Add policies to the GKE Gateway

This page applies to Apigee, but not to Apigee hybrid.

View Apigee Edge documentation.

This page describes how to add Apigee runtime policies and a Google token injection policy to the Google Kubernetes Engine (GKE) Gateway with the Apigee APIM Operator for Kubernetes (Preview). Adding an available set of policies to the Gateway allows you to extend the functionality of the Gateway beyond API product enforcement to include additional security and business rules.

The Apigee APIM Operator for Kubernetes can be used to add the following policies to the Gateway:

• SpikeArrest policy
• JavaScript policy
• Google token injection policy

Overview

The following sections describe how to:

• Add policies to the GKE Gateway.
• Create a template rule to enforce usage of the policies.
• Update the Apigee template to include the template rule.
• Deploy the Apigee Gateway policy with the template.
• Validate policy enforcement.

Before you begin

To modify your GKE Gateway with the complete set of policies used as an example in this guide, you must have a service account with the roles required to create tokens within Apigee and deploy proxies and extensions. If you choose not to create Google tokens, you do not need to add the additional roles to your service account and you can skip to the next section.

To create a service account with the required permissions:

1. If you created a service account named apigee-apim-gsa in the Apigee APIM Operator for Kubernetes installation guide, you can skip this step and proceed to the next step. Otherwise, create the service account:

   gcloud iam service-accounts create apigee-apim-gsa --project=${PROJECT_ID}

2. Grant the service account the necessary role to create tokens:

   gcloud projects add-iam-policy-binding ${PROJECT_ID} \
     --member "serviceAccount:apigee-apim-gsa@${PROJECT_ID}.iam.gserviceaccount.com" \
     --role "roles/iam.serviceAccountTokenCreator"

3. Grant the apigee-apim-gsa service account the necessary role to deploy proxies and extensions:

   gcloud projects add-iam-policy-binding ${PROJECT_ID} \
     --member "serviceAccount:apigee-apim-gsa@${PROJECT_ID}.iam.gserviceaccount.com" \
     --role "roles/iam.serviceAccountUser"

Modify your GKE Gateway with policies

You can choose to modify your GKE Gateway with one or more policies to extend its functionality. This example walkthrough applies a yaml file to the Gateway that includes the specifications for two Apigee policies and a Google token injection policy.

Each one of the policies applied to the Gateway using the following yaml file performs a different role when evaluating requests sent to the Gateway:

• The SpikeArrest policy controls the peak message rate by defining a maximum rate of allowed requests over a unit of time. In this example, the maximum rate is set to five per minute. To learn more about how the SpikeArrest policy is used to smooth out sudden spikes in traffic, see SpikeArrest policy.
• The JavaScript policy lets you add custom JavaScript code to the Gateway requests. In this example, the policy is used to add a custom header to the request. For more on how the JavaScript policy is used to add custom code, see JavaScript policy.
• The Google token injection policy is used to inject a Google authentication access token into the Gateway requests, using the AssignMessage policy. Apigee supports using Google OAuth tokens or OpenID Connect tokens to authenticate with Google services. To learn more about authentication tokens, see Using Google authentication.

Add the policies to the Gateway:

1. Create a new file named apigee-policies.yaml in the apim namespace.
2. Copy the contents of the following file into the new file you created:

   # apigee-policies.yaml
   apiVersion: apim.googleapis.com/v1alpha1
   kind: SpikeArrest
   metadata:
     name: spike-arrest
     namespace: apim
   spec:
     identifier:
       ref: request.header.name
     useEffectiveCount: true
     peakMessageRate:
       value: "5pm"
   ---
   apiVersion: apim.googleapis.com/v1alpha1
   kind: Javascript
   metadata:
     name: js-add-headers
     namespace: apim
   spec:
     timeLimit: 2000
     source: |
       var sum = 1+1;
       context.setVariable("request.header.first", 1);
       context.setVariable("request.header.second", 1);
       context.setVariable("request.header.sum", sum);
   ---
   apiVersion: apim.googleapis.com/v1alpha1
   kind: AssignMessage
   metadata:
     name: google-token-policy
     namespace: apim
   spec:
     setActions:
       - authentication:
           googleAccessToken:
             scopes:
               - 'https://www.googleapis.com/auth/cloud-platform'
     AssignTo:
       createNew: false
       type: request
     

3. Apply the yaml file to the Gateway using the following command:

   kubectl -n apim apply -f apigee-policies.yaml

Create a TemplateRule as a SharedFlow template

In this step, you will create a TemplateRule to enforce the policies you have added to the Gateway. A template rule is a rule for SharedFlows created by organization administrators to ensure that only approved policies are applied to Gateway traffic by service developers. A template rule ensures that developers understand which policies are available to them, which policies are required for specific use cases, and which policies can't be used by service developers.

Create a template rule

Create a template rule to enforce usage of the AssignMessage policy:

1. Create a new yaml file named template-rule.yaml in the apim namespace.
2. Copy the contents of the following file into the new file you created:

   # template-rule.yaml
   apiVersion: apim.googleapis.com/v1alpha1
   kind: ApimTemplateRule
   metadata:
     name: template-rule
     namespace: apim
   spec:
     allowList: [SpikeArrest, Javascript]
     requiredList: [AssignMessage]
     denyList: []

   In this example, the template rule tells developers that the AssignMessage policy describing the Google token injection policy is required. It also tells developers that they can use the SpikeArrest and JavaScript policies in their API management. There are no policies specified in the deny list.

Apply the template rule

Apply the template rule using the following command:

kubectl apply -f template-rule.yaml

Update the Apigee template to include the template rules

Update the Apigee template to include the template rule you created in the previous section:

1. Create a new yaml file named new-admin-template.yaml in the apim namespace.
2. Copy the contents of the following file into the new file you created:

   # new-admin-template.yaml
   apiVersion: apim.googleapis.com/v1alpha1
   kind: ApimTemplate
   metadata:
     name: new-admin-template
     namespace: apim
   spec:
     apimTemplateRule:
       group: apim.googleapis.com
       kind: ApimTemplateRule
       name: template-rule
       namespace: apim
     templates:
     - policies:
         - group: apim.googleapis.com
           kind: SpikeArrest
           name: spike-arrest
           namespace: apim
         - group: apim.googleapis.com
           kind: Javascript
           name: js-add-headers
           namespace: apim
         - group: apim.googleapis.com
           kind: AssignMessage
           name: google-token-policy
           namespace: apim

3. Apply the updated template using the following command:

   kubectl apply -f new-admin-template.yaml

Deploy the Apigee Gateway policy

In this step, you will apply a new file to your Gateway that includes the specifications for an ApigeeGatewayPolicy. This policy is used to deploy the Apigee template to the Gateway.

Deploy the Apigee Gateway policy:

1. Create a new yaml file named apigee-gateway-policy-withSA.yaml in the apim namespace.
2. Copy the contents of the following file into the new file you created:

   # apigee-gateway-policy-withSA.yaml
   apiVersion: apim.googleapis.com/v1alpha1
   kind: ApigeeGatewayPolicy
   metadata:
     name: apim-template-injection
     namespace: apim
   spec:
     serviceAccount: apigee-apim-gsa@$PROJECT_ID.iam.gserviceaccount.com
     ref:
       group: apim.googleapis.com
       kind: ApimTemplate
       name: new-admin-template
       namespace: apim
     targetRef:
       group: apim.googleapis.com
       kind: APIMExtensionPolicy
       name: global-ext-lb1-apim-policy
       namespace: apim

3. Apply the policy:

   kubectl apply -f apigee-gateway-policy-withSA.yaml

4. Verify the deployment status of the new Gateway policy:

   kubectl -n apim get ApigeeGatewayPolicy

   Once deployed, the policy STATUS should display CREATED.

After the new Gateway policy is deployed, wait two minutes before sending a request to the Gateway to allow the policy to propagate to the cluster.

Validate policy enforcement

To confirm that the Apigee Gateway policies are working as expected, send requests to the Gateway as described in the following sections.

Verify AssignMessage policy enforcement

To confirm that the {company_name} token is injected into the request using the AssignMessage policy, send a request to the Gateway using the following command:

curl http://GATEWAY_IP_ADDRESS/get -H "Host: HOST_NAME" -H "x-api-key: API_KEY"

Where:

• GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command:

  kubectl get gateway GATEWAY_NAME

• HOST_NAME is the name of the host.
• API_KEY is the API key value.

A successful response should include an Authorization header with the generated bearer token, similar to the following:

{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Authorization": "Bearer ya29.c.c0ASRK0Gbw03y9cfvxL11DxaRYBQUU18SmUP4Vu63OckHI5cX7wJ4DmGMG2vbDDS69HXJHqMj-lak4tcqOsJGmE65crn2gNuJLanXidwM8", 
    "First": "1.0", 
    "Host": "apigee-apim-operator-test.apigee.net", 
    "Second": "1.0", 
    "Sum": "2", 
    "User-Agent": "curl/8.7.1", 
    "X-Api-Key": "McYcHGR3PTSGLXExvKADwQ1JJeCjgPDUvAakCl0rJKCFaX0Y", 
    "X-Cloud-Trace-Context": "0fd3dadc2a3c328fa968d5f5f1434c29/18300783092696918345"
  }, 
  "origin": "34.54.108.129", 
  "url": "apigee-apim-operator-test.apigee.net/get"
}

Confirm SpikeArrest policy enforcement

You can test enforcement of the SpikeArrest policy by sending a request to the Gateway ten times within the span of one minute.

You can run the following script to generate the requests:

#!/bin/sh
for i in $(seq 1 11); do
    curl http://GATEWAY_IP_ADDRESS/get -H "Host: HOST_NAME" -H "x-api-key: API_KEY"
    sleep 1
done

Where:

• GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command, where GATEWAY_NAME is the name of the Gateway:

  kubectl get gateways.gateway.networking.k8s.io GATEWAY_NAME -o=jsonpath="{.status.addresses[0].value}"

• HOST_NAME is the hostname defined in the Gateway's HTTPRoute.
• API_KEY is the API key value obtained in Testing set up.

The response will appear similar to the following:

"fault":{"faultstring":"Spike arrest violation. Allowed rate : MessageRate{capacity=5, period=Minutes}","detail":{"errorcode":"policies.ratelimit.SpikeArrestViolation"}}}

Troubleshoot

If you encounter issues when adding policies to the GKE Gateway, see Troubleshoot the APIM Operator for solutions to common errors.

What's next

• Learn more about SpikeArrest policy.
• Learn more about JavaScript policy.