Add policies to the GKE Gateway

This page applies to Apigee, but not to Apigee hybrid.

View Apigee Edge documentation.

This page describes how to add Apigee runtime policies and a Google token injection policy to the Google Kubernetes Engine (GKE) Gateway with the Apigee APIM Operator for Kubernetes (Preview). Adding an available set of policies to the Gateway allows you to extend the functionality of the Gateway beyond API product enforcement to include additional security and business rules.

The Apigee APIM Operator for Kubernetes can be used to add the following policies to the Gateway:

Overview

The following sections describe how to:

Before you begin

To modify your GKE Gateway with the complete set of policies used as an example in this guide, you must have a service account with the roles required to create tokens within Apigee and deploy proxies and extensions. If you choose not to create Google tokens, you do not need to add the additional roles to your service account and you can skip to the next section.

To create a service account with the required permissions:

  1. If you created a service account named apigee-apim-gsa in the Apigee APIM Operator for Kubernetes installation guide, you can skip this step and proceed to the next step. Otherwise, create the service account:
    gcloud iam service-accounts create apigee-apim-gsa --project=${PROJECT_ID}
  2. Grant the service account the necessary role to create tokens:
    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
      --member "serviceAccount:apigee-apim-gsa@${PROJECT_ID}.iam.gserviceaccount.com" \
      --role "roles/iam.serviceAccountTokenCreator"
  3. Grant the apigee-apim-gsa service account the necessary role to deploy proxies and extensions:
    gcloud projects add-iam-policy-binding ${PROJECT_ID} \
      --member "serviceAccount:apigee-apim-gsa@${PROJECT_ID}.iam.gserviceaccount.com" \
      --role "roles/iam.serviceAccountUser"

Modify your GKE Gateway with policies

You can choose to modify your GKE Gateway with one or more policies to extend its functionality. This example walkthrough applies a yaml file to the Gateway that includes the specifications for two Apigee policies and a Google token injection policy.

Each one of the policies applied to the Gateway using the following yaml file performs a different role when evaluating requests sent to the Gateway:

  • The SpikeArrest policy controls the peak message rate by defining a maximum rate of allowed requests over a unit of time. In this example, the maximum rate is set to five per minute. To learn more about how the SpikeArrest policy is used to smooth out sudden spikes in traffic, see SpikeArrest policy.
  • The JavaScript policy lets you add custom JavaScript code to the Gateway requests. In this example, the policy is used to add a custom header to the request. For more on how the JavaScript policy is used to add custom code, see JavaScript policy.
  • The Google token injection policy is used to inject a Google authentication access token into the Gateway requests, using the AssignMessage policy. Apigee supports using Google OAuth tokens or OpenID Connect tokens to authenticate with Google services. To learn more about authentication tokens, see Using Google authentication.

Add the policies to the Gateway:

  1. Create a new file named apigee-policies.yaml in the apim namespace.
  2. Copy the contents of the following file into the new file you created:
    # apigee-policies.yaml
    apiVersion: apim.googleapis.com/v1alpha1
    kind: SpikeArrest
    metadata:
      name: spike-arrest
      namespace: apim
    spec:
      identifier:
        ref: request.header.name
      useEffectiveCount: true
      peakMessageRate:
        value: "5pm"
    ---
    apiVersion: apim.googleapis.com/v1alpha1
    kind: Javascript
    metadata:
      name: js-add-headers
      namespace: apim
    spec:
      timeLimit: 2000
      source: |
        var sum = 1+1;
        context.setVariable("request.header.first", 1);
        context.setVariable("request.header.second", 1);
        context.setVariable("request.header.sum", sum);
    ---
    apiVersion: apim.googleapis.com/v1alpha1
    kind: AssignMessage
    metadata:
      name: google-token-policy
      namespace: apim
    spec:
      setActions:
        - authentication:
            googleAccessToken:
              scopes:
                - 'https://www.googleapis.com/auth/cloud-platform'
      AssignTo:
        createNew: false
        type: request
      
  3. Apply the yaml file to the Gateway using the following command:
    kubectl -n apim apply -f apigee-policies.yaml

Create a TemplateRule as a SharedFlow template

In this step, you will create a TemplateRule to enforce the policies you have added to the Gateway. A template rule is a rule for SharedFlows created by organization administrators to ensure that only approved policies are applied to Gateway traffic by service developers. A template rule ensures that developers understand which policies are available to them, which policies are required for specific use cases, and which policies can't be used by service developers.

Create a template rule

Create a template rule to enforce usage of the AssignMessage policy:

  1. Create a new yaml file named template-rule.yaml in the apim namespace.
  2. Copy the contents of the following file into the new file you created:
    # template-rule.yaml
    apiVersion: apim.googleapis.com/v1alpha1
    kind: ApimTemplateRule
    metadata:
      name: template-rule
      namespace: apim
    spec:
      allowList: [SpikeArrest, Javascript]
      requiredList: [AssignMessage]
      denyList: []

    In this example, the template rule tells developers that the AssignMessage policy describing the Google token injection policy is required. It also tells developers that they can use the SpikeArrest and JavaScript policies in their API management. There are no policies specified in the deny list.

Apply the template rule

Apply the template rule using the following command:

kubectl apply -f template-rule.yaml

Update the Apigee template to include the template rules

Update the Apigee template to include the template rule you created in the previous section:

  1. Create a new yaml file named new-admin-template.yaml in the apim namespace.
  2. Copy the contents of the following file into the new file you created:
    # new-admin-template.yaml
    apiVersion: apim.googleapis.com/v1alpha1
    kind: ApimTemplate
    metadata:
    name: new-admin-template
    namespace: apim
    spec:
    apimTemplateRule:
    group: apim.googleapis.com
    kind: ApimTemplateRule
    name: template-rule
    namespace: apim
    templates:
      - policies:
          - group: apim.googleapis.com
            kind: SpikeArrest
            name: spike-arrest
            namespace: apim
          - group: apim.googleapis.com
            kind: Javascript
            name: js-add-headers
            namespace: apim
          - group: apim.googleapis.com
            kind: AssignMessage
            name: google-token-policy
            namespace: apim
  3. Apply the updated template using the following command:
    kubectl apply -f new-admin-template.yaml

Deploy the Apigee Gateway policy

In this step, you will apply a new file to your Gateway that includes the specifications for an ApigeeGatewayPolicy. This policy is used to deploy the Apigee template to the Gateway.

Deploy the Apigee Gateway policy:

  1. Create a new yaml file named apigee-gateway-policy-withSA.yaml in the apim namespace.
  2. Copy the contents of the following file into the new file you created:
    # apigee-gateway-policy-withSA.yaml
    apiVersion: apim.googleapis.com/v1alpha1
    kind: ApigeeGatewayPolicy
    metadata:
      name: apim-template-injection
      namespace: apim
    spec:
      serviceAccount: apigee-apim-gsa@${PROJECT_ID}.iam.gserviceaccount.com
      ref:
        group: apim.googleapis.com
        kind: ApimTemplate
        name: new-admin-template
        namespace: apim
      targetRef:
        group: apim.googleapis.com
        kind: APIMExtensionPolicy
        name: global-ext-lb1-apim-policy
        namespace: apim
  3. Apply the policy:
    kubectl apply -f apigee-gateway_policy_withSA.yaml
  4. Verify the deployment status of the new Gateway policy:
    kubectl -n apim get ApigeeGatewayPolicy

    Once deployed, the policy STATUS should display CREATED.

After the new Gateway policy is deployed, wait two minutes before sending a request to the Gateway to allow the policy to propagate to the cluster.

Validate policy enforcement

To confirm that the Apigee Gateway policy is working as expected, send a request to the Gateway and verify that the Google token is injected into the request.

Send a request to the Gateway using the following command:

curl http://GATEWAY_IP_ADDRESS/get -H "Host: HOST_NAME" -H "x-api-key: API_KEY" -k

Where:

  • GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command:
    kubectl get gateway GATEWAY_NAME
  • HOST_NAME is the name of the host.
  • API_KEY is the API key value.

A successful response should include an Authorization header with the generated bearer token, similar to the following:

{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Authorization": "Bearer ya29.c.c0ASRK0Gbw03y9cfvxL11DxaRYBQUU18SmUP4Vu63OckHI5cX7wJ4DmGMG2vbDDS69HXJHqMj-lak4tcqOsJGmE65crn2gNuJLanXidwM8", 
    "First": "1.0", 
    "Host": "apigee-apim-operator-test.apigee.net", 
    "Second": "1.0", 
    "Sum": "2", 
    "User-Agent": "curl/8.7.1", 
    "X-Api-Key": "McYcHGR3PTSGLXExvKADwQ1JJeCjgPDUvAakCl0rJKCFaX0Y", 
    "X-Cloud-Trace-Context": "0fd3dadc2a3c328fa968d5f5f1434c29/18300783092696918345"
  }, 
  "origin": "34.54.108.129", 
  "url": "apigee-apim-operator-test.apigee.net/get"
}

Troubleshoot

If you encounter issues when adding policies to the GKE Gateway, see Troubleshoot the APIM Operator for solutions to common errors.

What's next