A “service” in KDP defines a unique Kubernetes API Group and offers a number of resources (types) to
use. A service could offer certificate management, databases, cloud infrastructure or any other set
of Kubernetes resources.
Services are provided by service owners, who run their own Kubernetes clusters and take care of the
maintenance and scaling tasks for the workload provisioned by all users of the service(s) they
offer.
A KDP Service should not be confused with a Kubernetes Service. Internally, a KDP Service is
ultimately translated into a kcp APIExport
with a number of APIResourceSchemas
(~ CRDs).
Scope
This document describes the process of setting up a new Service from scratch, from the standpoint
of a Service Owner. See Using Services
for more information from the standpoint of Service Consumers (i.e. endusers).
Creating Services
Login to the KDP Dashboard and navigate to the organization where the Service should be available
(generally, Services can be consumed from any other workspace). Choose the “Create Service” option.

First, choose a title. This is a “human readable” name for your Service and will be shown to potential
consumers in the service catalog. Next, choose a unique API group. API groups are DNS-style names,
so it is recommended to choose a sub-domain of a DNS name you actually control
(e.g. databases.services.kubermatic.com
).
You must also choose the location to which the api-syncagent kubeconfig secret is written.
This secret is required to set up the api-syncagent later.
The service creation wizard also offers several optional metadata fields that will help service consumers
understand what kind of services are offered. You can (optionally) provide a documentation link which
will be shown to consumers as a way to discover more information about the service, a logo which will
be displayed alongside the service in the service catalog and a markdown-capable description to convey
what the service is about.
Via API
It is of course also possible to create services from the kcp API directly via kubectl
or similar tools
(useful when the service should be managed via GitOps, for example). Here is an example YAML specification:
apiVersion: core.kdp.k8c.io/v1alpha1
kind: Service
metadata:
name: sample.example.com
spec:
apiGroup: sample.example.com
catalogMetadata:
description: This is a sample service.
documentationURL: ""
title: sample-service
kubeconfig:
name: sample-api-syncagent-kubeconfig
namespace: default
This can be applied with kubectl
in your organization workspace.
$ kubectl ws :root:my-org # switch to your workspace
$ kubectl apply -f service.yaml
Use the following command to explore the full schema for Service
objects:
$ kubectl explain --api-version=core.kdp.k8c.io/v1alpha1 service
This concludes all required steps to define the new service. Click on the confirm button to create
the Service.
Setting up the api-syncagent
Once the service is created, KDP will provision a kubeconfig. This kubeconfig is meant to be used
by the api-syncagent, the component installed by service owners into the service cluster.
The generated kubeconfig is available from the service’s context menu in the Dashboard.

Click “kubeconfig” to inspect and download the kubeconfig:

You can also use kubectl
to navigate into your workspace and inspect your Service object.
In spec.kubeconfig
you will find the name of the kubeconfig Secret that you can use for your
api-syncagent.
Now switch your focus to your own cluster, where your business logic happens (for example where
Crossplane runs). For your Service you need to provide exactly one api-syncagent in one Kubernetes
cluster. This agent can have multiple replicas as it uses leader election, but you must not have two
or more independent agents processing the same Service. There is currently no mechanism to spread
load between multiple Service clusters and two or more agents will most likely conflict with each
other.
The api-syncagent comes as a Helm chart. See the kcp chart repository
for more information. You basically need to provide the kubeconfig generated by KDP as the
“kcp kubeconfig”, the service’s name (not its API Group) and a unique name for the agent itself. Put
all the information in a values.yaml
and run helm install
to deploy your agent.
Once the agent has booted up, it will just sit there and do nothing, waiting for further
configuration.
Defining Published Resources
Once the api-syncagent is up and running, you have to create PublishedResource
objects on the
service cluster. See the documentation for
publishing resources for more
information.
The agent will automatically react to PublishedResources
and begin replicating them into KDP/kcp.
This means setting up an APIExport
and APIResourceSchemas
. Once this is done, the KDP Service
can actually be consumed on the platform. See
Using Services for more information.