Installing service catalog

This page explains how to install the Kubernetes Service Catalog and register the Google Cloud Service Broker in your Google Kubernetes Engine cluster.

Service Catalog enables you to provision other Google Cloud services, such as Cloud Pub/Sub, from within your GKE cluster by connecting to Service Broker.

For more information on the Service Catalog, refer to the Kubernetes Service Catalog documentation.


  • Ensure that you have installed and initialized the Cloud SDK.
  • Run gcloud components install kubectl to install the kubectl component.
  • Run gcloud auth application-default login to get credentials used in calling Google APIs.
  • Follow the Kubernetes Quickstart to enable billing, configure default settings, create a Kubernetes cluster, and get the authentication credentials necessary to access the cluster.
  • Ensure that the Google Cloud project you are using with the Kubernetes Service Catalog is set as default with gcloud by running gcloud config set project [PROJECT_ID].


Service Catalog installer (sc) is a command-line tool that allows you to easily install Service Catalog and add Service Broker to a Kubernetes cluster. Service Catalog enables you to list, provision, and bind with other Google Cloud services.

Installing the Service Catalog and Service Broker

Download the Service Catalog installer

Download the Service Catalog installer archive for your platform and install the contents in your PATH. The archive contains the sc installer tool.

For your convenience, the archive also contains cfssl and cfssljson binaries from CloudFlare's PKI toolkit. You can also download cfssl and cfssljson for your platform from CloudFlare's releases page and install them in your PATH.

Check if all of the dependencies for sc have been installed:

sc check

If the check is successful, it will output the following message:

Dependency check passed. You are good to go.

Set RBAC Permissions on your cluster

Grant the cluster admin role (cluster-admin) to your Google Cloud account. This command gives you permission to install the Service Catalog in your cluster:

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value account)

Additional information on Role-Based Access Control is available in Kubernetes documentation.

Install the Service Catalog

Install the Kubernetes Service Catalog into your Kubernetes cluster by running:

sc install

This command creates several Kubernetes deployments inside a service-catalog namespace. These deployments support integrating Open Service Brokers with Kubernetes.

It may take a few minutes after the sc install command succeeds for the Service Catalog to start up in your cluster. To check on the status, run:

kubectl get deployment -n service-catalog

The Service Catalog components are ready once all deployments report as AVAILABLE as in the example output:

NAME                          DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
apiserver                     1         1         1            1           3m
controller-manager            1         1         1            1           3m
etcd-cluster-backup-sidecar   1         1         1            1           3m
etcd-operator                 1         1         1            1           3m

Register Google Cloud Platform Service Broker with the Service Catalog

To register Service Broker with the Kubernetes Service Catalog, run:

sc add-gcp-broker

This command:

  • Enables several Google Cloud APIs.
  • Creates a service broker resource specific to your project.
  • Registers Google Cloud Platform Service Broker with the Service Catalog in your cluster.
  • Installs an OAuth authentication extension, which enables Kubernetes Service Catalog to authenticate with brokers that require OAuth.

If successful, it will output the following message:

The Service Broker added successfully.

Verify that Service Broker is available and ready:

kubectl get clusterservicebrokers -o 'custom-columns=BROKER:.metadata.name,STATUS:.status.conditions[0].reason'

The STATUS of the gcp-broker may change through several values as the Service Catalog establishes communication with the broker and fetches its catalog of services. If successful, this command outputs the FetchedCatalog status as shown below:

gcp-broker   FetchedCatalog

Set the role for the project service account

Find your Project ID and Project number:

GCP_PROJECT_ID=$(gcloud config get-value project)
GCP_PROJECT_NUMBER=$(gcloud projects describe $GCP_PROJECT_ID --format='value(projectNumber)')

Alternatively, you can find these values from Cloud Console.

Grant the Owner role (roles/owner) to the cloudservices service account so that the service account can grant Cloud Identity and Access Management (Cloud IAM) permissions. Service Broker grants Cloud IAM permissions as part of binding to the service instances.

gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
    --member serviceAccount:${GCP_PROJECT_NUMBER}@cloudservices.gserviceaccount.com \
    --role=roles/owner
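
To review the result of the Owner grant above, the following added example (not part of the original page) filters flattened IAM policy output for roles/owner members that are not on an allowlist. The function names, the allowlist, and the sample policy rows are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: review who holds roles/owner
# after the grant above.
#
# Expected stdin: one "ROLE MEMBER" pair per line (whitespace separated),
# as printed by:
#   gcloud projects get-iam-policy "$GCP_PROJECT_ID" \
#     --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'

# unexpected_owners ALLOWED_MEMBER...
# Prints every roles/owner member that is not in the allowlist.
# Returns 0 when every owner is expected, 1 otherwise.
unexpected_owners() {
    allow="$*"   # members never contain spaces, so a space-joined list is safe
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "roles/owner" && !($2 in ok) { print $2; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample policy; project number 123456789012 and all member
# names are placeholders, not values from the page.
sample_policy() {
    cat <<'EOF'
roles/owner  user:admin@example.com
roles/owner  serviceAccount:123456789012@cloudservices.gserviceaccount.com
roles/editor  serviceAccount:123456789012-compute@developer.gserviceaccount.com
roles/owner  serviceAccount:ci-bot@example-project.iam.gserviceaccount.com
EOF
}

# Demo on the sample: only the human admin and the cloudservices account
# named on this page are expected to hold Owner, so ci-bot is reported.
sample_policy | unexpected_owners \
    "user:admin@example.com" \
    "serviceAccount:123456789012@cloudservices.gserviceaccount.com" || true
```

Against a real project, pipe the gcloud command from the header comment into unexpected_owners and pass your own expected owners as arguments.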

(Optional) Installing the svcat CLI tool

The svcat command line tool is the recommended way to interact with the Service Catalog. It simplifies interacting with the Kubernetes Service Catalog, including provisioning and binding services.

You can find svcat installation instructions in the Service Catalog documentation.
