The procedures to install and manage Apigee hybrid require the following permissions and roles. Individual tasks can be performed by different members of your organization who have the required permissions and roles.
Cluster permissions
Each supported platform has its own permission requirements for creating a cluster. As cluster owner, you can proceed to install the Apigee-specific components (including cert-manager and the Apigee runtime) into the cluster. However, if you want to delegate to another user the installation of the runtime components into the cluster, you can manage the necessary permissions through Kubernetes authn-authz.
To install the hybrid runtime components into the cluster, a non-cluster-owner user should have CRUD permission on these resources:
- ClusterRole
- ClusterRoleBinding
- Webhooks (ValidatingWebhookConfiguration and MutatingWebhookConfiguration)
- PriorityClass
- ClusterIssuer
- CustomerResourceDefinitions
- StorageClass (Optional, if the default StorageClass is not used. For information on changing the default and creating a custom storage class, see StorageClass configuration.)
IAM Roles
You need to have the following IAM roles assigned to your user account in order to perform these steps. If your account does not have these roles, have a user with the roles perform the steps. For more information on IAM roles, see IAM basic and predefined roles reference.
To create service accounts and grant them access to your project:
- Create Service Accounts (
roles/iam.serviceAccountCreator) - Project IAM Admin (
roles/resourcemanager.projectIamAdmin)
To grant synchronizer access to your project:
- Apigee Organization Admin (
roles/apigee.admin)
To configure workload identity for installations on GKE (optional):
- Kubernetes Engine Admin (
roles/container.admin) - Service Account Admin (
roles/iam.serviceAccountAdmin)