Apigee Operator for Kubernetes resource reference Stay organized with collections Save and categorize content based on your preferences.
This pageapplies toApigee andApigee hybrid.
View Apigee Edge documentation.![]()
This page is a reference for each Kubernetes resource that is supported by the Apigee Operator for Kubernetes. Unless specifically noted as Optional, all fields are required.
APIProduct
| Field | Description |
|---|---|
apiVersionType: | apim.googleapis.com/v1 |
kindType: | APIProduct |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:APIProductSpec | spec defines the desired state of the APIProductSet. |
APIProductSpec
| Field | Description |
|---|---|
nameType: | The name of the API Product. |
approvalTypeType: | Flag that specifies how API keys are approved to access the APIs defined by the API product.If set tomanual, the consumer key is generated and returned aspending.In this case, the API keys won't work until they are explicitly approved.If set to |
descriptionType: | Description of the API product. |
displayNameType: | Name displayed in the UI or developer portal to developers registering for API access. |
analyticsType: Analytics | Defines whether analytics should be collected for operations associated with this product. |
enforcementRefsType: | Array ofEnforcementRef resources to apply to the API product. |
attributesType: | Array of attributes that may be used to extend the default API product profile with customer-specific metadata. |
EnforcementRef
| Field | Description |
|---|---|
nameType: | The name of the target resource. |
kindType: | APIMExtensionPolicy |
groupType: | TheAPIGroup for Apigee APIM Operator, which isapim.googleapis.com. |
namespaceType: | (Optional) The namespace of the referent. When unspecified, the local namespace is inferred. |
Attribute
| Field | Description |
|---|---|
name Type: | The key of the attribute. |
value Type: | The value of the attribute. |
APIOperationSet
| Field | Description |
|---|---|
apiVersionType: | apim.googleapis.com/v1 |
kindType: | APIOperationSet |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:APIOperationSetSpec | Defines the desired state of the APIOperationSet. |
APIOperationSetSpec
| Field | Description |
|---|---|
quotaType:Quota | Quota definition. |
restOperationsType: | Array ofRESTOperation definitions. |
apiProductRefsType: | Array ofAPIProductRef resources, or references to API Products where theRESTOperations should apply. |
Quota
| Field | Description |
|---|---|
limitType: | Number of request messages permitted per app by the API product for the specifiedinterval andtimeUnit. |
intervalType: | Time interval over which the number of request messages is calculated. |
timeUnitType: | Time unit defined for the interval. Valid values includeminute,hour,day, ormonth. |
RESTOperation
| Field | Description |
|---|---|
nameType: | The name of the of the REST operation. |
pathType: | In combination withmethods,path is the HTTP path to match for aquota and/or for anAPI product. |
methodsType: | In combination withpath,methods is the list (asstrings) of applicable http methods to match for aquota and/or for anAPI product. |
APIProductRef
| Field | Description |
|---|---|
nameType: | The name of the target resource. |
kind Type: | APIProduct |
group Type: | TheAPIGroup for Apigee APIM Operator, which isapim.googleapis.com. |
namespaceType: | (Optional) The namespace of the referent. When unspecified, the local namespace is inferred. |
APIMExtensionPolicy
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | APIMExtensionPolicy |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
spec | Defines the desired state of APIMExtensionPolicy. |
APIMExtensionPolicySpec
| Field | Description |
|---|---|
apigeeEnv | (Optional) Apigee environment. If not provided, a new environment is created and attached to all available instances. If provided, this environment must be attached to all available instances while using an external global load balancer. |
failOpen Type: | Specifies whether or not tofail open when the Apigee runtime is unreachable. If set totrue, calls to the Apigee runtime will be treated as successful even if the runtime is unreachable. |
timeoutType: | Specifies the timeout period before calls to the Apigee runtime fail, in seconds or milliseconds. For example,10s. |
targetRefType:ExtensionServerRef | Identifies the Google Kubernetes Engine Gateway where the extension should be installed. |
location Type: | Identifies the Google Cloud location where APIMExtensionPolicy is enforced. |
supportedEvents Type: | Specifies the list of extension processor events sent to Apigee. These include the following:
|
ExtensionServerRef
| Field | Description |
|---|---|
name Type: | The name of the target resource. |
kind Type: | Specifies thekind of the target resource, for example,Gateway orService. |
group Type: | TheAPIGroup for Apigee APIM Operator, which isapim.googleapis.com. |
namespace Type: | (Optional) The namespace of the referent. When unspecified, the local namespace is inferred. |
ApigeeGatewayPolicy
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | ApigeeGatewayPolicy |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
spec | Defines the desired state of ApigeeGatewayPolicy. |
ApigeeGatewayPolicySpec
| Field | Description |
|---|---|
refType:ExtensionServerRef | Refers to the APIM template created to govern the policies applied to the GKE Gateway. |
targetRefType:ExtensionServerRef | Refers to the APIM extension policy that should apply this specific Gateway policy. Indirectly refers to the GKE Gateway. |
serviceAccount | (Optional) Specifies the service account used to generate Google auth tokens in an Apigee ProApigee proxy. |
ApimTemplate
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | ApimTemplate |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:ApimTemplateSpec | Defines the desired state of ApimTemplate. |
ApimTemplateSpec
| Field | Description |
|---|---|
templatesType: | A list ofApimTemplateFlow resources that specify the policies that are to be executed in the request flow. |
apimTemplateRuleType:ExtensionServerRef | Specifies the APIM template rule that should be used to validate the applied policies. |
ApimTemplateFlow
| Field | Description |
|---|---|
policiesType: | A list ofConditionalParameterReference resources that specify the ordered list of policies to be executed as part of the request flow. |
conditionType: | Specifies the conditions for executing this resource. |
ConditionalParameterReference
| Field | Description |
|---|---|
condition
| Specifies the conditions for executing this resource. |
ApimTemplateRule
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | ApimTemplateRule |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:ApimTemplateRuleSpec | Defines the desired state of ApimTemplateRule. |
ApimTemplateRuleSpec
| Field | Description |
|---|---|
requiredList | The list of policies (asstrings) thatmust be present in the ApimTemplate. |
denyList | The list of policies (asstrings) thatshould not be present in the ApimTemplate. |
allowList | The list of policies (asstrings) thatmay be present in the ApimTemplate but are not required. |
override Type: | Overrides updates to the APIM template rule in the event that APIM templates using the rule exist. Valid values aretrue orfalse. |
AssignMessage (Google token injection)
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | AssignMessage |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:AssignMessageBean | Defines the desired state of the AssignMessage policy. |
AssignMessageBean
| Field | Description |
|---|---|
setActions Type: | Array ofSetActionsBean objects. Replaces values of existing properties on the request or response, as specified by theAssignTo element.If the headers or parameters are already present in the original message, |
AssignToType:AssignToBean | Specifies which message the AssignMessage policy operates on. Options include the request, the response, or a new custom message. |
SetActionsBean
| Field | Description |
|---|---|
AuthenticationType:AuthenticationBean | Generates Google OAuth 2.0 or OpenID Connect tokens to make authenticated calls to Google services or custom services running on certain Google Cloud products, such as Cloud Run functions and Cloud Run. |
AuthenticationBean
| Field | Description |
|---|---|
GoogleAccessToken | GeneratesGoogle OAuth 2.0 tokens to make authenticated calls to Google services. |
GoogleIDTokenType:GoogleIDTokenBean | Configuration to generate an OpenID Connect Token to authenticate the target request. |
headerName Type: | By default, when an Authentication configuration is present, Apigee generates a bearer token and injects it into the Authorization header of the message sent to the target system. TheheaderName element allows you to specify the name of adifferent header to hold the bearer token. |
GoogleAccessTokenBean
| Field | Description |
|---|---|
scopes Type: | Array ofstrings that specifies a valid Google API scope. For more information, seeOAuth 2.0 Scopes for Google APIs. |
LifetimeInSeconds Type: | Specifies the lifetime duration of the access token in seconds. |
GoogleIDTokenBean
| Field | Description |
|---|---|
AudienceType:AudienceBean | The audience for the generated authentication token, such as the API or service account granted access by the token. |
IncludeEmail Type: | If set totrue, the generated authentication token will contain the service accountemail andemail_verified claims. |
AudienceBean
| Field | Description |
|---|---|
useTargetHost Type: | If the value ofAudience is empty or theref variable does not resolve to a valid value, anduseTargetUrl istrue, then the URL of the target (excluding any query parameters) is used as the audience. |
useTargetUrl Type: | By default,useTargetUrl isfalse. |
AssignToBean
| Field | Description |
|---|---|
createNew Type: | Determines whether the policy creates a new message when assigning values. If set totrue, the policy creates a new message. |
type Type: | Specifies the type of the new message, whenCreateNew is set totrue true. Valid values arerequest orresponse. |
Javascript
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | JavaScript |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:JavascriptBean | Defines the desired state of the JavaScript policy. |
JavascriptBean
| Field | Description |
|---|---|
mode Type: | Array ofstrings that specifiesProxyRequest orProxyResponse. Determines whether the policy is attached to the request flow or response flow. |
source Type: | Inline JavaScript code. |
timeLimit Type: | Specifies the timeout for JavaScript code execution. |
KVM
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | KVM |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
spec | Defines the desired state of the KVM policy. |
KeyValueMapOperationsBean
| Field | Description |
|---|---|
MapName Type: | Enables the policy to identify which KVM to use dynamically, at runtime. For more information, seeMapName element. |
expiryTimeInSecs Type: | Specifies the duration in seconds after which Apigee refreshes its cached value from the specified KVM. For more information, seeExpiryTimeInSecs element. |
initialEntries Type: | Seed values for KVMs, which are populated in the KVM when it is initialized. For more information, seeInitialEntries element. |
delete Type: | Deletes the specified key/value pair from the KVM. For more information, seeDelete element. |
get Type: | Retrieves the value of a key from the KVM. For more information, seeGet element. |
OASValidation
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | OASValidation |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:OASValidationBean | Defines the desired state of the OASValidation policy. |
statusType:ApimResourceStatus | Shows the OASValidation policy status. |
OASValidationBean
| Field | Description |
|---|---|
openApiSpec Type: | Specifies the OpenAPI spec inyaml to be validated. Because this is a multilineyaml fragment, use the "|" delimiter. |
source Type: | One ofmessage,request, orresponse. When set torequest, it will evaluate inbound requests from client apps; when set toresponse, it will evaluate responses from target servers. When set tomessage, it will automatically evaluate request or response depending on whether the policy is attached to the request or response flow. |
options Type: | SeeOASValidationOptions/td> |
OASValidationOptions
| Field | Description |
|---|---|
validateMessageBody Type: | Specifies whether the policy should validate the message body against the operation's request body schema in the OpenAPI Specification. Set totrue to validate the message body contents. Set tofalse to validate only that the message body exists. |
allowUnspecifiedParameters Type: | SeeStrictOptions |
StrictOptions
| Field | Description |
|---|---|
header Type: | To allow header parameters to be specified in the request that are not defined in the OpenAPI Specification, set this parameter totrue. Otherwise, set this parameter tofalse to cause policy execution to fail. |
query Type: | To allow query parameters to be specified in the request that are not defined in the OpenAPI Specification, set this parameter totrue. Otherwise, set this parameter tofalse to cause policy execution to fail. |
cookie Type: | To allow cookie parameters to be specified in the request that are not defined in the OpenAPI Specification, set this parameter totrue. Otherwise, set this parameter tofalse to cause policy execution to fail. |
ApimResourceStatus
| Field | Description |
|---|---|
currentState Type: | Shows the current state of the resource:
|
errorMessage Type: | Error message related to one of the failure states ofcurrentState field. |
operationResult Type: | A response string from one of the long running operations related to resource creation, update, or deletion. |
ServiceCallout
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | ServiceCallout |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:ServiceCalloutBean | Defines the desired state of the ServiceCallout policy. |
statusType:ApimResourceStatus | Shows the ServiceCallout policy status. |
ServiceCalloutBean
| Field | Description |
|---|---|
httpTargetConnection Type: | Provides transport details such as URL, TLS/SSL, and HTTP properties. |
requestType: CalloutRequest | Specifies the variable containing the request message that gets sent from the API proxy to the other service. |
ResponseType: | Specifies the variable containing the response message that gets returned to the API proxy from the external service. |
HttpTargetConnection
| Field | Description |
|---|---|
url Type: | The URL of the target service. |
properties Type: | HTTP transport properties to the backend service. For more information, seeEndpoint properties reference. |
timeout Type: | The timeout in milliseconds for the service callout. For more information, seetimeout. |
CalloutRequest
| Field | Description |
|---|---|
url Type: | The URL of the target service. |
properties Type: | HTTP transport properties to the backend service. For more information, seeEndpoint properties reference. |
SpikeArrest
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | SpikeArrest |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:SpikeArrestBean | Defines the desired state of the SpikeArrest policy. |
SpikeArrestBean
| Field | Description |
|---|---|
mode Type: | Array ofstrings that specifiesProxyRequest orProxyResponse. Determines whether the policy is attached to the request flow or response flow. |
peakMessageRateType:peakMessageRate | Specifies the messagerate for SpikeArrest. |
useEffectiveCount Type: | If set totruetrue, SpikeArrest is distributed in a region, with request counts synchronized across Apigee message processors (MPs) in a region.If set to |
peakMessageRate
| Field | Description |
|---|---|
ref Type: | Variable referencing therate value. |
value Type: | Actualrate value if a reference is not available. |
GenerateJWT
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | GenerateJWT |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:GenerateJWTBean | Defines the desired state of the GenerateJWT policy. |
statusType:ApimResourceStatus | Shows the GenerateJWT policy status. |
GenerateJWTBean
| Field | Description |
|---|---|
subjectType:PropertyBean | Identifies the principal that is the subject of the JWT. For more information, seeSubject element. |
issuerType:PropertyBean | Identifies the principal that issued the JWT. For more information, seeIssuer element. |
audienceType:VarArrayBean | Identifies the recipients that the JWT is intended for. For more information, seeAudience element. |
idType:PropertyBean | Specifies a unique identifier for the JWT. For more information, seeId element. |
expiresInType:PropertyBean | Specifies the expiration time for the JWT. For more information, seeExpiresIn element. |
notBeforeType:PropertyBean | Identifies the time before which the JWT must not be accepted for processing. For more information, seeNotBefore element. |
additionalClaimsType:AdditionalClaimsBean | Specifies additional claims to include in the JWT. For more information, seeAdditionalClaims element. |
compress Type: | Specifies whether to compress the JWT payload. For more information, seeCompress element. |
PropertyBean
| Field | Description |
|---|---|
value Type: | The literal value of the property. |
ref Type: | A reference to a variable containing the value of the property. |
VarArrayBean
| Field | Description |
|---|---|
values Type: | An array of literal string values. |
ref Type: | A reference to a variable containing the array of values. |
AdditionalClaimsBean
| Field | Description |
|---|---|
claims Type: | A map of claim names to claim values. |
ref Type: | A reference to a variable containing the claims map. |
OAuthV2
| Field | Description |
|---|---|
apiVersion Type: | apim.googleapis.com/v1 |
kind Type: | OAuthV2 |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
specType:OAuthV2Bean | Defines the desired state of the OAuthV2 policy. |
statusType:ApimResourceStatus | Shows the OAuthV2 policy status. |
OAuthV2Bean
| Field | Description |
|---|---|
operation Type: | The OAuthV2 operation to perform. Valid values are:
|
configRef Type: | (Optional) Reference to anOAuthV2Config custom resource name containing reusable OAuthV2 settings. |
scope Type: | The scope of the access token. For more information, seeScope element. |
generateResponseType:GenerateResponse | Configures the response generation. For more information, seeGenerateResponse element. |
generateErrorResponse | Configures the error response generation. For more information, seeGenerateErrorResponse element. |
expiresInType:PropertyExpiryBean | The expiration time of the access token. For more information, seeExpiresIn element. |
refreshTokenExpiresInType:PropertyExpiryBean | The expiration time of the refresh token. For more information, seeRefreshTokenExpiresIn element. |
supportedGrantTypes Type: | A list of supported grant types. For more information, seeSupportedGrantTypes element. |
redirectURI Type: | The redirect URI used in the authorization code grant type. For more information, seeRedirectUri element. |
responseType Type: | The response type for the authorization code grant type. For more information, seeResponseType element. |
clientID Type: | The client ID. For more information, seeClientId element. |
state Type: | The state parameter for the authorization code grant type. For more information, seeState element. |
appEndUser Type: | The end user ID. For more information, seeAppEndUser element. |
code Type: | The authorization code. For more information, seeCode element. |
userName Type: | The username for the password grant type. For more information, seeUserName element. |
password Type: | The password for the password grant type. For more information, seePassword element. |
grantType Type: | The grant type. For more information, seeGrantType element. |
refreshToken Type: | The refresh token. For more information, seeRefreshToken element. |
accessToken Type: | The access token. For more information, seeAccessToken element. |
cacheExpiryInSecondsType:PropertyExpiryBean | The cache expiry time in seconds. For more information, seeCache Expiry Settings. |
verifyAccessTokenPrefix Type: | (Optional) Prefix to use when verifying an access token. |
externalAuthorization Type: | Indicates whether to use an external authorization service. For more information, seeExternalAuthorization element. |
reuseRefreshToken Type: | Specifies whether to reuse refresh tokens. For more information, seeReuseRefreshToken element. |
rfcCompliance Type: | Enforces RFC compliance. For more information, seeRFCCompliantRequestResponse element. |
enforceStrictCallbackURIEnforced Type: | (Optional) Enforces strict callback URI matching. |
customAttributes Type: | Custom attributes to add to the token. For more information, seeAttributes element. |
externalAccessToken Type: | An external access token. For more information, seeExternalAccessToken element. |
externalRefreshToken Type: | An external refresh token. For more information, seeExternalRefreshToken element. |
storeToken Type: | Specifies whether to store the token. For more information, seeStoreToken element. |
tokens Type: | A list of tokens to invalidate. For more information, seeTokens element. |
algorithm Type: | The algorithm used to sign the JWT. For more information, seeAlgorithm element. |
secretKeyType:SecretKey | The secret key used to sign the JWT. For more information, seeSecretKey element. |
privateKeyType:PrivateKey | The private key used to sign the JWT. For more information, seePrivateKey element. |
publicKeyType:PublicKey | The public key used to verify the JWT. For more information, seePublicKey element. |
GenerateResponse
| Field | Description |
|---|---|
enabled Type: | If set totrue or if the enabled attribute is omitted, the policy generates and returns a response. |
format Type: | One ofXML,FORM_PARAM. |
GenerateErrorResponse
| Field | Description |
|---|---|
enabled Type: | If set totrue or if the enabled attribute is omitted, the policy generates and returns a response. |
format Type: | One ofXML,FORM_PARAM. |
realmType:PropertyBean | The realm to return in theWWW-Authenticate header. |
PropertyExpiryBean
| Field | Description |
|---|---|
value Type: | The literal value of the expiration. |
ref Type: | A reference to a variable containing the expiration value. |
CustomAttribute
| Field | Description |
|---|---|
name Type: | The name of the custom attribute. |
ref Type: | A reference to a variable containing the attribute value. |
value Type: | The literal value of the attribute. |
SecretKey
| Field | Description |
|---|---|
valueType:PropertyBean | Specifies the secret key used to sign the JWT. For more information, seeSecretKey element. |
PrivateKey
| Field | Description |
|---|---|
valueType:PropertyBean | Specifies the private key used to sign the JWT. For more information, seePrivateKey element. |
PublicKey
| Field | Description |
|---|---|
valueType:PropertyBean | Specifies the public key used to verify the JWT. For more information, seePublicKey element. |
ResponseCache Policy
| Field | Description |
|---|---|
apiVersionType: | apim.googleapis.com/v1 |
kind Type: | ResponseCache |
metadata | Refer to the Kubernetes API documentation for the fields available inmetadata. |
spec | Defines the desired state of ResponseCache. |
ResponseCacheBean
| Field | Description |
|---|---|
mode Type: | SpecifiesProxyRequest orProxyResponse. Determines whether the policy is attached to the request flow or response flow. |
cacheExpiryType:cacheExpiry | Provides the cacheExpiry object. |
cacheKeyType:cacheKey | Provides the cacheKey object. |
cacheLookupTimeOut type: | Specifies the cache look up timeout period. |
cacheResourceRef type: | Specifies the cache resource identifier using a variable reference. |
excludeErrorResponse type: | This policy can cache HTTP responses withany status code. That means both success and error responses can be cached, including2xx and3xx status codes. |
skipCacheLookupCondition type: | Defines an expression that, if it evaluates totrue at runtime, specifies that cache lookup should be skipped and the cache should be refreshed |
skipCachePopulationCondition type: | Defines an expression that, if it evaluates totrue at runtime, specifies that cache lookup should be skipped and the cache should be refreshed at runtime, specifies that a write to the cache should be skipped. |
useAcceptHeader type: | Set totrue to append values from responseAccept headers to the response cache entry's cache key. |
useResponseCacheHeaders type: | Set totrue to have HTTP response headers considered when setting the "time to live" (TTL) of the response in the cache. |
cacheExpiry
| Field | Description |
|---|---|
expiryDate Type: | Specifies the date on which a cache entry should expire. |
timeOfDay Type: | Specifies the time of day at which a cache entry should expire. |
timeoutInSeconds Type: | Specifies the number of seconds after which a cache entry should expire. |
cacheKey
| Field | Description |
|---|---|
cacheKeyPrefix Type: | Specifies a value to use as a cache key prefix. |
fragments Type: | Specifies a value to be included in the cache key to create a namespace for matching requests to cached responses. |
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.