Requirements for Packaging Your Application

This page describes the requirements for packaging your Kubernetes application, and guidelines for meeting those requirements.

Your application package is a bundle of container images and configuration files that are deployed to users' Kubernetes clusters. To support deploying your app to Google Kubernetes Engine from the Google Cloud Console, the application package must include a deployment container, which pushes the configuration files and display metadata to the Kubernetes API.

Your application package enables Google Cloud users to:

  • Discover your app in the GCP Marketplace catalog
  • Deploy the application to their GKE cluster, using the Google Cloud UI
  • Interact with the running app using Google Cloud Console

In addition to supporting a UI-based deployment from GCP Marketplace, your package must include steps for users to deploy your app from a command-line interface (CLI), using tools such as kubectl and Helm.

For examples of app packages, see the GitHub repository for Google Click to Deploy Solutions. The repository contains packages for popular open source applications such as WordPress and Elasticsearch.

Before you begin

  • Make sure that you have set up your Google Cloud environment.
  • Create a public Git repository for the configuration files, user guide, and other resources to run your app. You can host the repository with a provider such as GitHub, Cloud Source Repositories, or on your own server. We recommend a dedicated repository for each product that you are distributing.


The application must meet the following requirements:

  • Your repository must contain a LICENSE file, which contains the open source license for the repository.

  • Your repository must contain a configuration file, which deploys your app. The configuration file can be a Kubernetes YAML manifest, or a Helm chart.

    The configuration must include an Application custom resource, which describes the application.

    See Requirements for your configuration.

  • Optionally, if you want your application to be compatible with GKE On-Prem, modify your application images for compatibility.

    See Requirements to support GKE On-Prem.

    For information on GKE On-Prem, request access.

  • Optionally, if you want your application to be compatible with Istio, review the limitations on clusters that run Istio.

  • If you are selling a commercial application, your app must report its usage to Google, so that your customers are billed accurately. We recommend integrating your app with the Usage-based Billing Agent, which sends usage reports to Google.

    See Requirements to integrate the billing agent.

  • You must upload all the container images for your application to your registry in Container Registry. Your registry must also include a deployer image, which pushes the app's configuration to the Google Kubernetes Engine API when users deploy the app from Google Cloud Console.

    See Requirements for building application images.

  • You must include integration tests for the app.

    See Requirements for Verification process.

  • You must include a user guide, with steps to deploy the application from the command line, configure the app, and to use the app.

    See Requirements for your user guide.

Requirements for your configuration

You can provide your configuration either as a Kubernetes manifest, or as a Helm chart.

Your configuration must meet the following requirements:

  • To protect users from unstable APIs, use only beta or generally available Kubernetes resources.

  • Your configuration must deploy an Application custom resource. The Application resource contains the information that users see when they deploy their app through the GCP Marketplace UI.

    The Application resource is a custom resource, which aggregates the Kubernetes components associated with your app, and lets users manage these resources as a group.

    For information on creating an Application resource, and for examples, see the Application GitHub repository.

  • Your configuration must use parameters that can be substituted, either using envsubst, or as flags.

    The following parameters must be capable of being substituted:

    • Cluster and namespace: Kubernetes client tools typically provide a mechanism to select cluster and namespace, which is sufficient to meet this requirement. Namespaces sometimes also appear inside of resource definitions, such as when referring to a ServiceAccount in a RoleBinding. Any such reference must be parameterized.

    • App name: The instance name of the application resource. The same string must also be included in the name of every resource belonging to the application, to avoid name collisions in the event of multiple deployments of the app within one namespace.

    • Container Images: Every image reference, such as in a PodSpec, must be substitutable. This allows GCP Marketplace to override these references to point to images published in our container registry. It also allows customers to easily substitute modified images.

    • License secret: If your application is performing commercial metering, it must accept the name of a Secret resource as a parameter. The secret contains the usage reporting credentials, which your app uses to send usage data to Google.

  • All the resources in your configuration must belong to a single namespace. GCP Marketplace users configure this namespace when they deploy your app. Avoid hard-coding namespaces in your manifests, so that the resources you specify are created in the namespace that users select.

  • It must be possible to deploy your application using client-side tools. For example, if you are using Helm, the deployment must work with the --client-only command-line flag.

Requirements to support GKE On-Prem

If you want your application to run on GKE On-Prem, note that customers' GKE On-Prem clusters might be configured differently than standard GKE clusters, so the following resources must be manually configured by your customers:

  • Storage Classes

    GCP Marketplace cannot predict which Storage Classes exist in a customer's GKE On-Prem cluster, so we recommend the following changes to your application:

    • If you are creating Persistent Volume Claims (PVCs), the claim must be provisioned without explicitly referencing a Storage Class.

    • If your application uses the x-google-marketplace STORAGE_CLASS property, customers must choose a Storage Class when they deploy your app from the Google Cloud Console. We recommend adding documentation that guides users to choose an appropriate Storage Class.

  • Services and Ingress

    GCP Marketplace cannot predict the network topology and networking controllers in a customer's GKE On-Prem cluster, so customers must set up networking that works with their specific configuration.

    Depending on the client that your application uses for the deployment, you must modify your application in the following ways:

    • If you are using kubectl and environment variables for your app's configuration, we recommend removing all Ingress resources from your manifests.

    • If you are using Helm for your configuration, use the x-google-marketplace INGRESS_AVAILABLE property in the schema for your deployment image. If this property is false, your deployer must not create any Ingress resources.

    For high-level information on the deployment container, see the requirements for the deployment container. For detailed steps to build a deployment container, including information about the deployer's schema, see the GCP Marketplace tools GitHub repository.

    In the post-deployment section of your documentation, add steps for your customers to set up networking after they have deployed the application.

  • Kubernetes Service Accounts

    To ensure that customers' GKE On-Prem clusters can access the application images in your Container Registry repository, your application must use explicitly declared Kubernetes Service Accounts. The Service Accounts must be defined in your deployer image's schema, using the x-google-marketplace SERVICE_ACCOUNT property.

    This means that your application must not rely on the namespace's default Service Account, nor should it create new Service Accounts. To remove the dependency on the namespace's default Service Account, explicitly define the service account to use for all workloads, such as by setting the serviceAccountName property for all Pod specs.

    For an application that uses an explicit Service Account, see the following examples from the Prometheus app in the Google Click to Deploy GitHub repository:

    For information on configuring Service Accounts, see the Kubernetes documentation for Service Accounts.

Limitations on clusters with Istio

If you want your application to be compatible with Istio, review the limitations described in this section. For an overview of Istio, see What is Istio?.

If your customers run Istio in their clusters, Istio controls the network traffic between your application's Pods by default. This means that network communication might be blocked in the following scenarios:

  • If your Pods run kubectl commands that use the cluster's IP address, the commands might fail.

  • If your application uses Pod-to-Pod or IP-based communication, the cluster formation step might fail.

  • External connections to third-party services, such as OS package repositories, are blocked. Customers must configure Istio egress traffic to enable access to external services.

We recommend configuring incoming connections using Istio Gateway, instead of LoadBalancer or Ingress resources.

If you are using Helm for your configuration, use the x-google-marketplace ISTIO_ENABLED property in the schema for your deployment image. If this property is true, your deployer must modify the deployment, such as waiting for the Istio sidecar to be ready.

To help your customers set up communication between application Pods, we recommend adding steps to the post-deployment sections of your documentation.

Requirements to integrate the billing agent

If you are selling a commercial application, we recommend integrating your application with the Usage-based Billing (UBB) Agent.

The agent handles authentication and reporting to Google's usage reporting endpoint: Service Control. When you have submitted your pricing model, the GCP Marketplace team creates a service for your application to report against, and the billing metrics to measure usage.

The agent also manages local aggregation, crash recovery, and retries. For the usage-hour metric, the agent can be configured to automatically report heartbeats.

The agent also exposes reporting status, allowing your application to detect whether the agent is successfully reporting usage data.

Customers purchase the application in GCP Marketplace to acquire a license, which is attached to the application at deployment time.

When you are integrating with the billing agent, consider how your application behaves when usage reports fail, which might indicate one of the following:

  • The customer has cancelled their subscription.

  • The customer might have accidentally disabled the reporting channel. For example, customers might inadvertently remove or misconfigure the agent, or the network might prevent the agent from accessing Google's reporting endpoint.

In these cases, Google does not receive usage data and customers are not billed.

In these scenarios, your application can self-terminate, or disable functionality. If usage reports fail during the application's startup, we recommend that your app self-terminate, so that your customers get immediate feedback, and can resolve the issue.

Integrating the billing agent

You can integrate the agent as a sidecar container, which runs in the same Pod as your application, or using the SDK.

In the sidecar approach, the agent runs in its own container, in the same Kubernetes Pod as the application container. Your application communicates with the agent's local REST interface.

If you use the SDK approach, the agent must be compiled or linked into your application binary. The SDK is implemented natively for Go, with bindings for Python.

In general, the sidecar approach requires less integration effort, while the SDK is more robust against being accidentally disabled.

For detailed integration steps, see the README in the Usage-based Billing Agent GitHub repository. To see a sample implementation, see the example app and tools repositories.

Credentials to report usage

The billing agent requires credentials that allow it to send usage reports to Google. GCP Marketplace generates these credentials when users deploy the app from GCP Marketplace, and ensures that they exist as a Secret in the target Kubernetes namespace before your application is deployed. The name of this Secret is passed to your app as the REPORTING_SECRET schema property.

For an example manifest that uses the reporting secret, see the WordPress app example in GitHub.

The Secret contains the following fields:


An identifier representing the customer's agreement to purchase and use the software.


An identifier associated with the Entitlement that is passed to Google Service Control along with usage reports.


The Google Cloud Service Account JSON key used to authenticate to Google Service Control.

If your solution provides a SaaS component in addition to the app, you can optionally have that SaaS component periodically check the validity of entitlement IDs, using the GCP Marketplace Procurement service. To get access to the Procurement service, contact your Partner Engineer.

For information on additional parameters that are passed to the app, see Custom Parameters, later in this section.

Requirements for building your container images

Your application consists of one or more application container images. In addition, your repository must include a deployment container, which is used when customers deploy the app from the GCP Marketplace UI.

Container images are typically built using a Dockerfile and the docker build command-line tool. We recommend that you publish the Dockerfile and container build instructions in the public repository for your application. This enables customers to modify or rebuild the images, which is sometimes necessary to certify images for enterprise production environments.

If your application image depends on a base image such as Debian, or a language runtime image such as Python or OpenJDK, we strongly recommend that you use one of GCP Marketplace's certified container images. Doing so ensures timely updates to your base image, especially for security patches. This approach also simplifies your open source license review step, because you do not need to account for packages that are present in the base image.

After building your application images, push them to the staging registry that you created in Container Registry when you set up your environment.

Your Container Registry repository must have the following structure:

  • Your application's main image must be in the root of the repository. For example, if your Container Registry repository is, the application's image should be in

  • The image for your deployment container must be in a folder called deployer. In the above example, the deployment image must be in

  • If your application uses additional container images, each additional image must be in its own folder. For example, if your application requires an Ubuntu 16.04 image, add the image to

  • All the images in your application must be tagged with the minor version using semantic versioning for your application.

For example, the following image shows the Container Registry repository for the Elasticsearch Cluster Kubernetes application. The application contains the main application image, the deployer image in its own folder, and the Ubuntu 16.04 image in ubuntu16_04. All the images in the repository are tagged with the same minor version number, 6.3, using semantic versioning.

Example Elasticsearch Container Registry repository structure

The repository is at

Use the container image identifiers that you selected when you chose your product identifiers.

To upload your images to Container Registry, tag it with the registry name, and then push the image using gcloud. For example, use the following commands to push the images for example-pro:

docker build -t .
gcloud docker -- push

For detailed steps to tag and push images to your registry, see the Container Registry documentation.

Requirements for the deployment container

The deployment container, or deployer, is used when customers deploy your solution from the GCP Marketplace catalog. The deployer image packages your application's Kubernetes configuration and the client tools such as kubectl or Helm which push the configuration to the Kubernetes API. The deployer should typically use the same set of command-line commands that a user would run to deploy your application.

To create your deployer, use one of the base images for deployment containers from the tools repository marketplace directory:

The base images have built-in utilities for tasks such as assigning owner references, password generation, and post-deploy cleanup.

For detailed steps to build your deployer image, see Building the Application Deployer.

Parameters passed to your app

Your deployment container must declare parameters that need to be collected from customers when they select your app. These parameters are then supplied to the deployment container when users deploy the app.

To configure these parameters, your deployment container image must include a JSON Schema, in YAML format, at this path: /data/schema.yaml.

To learn how to craft schema.yaml, see Deployer schema.

Requirements for Verification process

Applications are executed in our Verification system to ensure that:

  • Installation succeeds: All resources are applied and waited for to become healthy.
  • Functionality tests pass: The deployer starts the Tester Pod and watches its exit status. Zero means success, non-zero means failure.
  • Uninstallation succeeds: Application and all its resources are successfully removed from the cluster.

Successful results are required before the application can be published to the GCP Marketplace.

Follow the instructions at

Requirements for your user guide

Your user guide must include the following information:


  • A general application overview, covering basic functions and configuration options. This section must also link to the published solution on GCP Marketplace.

One-time setup

  • Configuring client tools such as kubectl or Helm. as applicable.
  • Installing the Application CustomResourceDefinition (CRD), so that your cluster can manage the Application resource.
  • If you are selling a commercial app, steps for acquiring and deploying a license Secret from GCP Marketplace.


  • Commands for deploying the application.
  • Passing parameters available in UI configuration.
  • Pinning image references to immutable digests.
  • If you add custom input fields to your deployer schema, add information about the expected values, if applicable.

    Learn about adding input fields to your deployer

Basic Usage

  • Connecting to an admin console (if applicable).
  • Connecting a client tool and running a sample command (if applicable).
  • Modifying usernames and passwords.
  • Enabling ingress and installing TLS certs (if applicable).

Backup and restore

  • Backing up application state.
  • Restoring application state from a backup.

Image updates

  • Updating the application images for patches or minor updates.


  • Scaling the application (if applicable).


  • Deleting the app.
  • Cleaning up any resources that might be intentionally orphaned, such as PersistentVolumeClaims.
Оцените, насколько информация на этой странице была вам полезна:

Оставить отзыв о...

Текущей странице
GCP Marketplace Partners