A typical Apigee hybrid installation is made up of multiple pods, as listed in the
following table.
Each of these pods requires access to specific ports, and not every pod needs to communicate
with every other pod. For a detailed map of these internal connections and the security
protocols they employ, see Internal connections.
| Pod | Description |
| --- | --- |
| apigee-logger | Contains an Apigee logger agent that sends application logs to Stackdriver. |
| apigee-metrics | Contains an Apigee metrics agent that sends application logs to Stackdriver. |
| apigee-cassandra | Contains the hybrid runtime persistence layer. |
| apigee-synchronizer | Synchronizes configuration between the management (control) plane and runtime (data) plane. |
| apigee-udca | Allows transfer of analytics data to the management plane. |
| apigee-mart | Contains the Apigee administrative API endpoint. |
| apigee-runtime | Contains the gateway for API request processing and policy execution. |
Google recommends that you follow these methods and best practices to harden,
secure, and isolate the runtime pods:

| Method | Description |
| --- | --- |
| Kubernetes security overview | Review the Google Kubernetes Engine (GKE) document Security overview. This document provides an overview of each layer of your Kubernetes infrastructure, and explains how you can configure its security features to best suit your needs. |
| Network policies | Use network policies to restrict communication between pods and to pods that have access outside the Kubernetes network. For more information, see Creating a cluster network policy in the GKE documentation. A network policy is a specification of how groups of pods are allowed to communicate with each other and with other network endpoints. The Kubernetes NetworkPolicy resource uses labels to select pods and defines rules that specify what traffic is allowed to the selected pods. You can implement a Container Network Interface (CNI) plugin to add network policies to an Apigee hybrid runtime installation. Network policies let you isolate pods from outside access and enable access to specific pods. You can use an open source CNI plugin, such as Calico, to get started. |
| GKE Sandbox | Enable GKE Sandbox for the Kubernetes clusters that run Apigee hybrid. See GKE Sandbox for details. |
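The following is an added example, not part of the Apigee documentation and not an Apigee-supplied manifest, showing how the label-based NetworkPolicy model described above is typically applied to a runtime namespace: a default-deny policy for the whole namespace, an egress exception for cluster DNS, and a narrow ingress rule that admits traffic to the apigee-runtime pods only from a selected set of peers. The namespace name (`apigee`), the pod labels (`app: apigee-runtime`, `role: runtime-client`) and the port number (`8443`) are assumptions; replace them with the labels and ports your installation actually uses.

```yaml
# Added example (not from the Apigee documentation). Namespace, labels and port
# numbers are assumptions; substitute the values used by your installation.
#
# 1. Default deny: with an empty podSelector this policy applies to every pod in
#    the namespace, and because no ingress/egress rules are listed, all traffic
#    in both directions is denied unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: apigee                 # assumed namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. DNS exception: a default-deny egress policy also blocks name resolution,
#    so allow every pod in the namespace to reach cluster DNS in kube-system.
#    The kubernetes.io/metadata.name label is set automatically on namespaces.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: apigee
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# 3. Narrow ingress: select the runtime gateway pods by label and admit traffic
#    only from pods carrying an assumed client label, on the assumed listen port.
#    Pods without that label (including other pods in this namespace) are still
#    denied by policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-runtime-ingress
  namespace: apigee
spec:
  podSelector:
    matchLabels:
      app: apigee-runtime             # assumed label on the runtime pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          role: runtime-client        # assumed label on permitted callers
    ports:
    - protocol: TCP
      port: 8443                      # assumed port, not the documented one
```

Apply the manifests with `kubectl apply -f` and list the result with `kubectl get networkpolicy -n apigee`. Two caveats apply when starting from default deny: the policies are only enforced when the cluster's CNI plugin implements NetworkPolicy (such as Calico, as noted above), and the pods listed in the first table that talk to the management plane or to Stackdriver (apigee-synchronizer, apigee-udca, apigee-logger, apigee-metrics) will need explicit egress rules of their own, since policy 1 blocks all outbound traffic by default.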
This Apigee hybrid documentation version 1.1 is end-of-life and requires an upgrade to a newer version.
Last updated 2025-03-07 UTC.