||Contains an Apigee logger agent that sends application logs to Stackdriver.|
||Contains an Apigee metrics agent that sends application logs to Stackdriver.|
||Contains the hybrid runtime persistance layer.|
||Synchronizes configuration between the management (control) plane and runtime (data) plane.|
||Allows transfer of analytics data to the management plane.|
||Contains the Apigee administrative API endpoint.|
||Contains the gateway for API request processing and policy execution.|
Google recommends that you follow these methods and best practices to harden, secure, and isolate the runtime pods:
|Kubernetes security overview||Review the Google Kubernetes Engine (GKE) document
Security overview. This document provides an overview of each layer of your Kubernetes
infrastructure, and explains how you can configure its security features to best
suit your needs.
For Google Cloud Engine's current guidance for hardening your GKE cluster, see Hardening your cluster's security.
Use network policies to restrict communication between Pods and to pods that have access outside the Kubernetes network. For more information, see Creating a cluster network policy in the GKE documentation.
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.
The Kubernetes NetworkPolicy resource uses labels to select pods and define rules which specify what traffic is allowed to the selected pods.
You can implement a Container Network Interface (CNI) plugin to add network policies to an Apigee hybrid runtime installation. Network policies let you isolate pods from outside access and enable access to specific pods. You can use an open source CNI plugin, such as Calico to get started.
|GKE Sandbox||Enable GKE Sandbox for the Kubernetes clusters that run Apigee hybrid. See GKE Sandbox for details.|