**Help improve this page** 

To contribute to this user guide, choose the **Edit this page on GitHub** link that is located in the right pane of every page.

# Create a kro capability
<a name="create-kro-capability"></a>

This topic explains how to create a kro capability on your Amazon EKS cluster.

## Prerequisites
<a name="_prerequisites"></a>

Before creating a kro capability, ensure you have:
+ An existing Amazon EKS cluster running a supported Kubernetes version (all versions in standard and extended support are supported)
+ Sufficient IAM permissions to create capability resources on EKS clusters
+ (For CLI/eksctl) The appropriate CLI tool installed and configured

**Note**  
Unlike ACK and Argo CD, kro does not require additional IAM permissions beyond the trust policy. kro operates entirely within your cluster and does not make AWS API calls. However, you still need to provide an IAM Capability Role with the appropriate trust policy. For information about configuring Kubernetes RBAC permissions for kro, see [Configure kro permissions](kro-permissions.md).

## Choose your tool
<a name="_choose_your_tool"></a>

You can create a kro capability using the AWS Management Console, AWS CLI, or eksctl:
+  [Create a kro capability using the Console](kro-create-console.md) - Use the Console for a guided experience
+  [Create a kro capability using the AWS CLI](kro-create-cli.md) - Use the AWS CLI for scripting and automation
+  [Create a kro capability using eksctl](kro-create-eksctl.md) - Use eksctl for a Kubernetes-native experience

## What happens when you create a kro capability
<a name="_what_happens_when_you_create_a_kro_capability"></a>

When you create a kro capability:

1. EKS creates the kro capability service and configures it to monitor and manage resources in your cluster

1. Custom Resource Definitions (CRDs) are installed in your cluster

1. An access entry is automatically created for your IAM Capability Role with the `AmazonEKSKROPolicy` which grants permissions to manage ResourceGraphDefinitions and their instances (see [Security considerations for EKS Capabilities](capabilities-security.md))

1. The capability assumes the IAM Capability Role you provide (used only for the trust relationship)

1. kro begins watching for `ResourceGraphDefinition` resources and their instances

1. The capability status changes from `CREATING` to `ACTIVE` 

Once active, you can create ResourceGraphDefinitions to define custom APIs and create instances of those APIs.

**Note**  
The automatically created access entry includes the `AmazonEKSKROPolicy` which grants kro permissions to manage ResourceGraphDefinitions and their instances. To allow kro to create the underlying Kubernetes resources defined in your ResourceGraphDefinitions (such as Deployments, Services, or ACK resources), you must configure additional access entry policies. To learn more about access entries and how to configure additional permissions, see [Configure kro permissions](kro-permissions.md) and [Security considerations for EKS Capabilities](capabilities-security.md).

## Next steps
<a name="_next_steps"></a>

After creating the kro capability:
+  [kro concepts](kro-concepts.md) - Understand kro concepts and resource composition
+  [kro concepts](kro-concepts.md) - Learn about SimpleSchema, CEL expressions, and resource composition patterns

# Create a kro capability using the Console
<a name="kro-create-console"></a>

This topic describes how to create a kro (Kube Resource Orchestrator) capability using the AWS Management Console.

## Create the kro capability
<a name="_create_the_kro_capability"></a>

1. Open the Amazon EKS console at https://console.aws.amazon.com/eks/home\$1/clusters.

1. Select your cluster name to open the cluster detail page.

1. Choose the **Capabilities** tab.

1. In the left navigation, choose **kro (Kube Resource Orchestrator)**.

1. Choose **Create kro capability**.

1. For **IAM Capability Role**:
   + If you already have an IAM Capability Role, select it from the dropdown
   + If you need to create a role, choose **Create kro role** 

     This opens the IAM console in a new tab with pre-populated trust policy. The role requires no additional IAM permissions since kro operates entirely within your cluster.

     After creating the role, return to the EKS console and the role will be automatically selected.
**Note**  
Unlike ACK and Argo CD, kro does not require additional IAM permissions beyond the trust policy. kro operates entirely within your cluster and does not make AWS API calls.

1. Choose **Create**.

The capability creation process begins.

## Verify the capability is active
<a name="_verify_the_capability_is_active"></a>

1. On the **Capabilities** tab, view the kro capability status.

1. Wait for the status to change from `CREATING` to `ACTIVE`.

1. Once active, the capability is ready to use.

For information about capability statuses and troubleshooting, see [Working with capability resources](working-with-capabilities.md).

## Grant permissions to manage Kubernetes resources
<a name="_grant_permissions_to_manage_kubernetes_resources"></a>

When you create a kro capability, an EKS Access Entry is automatically created with the `AmazonEKSKROPolicy`, which allows kro to manage ResourceGraphDefinitions and their instances. However, no permissions are granted by default to create the underlying Kubernetes resources (like Deployments, Services, ConfigMaps, etc.) defined in your ResourceGraphDefinitions.

This intentional design follows the principle of least privilege—different ResourceGraphDefinitions require different permissions. You must explicitly configure the permissions kro needs based on the resources your ResourceGraphDefinitions will manage.

For getting started quickly, testing, or development environments, use `AmazonEKSClusterAdminPolicy`:

1. In the EKS console, navigate to your cluster’s **Access** tab.

1. Under **Access entries**, find the entry for your kro capability role (it will have the role ARN you created earlier).

1. Choose the access entry to open its details.

1. In the **Access policies** section, choose **Associate access policy**.

1. Select `AmazonEKSClusterAdminPolicy` from the policy list.

1. For **Access scope**, select **Cluster**.

1. Choose **Associate**.

**Important**  
The `AmazonEKSClusterAdminPolicy` grants broad permissions to create and manage all Kubernetes resources, including the ability to create any resource type across all namespaces. This is convenient for development and POCs but should not be used in production. For production, create custom RBAC policies that grant only the permissions needed for the specific resources your ResourceGraphDefinitions will manage. For guidance on configuring least-privilege permissions, see [Configure kro permissions](kro-permissions.md) and [Security considerations for EKS Capabilities](capabilities-security.md).

## Verify custom resources are available
<a name="_verify_custom_resources_are_available"></a>

After the capability is active, verify that kro custom resources are available in your cluster.

 **Using the console** 

1. Navigate to your cluster in the Amazon EKS console

1. Choose the **Resources** tab

1. Choose **Extensions** 

1. Choose **CustomResourceDefinitions** 

You should see the `ResourceGraphDefinition` resource type listed.

 **Using kubectl** 

```
kubectl api-resources | grep kro.run
```

You should see the `ResourceGraphDefinition` resource type listed.

## Next steps
<a name="_next_steps"></a>
+  [kro concepts](kro-concepts.md) - Understand kro concepts and resource composition
+  [kro concepts](kro-concepts.md) - Learn about SimpleSchema, CEL expressions, and composition patterns
+  [Working with capability resources](working-with-capabilities.md) - Manage your kro capability resource

# Create a kro capability using the AWS CLI
<a name="kro-create-cli"></a>

This topic describes how to create a kro (Kube Resource Orchestrator) capability using the AWS CLI.

## Prerequisites
<a name="_prerequisites"></a>
+  ** AWS CLI** – Version `2.12.3` or later. To check your version, run `aws --version`. For more information, see [Installing](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html) in the AWS Command Line Interface User Guide.
+  ** `kubectl` ** – A command line tool for working with Kubernetes clusters. For more information, see [Set up `kubectl` and `eksctl`](install-kubectl.md).

## Step 1: Create an IAM Capability Role
<a name="_step_1_create_an_iam_capability_role"></a>

Create a trust policy file:

```
cat > kro-trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "capabilities.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
EOF
```

Create the IAM role:

```
aws iam create-role \
  --role-name KROCapabilityRole \
  --assume-role-policy-document file://kro-trust-policy.json
```

**Note**  
Unlike ACK and Argo CD, kro does not require additional IAM permissions. kro operates entirely within your cluster and does not make AWS API calls. The role is only needed to establish the trust relationship with the EKS capabilities service.

## Step 2: Create the kro capability
<a name="_step_2_create_the_kro_capability"></a>

Create the kro capability resource on your cluster. Replace *region-code* with the AWS Region where your cluster is located (such as `us-west-2`) and *my-cluster* with your cluster name.

```
aws eks create-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-kro \
  --type KRO \
  --role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/KROCapabilityRole \
  --delete-propagation-policy RETAIN
```

The command returns immediately, but the capability takes some time to become active as EKS creates the required capability infrastructure and components. EKS will install the Kubernetes Custom Resource Definitions related to this capability in your cluster as it is being created.

**Note**  
If you receive an error that the cluster doesn’t exist or you don’t have permissions, verify:  
The cluster name is correct
Your AWS CLI is configured for the correct region
You have the required IAM permissions

## Step 3: Verify the capability is active
<a name="_step_3_verify_the_capability_is_active"></a>

Wait for the capability to become active. Replace *region-code* with the AWS Region that your cluster is in and replace *my-cluster* with the name of your cluster.

```
aws eks describe-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-kro \
  --query 'capability.status' \
  --output text
```

The capability is ready when the status shows `ACTIVE`.

You can also view the full capability details:

```
aws eks describe-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-kro
```

## Step 4: Grant permissions to manage Kubernetes resources
<a name="_step_4_grant_permissions_to_manage_kubernetes_resources"></a>

When you create a kro capability, an EKS Access Entry is automatically created with the `AmazonEKSKROPolicy`, which allows kro to manage ResourceGraphDefinitions and their instances. However, no permissions are granted by default to create the underlying Kubernetes resources (like Deployments, Services, ConfigMaps, etc.) defined in your ResourceGraphDefinitions.

This intentional design follows the principle of least privilege—different ResourceGraphDefinitions require different permissions. For example: \$1 A ResourceGraphDefinition that creates only ConfigMaps and Secrets needs different permissions than one that creates Deployments and Services \$1 A ResourceGraphDefinition that creates ACK resources needs permissions for those specific custom resources \$1 Some ResourceGraphDefinitions might only read existing resources without creating new ones

You must explicitly configure the permissions kro needs based on the resources your ResourceGraphDefinitions will manage.

### Quick setup
<a name="_quick_setup"></a>

For getting started quickly, testing, or development environments, use `AmazonEKSClusterAdminPolicy`:

Get the capability role ARN:

```
CAPABILITY_ROLE_ARN=$(aws eks describe-capability \
  --region region-code \
  --cluster-name my-cluster \
  --capability-name my-kro \
  --query 'capability.roleArn' \
  --output text)
```

Associate the cluster admin policy:

```
aws eks associate-access-policy \
  --region region-code \
  --cluster-name my-cluster \
  --principal-arn $CAPABILITY_ROLE_ARN \
  --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
  --access-scope type=cluster
```

**Important**  
The `AmazonEKSClusterAdminPolicy` grants broad permissions to create and manage all Kubernetes resources, including the ability to create any resource type across all namespaces. This is convenient for development and POCs but should not be used in production. For production, create custom RBAC policies that grant only the permissions needed for the specific resources your ResourceGraphDefinitions will manage. For guidance on configuring least-privilege permissions, see [Configure kro permissions](kro-permissions.md) and [Security considerations for EKS Capabilities](capabilities-security.md).

## Step 5: Verify custom resources are available
<a name="_step_5_verify_custom_resources_are_available"></a>

After the capability is active, verify that kro custom resources are available in your cluster:

```
kubectl api-resources | grep kro.run
```

You should see the `ResourceGraphDefinition` resource type listed.

## Next steps
<a name="_next_steps"></a>
+  [kro concepts](kro-concepts.md) - Understand kro concepts and resource composition
+  [kro concepts](kro-concepts.md) - Learn about SimpleSchema, CEL expressions, and composition patterns
+  [Working with capability resources](working-with-capabilities.md) - Manage your kro capability resource

# Create a kro capability using eksctl
<a name="kro-create-eksctl"></a>

This topic describes how to create a kro (Kube Resource Orchestrator) capability using eksctl.

**Note**  
The following steps require eksctl version `0.220.0` or later. To check your version, run `eksctl version`.

## Step 1: Create an IAM Capability Role
<a name="_step_1_create_an_iam_capability_role"></a>

Create a trust policy file:

```
cat > kro-trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "capabilities.eks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
EOF
```

Create the IAM role:

```
aws iam create-role \
  --role-name KROCapabilityRole \
  --assume-role-policy-document file://kro-trust-policy.json
```

**Note**  
Unlike ACK and Argo CD, kro does not require additional IAM permissions beyond the trust policy. kro operates entirely within your cluster and does not make AWS API calls.

## Step 2: Create the kro capability
<a name="_step_2_create_the_kro_capability"></a>

Create the kro capability using eksctl. Replace *region-code* with the AWS Region that your cluster is in and replace *my-cluster* with the name of your cluster.

```
eksctl create capability \
  --region region-code \
  --cluster my-cluster \
  --name my-kro \
  --type KRO \
  --role-arn arn:aws:iam::[.replaceable]111122223333:role/KROCapabilityRole
```

The command returns immediately, but the capability takes some time to become active.

## Step 3: Verify the capability is active
<a name="_step_3_verify_the_capability_is_active"></a>

Check the capability status. Replace *region-code* with the AWS Region that your cluster is in and replace *my-cluster* with the name of your cluster.

```
eksctl get capability \
  --region region-code \
  --cluster my-cluster \
  --name my-kro
```

The capability is ready when the status shows `ACTIVE`.

## Step 4: Grant permissions to manage Kubernetes resources
<a name="_step_4_grant_permissions_to_manage_kubernetes_resources"></a>

By default, kro can only create and manage ResourceGraphDefinitions and their instances. To allow kro to create and manage the underlying Kubernetes resources defined in your ResourceGraphDefinitions, associate the `AmazonEKSClusterAdminPolicy` access policy with the capability’s access entry.

Get the capability role ARN:

```
CAPABILITY_ROLE_ARN=$(aws eks describe-capability \
  --region region-code \
  --cluster my-cluster \
  --name my-kro \
  --query 'capability.roleArn' \
  --output text)
```

Associate the cluster admin policy:

```
aws eks associate-access-policy \
  --region region-code \
  --cluster my-cluster \
  --principal-arn $CAPABILITY_ROLE_ARN \
  --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
  --access-scope type=cluster
```

**Important**  
The `AmazonEKSClusterAdminPolicy` grants broad permissions to create and manage all Kubernetes resources and is intended to streamline getting started. For production use, create more restrictive RBAC policies that grant only the permissions needed for the specific resources your ResourceGraphDefinitions will manage. For guidance on configuring least-privilege permissions, see [Configure kro permissions](kro-permissions.md) and [Security considerations for EKS Capabilities](capabilities-security.md).

## Step 5: Verify custom resources are available
<a name="_step_5_verify_custom_resources_are_available"></a>

After the capability is active, verify that kro custom resources are available in your cluster:

```
kubectl api-resources | grep kro.run
```

You should see the `ResourceGraphDefinition` resource type listed.

## Next steps
<a name="_next_steps"></a>
+  [kro concepts](kro-concepts.md) - Understand kro concepts and resource composition
+  [kro concepts](kro-concepts.md) - Learn about SimpleSchema, CEL expressions, and composition patterns
+  [Working with capability resources](working-with-capabilities.md) - Manage your kro capability resource