Browse Courses

Service Binding

July 18, 2025 5 min read DevOps Containers Docs IBM-DevOps Secrets Environment-Variables

Explains the concept, process, and best practices of service binding in Kubernetes, including how to securely connect applications to external services using secrets and environment variables.

On this page

This document details how service binding in Kubernetes enables applications to securely consume external services by managing configuration and credentials through secrets and environment variables. It covers the binding process, practical steps, and usage in application code.

Introduction to Service Binding

Service binding is the process of connecting applications running in Kubernetes to external or backing services, such as REST APIs, databases, or event buses. It manages configuration and credentials for backend services, ensuring sensitive data is protected and made available to applications as secrets.

Goals and Roles of Service Binding

  • Simplifies the consumption of external services by applications.
  • Automatically manages and provides service credentials as Kubernetes secrets.
  • Protects sensitive data and streamlines configuration management.

Service binding allows applications to access required credentials without hard-coding them, improving security and maintainability.

Service Binding Workflow

The typical workflow for binding an external service to a Kubernetes application involves:

  1. Provisioning the Service: Create an instance of the external service (e.g., using IBM Cloud CLI or web catalog).
  2. Binding the Service: Use a service binding command to connect the service to the Kubernetes cluster, which creates a secret containing the service credentials.
  3. Storing Credentials: The credentials are stored in a Kubernetes secret, base64 encoded and formatted as JSON.
  4. Configuring the Application: The application is configured to access the credentials from the secret, either by mounting it as a volume or referencing it in environment variables.

Service Binding Architecture

    flowchart TD
	Deployment --> Pod_MyApp
	Pod_MyApp --> ServiceBinding
	ServiceBinding --> Secret_DBCreds
	Secret_DBCreds --> Pod_MyApp
	ServiceBinding --> Service_PostgreSQL
	Service_PostgreSQL --> Pod_postgres
	
	    subgraph Application_Layer
	        Pod_MyApp
	        Deployment
	    end
	    subgraph Binding_Layer
	        ServiceBinding
	        Secret_DBCreds
	    end
	    subgraph Backing_Service_Layer
	        Service_PostgreSQL
	        Pod_postgres
	    end

Example: IBM Cloud Service Binding

Suppose you want to bind the IBM Watson Tone Analyser service to your Kubernetes cluster:

  • Provision the Service: Create a service instance using the IBM Cloud CLI or web interface.
  • Bind the Service: Use the service binding command to generate credentials and store them in a Kubernetes secret.
  • Verify the Secret: Use the following command to list secrets:

1kubectl get secrets
  • Access the Secret: You can access the secret in two ways:

1. Mount as a Volume

Mount the secret as a volume in your pod. This creates a JSON file (e.g., binding) in the mount directory containing all credentials.

2. Reference in Environment Variables

Reference the secret in your deployment descriptor to expose credentials as environment variables:

 1env:
 2  - name: BINDING_API_KEY
 3    valueFrom:
 4      secretKeyRef:
 5        name: <secret-name>
 6        key: binding.api_key
 7  - name: BINDING_USERNAME
 8    valueFrom:
 9      secretKeyRef:
10        name: <secret-name>
11        key: binding.username
12  - name: BINDING_PASSWORD
13    valueFrom:
14      secretKeyRef:
15        name: <secret-name>
16        key: binding.password

In Node.js, access these variables as:

1const apiKey = process.env.BINDING_API_KEY
2const username = process.env.BINDING_USERNAME
3const password = process.env.BINDING_PASSWORD

Security and Best Practices

  • Always use secrets to store credentials, never hard-code them in application code.
  • Use environment variables or volume mounts to provide credentials to applications.
  • Service binding automates credential management, reducing manual errors and improving security.

Conclusion

Service binding in Kubernetes streamlines the process of connecting applications to external services. By managing credentials as secrets and exposing them securely, it enhances both security and developer productivity.

FAQ

Service binding is the process of connecting applications to external or backing services, managing configuration and credentials as Kubernetes secrets for secure access.

  1. It allows direct database access from the internet
  2. It automates the management of service credentials and configuration for applications
  3. It removes the need for secrets in Kubernetes
  4. It disables environment variables
(2) Service binding automates the management of service credentials and configuration, improving security and developer productivity.

Service credentials are provided as Kubernetes secrets, which can be accessed by mounting them as volumes or referencing them in environment variables.

Hard-coding credentials increases the risk of accidental exposure and security breaches. Using secrets is the recommended practice.

  1. Mounting the secret as a volume
  2. Referencing the secret in environment variables
  3. Storing credentials in a ConfigMap
  4. Using the Kubernetes dashboard to view secrets
(3) ConfigMaps are not intended for sensitive data like credentials; secrets should be used instead.

StepDescription
A. Provision1. Create an instance of the external service
B. Bind2. Connect the service to the cluster and create a secret
C. Store Credentials3. Save credentials in a Kubernetes secret
D. Configure App4. Access credentials from the secret in the app
A-1, B-2, C-3, D-4.

Environment variables can be used to expose secret credentials to applications, allowing secure and flexible access to external services.

Service binding in Kubernetes helps protect sensitive data by managing credentials as secrets and automating their delivery to applications.

True. Service binding ensures credentials are securely managed and not hard-coded in application code.
Config Map