Service Catalog


The Service Catalog is a grouping of reusable, integrated services from all Service Brokers registered in Kyma. Its purpose is to provide an easy way for Kyma users to access services that the Service Brokers manage and use them in their applications.

Because Kyma runs on Kubernetes, you can easily instantiate a service instance that a third party provides and maintains, such as a database. You can consume it from Kyma without extensive knowledge about the clustering of such a datastore service and without taking on the responsibility for its upgrades and maintenance. You can also easily provision an instance of the software offering that a Service Broker registered in Kyma exposes, and bind it with an application running in the Kyma cluster.

You can perform the following operations in the Service Catalog:

  • Expose the consumable services by listing them with all the details, including the documentation and the consumption plans.
  • Consume the services by provisioning them in a given Environment, which is Kyma's representation of the Kubernetes Namespace.
  • Bind the services to the applications through Secrets.



This document includes an overview of resources that the Kyma Service Catalog provides.

NOTE: The "Cluster" prefix in front of resources means they are cluster-wide. Resources without that prefix refer to the Environment scope.

  • ClusterServiceBroker is an endpoint for a set of managed services that a third party offers and maintains.

  • ClusterServiceClass is a managed service exposed by a given ClusterServiceBroker. When a cluster administrator registers a new Service Broker in the Service Catalog, the Service Catalog controller obtains new services exposed by the Service Broker and renders them in the cluster as ClusterServiceClasses. A ClusterServiceClass is synonymous with a service in the Service Catalog.

  • ClusterServicePlan is a variation of a ClusterServiceClass that offers different levels of quality, configuration options, and the cost of a given service. Contrary to the ClusterServiceClass, which is purely descriptive, the ClusterServicePlan provides technical information to the ClusterServiceBroker on this part of the service that the ClusterServiceBroker can expose.

  • ServiceBroker is any Service Broker registered in a given Environment where it exposes ServiceClasses and ServicePlans that are available only in that Environment.

  • ServiceClass is an Environment-wide representation of a ClusterServiceClass. Similarly to the ClusterServiceClass, it is synonymous with a service in the Service Catalog.

  • ServicePlan is an Environment-wide representation of a ClusterServicePlan.

  • ServiceInstance is a provisioned instance of a ClusterServiceClass to use in one or more cluster applications.

  • ServiceBinding is a link between a ServiceInstance and an application that cluster users create to request credentials or configuration details for a given ServiceInstance.

  • Secret is a basic resource to transfer credentials or configuration details that the application uses to consume a ServiceInstance. The service binding process leads to the creation of a Secret.

  • ServiceBindingUsage is a Kyma custom resource that allows the ServiceBindingUsage controller to inject Secrets into a given application.

  • UsageKind is a Kyma custom resource that defines which resources can be bound with the ServiceBinding and how to bind them.

Add a service to the Catalog

In general, the Service Catalog can expose a service from any Service Broker that is registered in Kyma in accordance with the Open Service Broker API specification.

The Kyma Service Catalog is currently integrated with the following Service Brokers:

  • Azure Broker
  • Remote Environment Broker
  • Helm Broker (experimental)

For details on how to build and register your own Service Broker to expose more services and plans to the cluster users, see the Service Brokers Overview document.

NOTE: The Service Catalog has the Istio sidecar injected. To enable the communication between the Service Catalog and Service Brokers, either inject the Istio sidecar into all brokers or disable mutual TLS authentication.

Provisioning and binding

Provisioning a service means creating an instance of a service. When you consume a specific ClusterServiceClass or a ServiceClass, and the system provisions a ServiceInstance, you need credentials for this service. To obtain credentials, create a ServiceBinding resource using the API of the Service Catalog. One instance can have numerous bindings to use in the application. When you raise a binding request, the system returns the credentials in the form of a Secret. The system creates a Secret in a given Environment.

NOTE: The security in Kyma relies on the Kubernetes concept of a Namespace. Kyma Environment is a security boundary. If the Secret exists in the Environment, the administrator can inject it to any Deployment. The Service Broker cannot prevent other applications from consuming a created Secret. Therefore, to ensure a stronger level of isolation and security, use a dedicated Environment and request separate bindings for each Deployment.

The Secret allows you to run the service successfully. However, a problem appears each time you need to change the definition of the yaml file in the Deployment to specify the Secrets' usage. The manual process of editing the file is tedious and time-consuming. Kyma handles it by offering a custom resource called ServiceBindingUsage. This custom resource applies the Kubernetes PodPreset resource and allows you to enforce an automated flow in which the ServiceBindingUsage controller injects ServiceBindings into a given Application or Function.
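
An added example, not part of the Kyma documentation: a Python check for the isolation advice in the note above. It reads a ServiceBindingUsage list exported as JSON and reports every ServiceBinding whose Secret is injected into more than one workload, plus usages whose Ready condition is not True. The sample data is constructed, and reading reason from inside the condition entry is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a ServiceBindingUsage list returned as JSON.
# Names other than the page's redis-client sample are made up for illustration.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "redis-client-binding-usage", "namespace": "production"},
   "spec": {"serviceBindingRef": {"name": "redis-instance-binding"},
            "usedBy": {"kind": "deployment", "name": "redis-client"}},
   "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
  {"metadata": {"name": "reporting-binding-usage", "namespace": "production"},
   "spec": {"serviceBindingRef": {"name": "redis-instance-binding"},
            "usedBy": {"kind": "deployment", "name": "reporting"}},
   "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
  {"metadata": {"name": "resize-binding-usage", "namespace": "stage"},
   "spec": {"serviceBindingRef": {"name": "redis-instance-binding"},
            "usedBy": {"kind": "function", "name": "resize"}},
   "status": {"conditions": [{"type": "Ready", "status": "False",
                              "reason": "ExampleReason"}]}}
]}
""")


def shared_bindings(usage_list):
    """Map (namespace, ServiceBinding) -> workloads, for bindings injected into more than one."""
    consumers = defaultdict(set)
    for item in usage_list.get("items", []):
        spec = item.get("spec", {})
        binding = spec.get("serviceBindingRef", {}).get("name")
        used_by = spec.get("usedBy", {})
        if not binding or not used_by.get("name"):
            continue  # incomplete object: both fields are mandatory in the CR
        namespace = item.get("metadata", {}).get("namespace")
        consumers[(namespace, binding)].add(f"{used_by.get('kind')}/{used_by['name']}")
    return {key: sorted(names) for key, names in consumers.items() if len(names) > 1}


def not_ready(usage_list):
    """List (namespace, name, reason) for usages whose Ready condition is not "True"."""
    failed = []
    for item in usage_list.get("items", []):
        conditions = item.get("status", {}).get("conditions", [])
        # Assumption: reason sits in the same condition entry as type and status.
        ready = next((c for c in conditions if c.get("type") == "Ready"), {})
        if ready.get("status") != "True":
            meta = item.get("metadata", {})
            failed.append((meta.get("namespace"), meta.get("name"), ready.get("reason")))
    return failed


if __name__ == "__main__":
    for (namespace, binding), workloads in shared_bindings(SAMPLE).items():
        print(f"{namespace}/{binding} is shared by: {', '.join(workloads)}")
    for namespace, name, reason in not_ready(SAMPLE):
        print(f"{namespace}/{name} not injected (reason: {reason})")
```

A binding reported as shared means several workloads hold the same credentials, so revoking access for one of them requires deleting the binding for all of them.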


This section provides a simplified, graphic representation of the basic operations in the Service Catalog.

Provisioning and binding flow

The diagram shows an overview of interactions between all resources related to Kyma provisioning and binding, and the reverting, deprovisioning, and unbinding operations.

Kyma provisioning and binding

The process of provisioning and binding invokes the creation of three custom resources:

  • ServiceInstance
  • ServiceBinding
  • ServiceBindingUsage

The system allows you to create these custom resources in any order, but within a timeout period.

When you invoke the deprovisioning and unbinding actions, the system deletes all three custom resources. Similar to the creation process dependencies, the system allows you to delete ServiceInstance and ServiceBinding in any order, but within a timeout period. However, before you delete the ServiceBinding, make sure you remove the ServiceBindingUsage first. For more details, see the section on deleting a ServiceBinding.

Provision a service

To provision a service, create a ServiceInstance custom resource. Generally speaking, provisioning is a process in which the Service Broker creates a new instance of a service. The form and scope of this instance depends on the Service Broker.

Kyma provisioning

Deprovision a service

To deprovision a given service, delete the ServiceInstance custom resource. As part of this operation, the Service Broker deletes any resources created during the provisioning. When the process completes, the service becomes unavailable.

Kyma deprovisioning

NOTE: You can deprovision a service only if no corresponding ServiceBinding for a given ServiceInstance exists.

Create a ServiceBinding

The Kyma binding operation consists of two phases:

  • The system gathers the information necessary to connect to the ServiceInstance and authenticate it. The Service Catalog handles this phase directly, without the use of any additional Kyma custom resources.
  • The system must make the information it collected available to the application. Since the Service Catalog does not provide this functionality, you must create a ServiceBindingUsage custom resource.

Kyma binding

NOTE: The system allows you to create the ServiceBinding and ServiceBindingUsage resources at the same time.

Bind with other resources

The UsageKind is a cluster-wide custom resource which allows you to bind a ServiceInstance to any resource. By default, Kyma provides two UsageKinds which enable binding either to a Deployment or Function. You can add more UsageKinds if you want to bind your ServiceInstance to other types of resources. The UsageKind contains information on the way in which binding to this custom resource is conducted. The ServiceBindingUsage uses this information to inject Secrets to the Application.

Kyma UsageKind

Delete a ServiceBinding

Kyma unbinding can be achieved in two ways:

  1. Delete the ServiceBindingUsage. The BindingUsageController removes the injected Secret from the application, but the Secret itself still exists.
  2. Delete the ServiceBinding. This deletes the Secret and triggers the deletion of all the related ServiceBindingUsages.

Kyma unbinding

Etcd Database

The Service Catalog requires an etcd database cluster for production use. It has a separate etcd cluster defined in the Service Catalog etcd-stateful sub-chart. The etcd-backup-operator executes the backup procedure.


This section describes the backup and restore processes of the etcd cluster for the Service Catalog.


To execute the backup process, you must set the following values in the core chart:

| Property name | Description |
| --- | --- |
| global.etcdBackup.enabled | If set to true, the etcd-operator chart and the Service Catalog sub-chart install the CronJob, which periodically executes the Etcd Backup application. The etcd-operator also creates the Secret with the storage-account and storage-key keys. For more information on how to configure the backup CronJob, see the Etcd Backup documentation. |
| global.etcdBackup.containerName | The ABS container to store the backup. |
| etcd-operator.backupOperator.abs.storageAccount | The name of the storage account for the Azure Blob Storage (ABS). It stores the value for the storage-account Secret key. |
| etcd-operator.backupOperator.abs.storageKey | The key value of the storage account for the ABS. It stores the value for the storage-key Secret key. |

NOTE: If you set the storageAccount, storageKey, and containerName properties, the global.etcdBackup.enabled must be set to true.


Follow these instructions to restore an etcd cluster from the existing backup.

  1. Export the ABS_PATH environment variable with the path to the last successful backup file.

export ABS_PATH=$(kubectl get cm -n kyma-system sc-recorded-etcd-backup-data -o=jsonpath='{.data.abs-backup-file-path-from-last-success}')
export BACKUP_FILE_NAME=etcd.backup

  2. Download the backup to the local workstation. You can do it from the portal or by using the Azure CLI. Set the downloaded file path:

export BACKUP_FILE_NAME=/path/to/downloaded/file

  3. Copy the backup file to every running Pod of the StatefulSet.

for i in {0..2}; do
  kubectl cp ./$BACKUP_FILE_NAME kyma-system/core-catalog-etcd-stateful-$i:/$BACKUP_FILE_NAME
done

  4. Restore the backup on every Pod of the StatefulSet.

for i in {0..2}; do
  # --initial-cluster must list every member, including the one named by --name.
  remoteCommand="etcdctl snapshot restore /$BACKUP_FILE_NAME "
  remoteCommand+="--name core-catalog-etcd-stateful-$i --initial-cluster "
  remoteCommand+="core-catalog-etcd-stateful-0=https://core-catalog-etcd-stateful-0.core-catalog-etcd-stateful.kyma-system.svc.cluster.local:2380,"
  remoteCommand+="core-catalog-etcd-stateful-1=https://core-catalog-etcd-stateful-1.core-catalog-etcd-stateful.kyma-system.svc.cluster.local:2380,"
  remoteCommand+="core-catalog-etcd-stateful-2=https://core-catalog-etcd-stateful-2.core-catalog-etcd-stateful.kyma-system.svc.cluster.local:2380 "
  remoteCommand+="--initial-cluster-token etcd-cluster-1 "
  remoteCommand+="--initial-advertise-peer-urls https://core-catalog-etcd-stateful-$i.core-catalog-etcd-stateful.kyma-system.svc.cluster.local:2380"
  # Remove leftovers from earlier restores, restore the snapshot, then move it into place.
  kubectl exec core-catalog-etcd-stateful-$i -n kyma-system -- sh -c "rm -rf core-catalog-etcd-stateful-$i.etcd"
  kubectl exec core-catalog-etcd-stateful-$i -n kyma-system -- sh -c "rm -rf /var/run/etcd/backup.etcd"
  kubectl exec core-catalog-etcd-stateful-$i -n kyma-system -- sh -c "$remoteCommand"
  kubectl exec core-catalog-etcd-stateful-$i -n kyma-system -- sh -c "mv -f core-catalog-etcd-stateful-$i.etcd /var/run/etcd/backup.etcd"
  kubectl exec core-catalog-etcd-stateful-$i -n kyma-system -- sh -c "rm $BACKUP_FILE_NAME"
done

  5. Delete old Pods.

kubectl delete pod core-catalog-etcd-stateful-0 core-catalog-etcd-stateful-1 core-catalog-etcd-stateful-2 -n kyma-system


The diagram and steps describe the Service Catalog workflow and the roles of specific cluster and Environment-wide resources in this process:

Service Catalog flow

  1. The Kyma installation results in the registration of the default Service Brokers in the Kyma cluster. The Kyma administrator can manually register other ClusterServiceBrokers in the Kyma cluster. The Kyma user can also register a Service Broker in a given Environment.

  2. Inside the cluster, each ClusterServiceBroker exposes services that are ClusterServiceClasses in their different variations called ClusterServicePlans. Similarly, the ServiceBroker registered in a given Environment exposes ServiceClasses and ServicePlans only in this specific Environment.

  3. In the Console UI or CLI, the Kyma user lists all exposed cluster-wide and Environment-specific services and requests to create instances of those services in the Environment.

  4. The Kyma user creates bindings to the ServiceInstances to allow the given applications to access the provisioned services.

CLI reference

Management of the Service Catalog is based on Kubernetes resources and the custom resources specifically defined for Kyma. Manage all of these resources through kubectl.


This section describes the resource names to use in the kubectl command line, the command syntax, and examples of use.

Resource types

Service Catalog operations use the following resources:

Singular namePlural name


Follow the kubectl syntax, kubectl {command} {type} {name} {flags}, where:

  • {command} is any command, such as describe.
  • {type} is a resource type, such as clusterserviceclass.
  • {name} is the name of a given resource type. Use {name} to make the command return the details of a given resource.
  • {flags} specifies the scope of the information. For example, use flags to define the Namespace from which to get the information.


The following examples show how to create a ServiceInstance, how to get a list of ClusterServiceClasses and a list of ClusterServiceClasses with human-readable names, a list of ClusterServicePlans, and a list of all ServiceInstances.

  • Create a ServiceInstance using the example of the Redis ServiceInstance for the 0.1.3 version of the Service Catalog:

cat <<EOF | kubectl create -f -
apiVersion: servicecatalog.k8s.io/v1beta1
kind: ServiceInstance
metadata:
  name: my-instance
  namespace: stage
spec:
  clusterServiceClassExternalName: redis
  clusterServicePlanExternalName: micro
  parameters:
    "imagePullPolicy": "Always"
EOF

  • Get the list of all ClusterServiceClasses:

kubectl get clusterserviceclasses

  • Get the list of all ClusterServiceClasses and their human-readable names:

kubectl get clusterserviceclasses -o=custom-columns=NAME:.metadata.name,EXTERNAL\ NAME:.spec.externalName

  • Get the list of all ClusterServicePlans and associated ClusterServiceClasses:

kubectl get clusterserviceplans -o=custom-columns=NAME:.metadata.name,EXTERNAL\ NAME:.spec.externalName,EXTERNAL\ SERVICE\ CLASS:.spec.clusterServiceClassRef

  • Get the list of all ServiceInstances from all Namespaces:

kubectl get serviceinstances --all-namespaces

Custom Resource


The Custom Resource Definition (CRD) is a detailed description of the kind of data and the format used to inject Secrets to the application. To get the up-to-date CRD and show the output in the yaml format, run this command:

kubectl get crd -o yaml

Sample custom resource

This is a sample resource in which the ServiceBindingUsage injects a Secret associated with the redis-instance-binding ServiceBinding to the redis-client Deployment in the production Namespace. This example has the conditions.status field set to true, which means that the ServiceBinding injection is successful. If this field is set to false, the message and reason fields appear.

kind: ServiceBindingUsage
metadata:
  name: redis-client-binding-usage
  namespace: production
  "ownerReferences": [
    {
      "apiVersion": "",
      "kind": "ServiceBinding",
      "name": "redis-instance-binding",
      "uid": "65cc140a-db6a-11e8-abe7-0242ac110023"
    }
  ]
spec:
  serviceBindingRef:
    name: redis-instance-binding
  usedBy:
    kind: deployment
    name: redis-client
  parameters:
    envPrefix:
      name: "pico-bello"
status:
  conditions:
  - lastTransitionTime: 2018-06-26T10:52:05Z
    lastUpdateTime: 2018-06-26T10:52:05Z
    status: "True"
    type: Ready

Custom resource parameters

This table lists all the possible parameters of a given resource together with their descriptions:

| Parameter | Mandatory | Description |
| --- | --- | --- |
| metadata.name | YES | Specifies the name of the CR. |
| metadata.namespace | YES | Specifies the Namespace in which the CR is created. |
| metadata.ownerReferences | YES | Contains an ownerReference to the binding specified at field if the binding exists. |
| spec.serviceBindingRef.name | YES | Specifies the name of the ServiceBinding. |
| spec.usedBy | YES | Specifies the application into which the Secret is injected. |
| spec.usedBy.kind | YES | Specifies the name of the UsageKind custom resource. |
| spec.usedBy.name | YES | Specifies the name of the application. |
| spec.parameters.envPrefix | NO | Defines the prefix of the environment variables that the ServiceBindingUsage injects. The prefixing is disabled by default. |
| spec.parameters.envPrefix.name | YES | Specifies the name of the prefix. This field is mandatory if envPrefix is specified. |
| status.conditions | NO | Specifies the state of the ServiceBindingUsage. |
| status.conditions.lastTransitionTime | NO | Specifies the time when the Binding Usage Controller processes the ServiceBindingUsage for the first time or when the status.conditions.status field changes. |
| status.conditions.lastUpdateTime | NO | Specifies the time of the last ServiceBindingUsage condition update. |
| status.conditions.status | NO | Specifies whether the status of the status.conditions.type field is True or False. |
| status.conditions.type | NO | Defines the type of the condition. The value of this field is always Ready. |
| message | NO | Describes in a human-readable way why the ServiceBinding injection has failed. |
| reason | NO | Specifies a unique, one-word, CamelCase reason for the condition's last transition. |

These are the resources related to this CR:

| Custom resource | Description |
| --- | --- |
| UsageKind | Provides information where to inject Secrets. |
| ServiceBinding | Provides Secrets to inject. |

These components use this CR:

| Component | Description |
| --- | --- |
| Binding Usage Controller | Reacts to every action of creating, updating, or deleting ServiceBindingUsages in all Namespaces, and uses ServiceBindingUsage data to inject binding. |
| UI API Layer | Exposes the given CR to the Console UI. It also allows you to create and delete a ServiceBindingUsage. |


The Custom Resource Definition (CRD) is a detailed description of the kind of data and the format used to define which resources can be bound with the ServiceBinding and how to bind them. To get the up-to-date CRD and show the output in the yaml format, run this command:

kubectl get crd -o yaml

Sample custom resource

This is a sample resource that allows you to bind a given resource with the ServiceBinding. This example has a resource section specified as function. You can adjust this section to point to any other kind of resource.

kind: UsageKind
metadata:
  name: function
spec:
  displayName: Function
  resource:
    kind: function
    version: v1beta1
  labelsPath: spec.deployment.spec.template.metadata.labels

Custom resource parameters

This table lists all the possible parameters of a given resource together with their descriptions:

| Parameter | Mandatory | Description |
| --- | --- | --- |
| metadata.name | YES | Specifies the name of the CR. |
| spec.displayName | YES | Specifies a human-readable name of the UsageKind. |
| spec.resource | YES | Specifies a resource which is bound with the ServiceBinding. The target resource is specified by its resource group, kind, and version. |
| spec.resource.group | YES | Specifies the group of the resource. |
| spec.resource.kind | YES | Specifies the kind of the resource. |
| spec.resource.version | YES | Specifies the version of the resource. |
| spec.labelsPath | YES | Specifies a path to the key that contains labels which are later injected into Pods. |

These are the resources related to this CR:

| Custom resource | Description |
| --- | --- |
| ServiceBindingUsage | Contains the reference to the UsageKind. |

These components use this CR:

| Component | Description |
| --- | --- |
| Binding Usage Controller | Uses the UsageKind spec.resource and spec.labelsPath parameters to find a resource and a path to which it should inject Secrets. |
| UI API Layer | Exposes the given CR to the Console UI. |

Getting Started

Register a ClusterServiceBroker

This Getting Started guide shows how to register a new ClusterServiceBroker in the Service Catalog. Follow this guide to register a cluster-wide UPS Broker in the Service Catalog.



  1. Clone the service-catalog repository:

    git clone
  2. Run this command to install the chart with the ups-broker name in the stage Namespace:

    helm install service-catalog/charts/ups-broker --name ups-broker --namespace stage
  3. Register your broker:

    kubectl create -f service-catalog/contrib/examples/walkthrough/ups-broker.yaml

    After you successfully register your ClusterServiceBroker, the Service Catalog periodically fetches services from this broker and creates ClusterServiceClasses from them.

  4. Check the status of the broker:

    kubectl get clusterservicebrokers ups-broker -o jsonpath="{.status.conditions}"

    The output looks as follows:

    "lastTransitionTime": "2018-10-26T12:03:32Z",
    "message": "Successfully fetched catalog entries from broker.",
    "reason": "FetchedCatalog",
    "status": "True",
    "type": "Ready"
  5. View ClusterServiceClasses that this broker provides:

    kubectl get clusterserviceclasses

    These are the UPS Broker ClusterServiceClasses:

    4f6e6cf6-ffdd-425f-a2c7-3c9258ad2468 user-provided-service
    5f6e6cf6-ffdd-425f-a2c7-3c9258ad2468 user-provided-service-single-plan
    8a6229d4-239e-4790-ba1f-8367004d0473 user-provided-service-with-schemas