Create a kro capability using the Console - Amazon EKS
This documentation is a draft for private preview for regions in the AWS European Sovereign Cloud. Documentation content will continue to evolve. Published: January 10, 2026.

Create a kro capability using the Console

This topic describes how to create a kro (Kube Resource Orchestrator) capability using the AWS Management Console.

Create the kro capability

  1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.

  2. Select your cluster name to open the cluster detail page.

  3. Choose the Capabilities tab.

  4. In the left navigation, choose kro (Kube Resource Orchestrator).

  5. Choose Create kro capability.

  6. For IAM Capability Role:

    • If you already have an IAM Capability Role, select it from the dropdown.

    • If you need to create a role, choose Create kro role.

      This opens the IAM console in a new tab with a pre-populated trust policy. The role requires no additional IAM permissions since kro operates entirely within your cluster.

      After creating the role, return to the EKS console and the role will be automatically selected.

      Note

      Unlike ACK and Argo CD, kro does not require additional IAM permissions beyond the trust policy. kro operates entirely within your cluster and does not make AWS API calls.

  7. Choose Create.

The capability creation process begins.

Verify the capability is active

  1. On the Capabilities tab, view the kro capability status.

  2. Wait for the status to change from CREATING to ACTIVE.

  3. Once active, the capability is ready to use.

For information about capability statuses and troubleshooting, see Working with capability resources.

Grant permissions to manage Kubernetes resources

When you create a kro capability, an EKS Access Entry is automatically created with the AmazonEKSKROPolicy, which allows kro to manage ResourceGraphDefinitions and their instances. However, no permissions are granted by default to create the underlying Kubernetes resources (such as Deployments, Services, and ConfigMaps) defined in your ResourceGraphDefinitions.

This intentional design follows the principle of least privilege—different ResourceGraphDefinitions require different permissions. You must explicitly configure the permissions kro needs based on the resources your ResourceGraphDefinitions will manage.

To get started quickly, or for testing and development environments, use AmazonEKSClusterAdminPolicy:

  1. In the EKS console, navigate to your cluster’s Access tab.

  2. Under Access entries, find the entry for your kro capability role (it will have the ARN of the role you created earlier).

  3. Choose the access entry to open its details.

  4. In the Access policies section, choose Associate access policy.

  5. Select AmazonEKSClusterAdminPolicy from the policy list.

  6. For Access scope, select Cluster.

  7. Choose Associate.

Important

The AmazonEKSClusterAdminPolicy grants broad permissions to create and manage all Kubernetes resources, including the ability to create any resource type across all namespaces. This is convenient for development and POCs but should not be used in production. For production, create custom RBAC policies that grant only the permissions needed for the specific resources your ResourceGraphDefinitions will manage. For guidance on configuring least-privilege permissions, see Configure kro permissions and Security considerations for EKS Capabilities.
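
As an added illustration of the least-privilege approach described above (not code from AWS or the kro project), the following Python sketch derives RBAC rules covering only the kinds that a ResourceGraphDefinition templates. The kind-to-plural table, the verb list, the sample ResourceGraphDefinition, and the role name kro-web-app are assumptions made for this example; binding the resulting role to the kro capability is covered in Configure kro permissions and is not shown.

```python
# Added example: derive least-privilege RBAC rules from a ResourceGraphDefinition.
import json

# Kind -> plural resource name. Assumption: covers only the kinds used below;
# for others, read the NAME column of `kubectl api-resources`.
PLURALS = {"Deployment": "deployments", "Service": "services", "ConfigMap": "configmaps"}

# Assumption: verbs a controller needs to reconcile objects it owns.
VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]


def api_group(api_version):
    """'apps/v1' -> 'apps'; core 'v1' -> '' (the core group)."""
    return api_version.split("/")[0] if "/" in api_version else ""


def rbac_rules(rgd):
    """Return one RBAC rule per API group covering only the templated kinds."""
    by_group = {}
    for res in rgd["spec"]["resources"]:
        tmpl = res["template"]
        kind = tmpl["kind"]
        if kind not in PLURALS:
            # Fail closed: never widen to "*" for a kind we cannot map.
            raise ValueError(f"no plural known for kind {kind!r}")
        by_group.setdefault(api_group(tmpl["apiVersion"]), set()).add(PLURALS[kind])
    return [
        {"apiGroups": [g], "resources": sorted(r), "verbs": VERBS}
        for g, r in sorted(by_group.items())
    ]


# Constructed sample RGD (only the fields this example reads).
SAMPLE_RGD = {
    "apiVersion": "kro.run/v1alpha1",
    "kind": "ResourceGraphDefinition",
    "metadata": {"name": "web-app"},
    "spec": {"resources": [
        {"id": "config", "template": {"apiVersion": "v1", "kind": "ConfigMap"}},
        {"id": "deployment", "template": {"apiVersion": "apps/v1", "kind": "Deployment"}},
        {"id": "service", "template": {"apiVersion": "v1", "kind": "Service"}},
    ]},
}

if __name__ == "__main__":
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": "kro-web-app"}, "rules": rbac_rules(SAMPLE_RGD)}
    print(json.dumps(role, indent=2))  # JSON is valid YAML for kubectl apply
```

Run against each ResourceGraphDefinition you deploy and review the output before applying it; a kind missing from the table raises an error rather than falling back to a wildcard.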

Verify custom resources are available

After the capability is active, verify that kro custom resources are available in your cluster.

Using the console

  1. Navigate to your cluster in the Amazon EKS console.

  2. Choose the Resources tab.

  3. Choose Extensions.

  4. Choose CustomResourceDefinitions.

You should see the ResourceGraphDefinition resource type listed.

Using kubectl

kubectl api-resources | grep kro.run

You should see the ResourceGraphDefinition resource type listed.

Next steps