Kubernetes

Cloud Native

Serverless

Containers

Kyma Runtime

SAP BTP's managed Kubernetes environment — container-native, serverless-capable, and ideal for microservices architectures, event-driven applications, and teams embracing cloud-native DevOps.

Kyma Runtime Architecture

Rendering diagram…

Executive Summary

Kyma Runtime is SAP's managed Kubernetes (K8s) offering on BTP. Built on Gardener (SAP's Kubernetes-as-a-Service), Kyma adds SAP-specific components: Istio service mesh, NATS-based eventing, Kyma Functions (serverless), and Service Manager for OSBAPI integration. It is the runtime of choice for containerised microservices, event-driven architectures, and teams using Helm and GitOps.

Unlike Cloud Foundry, Kyma gives teams full Kubernetes API access — enabling standard tooling (kubectl, Helm, ArgoCD) while BTP manages the control plane, upgrades, and scaling of the underlying cluster.

Kyma Architecture Concepts

Managed K8s ClusterOne Gardener-provisioned cluster per BTP subaccount. SAP manages the control plane; you manage workloads via kubectl and standard K8s tooling.

Istio Service MeshAutomatic mTLS between all pods in Istio-enabled namespaces. Provides traffic management, observability, and security policy enforcement.

Kyma FunctionsServerless FaaS (Node.js 18 / Python 3.11) triggered by HTTP or events. Ideal for lightweight event handlers with sub-10-minute execution time.

Event Mesh IntegrationSubscribe to S/4HANA Business Events (e.g., BusinessPartner.Changed, SalesOrder.Created) via NATS-based Kyma Subscriptions.

API RulesKyma CRD for exposing K8s services via the Kyma Gateway (Istio-based ingress). Replaces raw Ingress resources with SAP-aware routing.

Service ManagerOSBAPI-compliant broker that creates and binds BTP services as K8s ServiceInstance and ServiceBinding CRDs — no manual secret management.

BTP Service OperatorK8s operator that reconciles ServiceInstance / ServiceBinding CRDs against the BTP Service Manager API. Installed by default in Kyma.

Helm ChartsStandard deployment mechanism for Kyma workloads. Use helm upgrade --install for idempotent deployments in CI/CD pipelines.

Kyma Function + Event Subscription

Event-driven with zero infrastructure

Kyma Functions let you react to S/4HANA business events without managing servers. The Subscription resource wires an event type to a Function endpoint automatically via the NATS eventing backbone.

kyma-function.yaml

1# kyma-function.yaml — Kyma serverless function
2apiVersion: serverless.kyma-project.io/v1alpha2
3kind: Function
4metadata:
5  name: bp-changed-handler
6  namespace: production
7spec:
8  runtime: nodejs18
9  source:
10    inline:
11      source: |
12        const axios = require('axios');
13        module.exports = {
14          main: async function(event, context) {
15            const { data } = event;
16            console.log('BusinessPartner changed:', data.BusinessPartner);
17            // Call CAP service to sync data
18            await axios.post(
19              process.env.CAP_SRV_URL + '/odata/v4/bp-sync/syncPartner',
20              { businessPartner: data.BusinessPartner }
21            );
22            return { status: 'synced' };
23          }
24        };
25---
26# Event subscription — trigger on S/4HANA BusinessPartner.Changed
27apiVersion: eventing.kyma-project.io/v1alpha2
28kind: Subscription
29metadata:
30  name: bp-changed-sub
31  namespace: production
32spec:
33  sink: http://bp-changed-handler.production.svc.cluster.local:80
34  source: sap.s4.beh.businesspartner.v1
35  typeMatching: standard
36  types:
37    - sap.s4.beh.businesspartner.v1.BusinessPartner.Changed.v1

Kyma CLI Commands

kyma-deploy.sh

1# Deploy to Kyma using kubectl
2kubectl apply -f kyma-function.yaml
3
4# Check Kyma function status
5kubectl get functions -n production
6
7# Deploy CAP app as K8s Deployment
8helm upgrade --install my-cap-app ./charts/cap-app \
9  --namespace production \
10  --set image.repository=my-registry/cap-app \
11  --set image.tag=1.0.0
12
13# Access Kyma dashboard
14kubectl proxy &
15open http://localhost:8001/api/v1/namespaces/kyma-system/services/console-web:80/proxy/

Enterprise Example: DEWA Smart City Event Platform

DEWA Production Configuration

DEWA uses Kyma for their Smart City event platform. S/4HANA Business Events (meter reading events, customer data changes) flow via BTP Event Mesh into Kyma Subscriptions, triggering Kyma Functions that process and route data to HANA Cloud and external IoT systems. CAP services run as K8s Deployments served via Kyma API Rules. HPA configured to scale CAP pods from 2 to 10 replicas based on CPU utilisation.

Best Practices

Use Namespaces per application domain

Separate namespaces per domain (not per environment — use separate clusters for production) to isolate workloads and apply RBAC cleanly.

Enable Istio mTLS for all services

Verify Istio sidecar injection is active on all application namespaces. mTLS provides automatic in-cluster encryption with no code changes.

Use Kyma Service Operator for BTP bindings

Declare BTP service instances and bindings as K8s CRDs (ServiceInstance / ServiceBinding). Avoid manual secret creation.

Build minimal container images

Use distroless or alpine base images. Smaller images reduce attack surface, speed up pull times, and lower cluster egress costs.

Configure Horizontal Pod Autoscaler

Set HPA on all production CAP deployments with CPU and memory targets. Define min/max replicas based on expected load patterns.

Common Pitfalls

Using Kyma Functions for long-running tasks

Functions have a maximum 10-minute timeout. Long-running tasks must be Kubernetes Jobs or Deployments, not Functions.

Missing resource requests/limits on pods

Without resource constraints, pods can consume unbounded CPU/memory, causing OOMKilled events and noisy-neighbour problems.

Ignoring Istio sidecar injection

Namespaces without the istio-injection=enabled label have no sidecar — breaking mTLS assumptions and service mesh observability.

Using default namespace for application workloads

The default namespace has no RBAC boundaries. All production workloads need dedicated namespaces with network policies.

Not backing up Kyma cluster config in Git

Without GitOps discipline, cluster configuration drifts and is unrecoverable after a cluster incident. Use ArgoCD or Flux.

Security Considerations

Kyma uses Istio for mTLS between services — verify Istio is enabled on all application namespaces. Use K8s RBAC roles (not cluster-admin) for developer access. Store sensitive configuration as K8s Secrets encrypted with KMS. Apply Pod Security Standards (restricted profile) for all production namespaces. Regularly rotate kubeconfig credentials and audit RBAC role bindings quarterly.

References

Kyma Runtime on BTP

Official SAP Help documentation for Kyma Environment on BTP

Kyma Project documentation

Open-source Kyma project docs — Functions, Eventing, Service Manager

BTP Service Operator

K8s operator for managing BTP service instances declaratively via CRDs

Kyma Functions guide

Tutorials for building and deploying Kyma serverless Functions