Securing the runtime installation

You are currently viewing version 1.13 of the Apigee hybrid documentation. For more information, see Supported versions.

A typical Apigee hybrid installation is made up of multiple pods, as listed in the following table. Each of these pods requires access to specific ports, and not every pod needs to communicate with every other pod. For a detailed map of these internal connections and the security protocols they use, see Internal connections.

| Pod | Description |
| --- | --- |
| apigee-logger | Contains an Apigee logger agent that sends application logs to Cloud Operations. |
| apigee-metrics | Contains an Apigee metrics agent that sends application logs to Cloud Operations. |
| apigee-cassandra | Contains the hybrid runtime persistence layer. |
| apigee-synchronizer | Synchronizes configuration between the management (control) plane and runtime (data) plane. |
| apigee-udca | Allows transfer of analytics data to the management plane. |
| apigee-mart | Contains the Apigee administrative API endpoint. |
| apigee-runtime | Contains the gateway for API request processing and policy execution. |

Google recommends that you follow these methods and best practices to harden, secure, and isolate the runtime pods:

Method: Kubernetes security overview

Review the Google Kubernetes Engine (GKE) document Security overview. This document provides an overview of each layer of your Kubernetes infrastructure and explains how you can configure its security features to best suit your needs.

For Google Kubernetes Engine's current guidance on hardening your GKE cluster, see Hardening your cluster's security.

Method: Network policies

Use network policies to restrict communication between pods and to pods that have access outside the Kubernetes network. For more information, see Creating a cluster network policy in the GKE documentation.

A network policy is a specification of how groups of pods are allowed to communicate with each other and with other network endpoints.

The Kubernetes NetworkPolicy resource uses labels to select pods and defines rules that specify what traffic is allowed to the selected pods.

You can implement a Container Network Interface (CNI) plugin to add network policies to an Apigee hybrid runtime installation. Network policies let you isolate pods from outside access and enable access to specific pods only. You can use an open source CNI plugin, such as Calico, to get started.
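As an added example (not part of the Apigee documentation), the two NetworkPolicy objects below show the label-selector pattern described above applied to the persistence layer: the first denies all ingress to every pod in the runtime namespace, the second re-allows ingress to the Cassandra pods only from the gateway pods and from the other Cassandra pods. The namespace name `apigee`, the `app` label values and the CQL port 9042 are assumptions; take the real pod labels and the full set of ports and peer pods (synchronizer, MART, UDCA) from the Internal connections page before applying anything, and make sure the cluster runs a CNI that enforces NetworkPolicy.

```yaml
# Added example: namespace, label values and port are assumptions.
# 1. Default-deny: with an empty podSelector the policy selects every
#    pod in the namespace; listing Ingress with no rules blocks all
#    inbound traffic until another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: apigee
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. Allow-list for the persistence layer. Policies are additive, so
#    this rule re-opens only the paths Cassandra actually needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-cassandra-ingress
  namespace: apigee
spec:
  podSelector:
    matchLabels:
      app: apigee-cassandra        # assumed label on the persistence pods
  policyTypes:
  - Ingress
  ingress:
  # Gateway pods may reach the CQL port only.
  - from:
    - podSelector:
        matchLabels:
          app: apigee-runtime      # assumed label on the gateway pods
    ports:
    - protocol: TCP
      port: 9042                   # assumed CQL port; verify in Internal connections
  # Cassandra nodes must still gossip and replicate among themselves,
  # so peers keep unrestricted access to each other.
  - from:
    - podSelector:
        matchLabels:
          app: apigee-cassandra
```

After applying, `kubectl -n apigee describe networkpolicy allow-cassandra-ingress` shows the resolved selectors, and a connection attempt from a pod that carries none of the allowed labels should time out rather than connect.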


Last updated 2025-12-17 UTC.