Add policies to the GKE Gateway

This page applies to Apigee, but not to Apigee hybrid.

View Apigee Edge documentation.

This page describes how to add Apigee runtime policies and a Google token injection policy to the Google Kubernetes Engine (GKE) Gateway with the Apigee APIM Operator for Kubernetes (Preview). Adding an available set of policies to the Gateway allows you to extend the functionality of the Gateway beyond API product enforcement to include additional security and business rules.

The Apigee APIM Operator for Kubernetes can be used to add the following policies to the Gateway:

Overview

The following sections describe how to:

Add policies to the GKE Gateway.
Create a template rule to enforce usage of the policies.
Update the Apigee template to include the template rule .

Deploy the Apigee Gateway policy with the template.
Validate policy enforcement.

Before you begin

To modify your GKE Gateway with the complete set of policies used as an example in this guide, you must have a service account with the roles required to create tokens within Apigee and deploy proxies and extensions. If you choose not to create Google tokens, you do not need to add the additional roles to your service account and you can skip to the next section.

To create a service account with the required permissions:

If you created a service account named apigee-apim-gsa in the Apigee APIM Operator for Kubernetes installation guide, you can skip this step and proceed to the next step. Otherwise, create the service account:
```
gcloud iam service-accounts create apigee-apim-gsa --project=${PROJECT_ID}
```

Grant the service account the necessary role to create tokens:

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member "serviceAccount:apigee-apim-gsa@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/iam.serviceAccountTokenCreator"

Grant the apigee-apim-gsa service account the necessary role to deploy proxies and extensions:

gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member "serviceAccount:apigee-apim-gsa@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/iam.serviceAccountUser"

Modify your GKE Gateway with policies

You can choose to modify your GKE Gateway with one or more policies to extend its functionality. This example walkthrough applies a yaml file to the Gateway that includes the specifications for two Apigee policies and a Google token injection policy.

Each one of the policies applied to the Gateway using the following yaml file performs a different role when evaluating requests sent to the Gateway:

The SpikeArrest policy controls the peak message rate by defining a maximum rate of allowed requests over a unit of time. In this example, the maximum rate is set to five per minute. To learn more about how the SpikeArrest policy is used to smooth out sudden spikes in traffic, see SpikeArrest policy.
The JavaScript policy lets you add custom JavaScript code to the Gateway requests. In this example, the policy is used to add a custom header to the request. For more on how the JavaScript policy is used to add custom code, see JavaScript policy.
The Google token injection policy is used to inject a Google authentication access token into the Gateway requests, using the AssignMessage policy. Apigee supports using Google OAuth tokens or OpenID Connect tokens to authenticate with Google services. To learn more about authentication tokens, see Using Google authentication.

Add the policies to the Gateway:

Create a new file named apigee-policies.yaml in the apim namespace.

Copy the contents of the following file into the new file you created:

# apigee-policies.yaml
apiVersion: apim.googleapis.com/v1alpha1
kind: SpikeArrest
metadata:
  name: spike-arrest
  namespace: apim
spec:
  identifier:
    ref: request.header.name
  useEffectiveCount: true
  peakMessageRate:
    value: "5pm"
---
apiVersion: apim.googleapis.com/v1alpha1
kind: Javascript
metadata:
  name: js-add-headers
  namespace: apim
spec:
  timeLimit: 2000
  source: |
    var sum = 1+1;
    context.setVariable("request.header.first", 1);
    context.setVariable("request.header.second", 1);
    context.setVariable("request.header.sum", sum);
---
apiVersion: apim.googleapis.com/v1alpha1
kind: AssignMessage
metadata:
  name: google-token-policy
  namespace: apim
spec:
  setActions:
    - authentication:
        googleAccessToken:
          scopes:
            - 'https://www.googleapis.com/auth/cloud-platform'
  AssignTo:
    createNew: false
    type: request

Apply the yaml file to the Gateway using the following command:
```
kubectl -n apim apply -f apigee-policies.yaml
```

Create a TemplateRule as a SharedFlow template

In this step, you will create a TemplateRule to enforce the policies you have added to the Gateway. A template rule is a rule for SharedFlows created by organization administrators to ensure that only approved policies are applied to Gateway traffic by service developers. A template rule ensures that developers understand which policies are available to them, which policies are required for specific use cases, and which policies can't be used by service developers.

Create a template rule

Create a template rule to enforce usage of the AssignMessage policy:

Create a new yaml file named template-rule.yaml in the apim namespace.
Copy the contents of the following file into the new file you created:
```
# template-rule.yaml
apiVersion: apim.googleapis.com/v1alpha1
kind: ApimTemplateRule
metadata:
  name: template-rule
  namespace: apim
spec:
  allowList: [SpikeArrest, Javascript]
  requiredList: [AssignMessage]
  denyList: []
```
In this example, the template rule tells developers that the AssignMessage policy describing the Google token injection policy is required. It also tells developers that they can use the SpikeArrest and JavaScript policies in their API management. There are no policies specified in the deny list.

Apply the template rule

Apply the template rule using the following command:

kubectl apply -f template-rule.yaml

Update the Apigee template to include the template rules

Update the Apigee template to include the template rule you created in the previous section:

Create a new yaml file named new-admin-template.yaml in the apim namespace.

Copy the contents of the following file into the new file you created:

# new-admin-template.yaml
apiVersion: apim.googleapis.com/v1alpha1
kind: ApimTemplate
metadata:
name: new-admin-template
namespace: apim
spec:
apimTemplateRule:
group: apim.googleapis.com
kind: ApimTemplateRule
name: template-rule
namespace: apim
templates:
  - policies:
      - group: apim.googleapis.com
        kind: SpikeArrest
        name: spike-arrest
        namespace: apim
      - group: apim.googleapis.com
        kind: Javascript
        name: js-add-headers
        namespace: apim
      - group: apim.googleapis.com
        kind: AssignMessage
        name: google-token-policy
        namespace: apim

Apply the updated template using the following command:
```
kubectl apply -f new-admin-template.yaml
```

Deploy the Apigee Gateway policy

In this step, you will apply a new file to your Gateway that includes the specifications for an ApigeeGatewayPolicy. This policy is used to deploy the Apigee template to the Gateway.

Deploy the Apigee Gateway policy:

Create a new yaml file named apigee-gateway-policy-withSA.yaml in the apim namespace.

Copy the contents of the following file into the new file you created:

# apigee-gateway-policy-withSA.yaml
apiVersion: apim.googleapis.com/v1alpha1
kind: ApigeeGatewayPolicy
metadata:
  name: apim-template-injection
  namespace: apim
spec:
  serviceAccount: apigee-apim-gsa@${PROJECT_ID}.iam.gserviceaccount.com
  ref:
    group: apim.googleapis.com
    kind: ApimTemplate
    name: new-admin-template
    namespace: apim
  targetRef:
    group: apim.googleapis.com
    kind: APIMExtensionPolicy
    name: global-ext-lb1-apim-policy
    namespace: apim

Apply the policy:

kubectl apply -f apigee-gateway_policy_withSA.yaml

Verify the deployment status of the new Gateway policy:
```
kubectl -n apim get ApigeeGatewayPolicy
```
Once deployed, the policy STATUS should display CREATED.

After the new Gateway policy is deployed, wait two minutes before sending a request to the Gateway to allow the policy to propagate to the cluster.

Validate policy enforcement

To confirm that the Apigee Gateway policy is working as expected, send a request to the Gateway and verify that the Google token is injected into the request.

Send a request to the Gateway using the following command:

curl http://GATEWAY_IP_ADDRESS/get -H "Host: HOST_NAME" -H "x-api-key: API_KEY" -k

Where:

GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command:
```
kubectl get gateway GATEWAY_NAME
```
HOST_NAME is the name of the host.
API_KEY is the API key value.

A successful response should include an Authorization header with the generated bearer token, similar to the following:

{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Authorization": "Bearer ya29.c.c0ASRK0Gbw03y9cfvxL11DxaRYBQUU18SmUP4Vu63OckHI5cX7wJ4DmGMG2vbDDS69HXJHqMj-lak4tcqOsJGmE65crn2gNuJLanXidwM8", 
    "First": "1.0", 
    "Host": "apigee-apim-operator-test.apigee.net", 
    "Second": "1.0", 
    "Sum": "2", 
    "User-Agent": "curl/8.7.1", 
    "X-Api-Key": "McYcHGR3PTSGLXExvKADwQ1JJeCjgPDUvAakCl0rJKCFaX0Y", 
    "X-Cloud-Trace-Context": "0fd3dadc2a3c328fa968d5f5f1434c29/18300783092696918345"
  }, 
  "origin": "34.54.108.129", 
  "url": "apigee-apim-operator-test.apigee.net/get"
}

Troubleshoot

If you encounter issues when adding policies to the GKE Gateway, see Troubleshoot the APIM Operator for solutions to common errors.

What's next

Learn more about SpikeArrest policy.
Learn more about JavaScript policy.