In a nutshell

Kyma allows you to connect applications and third-party services in a cloud-native environment. Use it to create extensions for the existing systems, regardless of the language they are written in. Customize extensions with minimum effort and time devoted to learning their configuration details.

Focus purely on coding with these out-of-the-box functionalities at hand:

  • Service-to-service communication and proxying (Istio Service Mesh)
  • In-built monitoring, tracing, and logging (Grafana, Prometheus, Jaeger, Loki, Kiali)
  • Secure authentication and authorization (Dex, Service Identity, TLS, Role Based Access Control)
  • The catalog of services to choose from (Service Catalog, Service Brokers)
  • The development platform to run lightweight functions in a cost-efficient and scalable way (Serverless, Kubeless)
  • The endpoint to register Events and APIs of external applications (Application Connector)
  • The messaging channel to receive Events, enrich them, and trigger business flows using lambdas or services (Event Bus, NATS)
  • CLI supported by the intuitive UI (Console)

Main features

Major open-source and cloud-native projects, such as Istio, NATS, Kubeless, and Prometheus, constitute the cornerstone of Kyma. Its uniqueness, however, lies in the "glue" that holds these components together. Kyma collects those cutting-edge solutions in one place and combines them with the in-house developed features that allow you to connect and extend your enterprise applications easily and intuitively.

Kyma allows you to extend and customize the functionality of your products in a quick and modern way, using serverless computing or microservice architecture. The extensions and customizations you create are decoupled from the core applications, which means that:

  • Deployments are quick.
  • Scaling is independent from the core applications.
  • The changes you make can be easily reverted without causing downtime of the production system.

Last but not least, Kyma is highly cost-efficient. All Kyma native components and the connected open-source tools are written in Go. It ensures low memory consumption and reduced maintenance costs compared to applications written in other programming languages such as Java.

Technology stack

The entire solution is containerized and runs on a Kubernetes cluster. Customers can access it easily using a single sign on solution based on the Dex identity provider integrated with any OpenID Connect-compliant identity provider or a SAML2-based enterprise authentication server.

The communication between services is handled by the Istio Service Mesh component which enables security, traffic management, routing, resilience (retry, circuit breaker, timeouts), monitoring, and tracing without the need to change the application code. Build your applications using services provisioned by one of the many Service Brokers compatible with the Open Service Broker API, and monitor the speed and efficiency of your solutions using Prometheus, which gives you the most accurate and up-to-date monitoring data.

Key components

Kyma is built of numerous components but these three drive it forward:

  • Application Connector:
    • Simplifies and secures the connection between external systems and Kyma
    • Registers external Events and APIs in the Service Catalog and simplifies the API usage
    • Provides asynchronous communication with services and lambdas deployed in Kyma through Events
    • Manages secure access to external systems
    • Provides monitoring and tracing capabilities to facilitate operational aspects
  • Serverless:
    • Ensures quick deployments following a lambda function approach
    • Enables scaling independent of the core applications
    • Gives a possibility to revert changes without causing production system downtime
    • Supports the complete asynchronous programming model
    • Offers loose coupling of Event providers and consumers
    • Enables flexible application scalability and availability
  • Service Catalog:

    • Connects services from external sources
    • Unifies the consumption of internal and external services thanks to compliance with the Open Service Broker standard
    • Provides a standardized approach to managing the API consumption and access
    • Eases the development effort by providing a catalog of API and Event documentation to support automatic client code generation

This basic use case shows how the three components work together in Kyma:


Kyma and Knative - brothers in arms

Integration with Knative is a step towards Kyma modularization and the "slimming" approach which aims to extract some out-of-the-box components and provide you with a more flexible choice of tools to use in Kyma.

Both Kyma and Knative are Kubernetes and Istio-based systems that offer development and eventing platforms. The main difference, however, is their focus. While Knative concentrates more on providing the building blocks for running serverless workloads, Kyma focuses on integrating those blocks with external services and applications.

The diagram shows dependencies between the components:


Kyma and Knative cooperation focuses on replacing Kyma eventing with Knative eventing, and Kyma Serverless with Knative serving.



Kyma is built on the foundation of the best and most advanced open-source projects which make up the components readily available for customers to use. This section describes the Kyma components.

Service Catalog

The Service Catalog lists all of the services available to Kyma users through the registered Service Brokers. Use the Service Catalog to provision new services in the Kyma Kubernetes cluster and create bindings between the provisioned service and an application.

Service Mesh

The Service Mesh is an infrastructure layer that handles service-to-service communication, proxying, service discovery, traceability, and security independent of the code of the services. Kyma uses the Istio Service Mesh that is customized for the specific needs of the implementation.


Kyma security enforces RBAC (Role Based Access Control) in the cluster. Dex handles the identity management and identity provider integration. It allows you to integrate any OpenID Connect or SAML2-compliant identity provider with Kyma using connectors. Additionally, Dex provides a static user store which gives you more flexibility when managing access to your cluster.

Helm Broker

The Helm Broker is a Service Broker which runs in the Kyma cluster and deploys Kubernetes native resources using Helm and Kyma bundles. A bundle is an abstraction layer over a Helm chart which allows you to represent it as a ClusterServiceClass in the Service Catalog. Use bundles to install the GCP Broker, Azure Service Broker and the AWS Service Broker in Kyma.

Application Connector

The Application Connector is a proprietary Kyma solution. This endpoint is the Kyma side of the connection between Kyma and the external solutions. The Application Connector allows you to register the APIs and the Event Catalog, which lists all of the available events, of the connected solution. Additionally, the Application Connector proxies the calls from Kyma to external APIs in a secure way.

Event Bus

Kyma Event Bus receives Events from external solutions and triggers the business logic created with lambda functions and services in Kyma. The Event Bus is based on the NATS Streaming open source messaging system for cloud-native applications.


The Kyma Serverless component allows you to reduce the implementation and operation effort of an application to the absolute minimum. Kyma Serverless provides a platform to run lightweight functions in a cost-efficient and scalable way using JavaScript and Node.js. Kyma Serverless is built on the Kubeless framework, which allows you to deploy lambda functions, and uses the NATS messaging system that monitors business events and triggers functions accordingly.


Kyma comes bundled with tools that give you the most accurate and up-to-date monitoring data. Prometheus open source monitoring and alerting toolkit provides this data, which is consumed by different add-ons, including Grafana for analytics and monitoring, and Alertmanager for handling alerts.


The tracing in Kyma uses the Jaeger distributed tracing system. Use it to analyze performance by scrutinizing the path of the requests sent to and from your service. This information helps you optimize the latency and performance of your solution.


Logging in Kyma uses Loki, a Prometheus-like log management system.

Testing Kyma

Kyma components use Octopus for testing. Octopus is a testing framework that allows you to run tests defined as Docker images on a running cluster. Octopus uses two CustomResourceDefinitions (CRDs):

  • TestDefinition, which defines your test as a Pod specification.
  • ClusterTestSuite, which defines a suite of tests to execute and how to execute them.

Add a new test

To add a new test, create a yaml file with TestDefinition CR in your chart. To comply with the convention, place it under the tests directory. See the exemplary chart structure for Dex:

Click to copy
# Chart tree
├── Chart.yaml
├── templates
│   ├── tests
│   │ └── test-dex-connection.yaml
│   ├── dex-deployment.yaml
│   ├── dex-ingress.yaml
│   ├── dex-rbac-role.yaml
│   ├── dex-service.yaml
│   ├── pre-install-dex-account.yaml
│   ├── pre-install-dex-config-map.yaml
│   └── pre-install-dex-secrets.yaml
└── values.yaml

The test adds a new test-dex-connection.yaml under the templates/tests directory. For more information on TestDefinition, read the Octopus documentation.

The following example presents TestDefinition with a container that calls the Dex endpoint with cURL. You must define at least the spec.template parameter which is of the PodTemplateSpec type.

Click to copy
apiVersion: ""
kind: TestDefinition
name: {{ .Chart.Name }}
app: {{ .Chart.Name }}-tests {{ .Chart.Name }}-tests {{ .Release.Service }} {{ .Release.Name }} {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
annotations: "false"
- name: tests
image: tutum/curl:alpine
command: ["/usr/bin/curl"]
args: [
"--max-time", "10",
"--retry", "60",
"--retry-delay", "3",
"http://dex-service.{{ .Release.Namespace }}.svc.cluster.local:5556/.well-known/openid-configuration"
restartPolicy: Never

Tests execution

To run all tests, use the script located in the /installation/scripts/ directory. Internally, the ClusterTestSuite resource is defined. It fetches all TestDefinitions and executes them.

Run tests manually

To run tests manually, create your own ClusterTestSuite resource. See the following example:

Click to copy
kind: ClusterTestSuite
labels: "1.0"
name: {my-suite}
maxRetries: 0
concurrency: 1
count: 1

Creation of the suite triggers tests execution. See the current tests progress in the ClusterTestSuite status. Run:

Click to copy
kubectl get cts {my-suite} -oyaml

The sample output looks as follows:

Click to copy
kind: ClusterTestSuite
name: {my-suite}
concurrency: 1
count: 1
maxRetries: 0
- status: "True"
type: Running
- executions:
- completionTime: 2019-04-05T12:23:00Z
id: {my-suite}-test-dex-dex-connection-dex-0
podPhase: Succeeded
startTime: 2019-04-05T12:22:54Z
name: test-dex-dex-connection-dex
namespace: kyma-system
status: Succeeded
- executions:
- id: {my-suite}-test-core-core-ui-acceptance-0
podPhase: Running
startTime: 2019-04-05T12:37:53Z
name: test-core-core-ui-acceptance
namespace: kyma-system
status: Running
- executions: []
name: test-core-api-controller-0
namespace: kyma-system
status: NotYetScheduled
startTime: 2019-04-05T12:22:53Z

The ID of the test execution is the same as the ID of the testing Pod. The testing Pod is created in the same Namespace as its TestDefinition. To get logs for a specific test, run the following command:

Click to copy
kubectl logs {execution-id} -n {test-def-namespace}


Kyma uses Helm charts to deliver single components and extensions, as well as the core components. This document contains information about the chart-related technical concepts, dependency management to use with Helm charts, and chart examples.

Manage dependencies with Init Containers

The ADR 003: Init Containers for dependency management document declares the use of Init Containers as the primary dependency mechanism.

Init Containers present a set of distinctive behaviors:

  • They always run to completion.
  • They start sequentially, only after the preceding Init Container completes successfully. If any of the Init Containers fails, the Pod restarts. This is always true, unless the restartPolicy equals never.

Readiness Probes ensure that the essential containers are ready to handle requests before you expose them. At a minimum, probes are defined for every container accessible from outside of the Pod. It is recommended to pair the Init Containers with readiness probes to provide a basic dependency management solution.


Here are some examples:

  1. Generic
Click to copy
apiVersion: apps/v1beta2
kind: Deployment
name: nginx-deployment
replicas: 3
app: nginx
app: nginx
- name: nginx
image: nginx:1.7.9
- containerPort: 80
path: /healthz
port: 80
initialDelaySeconds: 30
timeoutSeconds: 1
Click to copy
apiVersion: v1
kind: Pod
name: myapp-pod
- name: init-myservice
image: busybox
command: ['sh', '-c', 'until nslookup nginx; do echo waiting for nginx; sleep 2; done;']
- name: myapp-container
image: busybox
command: ['sh', '-c', 'echo The app is running! && sleep 3600']
  1. Kyma
Click to copy
apiVersion: extensions/v1beta1
kind: Deployment
name: helm-broker
app: helm-broker
replicas: 1
app: helm-broker
type: RollingUpdate
maxUnavailable: 0
app: helm-broker
- name: init-helm-broker
command: ['sh', '-c', 'until nc -zv service-catalog-controller-manager.kyma-system.svc.cluster.local 8080; do echo waiting for etcd service; sleep 2; done;']
- name: helm-broker
- containerPort: 6699
port: 6699
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 3
successThreshold: 1
timeoutSeconds: 2

Support for the Helm wait flag

High level Kyma components, such as core, come as Helm charts. These charts are installed as part of a single Helm release. To provide ordering for these core components, the Helm client runs with the --wait flag. As a result, Tiller waits for the readiness of all of the components, and then evaluates the readiness.

For Deployments, set the strategy to RollingUpdate and set the MaxUnavailable value to a number lower than the number of replicas. This setting is necessary, as readiness in Helm v2.10.0 is fulfilled if the number of replicas in ready state is not lower than the expected number of replicas:

Click to copy
ReadyReplicas >= TotalReplicas - MaxUnavailable

Chart installation details

The Tiller server performs the chart installation process. This is the order of operations that happen during the chart installation:

  • resolve values
  • recursively gather all templates with the corresponding values
  • sort all templates
  • render all templates
  • separate hooks and manifests from files into sorted lists
  • aggregate all valid manifests from all sub-charts into a single manifest file
  • execute PreInstall hooks
  • create a release using the ReleaseModule API and, if requested, wait for the actual readiness of the resources
  • execute PostInstall hooks


All notes are based on Helm v2.10.0 implementation and are subject to change in future releases.

  • Regardless of how complex a chart is, and regardless of the number of sub-charts it references or consists of, it's always evaluated as one. This means that each Helm release is compiled into a single Kubernetes manifest file when applied on API server.

  • Hooks are parsed in the same order as manifest files and returned as a single, global list for the entire chart. For each hook the weight is calculated as a part of this sort.

  • Manifests are sorted by Kind. You can find the list and the order of the resources on the Kubernetes Tiller website.


  • resource is any document in a chart recognized by Helm or Tiller. This includes manifests, hooks, and notes.
  • template is a valid Go template. Many of the resources are also Go templates.

Deploy with a private Docker registry

Docker is a free tool to deploy applications and servers. To run an application on Kyma, provide the application binary file as a Docker image located in a Docker registry. Use the DockerHub public registry to upload your Docker images for free access to the public. Use a private Docker registry to ensure privacy, increased security, and better availability.

This document shows how to deploy a Docker image from your private Docker registry to the Kyma cluster.


The deployment to Kyma from a private registry differs from the deployment from a public registry. You must provide Secrets accessible in Kyma, and referenced in the .yaml deployment file. This section describes how to deploy an image from a private Docker registry to Kyma. Follow the deployment steps:

  1. Create a Secret resource.
  2. Write your deployment file.
  3. Submit the file to the Kyma cluster.

Create a Secret for your private registry

A Secret resource passes your Docker registry credentials to the Kyma cluster in an encrypted form. For more information on Secrets, refer to the Kubernetes documentation.

To create a Secret resource for your Docker registry, run the following command:

Click to copy
kubectl create secret docker-registry {secret-name} --docker-server={registry FQN} --docker-username={user-name} --docker-password={password} --docker-email={registry-email} --namespace={namespace}

Refer to the following example:

Click to copy
kubectl create secret docker-registry docker-registry-secret --docker-server=myregistry:5000 --docker-username=root --docker-password=password --namespace=production

The Secret is associated with a specific Namespace. In the example, the Namespace is production. However, you can modify the Secret to point to any desired Namespace.

Write your deployment file

  1. Create the deployment file with the .yml extension and name it deployment.yml.

  2. Describe your deployment in the .yml file. Refer to the following example:

Click to copy
apiVersion: apps/v1beta2
kind: Deployment
namespace: production # {production/stage/qa}
name: my-deployment # Specify the deployment name.
annotations: true
replicas: 3 # Specify your replica - how many instances you want from that deployment.
app: app-name # Specify the app label. It is optional but it is a good practice.
app: app-name # Specify app label. It is optional but it is a good practice.
version: v1 # Specify your version.
- name: container-name # Specify a meaningful container name.
image: myregistry:5000/user-name/image-name:latest # Specify your image {registry FQN/your-username/your-space/image-name:image-version}.
- containerPort: 80 # Specify the port to your image.
- name: docker-registry-secret # Specify the same Secret name you generated in the previous step for this Namespace.
- name: example-secret-name # Specify your Namespace Secret, named `example-secret-name`.
  1. Submit your deployment file using this command:
Click to copy
kubectl apply -f deployment.yml

Your deployment is now running on the Kyma cluster.

Resource quotas

Resource quotas are a convenient way to manage the consumption of resources in a Kyma cluster. You can easily set resource quotas for every Namespace you create through the Console UI.

When you click Create Namespace, you can define:

  • Total Memory Quotas, which limit the overall memory consumption by the Namespace by creating a ResourceQuota object.
  • Limits per container, which limit the memory consumption for individual containers in the Namespace by creating LimitRange objects.

To manage existing resource quotas in a Namespace, select that Namespace in the Namespaces view of the Console and go to the Resources tab. This view allows you to edit or delete the existing limits.

TIP: If you want to manage ResourceQuotas and LimitRanges directly from the terminal, follow this comprehensive Kubernetes guide.



Kyma is a complex tool which consists of many different components that provide various functionalities to extend your application. This entails high technical requirements that can influence your local development process. To meet the customer needs, we ensured Kyma modularity. This way you can decide not to include a given component in the Kyma installation, or install it after the Kyma installation process.

To make the local development process easier, we introduced the Kyma Lite concept in which case some components are not included in the local installation process by default. These are the Kyma and Kyma Lite components:

ComponentKymaKyma Lite

NOTE: To include backup in the installation process, you need to set it up first. Use the Kyma backup setup instructions to do so.

Installation guides

Follow these installation guides to install Kyma locally or on a cluster:

Read the rest of the installation documents to learn how to:

NOTE: Make sure that the version of the documentation selected in the left pane of matches the version of Kyma you're using.

Install Kyma locally

This Installation guide shows you how to quickly deploy Kyma locally on the MacOS and Linux platforms. Kyma is installed locally using a proprietary installer based on a Kubernetes operator.

TIP: See this document for troubleshooting tips.



NOTE: To work with Kyma, use only the provided commands. Kyma requires a specific Minikube configuration and does not work on a basic Minikube cluster that you can start using the minikube start command.

Install Kyma

Follow these instructions to install Kyma from a release or from sources:

  • From a release
  • From sources
  1. Provision a Kubernetes cluster on Minikube. Run:

    Click to copy
    kyma provision minikube

    NOTE: The provision command uses the default Minikube VM driver installed for your operating system. For a list of supported VM drivers see this document.

  1. Install the latest Kyma release on Minikube:

    Click to copy
    kyma install

    NOTE If you want to install a specific release version, go to the GitHub releases page to find out more about available releases. Use the release version as a parameter when calling kyma install --release {KYMA_RELEASE}.

Post-installation steps

Kyma comes with a local wildcard self-signed server.crt certificate. The kyma install command already downloads and adds trusted certificates to your OS so you can access the Console UI.

NOTE: Mozilla Firefox uses its own certificate keychain. If you want to access the Console UI though Firefox, add the Kyma wildcard certificate to the certificate keychain of the browser. To access the Application Connector and connect an external solution to the local deployment of Kyma, you must add the certificate to the trusted certificate storage of your programming environment. Read this document to learn more.

  1. After the installation is completed, you can access the Console UI. Go to this address and select Login with Email. Use the email address and the password printed in the terminal once the installation process is completed.

  2. At this point, Kyma is ready for you to explore. See what you can achieve using the Console UI or check out one of the available examples.

Read this document to learn how to reinstall Kyma without deleting the cluster from Minikube. To learn how to test Kyma, see this document.

Stop and restart Kyma without reinstalling

Use the Kyma CLI to restart the Minikube cluster without reinstalling Kyma. Follow these steps to stop and restart your cluster:

  1. Stop the Minikube cluster with Kyma installed. Run:
    Click to copy
    minikube stop
  2. Restart the cluster without reinstalling Kyma. Run:
    Click to copy
    kyma provision minikube

The Kyma CLI discovers that a Minikube cluster is initialized and asks if you want to delete it. Answering no causes the Kyma CLI to start the Minikube cluster and restarts all of the previously installed components. Even though this procedure takes some time, it is faster than a clean installation as you don't download all of the required Docker images.

To verify that the restart is successful, run this command and check if all Pods have the RUNNING status:

Click to copy
kubectl get pods --all-namespaces

Install Kyma on a cluster

This installation guide explains how you can quickly deploy Kyma on a cluster with a wildcard DNS provided by using a GitHub release of your choice.

NOTE: If you want to expose the Kyma cluster on your own domain, follow this installation guide. To install using your own image instead of a GitHub release, follow these instructions.

If you need to use Helm and access Tiller, complete the additional configuration after the installation.

Choose the installation type and get started:

  • GCP Marketplace
  • GKE
  • AKS
  1. Access project Kyma on the Google Cloud Platform (GCP) Marketplace and click CONFIGURE.
  1. When the pop-up box appears, select you project from the available list and confirm your choice.
  1. To create a Kubernetes cluster for your Kyma installation, select a cluster zone from the drop-down menu and click Create cluster. Wait for a few minutes for the Kubernetes cluster to deploy.
  1. Leave the default values or adjust these settings:

    FieldDefault value
    App instance namekyma-1
    Cluster Admin Service AccountCreate a new service account
  2. Accept the GCP Marketplace Terms of Service to continue.

  1. Click the Deploy button for the Kyma installation to start.

NOTE: The installation can take several minutes to complete.

  1. Once you become redirected to the Applications page under Kubernetes Engine in the GCP Console, you get the installation status details. Check the installation status. If it is green, follow the steps under the Next steps section in INFO PANEL to import the self-signed TLS certificate to your trusted certified authorities.
  1. Access the cluster using the link and login details provided in the Kyma info section on the Application details page.

TIP: Watch this video for a walkthrough of the installation process.

Use your own domain

This guide explains how to deploy Kyma on a cluster using your own domain.

TIP: Get a free domain for your cluster using services like or similar.

Choose your cloud provider and get started:

  • GKE
  • AKS

Install Kyma on a Google Kubernetes Engine (GKE) cluster.


Choose the release to install

  1. Go to this page and choose the release you want to install.
  1. Export the release version as an environment variable. Run:

    Click to copy

DNS setup and TLS certificate generation

Delegate the management of your domain to Google Cloud DNS

NOTE: Google Cloud DNS setup has to be done only once per DNS zone

Follow these steps:

  1. Export the project name, domain name, and DNS zone name as environment variables. Run the commands listed below:

    Click to copy


    Click to copy
    export DNS_ZONE=myzone
  2. Create a DNS-managed zone in your Google project. Run:

    Click to copy
    gcloud dns --project=$GCP_PROJECT managed-zones create $DNS_ZONE --description= --dns-name=$DNS_NAME

    Alternatively, create it through the GCP UI. Navigate go to Network Services in the Network section, click Cloud DNS and select Create Zone.

  3. Delegate your domain to Google name servers.

    • Get the list of the name servers from the zone details. This is a sample list:
      Click to copy
    • Set up your domain to use these name servers.
  4. Check if everything is set up correctly and your domain is managed by Google name servers. Run:

    Click to copy
    host -t ns $DNS_NAME

    A successful response returns the list of the name servers you fetched from GCP.

Get the TLS certificate

  1. Export the certificate issuer email and the cluster domain as environment variables:

    Click to copy
    export DOMAIN="$CLUSTER_NAME.$(echo $DNS_NAME | sed `s/\.$//`)"
  2. Create a folder for certificates. Run:

    Click to copy
    mkdir letsencrypt
  3. Create a new service account and assign it to the dns.admin role. Run these commands:

    Click to copy
    gcloud iam service-accounts create dnsmanager --display-name "dnsmanager" --project "$GCP_PROJECT"
    Click to copy
    gcloud projects add-iam-policy-binding $GCP_PROJECT \
    --member serviceAccount:dnsmanager@$ --role roles/dns.admin

    NOTE: You don't have to create a new DNS manager service account (SA) every time you deploy a cluster. Instead, you can use an existing SA that has the dns.admin assigned.

  1. Generate an access key for this account in the letsencrypt folder. Run:

    Click to copy
    gcloud iam service-accounts keys create ./letsencrypt/key.json --iam-account dnsmanager@$

    NOTE: The number of keys you can generate for a single service account is limited. Reuse the existing keys instead of generating a new key for every cluster.

  1. Run the Certbot Docker image with the letsencrypt folder mounted. Certbot uses the key to apply DNS challenge for the certificate request and stores the TLS certificates in that folder. Run:

    Click to copy
    docker run -it --name certbot --rm \
    -v "$(pwd)/letsencrypt:/etc/letsencrypt" \
    certbot/dns-google \
    certonly \
    -m $CERT_ISSUER_EMAIL --agree-tos --no-eff-email \
    --dns-google \
    --dns-google-credentials /etc/letsencrypt/key.json \
    --server \
    -d "*.$DOMAIN"
  2. Export the certificate and key as environment variables. Run these commands:

    Click to copy
    export TLS_CERT=$(cat ./letsencrypt/live/$DOMAIN/fullchain.pem | base64 | sed 's/ /\\ /g' | tr -d '\n');
    export TLS_KEY=$(cat ./letsencrypt/live/$DOMAIN/privkey.pem | base64 | sed 's/ /\\ /g' | tr -d '\n')

Prepare the GKE cluster

  1. Select a name for your cluster. Set the cluster name and the zone you want to deploy to as environment variables. Run:

    Click to copy
  2. Create a cluster in the configured zone. Run:

    Click to copy
    gcloud container --project "$GCP_PROJECT" clusters \
    create "$CLUSTER_NAME" --zone "$GCP_ZONE" \
    --cluster-version "1.12" --machine-type "n1-standard-4" \
    --addons HorizontalPodAutoscaling,HttpLoadBalancing
  3. Ensure kubectl is configured to use your new cluster. Run:

    Click to copy
    gcloud container clusters get-credentials $CLUSTER_NAME --zone $GCP_ZONE --project $GCP_PROJECT
  4. Add your account as the cluster administrator:

    Click to copy
    kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value account)
  5. Install Tiller on your GKE cluster. Run:

    Click to copy
    kubectl apply -f$KYMA_VERSION/installation/resources/tiller.yaml
  6. Install custom installation overrides for your DNS domain and TLC certifcates. Run:

    Click to copy
    kubectl create namespace kyma-installer \
    && kubectl create configmap owndomain-overrides -n kyma-installer --from-literal=global.domainName=$DOMAIN --from-literal=global.tlsCrt=$TLS_CERT --from-literal=global.tlsKey=$TLS_KEY \
    && kubectl label configmap owndomain-overrides -n kyma-installer installer=overrides

    TIP: An example config map is available here

Install Kyma

  1. Deploy Kyma. Run:

    Click to copy
    kubectl apply -f$KYMA_VERSION/kyma-installer-cluster.yaml
  2. Check if the Pods of Tiller and the Kyma Installer are running:

    Click to copy
    kubectl get pods --all-namespaces
  3. To watch the installation progress, run:

    Click to copy
    while true; do \
    kubectl -n default get installation/kyma-installation -o jsonpath="{'Status: '}{.status.state}{', description: '}{.status.description}"; echo; \
    sleep 5; \

    After the installation process is finished, the Status: Installed, description: Kyma installed message appears. In case of an error, you can fetch the logs from the Kyma Installer by running:

    Click to copy
    kubectl -n kyma-installer logs -l 'name=kyma-installer'

Configure DNS for the cluster load balancer

To add DNS entries, run these commands:

Click to copy
export EXTERNAL_PUBLIC_IP=$(kubectl get service -n istio-system istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
export APISERVER_PUBLIC_IP=$(kubectl get service -n kyma-system apiserver-proxy-ssl -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
gcloud dns --project=$PROJECT record-sets transaction start --zone=$DNS_ZONE
gcloud dns --project=$PROJECT record-sets transaction add $EXTERNAL_PUBLIC_IP --name=\*.$DOMAIN. --ttl=60 --type=A --zone=$DNS_ZONE
gcloud dns --project=$PROJECT record-sets transaction add $APISERVER_PUBLIC_IP --name=\apiserver.$DOMAIN. --ttl=60 --type=A --zone=$DNS_ZONE
gcloud dns --project=$PROJECT record-sets transaction execute --zone=$DNS_ZONE

Access the cluster

  1. To get the address of the cluster's Console, check the host of the Console's virtual service. The name of the host of this virtual service corresponds to the Console URL. To get the virtual service host, run:

    Click to copy
    kubectl get virtualservice core-console -n kyma-system -o jsonpath='{ .spec.hosts[0] }'
  2. Access your cluster under this address:

    Click to copy
  3. To log in to your cluster's Console UI, use the default admin static user. Click Login with Email and sign in with the email address. Use the password contained in the admin-user Secret located in the kyma-system Namespace. To get the password, run:

    Click to copy
    kubectl get secret admin-user -n kyma-system -o jsonpath="{.data.password}" | base64 --decode

Use your own Kyma Installer image

When you install Kyma from a release, you use the release artifacts that already contain the Kyma Installer - a Docker image containing the combined binary of the Kyma Operator and the component charts from the /resources folder. If you install Kyma from sources and use the latest master branch, you must build the image yourself to prepare the configuration file for Kyma installation on a GKE or AKS cluster. You also require a new image if you add components and custom Helm charts that are not included in the /resources folder to the installation.

In addition to the tools required to install Kyma on a cluster, you also need:

  1. Clone the Kyma repository to your machine using either HTTPS or SSH. Run this command to clone the repository and change your working directory to kyma:

    • HTTPS
    • SSH
    Click to copy
    git clone ; cd kyma
  2. Build a Kyma-Installer image that is based on the current Kyma Operator binary and includes the current installation configurations and resources charts. Run:

    Click to copy
    docker build -t kyma-installer -f tools/kyma-installer/kyma.Dockerfile .
  3. Push the image to your Docker Hub. Run:

    Click to copy
    docker tag kyma-installer:latest {YOUR_DOCKER_LOGIN}/kyma-installer
    docker push {YOUR_DOCKER_LOGIN}/kyma-installer
  4. Prepare the Kyma deployment file. Run this command:

    Click to copy
    (cat installation/resources/installer.yaml ; echo "---" ; cat installation/resources/installer-cr-cluster.yaml.tpl) > my-kyma.yaml
  5. The output of this operation is the my-kyma.yaml file. Find the following section in my-kyma.yaml and modify it to fetch the image you prepared. Change the image attribute value to {YOUR_DOCKER_LOGIN}/kyma-installer:

    Click to copy
    name: kyma-installer
    serviceAccountName: kyma-installer
    - name: kyma-installer-container
    image: {YOUR_DOCKER_LOGIN}/kyma-installer
    imagePullPolicy: IfNotPresent
  6. Use the my-kyma.yaml file to deploy Kyma. Choose the desired installation option and run this command after you prepared the cluster:

    Click to copy
    kubectl apply -f my-kyma.yaml

Use Helm

You can use Helm to manage Kubernetes resources in Kyma, for example to check the already installed Kyma charts or to install new charts that are not included in the Kyma Installer image.

To use it, you must establish a secure connection with Tiller by saving the cluster's client certificate, key, and Certificate Authority (CA) to Helm Home.

NOTE: Read this document to learn more about TLS in Tiller.

Run these commands at the end of the Kyma cluster installation to save the client certificate, key, and CA to Helm Home:

Click to copy
kubectl get -n kyma-installer secret helm-secret -o jsonpath="{.data['global\.helm\.ca\.crt']}" | base64 --decode > "$(helm home)/ca.pem";
kubectl get -n kyma-installer secret helm-secret -o jsonpath="{.data['global\.helm\.tls\.crt']}" | base64 --decode > "$(helm home)/cert.pem";
kubectl get -n kyma-installer secret helm-secret -o jsonpath="{.data['global\.helm\.tls\.key']}" | base64 --decode > "$(helm home)/key.pem";

Additionally, you must add the --tls flag to every Helm command you run.

Upgrade Kyma

Upgrading Kyma is the process of migrating from one version of the software to a newer release. This operation depends on release artifacts listed in the Assets section of the GitHub releases page and migration guides delivered with the target release.

To upgrade to a version that is several releases newer than the version you're currently using, you must move up to the desired release incrementally. You can skip patch releases.

For example, if you're running Kyma 1.0 and you want to upgrade to version 1.3, you must perform these operations:

  1. Upgrade from version 1.0 to version 1.1.
  2. Upgrade from version 1.1 to version 1.2.
  3. Upgrade from version 1.2 to version 1.3.

NOTE: Kyma does not support a dedicated downgrade procedure. You can achieve a similar result by restoring your cluster from a backup. Read this document to learn more about backups.

The upgrade procedure relies heavily on Helm. As a result, the availability of cluster services during the upgrade is not defined by Kyma and can vary from version to version. The existing custom resources (CRs) remain in the cluster.

NOTE: To learn more about the technical aspects of the upgrade, read this document.

Upgrade Kyma to a newer version

Follow these steps:

  1. Check which version you're currently running. Run this command:
    Click to copy
    kubectl -n kyma-installer get deploy kyma-installer -o jsonpath='{.spec.template.spec.containers[].image}'
  2. Perform the required actions described in the migration guide published with the release you want to upgrade to. Migration guides are linked in the release notes and are available on the respective release branches in the docs/migration-guides directory.

    NOTE: Not all releases require you to perform additional migration steps. If your target release doesn't come with a migration guide, proceed to the next step.

  3. Trigger the upgrade:

    • Local deployment
    • Cluster deployment
    • Download the kyma-config-local.yaml artifact. Run this command to apply the overrides required by the new release to your Minikube cluster:

      Click to copy
      kubectl apply -f {KYMA-CONFIG-LOCAL-FILE}

      NOTE: If you customized your deployment and its overrides, download the kyma-config-local.yaml artifact and compare your changes to the overrides of the target release. Merge your changes if necessary.

    • Download the kyma-installer-local.yaml artifact and apply it to the cluster to upgrade Kyma. Run:

      Click to copy
      kubectl apply -f {KYMA-INSTALLER-LOCAL-FILE}
  4. Applying the release artifacts to the cluster triggers the installation of the desired Kyma version. To watch the installation status, run:

    • Local deployment
    • Cluster deployment
    Click to copy

Update Kyma

This guide describes how to update Kyma deployed locally or on a cluster.

NOTE: Updating Kyma means introducing changes to a running deployment. If you want to upgrade to a newer version, read this document.


  • Docker
  • Access to a Docker Registry - only for cluster installation


Kyma consists of multiple components, installed as Helm releases.

Update of an existing deployment can include:

  • Changes in charts
  • Changes in overrides
  • Adding new Helm releases

The update procedure consists of three main steps:

  • Prepare the update
  • Update the Kyma Installer
  • Trigger the update process

In case of dependency conflicts or major changes between components versions, some updates may not be possible.

CAUTION: Currently Kyma doesn't support removing components as a part of the update process.

Prepare the update

  • If you update an existing component, make all required changes to the Helm charts of the component located in the resources directory.

  • If you add a new component to your Kyma deployment, add a top-level Helm chart for that component. Additionally, run this command to edit the Installation custom resource and add the new component to the installed components list:

    Click to copy
    kubectl edit installation kyma-installation

NOTE: Read this document to learn more about the Installation custom resource.

  • If you introduced changes in overrides, update the existing ConfigMaps and Secrets. Add new ConfigMaps and Secrets if required. See this document for more information on overrides.

Perform the update

If your changes involve any modifications in the /resources folder that includes component chart configurations, perform the whole update process that includes updating the Kyma Installer and triggering the update. If you only modify installation artifacts, for example by adding or removing components in the installation files or adding or removing overrides in the configuration files, only trigger the update process.

Read about each update step in the following sections.

Update the Kyma Installer on a local deployment

  • Build a new image for the Kyma Installer:

    Click to copy

    NOTE: If you started Kyma with the script with a --vm-driver {value} parameter, provide the same parameter to the script.

  • Restart the Kyma Installer Pod:

    Click to copy
    kubectl delete pod -n kyma-installer {INSTALLER_POD_NAME}

Update the Kyma Installer on a cluster deployment

  • Build a new image for the Kyma Installer:

    Click to copy
    docker build -t {IMAGE_NAME}:{IMAGE_TAG} -f tools/kyma-installer/kyma.Dockerfile .
  • Push the image to your Docker registry.

  • Redeploy the Kyma Installer Pod using the new image. Run this command to edit the Deployment configuration:

    Click to copy
    kubectl edit deployment kyma-installer -n kyma-installer

    Change the image and imagePullPolicy attributes in this section:

    Click to copy
    - image: <your_image_name>:<your_tag>
    imagePullPolicy: Always

    NOTE: If the desired image name and imagePullPolicy is already set in the deployment configuration, restart the Pod by running kubectl delete pod -n kyma-installer {INSTALLER_POD_NAME}.

Trigger the update process

Execute the following command to trigger the update process:

Click to copy
kubectl label installation/kyma-installation action=install

Reinstall Kyma

The Kyma CLI allow you to remove Kyma from a Minikube cluster and reinstall Kyma without removing the cluster.

NOTE: The Kyma CLI can uninstall Kyma without deleting the cluster from your Minikube. This allows you to quickly reinstall Kyma.

  1. Use Kyma CLI to uninstall Kyma from the cluster. Run:

    Click to copy
    kyma uninstall
  2. Run this command to reinstall Kyma on an existing cluster:

    Click to copy
    kyma install



You can configure the Kyma installation by:

  • Customizing the list of the components to install.
  • Providing overrides that change the configuration values used by one or more components.

The list of components to install is defined in the Installation custom resource (CR). The overrides are delivered as ConfigMaps or Secrets defined by the user before triggering the installation. The Kyma Installer reads the configuration from the Installation CR and the overrides and applies it in the installation process.

Default settings

The default settings for the cluster and local installation are defined in different files.

  • Local installation
  • Cluster installation

For the list of all components available to install see the installer-cr.yaml.tpl file. For the list of the default installation overrides see the installer-config-local.yaml.tpl file. Other configuration values are defined directly in the configuration of the respective components.

CAUTION: The default configuration uses tested and recommended settings. Change them at your own risk.

Installation configuration

Before you start the Kyma installation process, you can customize the default settings.


One of the released Kyma artifacts is the Kyma Installer, a Docker image that combines the Kyma Operator executable with charts of all components available in the release. The Kyma Installer can install only the components contained in its image. The Installation CR specifies which components of the available components are installed. The component list in the Installation CR has the components that are not an integral part of the default Kyma Lite package commented out with a hash character (#). The Kyma Installer doesn't install these components. You can customize the list of components by:

  • Uncommenting a component entry to install the component.
  • Commenting out a component entry using the hash character (#) to skip the installation of that component.
  • Adding new components along with their chart definitions to the list. If you do that, you must build your own Kyma Installer image as you are adding a new component to Kyma.

For more details on custom component installation, see this document.


The common overrides that affect the entire installation, are described in the installation guides. Other overrides are component-specific. To learn more about the configuration options available for a specific component, see the Configuration section of the component's documentation.

CAUTION: Override only values for those parameters from values.yaml files that are exposed in configuration documents for a given component.

Read more about the types of overrides and the rules for creating them.

CAUTION: An override must exist in a cluster before the installation starts. If you fail to deliver the override before the installation, the configuration can't be applied.

Advanced configuration

All values.yaml files in charts and sub-charts contain pre-defined attributes that are:

  • Configurable
  • Used in chart templates
  • Recommended production settings

You can only override values that are included in the values.yaml files of a given resource. If you want to extend the available customization options, request adding a new attribute with a default value to the pre-defined list in values.yaml. Raise a pull request in which you propose changes in the chart, the new attribute, and its value to be added to values.yaml. This way you ensure that you can override these values when needed, without these values being overwritten each time an update or rebase takes place.

NOTE: Avoid modifications of such open-source components as Istio or Service Catalog as such changes can severely impact their future version updates.

Custom component installation

By default, you install Kyma with a set of components provided in the Kyma Lite package.

During installation, the Kyma Installer applies the content of the local or cluster installation file that includes the list of component names and Namespaces in which the components are installed. The Installer skips the lines starting with a hash character (#):

Click to copy
#- name: "backup"
# namespace: "kyma-system"

You can modify the component list as follows:

  • Add components to the installation file before the installation
  • Add components to the installation file after the installation
  • Remove components from the installation file before the installation

NOTE: Currently, it is not possible to remove a component that is already installed. If you remove it from the installation file or precede its entries with a hash character (#) when Kyma is already installed, the Kyma Installer simply does not update this component during the update process but the component is not removed.

Each modification requires an action from the Kyma Installer for the changes to take place:

  • If you make changes before the installation, proceed with the standard installation process to finish Kyma setup.
  • If you make changes after the installation, follow the update process to refresh the current setup.

Read the subsections for details.

Add a component

You can add a component before and after installation.

Installation from the release

  1. Download the newest version of Kyma.
  2. Customize the installation by adding a component to the list in the installation file or removing the hash character (#) in front of the name and namespace entries. For example, to enable the Monitoring installation, add or unmark these entries:
    Click to copy
    - name: "monitoring"
    namespace: "kyma-system"
  • in the kyma-installer-local.yaml file for the local installation
  • in the kyma-installer-cluster.yaml file for the cluster installation
  1. Follow the installation steps to install Kyma locally from the release or install Kyma on a cluster.

Installation from sources

  1. Customize the installation by adding a component to the list of components or removing the hash character (#) in front of the name and namespace entries in the following installation files:
  1. Follow the installation steps to install Kyma locally from sources or install Kyma on a cluster.

Post-installation changes

To add a component that was not installed with Kyma by default, modify the Installation custom resource.

  1. Edit the resource:
    Click to copy
    kubectl edit installation kyma-installation
  2. Add the new component to the list of components or remove the hash character (#) preceding these lines:
    Click to copy
    #- name: "jaeger"
    # namespace: "kyma-system"
  3. Trigger the installation:

    Click to copy
    kubectl label installation/kyma-installation action=install

Verify the installation

You can verify the installation status by calling ./installation/scripts/ in the terminal.

Remove a component

You can only remove the component before the installation process starts. To disable a component on the list of components that you install with Kyma by default, remove this component's name and namespace entries from the appropriate installation file or add hash character (#) in front of them. The file differs depending on whether you install Kyma from the release or from sources, and if you install Kyma locally or on a cluster. The version of your component's deployment must match the version that Kyma currently supports.

NOTE: For some components, you must perform additional actions to remove them from the Kyma installation. In case of Istio and the Service Catalog, you must provide your own deployment of these components in the Kyma-supported version before you remove them from the installation process. See this file to check the currently supported version of Istio. See this file to check the currently supported version of the Service Catalog.

Installation from the release

  1. Download the newest version of Kyma.
  2. Customize the installation by removing a component from the list in the installation file or adding a hash character (#) in front of the name and namespace entries. For example, to disable the Application Connector installation, remove these entries or add a hash character (#) in front of:
    Click to copy
    - name: "application-connector"
    namespace: "kyma-system"
  • in the kyma-installer-local.yaml file for the local installation
  • in the kyma-installer-cluster.yaml file for the cluster installation
  1. Follow the installation steps to install Kyma locally from the release or install Kyma on a cluster.

Installation from sources

  1. Customize the installation by removing a component from the list of components or adding a hash character (#) in front of the name and namespace entries in the following installation files:
  1. Follow the installation steps to install Kyma locally from sources or install Kyma on a cluster.

Verify the installation

  1. Check if all Pods are running in the kyma-system Namespace:
    Click to copy
    kubectl get pods -n kyma-system
  2. Sign in to the Kyma Console using the email address as described in the Install Kyma locally from the release document.

Helm overrides for Kyma installation

Kyma packages its components into Helm charts that the Kyma Operator uses during installation and updates. This document describes how to configure the Kyma Installer with new values for Helm charts to override the default settings in values.yaml files.


The Kyma Operator is a Kubernetes Operator that uses Helm to install Kyma components. Helm provides an overrides feature to customize the installation of charts, for example to configure environment-specific values. When using Kyma Operator for Kyma installation, users can't interact with Helm directly. The installation is not an interactive process.

To customize the Kyma installation, the Kyma Operator exposes a generic mechanism to configure Helm overrides called user-defined overrides.

User-defined overrides

The Kyma Operator finds user-defined overrides by reading the ConfigMaps and Secrets deployed in the kyma-installer Namespace and marked with:

  • the installer: overrides label
  • a component: {COMPONENT_NAME} label if the override refers to a specific component

NOTE: There is also an additional "" label in all ConfigMaps and Secrets that allows you to easily filter the installation resources.

The Kyma Operator constructs a single override by inspecting the ConfigMap or Secret entry key name. The key name should be a dot-separated sequence of strings corresponding to the structure of keys in the chart's values.yaml file or the entry in chart's template.

The Kyma Operator merges all overrides recursively into a single yaml stream and passes it to Helm during the Kyma installation and upgrade operations.

Common vs. component overrides

The Kyma Operator looks for available overrides each time a component installation or an update operation is due. Overrides for a component are composed of two sets: common overrides and component-specific overrides.

Kyma uses common overrides for the installation of all components. ConfigMaps and Secrets marked with the installer: overrides label contain the definition.

Kyma uses component-specific overrides only for the installation of specific components. ConfigMaps and Secrets marked with both installer: overrides and component: {component-name} labels contain the definition. Component-specific overrides have precedence over common ones in case of conflicting entries.

NOTE: Add the additional "" label to both common and component-specific overrides to enable easy installation resources filtering.

Overrides examples

Top-level charts overrides

Overrides for top-level charts are straightforward. Just use the template value from the chart as the entry key in the ConfigMap or Secret. Leave out the .Values. prefix.

Se an example:

The Installer uses an asset-store top-level chart that contains a template with the following value reference:

Click to copy
resources: {{ toYaml .Values.resources | indent 12 }}

The chart's default values minio.resources.limits.memory and minio.resources.limits.cpu in the values.yaml file resolve the template. The following fragment of values.yaml shows this definition:

Click to copy
memory: "128Mi"
cpu: "100m"

To override these values, for example to 512Mi and 250m, proceed as follows:

  • Create a ConfigMap in the kyma-installer Namespace and label it.
  • Add the minio.resources.limits.memory: 512Mi and minio.resources.limits.cpu: 250m entries to the ConfigMap and apply it:
Click to copy
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
name: assetstore-overrides
namespace: kyma-installer
installer: overrides
component: assetstore ""
minio.resources.limits.memory: 512Mi #increased from 128Mi
minio.resources.limits.cpu: 250m #increased from 100m

Once the installation starts, the Kyma Operator generates overrides based on the ConfigMap entries. The system uses the values of 512Mi instead of the default 128Mi for Minio memory and 250m instead of 100m for Minio CPU from the chart's values.yaml file.

For overrides that the system should keep in Secrets, just define a Secret object instead of a ConfigMap with the same key and a base64-encoded value. Be sure to label the Secret.

If you add the overrides in the runtime, trigger the update process using this command:

Click to copy
kubectl label installation/kyma-installation action=install

Sub-chart overrides

Overrides for sub-charts follow the same convention as top-level charts. However, overrides require additional information about sub-chart location.

When a sub-chart contains the values.yaml file, the information about the chart location is not necessary because the chart and its values.yaml file are on the same level in the directory hierarchy.

The situation is different when the Kyma Operator installs a chart with sub-charts. All template values for a sub-chart must be prefixed with a sub-chart "path" that is relative to the top-level "parent" chart.

This is not an Kyma Operator-specific requirement. The same considerations apply when you provide overrides manually using the helm command-line tool.

Here is an example. There's a core top-level chart that the Kyma Installer installs. There's an application-connector sub-chart in core with a nested connector-service sub-chart. In one of its templates, there's a following fragment:

Click to copy
- name: {{ .Chart.Name }}
- "/connectorservice"
- '--appName={{ .Chart.Name }}'
- "--domainName={{ }}"
- "--tokenExpirationMinutes={{ .Values.deployment.args.tokenExpirationMinutes }}"

This fragment of the values.yaml file in the connector-service chart defines the default value for tokenExpirationMinutes:

Click to copy
tokenExpirationMinutes: 60

To override this value, and change it from 60 to 90, do the following:

  • Create a ConfigMap in the kyma-installer Namespace and label it.
  • Add the application-connector.connector-service.deployment.args.tokenExpirationMinutes: 90 entry to the ConfigMap.

Notice that the user-provided override key now contains two parts:

  • The chart "path" inside the top-level core chart called application-connector.connector-service
  • The original template value reference from the chart without the .Values. prefix, deployment.args.tokenExpirationMinutes.

Once the installation starts, the Kyma Operator generates overrides based on the ConfigMap entries. The system uses the value of 90 instead of the default value of 60 from the values.yaml chart file.

Global overrides

There are several important parameters usually shared across the charts. Helm convention to provide these requires the use of the global override key. For example, to define the global.domain override, just use global.domain as the name of the key in a ConfigMap or Secret for the Kyma Operator.

Once the installation starts, the Kyma Operator merges all of the ConfigMap entries and collects all of the global entries under the global top-level key to use for the installation.

Values and types

The Kyma Operator generally recognizes all override values as strings. It internally renders overrides to Helm as a yaml stream with only string values.

There is one exception to this rule with respect to handling booleans: The system converts true or false strings that it encounters to a corresponding boolean true or false value.

Merging and conflicting entries

When the Kyma Operator encounters two overrides with the same key prefix, it tries to merge them. If both of them represent a ConfigMap (they have nested sub-keys), their nested keys are recursively merged. If at least one of keys points to a final value, the Kyma Operator performs the merge in a non-deterministic order, so either one of the overrides is rendered in the final yaml data.

It is important to avoid overrides having the same keys for final values.

Non-conflicting merge example

Two overrides with a common key prefix ("a.b"):

Click to copy
"a.b.c": "first"
"a.b.d": "second"

The Kyma Operator yields the correct output:

Click to copy
c: first
d: second

Conflicting merge example

Two overrides with the same key ("a.b"):

Click to copy
"a.b": "first"
"a.b": "second"

The Kyma Operator yields either:

Click to copy
b: "first"

Or (due to non-deterministic merge order):

Click to copy
b: "second"

Custom Resource


The CustomResourceDefinition (CRD) is a detailed description of the kind of data and the format used to control the Kyma Installer, a proprietary solution based on the Kubernetes operator principles. To get the up-to-date CRD and show the output in the yaml format, run this command:

Click to copy
kubectl get crd -o yaml

Sample custom resource

This is a sample CR that controls the Kyma Installer. This example has the action label set to install, which means that it triggers the installation of Kyma. The name and namespace fields in the components array define which components you install and Namespaces in which you install them.

NOTE: See the installer-cr.yaml.tpl file in the /installation/resources directory for the complete list of Kyma components.

Click to copy
apiVersion: ""
kind: Installation
name: kyma-installation
action: install
version: "1.0.0"
url: ""
- name: "cluster-essentials"
namespace: "kyma-system"
- name: "istio"
namespace: "istio-system"
- name: "prometheus-operator"
namespace: "kyma-system"
- name: "provision-bundles"
- name: "dex"
namespace: "kyma-system"
- name: "core"
namespace: "kyma-system"

Custom resource parameters

This table lists all the possible parameters of a given resource together with their descriptions:

metadata.nameYESSpecifies the name of the CR.
metadata.labels.actionYESDefines the behavior of the Kyma Installer. Available options are install and uninstall.
metadata.finalizersNOProtects the CR from deletion. Read this Kubernetes document to learn more about finalizers.
spec.versionNOWhen manually installing Kyma on a cluster, specify any valid SemVer notation string.
spec.urlYESSpecifies the location of the Kyma sources tar.gz package. For example, for the master branch of Kyma, the address is
spec.componentsYESLists which components of Helm chart components to install, update or uninstall.
spec.components.nameYESSpecifies the name of the component which is the same as the name of the component subdirectory in the resources directory.
spec.components.namespaceYESDefines the Namespace in which you want the Installer to install or update the component.
spec.components.releaseNOProvides the name of the Helm release. The default parameter is the component name.

Additional information

The Kyma Installer adds the status section which describes the status of Kyma installation. This table lists the fields of the status section.

status.stateYESDescribes the installation state. Takes one of four values.
status.descriptionYESDescribes the installation step the installer performs at the moment.
status.errorLogYESLists all errors that happen during installation and uninstallation.
status.errorLog.componentYESSpecifies the name of the component that causes the error.
status.errorLog.logYESProvides a description of the error.
status.errorLog.occurrencesYESSpecifies the number of subsequent occurrences of the error.

The status.state field uses one of the following four values to describe the installation state:

InstalledInstallation successful.
UninstalledUninstallation successful.
InProgressThe Installer is still installing or uninstalling Kyma. No errors logged.
ErrorThe Installer encountered a problem but it continues to try to process the resource.

These components use this CR:

InstallerThe CR triggers the Installer to install, update or delete of the specified components.


Sample service deployment on local

This tutorial is intended for the developers who want to quickly learn how to deploy a sample service and test it with Kyma installed locally on Mac.

This tutorial uses a standalone sample service written in the Go language .


To use the Kyma cluster and install the example, download these tools:


Deploy and expose a sample standalone service

Follow these steps:

  1. Deploy the sample service to any of your Namespaces. Use the stage Namespace for this guide:

    Click to copy
    kubectl create -n stage -f
  2. Create an unsecured API for your example service:

    Click to copy
    kubectl apply -n stage -f
  3. Add the IP address of Minikube to the hosts file on your local machine for your APIs:

    Click to copy
    echo "$(minikube ip) http-db-service.kyma.local" | sudo tee -a /etc/hosts
  4. Access the service using the following call:

    Click to copy
    curl -ik https://http-db-service.kyma.local/orders

    The system returns a response similar to the following:

    Click to copy
    HTTP/2 200
    content-type: application/json;charset=UTF-8
    vary: Origin
    date: Mon, 01 Jun 2018 00:00:00 GMT
    content-length: 2
    x-envoy-upstream-service-time: 131
    server: envoy

Update your service's API to secure it

Run the following command:

Click to copy
kubectl apply -n stage -f

After you apply this update, you must include a valid bearer ID token in the Authorization header to access the service.

NOTE: The update might take some time.

Sample service deployment on a cluster

This tutorial is intended for the developers who want to quickly learn how to deploy a sample service and test it with the Kyma cluster.

This tutorial uses a standalone sample service written in the Go language.


To use the Kyma cluster and install the example, download these tools:


Get the kubeconfig file and configure the CLI

Follow these steps to get the kubeconfig file and configure the CLI to connect to the cluster:

  1. Access the Console UI of your Kyma cluster.
  2. Click Administration.
  3. Click the Download config button to download the kubeconfig file to a selected location on your machine.
  4. Open a terminal window.
  5. Export the KUBECONFIG environment variable to point to the downloaded kubeconfig. Run this command:

    Click to copy

    NOTE: Drag and drop the kubeconfig file in the terminal to easily add the path of the file to the export KUBECONFIG command you run.

  6. Run kubectl cluster-info to check if the CLI is connected to the correct cluster.

Set the cluster domain as an environment variable

The commands in this guide use URLs in which you must provide the domain of the cluster that you use. Export the domain of your cluster as an environment variable. Run:

Click to copy
export yourClusterDomain='{YOUR_CLUSTER_DOMAIN}'

Deploy and expose a sample standalone service

Follow these steps:

  1. Deploy the sample service to any of your Namespaces. Use the stage Namespace for this guide:

    Click to copy
    kubectl create -n stage -f
  2. Create an unsecured API for your service:

    Click to copy
    curl -k | sed "s/.kyma.local/.$yourClusterDomain/" | kubectl apply -n stage -f -
  3. Access the service using the following call:

    Click to copy
    curl -ik https://http-db-service.$yourClusterDomain/orders

    The system returns a response similar to the following:

    Click to copy
    HTTP/2 200
    content-type: application/json;charset=UTF-8
    vary: Origin
    date: Mon, 01 Jun 2018 00:00:00 GMT
    content-length: 2
    x-envoy-upstream-service-time: 131
    server: envoy

Update your service's API to secure it

Run the following command:

Click to copy
curl -k | sed "s/.kyma.local/.$yourClusterDomain/" | kubectl apply -n stage -f -

After you apply this update, you must include a valid bearer ID token in the Authorization header to access the service.

NOTE: The update might take some time.

Develop a service locally without using Docker

You can develop services in the local Kyma installation without extensive Docker knowledge or a need to build and publish a Docker image. The minikube mount feature allows you to mount a directory from your local disk into the local Kubernetes cluster.

This tutorial shows how to use this feature, using the service example implemented in Golang.


Install Golang.


Install the example on your local machine

  1. Install the example:
Click to copy
go get -insecure
  1. Navigate to installed example and the http-db-service folder inside it:
Click to copy
cd ~/go/src/
  1. Build the executable to run the application:
Click to copy
CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main .

Mount the example directory into Minikube

For this step, you need a running local Kyma instance. Read this document to learn how to install Kyma locally.

  1. Open the terminal window. Do not close it until the development finishes.
  2. Mount your local drive into Minikube:
Click to copy
# Use the following pattern:
# To follow this guide, call:
minikube mount ~/go/src/

See the example and expected result:

Click to copy
# Terminal 1
minikube mount ~/go/src/
Mounting /Users/{USERNAME}/go/src/ into /go/src/ on the minikube VM
This daemon process must stay alive for the mount to still be accessible...
ufs starting

Run your local service inside Minikube

  1. Create Pod that uses the base Golang image to run your executable located on your local machine:
Click to copy
# Terminal 2
kubectl run mydevpod --image=golang:1.9.2-alpine --restart=Never -n stage --overrides='
"command": ["./main"],
  1. Expose the Pod as a service from Minikube to verify it:
Click to copy
kubectl expose pod mydevpod --name=mypodservice --port=8017 --type=NodePort -n stage
  1. Check the Minikube IP address and Port, and use them to access your service.
Click to copy
# Get the IP address.
minikube ip
# See the example result:
# Check the Port.
kubectl get services -n stage
# See the example result: mypodservice NodePort <none> 8017:32226/TCP 5m
  1. Call the service from your terminal.
Click to copy
curl {minikube ip}:{port}/orders -v
# See the example: curl -v
# The command returns an empty array.

Modify the code locally and see the results immediately in Minikube

  1. Edit the main.go file by adding a new test endpoint to the startService function
Click to copy
router.HandleFunc("/test", func (w http.ResponseWriter, r *http.Request) {
  1. Build a new executable to run the application inside Minikube:
Click to copy
CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main .
  1. Replace the existing Pod with the new version:
Click to copy
kubectl get pod mydevpod -n stage -o yaml | kubectl replace --force -f -
  1. Call the new test endpoint of the service from your terminal. The command returns the Test string:
Click to copy
curl -v

Publish a service Docker image and deploy it to Kyma

Follow this tutorial to learn how to develop a service locally. You can immediately see all the changes made in a local Kyma installation based on Minikube, without building a Docker image and publishing it to a Docker registry, such as the Docker Hub.

Using the same example service, this tutorial explains how to build a Docker image for your service, publish it to the Docker registry, and deploy it to the local Kyma installation. The instructions base on Minikube, but you can also use the image that you create and the Kubernetes resource definitions that you use on the Kyma cluster.

NOTE: The deployment works both on local Kyma installation and on the Kyma cluster.


Build a Docker image

The http-db-service example used in this guide provides you with the Dockerfile necessary for building Docker images. Examine the Dockerfile to learn how it looks and how it uses the Docker Multistaging feature, but do not use it one-to-one for production. There might be custom LABEL attributes with values to override.

  1. In your terminal, go to the examples/http-db-service directory. If you did not follow the Sample service deployment on local guide and you do not have this directory locally, get the http-db-service example from the examples repository.
  2. Run the build with ./

NOTE: Ensure that the new image builds and is available in your local Docker registry by calling docker images. Find an image called example-http-db-service and tagged as latest.

Register the image in the Docker Hub

This guide bases on Docker Hub. However, there are many other Docker registries available. You can use a private Docker registry, but it must be available in the Internet. For more details about using a private Docker registry, see the this document.

  1. Open the Docker Hub webpage.
  2. Provide all of the required details and sign up.

Sign in to the Docker Hub registry in the terminal

  1. Call docker login.
  2. Provide the username and password, and select the ENTER key.

Push the image to the Docker Hub

  1. Tag the local image with a proper name required in the registry: docker tag example-http-db-service {USERNAME}/example-http-db-service:0.0.1.
  2. Push the image to the registry: docker push {USERNAME}/example-http-db-service:0.0.1.

NOTE: To verify if the image is successfully published, check if it is available online at the following address:{USERNAME}/example-http-db-service/

Deploy to Kyma

The http-db-service example contains sample Kubernetes resource definitions needed for the basic Kyma deployment. Find them in the deployment folder. Perform the following modifications to use your newly-published image in the local Kyma installation:

  1. Go to the deployment directory.
  2. Edit the deployment.yaml file. Change the image attribute to {USERNAME}/example-http-db-service:0.0.1.
  3. Create the new resources in local Kyma using these commands: kubectl create -f deployment.yaml -n stage && kubectl create -f ingress.yaml -n stage.
  4. Edit your /etc/hosts to add the new http-db-service.kyma.local host to the list of hosts associated with your minikube ip. Follow these steps:
    • Open a terminal window and run: sudo vim /etc/hosts
    • Select the i key to insert a new line at the top of the file.
    • Add this line: {YOUR.MINIKUBE.IP} http-db-service.kyma.local
    • Type :wq and select the Enter key to save the changes.
  5. Run this command to check if you can access the service: curl https://http-db-service.kyma.local/orders. The response should return an empty array.



The troubleshooting section aims to identify the most common recurring problems the users face when they install and start using Kyma, as well as the most suitable solutions to these problems.

If you can't find a solution, don't hesitate to create a GitHub issue or reach out to either the #installation or #general Slack channel to get direct support from the community.

Basic troubleshooting

Console UI password

If you forget the password for the, you can get it from the admin-user Secret located in the kyma-system Namespace. Run this command:

Click to copy
kubectl get secret admin-user -n kyma-system -o jsonpath="{.data.password}" | base64 --decode

Kyma Installer doesn't respond as expected

If the Installer does not respond as expected, check the installation status using the script with the --verbose flag added. Run:

Click to copy
scripts/ --verbose

Installation successful, component not working

If the installation is successful but a component does not behave in the expected way, inspect Helm releases for more details on all of the installed components.

Run this command to list all of the available Helm releases:

Click to copy
helm list --tls

Run this command to get more detailed information about a given release:

Click to copy
helm status {RELEASE_NAME} --tls

NOTE: Names of Helm releases correspond to names of Kyma components.

Additionally, see if all deployed Pods are running. Run this command:

Click to copy
kubectl get pods --all-namespaces

The command retrieves all Pods from all Namespaces, the status of the Pods, and their instance numbers. Check if the status is Running for all Pods. If any of the Pods that you require do not start successfully, install Kyma again.

Can't log in to the Console after hibernating the Minikube cluster

If you put a local cluster into hibernation or use minikube stop and minikube start the date and time settings of Minikube get out of sync with the system date and time settings. As a result, the access token used to log in cannot be properly validated by Dex and you cannot log in to the console. To fix that, set the date and time used by your machine in Minikube. Run:

Click to copy
minikube ssh -- docker run -i --rm --privileged --pid=host debian nsenter -t 1 -m -u -n -i date -u $(date -u +%m%d%H%M%Y)

Errors after restarting Kyma on Minikube

If you restart Kyma using unauthorized methods, such as triggering the installation when a Minikube cluster with Kyma is already running, the cluster might become unresponsive which can be fixed by reinstalling Kyma. To prevent such behavior, stop and restart Kyma using only the method described here.

Console access network error

If you try to access the Console of a local or a cluster Kyma deployment and your browser shows a 'Network Error', your local machine doesn't have the Kyma self-signed TLS certificate added to the system trusted certificate list. To fix this, follow one of these two approaches:

  • Add the Kyma certificate to the trusted certificates list of your OS:
  • Minikube on MacOS
  • Minikube on Linux
  • Cluster installation with
Click to copy
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain {PATH_TO_CERT}
  • Trust the certificate in your browser. Follow this guide for Chrome or this guide for Firefox. You must trust the certificate for these addresses:,,, and

TIP: This solution is suitable for users who don't have administrative access to the OS.

Common installation errors

In some cases, the logs of the Kyma Installer may show this error, which seemingly indicates problems with Istio:

Click to copy
Step error: Details: Helm install error: rpc error: code = Unknown desc = validation failed: [unable to recognize "": no matches for kind "DestinationRule" in version "", unable to recognize "": no matches for kind "DestinationRule" in version "", unable to recognize "": no matches for kind "attributemanifest" in version ""

As Istio is the first sizeable component handled by the Kyma Installer, sometimes not all of the required CRDs are created before the Installer proceeds to the next component. This situation doesn't cause the installation to fail. Instead, the Istio installation step repeats and gets more time for setup. The error message is logged regardless of that.

Job failed: DeadlineExceeded error

The Job failed: DeadlineExceeded error indicates that a job object didn't finish in a set time leading to a time-out. Frequently this error is followed by a message that indicates the release which failed to install: Helm install error: rpc error: code = Unknown desc = a release named core already exists.

As this error is caused by a time-out, restart the installation.

If the problem repeats, find the job that causes the error and reach out to the #installation Slack channel or create a GitHub issue.

Follow these steps to identify the failing job:

  1. Get the installed Helm releases which correspond to components:

    Click to copy
    helm ls --tls

    A high number of revisions may suggest that a component was reinstalled several times. If a release has the status different to Deployed, the component wasn't installed.

  2. Get component details:

    Click to copy
    helm status {RELEASE_NAME} --tls

    Pods with not all containers in READY state can cause the error.

  3. Get the deployed jobs:

    Click to copy
    kubectl get jobs --all-namespaces

    Jobs that are not completed can cause the error.

Installation fails without an apparent reason

If the installation fails and the feedback you get from the console output isn't sufficient to identify the root cause of the errors, use the helm history command to inspect errors that were logged for every revision of a given Helm release.

To list all of the available Helm releases, run:

Click to copy
helm list --tls

To inspect a release and its logged errors, run:

Click to copy
helm history {RELEASE_NAME} --tls

NOTE: Names of Helm releases correspond to names of Kyma components.

"Transport is closing" error

Starting with Kyma release 0.9.0 the communication with Helm and Tiller is secured with TLS. If you get the Transport is closing error when you run a Helm command, such as helm ls, Helm denies you access because:

  • The cluster client certificate, key, and Certificate Authority (CA) are not found in Helm Home.
  • You don't use the --tls flag to engage a secure connection.

This problem is most common for cluster deployments where the user must add the required elements to Helm Home manually. When you install Kyma locally, this operation is performed automatically in the installation process.

Read this document to learn more about security in communication with Helm and Tiller.

Installation stuck at ContainerCreating

Starting with Kyma release 0.9.0 the communication with Helm and Tiller is secured with TLS.

If you try to install Kyma using your own image and the installation freezes at the ContainerCreating step, it means that the Kyma Installer cannot start because a required set of client-server certificates is not found in the system.

The my-kyma.yaml file contains two image fields. One of them defines the Tiller TLS certificates image and cannot be edited. Edit the field that defines the URL of the Kyma Installer image.

Click to copy
# This field defines the Tiller TLS certificates image URL. Do not edit.
# This field defines the Kyma Installer image URL. Edit this field.


Kyma features and concepts in practice

The table contains a list of examples that demonstrate Kyma functionalities. You can run all of them locally or on a cluster. Examples are organized by a feature or concept they showcase. Each of them contains ready-to-use code snippets and the instructions in documents.

Follow the links to examples' code and content sources, and try them on your own.

HTTP DB ServiceTest the service that exposes an HTTP API to access a database on the cluster.Go, MSSQL
Event Service SubscriptionTest the example that demonstrates the publish and consume features of the Event Bus.Go
Event Lambda SubscriptionCreate functions, trigger them on Events, and bind them to services.Kubeless
GatewayExpose APIs for functions or services.Kubeless
Service BindingBind a Redis service to a lambda function.Kubeless, Redis, NodeJS
Alert RulesConfigure alert rules in Kyma.Prometheus
Custom Metrics in KymaExpose custom metrics in Kyma.Go, Prometheus
Event Email ServiceSend an automated email upon receiving an Event.NodeJS
TracingConfigure tracing for a service in Kyma.Go