A Journey To Modernizing a Regulated Cloud Control Plane

Channel	CNCF [Cloud Native Computing Foundation]
Speakers	Pranita Praveen (Macquarie) & Steven Borrelli (Upbound)
Event	KubeCon 2025
Duration	26:23

Crossplane ArgoCD GitOps Kubernetes Multicloud Regulated

TL;DR

Macquarie Group, a global financial services company, modernized their cloud control plane by migrating from traditional pipelines to a Crossplane-based architecture with GitOps principles. The solution provides continuous reconciliation, multi-cloud support (AWS, GCP, Azure), and dramatically improved developer experience through automated policy checks and compliance validation directly on pull requests.

Key Takeaways

Control planes over pipelines: Continuous reconciliation with Crossplane eliminates drift and reduces manual maintenance compared to traditional CI/CD pipelines
Multi-cloud unification: A single Crossplane-based control plane manages AWS, GCP, and Azure resources instead of separate tools per cloud
Brownfield integration matters: Building integration APIs (Identity, Access Management, Compliance) enabled new control plane resources to work seamlessly with existing infrastructure
Shift-left security: "Bot of bots" workflow validates security and compliance on pull requests before deployment, giving developers fast feedback without touching cloud APIs
Git commit signing: Enforces that all deployments pass through the validation workflow before reaching ArgoCD and Crossplane
Community-supported tools reduce maintenance: Using CNCF ecosystem tools (Crossplane, Argo, Gatekeeper, Grafana/Loki) makes CVE management and upgrades easier

Summary

Macquarie's Cloud Journey

Pranita Praveen, Director of Engineering at Macquarie Group, presented alongside Steven Borrelli, Principal Solutions Architect at Upbound and Crossplane community member.

Macquarie is a global financial services company headquartered in Sydney with ~20,000 employees, providing asset management, investment banking, and retail banking. About 10 years ago, they began migrating to public cloud, starting with AWS and expanding to GCP and Azure. Today they're approximately 70%+ in public cloud, primarily using IaaS on AWS.

The Problem: Pipeline Sprawl and Toil

Over a decade of cloud migration, their deployment pipelines became increasingly cumbersome:

Different deployment solutions for each cloud provider
Growing maintenance burden for platform engineers
Slow enablement of new cloud services (critical in a regulated environment)
Manual processes slowing developer velocity

Why Crossplane?

The team evaluated Terraform (already in use), KCC (for GCP), and Crossplane. Crossplane won because it:

Provides KRM (Kubernetes Resource Model) integration
Offers built-in continuous reconciliation via Kubernetes controllers
Supports all three major cloud providers with a unified approach
Uses managed resources that map 1:1 between Kubernetes CRDs and cloud resources
Enables composition to bundle multiple resources into reusable abstractions

Architecture Overview

The new control plane runs on EKS (AWS) and includes:

Infrastructure as Code: Crossplane
CI: Argo Workflows
CD: ArgoCD
Policy/Security: Gatekeeper (OPA)
Observability: Grafana and Loki
Custom Go/Python APIs for internal integrations

Brownfield vs. Greenfield Decision

The team chose a brownfield approach, integrating the new control plane with existing infrastructure rather than starting fresh. This required building three custom integration services in Go:

Identity API: Retrieves resource identifiers across both old and new control planes
Access Management API: Manages IAM policies that span both systems
Compliance API: Validates target environment compliance before allowing deployments

This approach meant any team could adopt the new control plane while their applications still integrated with existing resources.

Developer Experience: Bot of Bots Workflow

A key innovation is the "bot of bots" Argo Workflow that runs on every pull request:

Policy-as-Code Bot: Validates security requirements against the claim specification
Compliance Bot: Checks the target environment meets governance rules
Hydrator Bot: Auto-populates technical details (VPC IDs, Route53 IDs, DNS info) so developers write minimal YAML

How it works:

Pull request triggers webhook to Argo Workflow
Ephemeral pods run each bot sequentially
Results posted as PR comments
On success, reviewer approves and merges
Merge triggers git commit signing (unsigned commits are rejected)
Signed commit flows through ArgoCD to Crossplane

"In the past with the pipeline, they had to actually wait for the deployment to hit the cloud platform and then see if there's a failure... This bot because it just works on the code in the pull request, it's a lot faster for them. It just runs within a few seconds."

What's Next for Macquarie

Composition templates: Standardized starting points for new compositions
vClusters: Investigating for segmented testing and blue-green deployments
Crossplane v2: Evaluating new features including namespace-based tenant isolation

Notable Quotes

"We like the idea of that continuous reconciliation you get with a control plane."

"The benefit of a greenfield is it was faster... but in terms of the use cases and the impact it would have in Macquarie it just meant that the application teams that had brand new applications and didn't necessarily need to be talking with their existing ecosystems only they would really be finding use for this control plane."

"If the commit isn't signed, it just means that the bot of bots has either not been successful or that it has not even been run and so they're trying to bypass those checks."

References & Resources

From Description

KubeCon Events: kubecon.io

Mentioned in Video

Macquarie Engineering Blog: Search "Macquarie engineering blog" for detailed control plane articles
Crossplane: CNCF project for cloud-native control planes
ArgoCD: GitOps continuous delivery for Kubernetes
Argo Workflows: Kubernetes-native workflow engine
Gatekeeper/OPA: Policy-as-code for Kubernetes
Grafana/Loki: Observability stack
vClusters: Virtual Kubernetes clusters for isolation
KCC (Config Connector): Google's Kubernetes-native GCP resource management
Crossplane v2: Next major version with namespace isolation and improved workload management

Full Transcript

Hi everyone, nice to meet you. Thanks for coming to our talk today. We'll be talking about the journey to evolving our cloud control plane in Macquarie group. I'm Pranita Praveen and I'm a director of engineering in Macquarie. I've got a bit of experience in platform engineering in cloud platforms essentially. That's my background for the past 10 years. I'll be presenting with Steven. Hello. Yes, I'm Steven Borrelli, a principal solutions architect at Upbound and a member of the crossplane community. So, just a little bit about Macquarie if you don't know already. So, at Macquarie, we're a financial services group. So, we provide asset management, investment banking, retail banking services. We're headquartered in Sydney, Australia, but we are global. So, we've got an office in London, all around the world really in Americas as well. I'm based in Melbourne. So it's a pretty fun place to work in. There's about 20,000 or so employees, so fairly big for a company. We really love to say that, you know, we're empowering our people, both our staff as well as our customers to innovate and invest for a better future. In saying that, about 10 years ago, we started moving all our tech stack onto the public cloud. We started with AWS and now eventually we've gotten on to GCP as well as Microsoft Azure. So we're firmly multicloud right now. I would say we're about 70% or more at least in the public cloud and we're still looking at moving some of our old stack into the public cloud because we started quite a while ago. We're mostly IaaS right now and mostly sitting in AWS but we are looking to uplift that move on to PaaS and SaaS solutions and also become more firmly multicloud as well with the proper strategy. We found that over the 10 years because we've just been focused on moving all of our stuff into the cloud etc. our pipeline that we'd used to get onto the cloud was getting more and more cumbersome to maintain. We were finding that there was a bit more toil for the platform engineers in fixing what we needed to fix to get it working to support our production applications. And we also had because we started with AWS moved on to GCP Azure we had different solutions for deployment into the three clouds. So that was a little bit more operations heavy. We wanted just one multi cloud solution. So then we started thinking about how do we change this? What do we want to do to uplift what we're doing in the cloud to make it easier for our developers to really give a great developer experience both for our platform developers but also our application developers and also primarily make it really fast for us to consume the new cloud services that we're getting released basically every week. So in Macquarie, we're highly regulated and when we want to consume a new cloud service for development and test, we need to make sure that we've got some security boundaries and guardrails around that service. So that's what I mean by service enablement, just FYI. So we wanted to really have super fast service enablement. We started thinking about what are the principles that we want to deploy to get this amazing uplift into our cloud journey. And that's where control planes came in. We like the idea of that continuous reconciliation you get with a control plane. And we also wanted to make just one multicloud deployment solution for all three clouds, make it a little bit more simple for our developers to maintain. We wanted to automate as much as possible. So use the GitOps principles widely across all of our stack and potentially just keep to cloud native where we could so that it was easier to keep our code secure. We didn't have to do so much custom upgrades etc to keep to the latest standards. So that's where crossplane came in and I'll hand over to Steve just to tell you a bit about crossplane. [Transcript continues - see full video for complete content]