Go module; external consumers must update import paths
- Crossplane CLI (`crank`) moved to its own repo (`github.com/crossplane/cli`) with an independent release schedule starting after v2.3.0
- High-fidelity `crossplane render` now runs the real composite reconciler instead of a parallel reimplementation, so local output matches actual cluster behavior
- New per-resource annotations `crossplane.io/poll-interval` and `crossplane.io/reconcile-requested-at` give fine-grained reconciliation control (XRs immediately; managed resources need provider update to crossplane-runtime v2.3.0)
- Alpha Provider deletion protection via `--enable-provider-deletion-protection` blocks accidental Provider removal while managed resources still exist
- Multiple security dependency updates: Go bumped to 1.25.10 fixing stdlib CVEs, plus grpc, go-git, go-jose, cloudflare/circl, and others