Create an APIMExtensionPolicy

This page applies to Apigee and Apigee hybrid.

This page describes how to create an APIMExtensionPolicy, which sets up the required traffic extension on the Google Kubernetes Engine (GKE) Gateway running in your cluster.

Before you begin

Before you begin this task, complete the following steps:

Required roles

If you assign the required roles to your service account as described in Install the Apigee Operator for Kubernetes, no additional IAM roles or permissions are required to complete these tasks.

You can choose to authorize actions on resources in your Google Kubernetes Engine cluster using the built-in role-based access control (RBAC) mechanism in Kubernetes. For more information, see Authorize actions in clusters using role-based access control.

Create the APIMExtensionPolicy

In this step, create the APIMExtensionPolicy and apply it to the GKE Gateway running in your cluster. This policy governs all traffic going through the Gateway and its associated HTTPRoutes, operating similarly to a flowhook at the environment level in Apigee today.

Create the APIM Extension policy:

  1. Create a new file named global-ext-lb1-apim-policy.yaml in the apim namespace.
  2. Copy the following content into the new file:
    # global-ext-lb1-apim-policy.yaml
    apiVersion: apim.googleapis.com/v1
    kind: APIMExtensionPolicy
    metadata:
      name: global-ext-lb1-apim-policy
      namespace: apim
    spec:
      apigeeEnv: ENV_NAME # optional
      location: global
      failOpen: false
      timeout: 1000ms
      defaultSecurityEnabled: true
      targetRef: # identifies the Gateway where the extension should be applied
        name: global-ext-lb1
        kind: Gateway
        namespace: default

    Where ENV_NAME is the name of the Apigee environment created in the installation step Create an Apigee environment.

    You can view all available environments in the Apigee Environments page in the Google Cloud console.

  3. Apply the policy:
    kubectl -n apim apply -f global-ext-lb1-apim-policy.yaml

    Once the policy is applied, the Apigee Operator for Kubernetes creates networking resources in the background.

  4. Check the status of the APIM Extension policy using the following command:
    kubectl -n apim get APIMExtensionPolicy

    The output should look similar to the following, with a State of RUNNING:

    NAME                         STATE      ERRORMESSAGE
    global-ext-lb1-apim-policy   RUNNING

  5. Use the following command to send a request to the Gateway:
    curl http://GATEWAY_IP_ADDRESS/get -H "Host: HOST_NAME"

    Where:

    • GATEWAY_IP_ADDRESS is the IP address of the Gateway. You can retrieve the Gateway IP address using the following command, where GATEWAY_NAME is the name of the Gateway:
      kubectl get gateways.gateway.networking.k8s.io GATEWAY_NAME -o=jsonpath="{.status.addresses[0].value}"
    • HOST_NAME is the hostname defined in the Gateway's HTTPRoute.
  6. The request should fail because default security is enabled by setting defaultSecurityEnabled: true in the APIM Extension policy resource. You should see a response similar to the following:
    {"fault":{"faultstring":"Raising fault. Fault name : RF-insufficient-request-raise-fault","detail":{"errorcode":"steps.raisefault.RaiseFault"}}}

    This indicates that the Apigee extension policy is active and that API key enforcement and access token verification are active.
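
The checks in steps 2, 4 and 6 can be scripted so that a weakened manifest or a Gateway that accepts requests without credentials is caught automatically. The following is an added example, not part of the Apigee documentation; the function names are hypothetical, and it assumes the policy name, namespace and response format shown in the steps above.

```shell
#!/bin/sh
# Added example (not from the Apigee docs). Function names are hypothetical.

# Pre-apply lint: succeed only if the manifest in $1 keeps the settings shown
# in step 2 (failOpen: false and defaultSecurityEnabled: true).
check_manifest() {
  grep -Eq '^[[:space:]]*failOpen:[[:space:]]*false([[:space:]]|#|$)' "$1" &&
  grep -Eq '^[[:space:]]*defaultSecurityEnabled:[[:space:]]*true([[:space:]]|#|$)' "$1"
}

# Read the table printed by `kubectl -n apim get APIMExtensionPolicy` on stdin
# and print the STATE column for the policy named in $1 (empty if not listed).
policy_state() {
  awk -v name="$1" 'NR > 1 && $1 == name { print $2 }'
}

# Read a response body on stdin; succeed if it is the RaiseFault response that
# step 6 shows for a request rejected by default security.
is_default_security_fault() {
  grep -Fq '"errorcode":"steps.raisefault.RaiseFault"'
}

# Live check (needs kubectl and curl): $1 = GATEWAY_IP_ADDRESS, $2 = HOST_NAME.
# Fails unless the policy is RUNNING and a request without credentials is rejected.
verify_live() {
  state=$(kubectl -n apim get APIMExtensionPolicy |
          policy_state global-ext-lb1-apim-policy)
  if [ "$state" != "RUNNING" ]; then
    echo "FAIL: policy state is '${state:-missing}'" >&2
    return 1
  fi
  if curl -s "http://$1/get" -H "Host: $2" | is_default_security_fault; then
    echo "OK: request without credentials was rejected"
  else
    echo "FAIL: request without credentials was not rejected" >&2
    return 1
  fi
}
```

Run `check_manifest global-ext-lb1-apim-policy.yaml` before `kubectl apply`, and `verify_live GATEWAY_IP_ADDRESS HOST_NAME` after the policy reports RUNNING.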

What's next