Create an APIMExtensionPolicy

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

This page describes how to create an APIMExtensionPolicy to create the required traffic extension on the Google Kubernetes Engine (GKE) Gateway running in your cluster.

Before you begin

Before you begin this task, complete the following steps:

Required roles

If you assign the required roles to your service account as described in Install the Apigee Operator for Kubernetes, no additional IAM roles or permissions are required to complete these tasks.

You can choose to authorize actions on resources in your Google Kubernetes Engine cluster using the built-in role-based access control (RBAC) mechanism in Kubernetes. For more information, see Authorize actions in clusters using role-based access control.

Create the APIMExtensionPolicy

In this step, create the APIMExtensionPolicy and apply it to the GKE Gateway running in your cluster. This policy governs all traffic going through the Gateway and its associated HTTPRoutes, operating similarly to a flowhook at the environment level in Apigee today.

Create the APIM Extension policy:

  1. Create a new file named global-ext-lb1-apim-policy.yaml in the apim namespace.
  2. Copy the following content into the new file:
     # global-ext-lb1-apim-policy.yaml
     apiVersion: apim.googleapis.com/v1
     kind: APIMExtensionPolicy
     metadata:
       name: global-ext-lb1-apim-policy
       namespace: apim
     spec:
       apigeeEnv: ENV_NAME # optional
       location: global
       failOpen: false
       timeout: 1000ms
       defaultSecurityEnabled: true
       targetRef: # identifies the Gateway where the extension should be applied
         name: global-ext-lb1
         kind: Gateway
         namespace: default

    Where ENV_NAME is the name of the Apigee environment created in the installation step Create an Apigee environment.

    You can view all available environments in the Apigee Environments page in the Google Cloud console:

    Go to Environments

  3. Apply the policy:
    kubectl -n apim apply -f global-ext-lb1-apim-policy.yaml

    Once the policy is applied, the Apigee Operator for Kubernetes creates networking resources in the background.

  4. Check the status of the APIM Extension policy using the following command:
    kubectl -n apim get APIMExtensionPolicy

    The output should look similar to the following, with a State of RUNNING:

    NAME                         STATE     ERRORMESSAGE
    global-ext-lb1-apim-policy   RUNNING

  5. Use the following command to send a request to the Gateway:
    curl http://GATEWAY_IP_ADDRESS/get -H "Host: HOST_NAME"

    Where:

    • GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command, where GATEWAY_NAME is the name of the Gateway:
      kubectl get gateways.gateway.networking.k8s.io GATEWAY_NAME -o=jsonpath="{.status.addresses[0].value}"
    • HOST_NAME is the hostname defined in the Gateway's HTTPRoute.
  6. The request should fail because default security is enabled by setting defaultSecurityEnabled: true in the API Extension policy resource. You should see a response similar to the following:
    {"fault":{"faultstring":"Raising fault. Fault name : RF-insufficient-request-raise-fault","detail":{"errorcode":"steps.raisefault.RaiseFault"}}}

    This indicates that the Apigee extension policy is active and that API key enforcement and access token verification are active.
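
The manifest in step 2 sets failOpen: false and defaultSecurityEnabled: true, and the rejected request in step 6 depends on the latter. The following shell check is an added example, not part of the Apigee documentation; it flags a manifest that weakens either setting before it is applied. The function names and sample values are hypothetical, and reading failOpen: true as "traffic passes when the extension call fails" is an assumption.

```shell
#!/bin/sh
# Pre-apply check for an APIMExtensionPolicy manifest (added example).
# policy_field FILE KEY: print the scalar value of the first "KEY:" line,
# with any "# comment" and surrounding whitespace stripped.
policy_field() {
  awk -v key="$2" '
    { sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "") }
    $1 == (key ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }
  ' "$1"
}

# check_apim_policy FILE: return 0 if the manifest keeps the fail-closed
# settings used on this page, 1 if one is weakened, 2 if the kind is wrong.
check_apim_policy() {
  rc=0
  [ "$(policy_field "$1" kind)" = "APIMExtensionPolicy" ] ||
    { echo "$1: kind is not APIMExtensionPolicy"; return 2; }
  # Assumption: failOpen: true lets traffic through if the extension call fails.
  [ "$(policy_field "$1" failOpen)" = "false" ] ||
    { echo "$1: failOpen is not explicitly false"; rc=1; }
  [ "$(policy_field "$1" defaultSecurityEnabled)" = "true" ] ||
    { echo "$1: defaultSecurityEnabled is not true"; rc=1; }
  [ "$(policy_field "$1" apigeeEnv)" != "ENV_NAME" ] ||
    { echo "$1: apigeeEnv still holds the ENV_NAME placeholder"; rc=1; }
  return "$rc"
}

# write_policy FILE FAILOPEN DEFAULTSECURITY: write a constructed sample manifest.
write_policy() {
  cat > "$1" <<EOF
apiVersion: apim.googleapis.com/v1
kind: APIMExtensionPolicy
metadata:
  name: global-ext-lb1-apim-policy
spec:
  apigeeEnv: my-env # constructed value
  failOpen: $2
  defaultSecurityEnabled: $3
  targetRef:
    name: global-ext-lb1
    kind: Gateway
EOF
}

tmp=$(mktemp -d)
write_policy "$tmp/good.yaml" false true   # settings as on this page
write_policy "$tmp/weak.yaml" true false   # both settings weakened
check_apim_policy "$tmp/good.yaml" && echo "good.yaml: ok to apply"
check_apim_policy "$tmp/weak.yaml" || echo "weak.yaml: do not apply"
```

Run check_apim_policy on global-ext-lb1-apim-policy.yaml before the kubectl apply in step 3. The field lookup is a line-based match on the first occurrence of each key, not a full YAML parse.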

What's next
