by hasheddan 1941 days ago
> It also raises the level of configuration abstraction for application developers without raising the level of access control abstraction.

This may be the most interesting point in this post. Terraform (and cloud provider APIs for that matter) is not built for developer self-service, not because it is complicated, but because the developer must be given credentials to perform the granular operations, even if they are interfacing with a higher-level interface. Crossplane flips this model by instead saying that the developer is only given permission to perform operations at the interface they are interacting with, and the operator (in this case a Kubernetes controller) that satisfies the high-level request by performing granular operations is given permissions for those operations. This greatly simplifies the model for both the platform builder and the platform consumer. The builder is responsible for defining the interface and exposing it to consumers. The consumer knows that if they have RBAC on an abstraction, the underlying operations can be performed on their behalf.
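The permission split described in the comment above, as an added example that is not part of the original post or of Crossplane's own manifests: a developer Role that grants access only to the abstraction (a hypothetical `PostgreSQLInstance` claim kind in a hypothetical `database.example.org` API group), bound in the team's namespace, while the cloud credentials live in a Secret in the controller's namespace that no rule in the developer Role can reach. The claim kind, API group, namespaces, group name and Secret name are all assumptions.

```yaml
# Developers may create and inspect claims for the abstraction only.
# Claim kind, API group and namespace names are assumptions for illustration.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: postgres-claim-user
  namespace: team-a
rules:
  - apiGroups: ["database.example.org"]
    resources: ["postgresqlinstances"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # Deliberately no rule for "secrets": developers cannot read the provider
  # credentials (or any other Secret) unless a separate rule grants it.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-postgres-claim-users
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-developers   # assumed group name from the cluster's identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: postgres-claim-user
  apiGroup: rbac.authorization.k8s.io
---
# The cloud credentials are held only in the controller's namespace. The
# controller's service account (not shown) reads them to perform the granular
# cloud API operations on the developer's behalf; developers never hold them.
apiVersion: v1
kind: Secret
metadata:
  name: cloud-provider-creds   # assumed name
  namespace: crossplane-system
type: Opaque
stringData:
  credentials: "<placeholder: provider credential material, never committed to git>"
```

A quick check that the boundary holds: `kubectl auth can-i get secrets -n crossplane-system --as=dev@example.org --as-group=team-a-developers` should answer `no`, while the same query for `postgresqlinstances.database.example.org` in `team-a` should answer `yes`.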