
Mission control
for Crossplane.

A single Go binary that provisions Crossplane environments, attaches remote nodes over SSH with WireGuard-encrypted inter-node traffic, and hot-reloads local packages while you build.
Multi-engine. Multi-node. Open source & MIT licensed.

LAUNCH_SEQUENCE · one line · macOS / linux / windows · v1.0.6 · released 2026-05-08
$ curl -sL "https://raw.githubusercontent.com/web-seven/overlock/refs/heads/main/scripts/install.sh" | sh

[ PNL_01 ] quick_environment_setup · priority_high

Create fully configured Crossplane environments with a single command.

Overlock handles cluster provisioning, Crossplane installation, and initial configuration automatically. No bootstrap scripts. No checklist. Pick a Kubernetes distribution and Overlock builds the rest.

Multi-engine support means the same vocabulary across KinD, K3s, K3d and K3s-Docker — choose the engine that fits your machine and your team.

  • Cluster & Crossplane bootstrapped automatically
  • Pin a specific Crossplane version with --engine-version
  • Start, stop, upgrade and delete environments at will

~/lab — overlock environment · READY
# Create a new environment with default settings
$ overlock environment create my-dev-env

# Create with a specific Crossplane version
$ overlock --engine-version 1.18.0 environment create my-dev-env

# List environments / start / stop / upgrade / delete
$ overlock environment list
$ overlock environment start   my-dev-env
$ overlock environment stop    my-dev-env
$ overlock environment upgrade my-dev-env
$ overlock environment delete  my-dev-env

SUB_PANEL // supported_engines

Four engines. Same vocabulary.

01 KinD

Kubernetes in Docker.
Quick local testing.

--engine kind

02 K3s

Lightweight Kubernetes.
Low-resource environments.

--engine k3s

03 K3d

K3s in Docker.
Fast multi-cluster setups.

--engine k3d

04 K3s-Docker

K3s with Docker containers as nodes.
Distributed and multi-node environments.

--engine k3s-docker

[ PNL_02 ] multi_node · remote_nodes · wireguard · k3s-docker

Distributed control planes across any Linux host.

The k3s-docker engine creates an agentless K3s server with two default agent nodes: workloads, for user pods and system services, and engine, dedicated to Crossplane, providers, functions, Kyverno and CertManager.

Remote nodes join the cluster via SSH. Any Linux host with Docker installed can be added as a worker. Inter-node traffic is encrypted by WireGuard out of the box.

  • Agentless K3s server, two-tier node scoping
  • SSH-attached remote nodes (any Linux + Docker)
  • WireGuard-encrypted inter-node traffic
  • Containers cleaned up automatically on env delete

~/lab — overlock env node · WG_ON
# Create a k3s-docker environment
$ overlock env create my-env --engine k3s-docker

# Add a remote machine as an engine node
$ overlock env node create my-remote-node \
    --env my-env \
    --host 192.168.1.100 \
    --scopes engine

# Limit each container to 2 CPU cores
$ overlock env create my-env --engine k3s-docker --cpu 2

# Fractional and percentage values supported
$ overlock env create my-env --engine k3s-docker --cpu 0.5
$ overlock env create my-env --engine k3s-docker --cpu 50%

FIG_02 // inter_node_topology

[ PNL_03 ] packages · live_dev · registries · crossplane.surface

~/lab — overlock packages · SYNC
# Install a provider
$ overlock provider install xpkg.upbound.io/crossplane-contrib/provider-gcp:v0.22.0

# Apply a configuration
$ overlock configuration apply xpkg.upbound.io/devops-toolkit/dot-application:v3.0.31

# Apply a function
$ overlock function apply xpkg.upbound.io/crossplane-contrib/function-patch-and-transform:v0.7.0

# List installed packages
$ overlock provider list
$ overlock configuration list
$ overlock function list

# Live develop · hot reload from local filesystem
$ overlock configuration serve ./my-config-package
$ overlock provider serve ./my-provider ./cmd/provider
$ overlock function serve ./my-function

The full Crossplane surface, scripted.

Pull, install, version, and remove configurations, providers and functions from any OCI registry — Upbound, GitHub Container Registry, Harbor, or your own. The verbs you already think in: install, apply, list, describe, delete.

Run a registry on your machine for development and CI/CD pipelines, or point at any remote OCI host. Same UX either way. Air-gapped teams welcome.

For local development, serve commands watch your filesystem and rebuild & reload the package within seconds — a fast feedback loop Crossplane has been missing.

SUB_PANEL_A // registry

Local and remote registries

# Local registry for development
$ overlock registry create --local --default

# Connect a remote registry
$ overlock registry create \
    --registry-server=registry.example.com \
    --username=myuser --password=***

# List configured registries
$ overlock registry list

SUB_PANEL_B // plugin_system

Drop a binary, ship a subcommand

# Use a custom plugin path
$ overlock --plugin-path /path/to/plugins <cmd>

# Default plugin path:
~/.config/overlock/plugins/
├── overlock-deploy
├── overlock-audit
└── overlock-secrets
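
Because any binary dropped into the plugin directory becomes a subcommand, the directory's permissions decide who can add one. The following is an added example, not part of Overlock: a shell function, `audit_plugins` (a hypothetical name), that flags a group- or world-writable plugin directory, writable plugin files and symlinked plugins. It assumes plugins are files named `overlock-*` directly inside the directory, as in the listing above.

```shell
#!/bin/sh
# Added example (not part of Overlock): audit a plugin directory.
# Assumption: plugins are files named overlock-* directly inside the directory,
# as in the listing on this page. audit_plugins is a hypothetical helper name.
#
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if missing.
audit_plugins() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    findings=$(
        # Directory writable by group/others: anyone in that set can add a plugin.
        find -H "$dir" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) \
            -exec echo WRITABLE_DIR {} \;
        # Plugin file writable by group/others: its contents can be swapped.
        find -H "$dir" -maxdepth 1 -type f -name 'overlock-*' \
            \( -perm -0020 -o -perm -0002 \) -exec echo WRITABLE_PLUGIN {} \;
        # Symlinked plugin: the real file lives outside the audited directory.
        find -H "$dir" -maxdepth 1 -type l -name 'overlock-*' \
            -exec echo SYMLINK_PLUGIN {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Audit the default plugin path shown above, or a directory given as $1.
audit_plugins "${1:-${HOME:-/nonexistent}/.config/overlock/plugins}" || true
```
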

[ PNL_05 ] comparable_instruments · april_2026

The platform-builder's control surface.

| capability | overlock | kubectl + helm | crossplane CLI | up CLI |
|---|---|---|---|---|
| single-command env | yes | manual | manual | yes |
| multi-engine | kind/k3s/k3d/k3s-docker | any | any | limited |
| multi-node + remote SSH | WireGuard | no | no | no |
| CPU per-node limits | --cpu 2 / 0.5 / 50% | manual | no | no |
| package management | built-in | manual | limited | built-in |
| live-reload dev loop | serve cmds | no | no | partial |
| local + remote registries | both | manual | remote only | both |
| plugin system | ~/.config/overlock/plugins | no | no | |
| vendor lock-in | none · MIT | none | none | SaaS |

[ TLM_06 ] vital_signs · live
engines · kind/k3s/k3d/k3s-docker
binary · static · no daemon
plugins · drop a binary

READY_TO_LAUNCH // final_sequence

Sixty seconds from now,
the platform is yours.

MIT licensed · no telemetry · works offline