Each supported platform has its own permission requirements for creating a cluster. After the cluster
is created. As cluster owner, you can proceed to install the Apigee-specific components
(including Apigee, ASM, and cert-manager) into
the cluster. However, if you want to delegate to another user the installation of the runtime
components into the cluster, you can manage the
necessary permissions through
Kubernetes authn-authz.
To install the hybrid runtime components into the cluster, a non-cluster-owner user should
have CRUD permission on these resources:
ClusterRole
Webhooks (ValidatingWebhookConfiguration and MutatingWebhookConfiguration)
PriorityClass
ClusterIssuer
CustomerResourceDefinitions
StorageClass (optional, if the default StorageClass is not used)
Prerequisites
This section describes tasks you must accomplish before you begin the runtime plane quickstart
install.
Complete the following tasks to ensure that you can successfully begin the runtime installation (as described in
this section):
After you have satisfied the above prerequisites, go to the quickstart for your platform:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis documentation version (1.4) for Apigee hybrid is end-of-life and an upgrade to a newer version is recommended.\u003c/p\u003e\n"],["\u003cp\u003eClusters must meet minimum configuration requirements, as detailed in the documentation for the cluster overview.\u003c/p\u003e\n"],["\u003cp\u003eInstalling Apigee hybrid requires specific cluster permissions, including CRUD permissions on various resources for non-cluster-owner users.\u003c/p\u003e\n"],["\u003cp\u003ePrerequisites include completing Google Cloud and UI setup, as well as having a managed domain name for the Apigee hybrid installation.\u003c/p\u003e\n"],["\u003cp\u003eYou can install Apigee hybrid on a shared or separate cluster, each with their own considerations regarding version management, isolation, and operational effort.\u003c/p\u003e\n"]]],[],null,["# Part 2: Hybrid runtime setup\n\n| You are currently viewing version 1.4 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nSupported platforms\n-------------------\n\n\nSee [Apigee hybrid: supported platforms](/apigee/docs/hybrid/supported-platforms).\n\nMinimum cluster configurations\n------------------------------\n\n\nYour cluster must meet minimum configuration requirements. For details, see\n[Minimum cluster configurations](/apigee/docs/hybrid/v1.4/cluster-overview).\n\nCluster permissions\n-------------------\n\n\nEach supported platform has its own permission requirements for creating a cluster. After the cluster\nis created. As cluster owner, you can proceed to install the Apigee-specific components\n(including Apigee, ASM, and cert-manager) into\nthe cluster. However, if you want to delegate to another user the installation of the runtime\ncomponents into the cluster, you can manage the\nnecessary permissions through\nKubernetes [authn-authz](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).\n\n\nTo install the hybrid runtime components into the cluster, a non-cluster-owner user should\nhave CRUD permission on these resources:\n\n- ClusterRole\n- Webhooks (ValidatingWebhookConfiguration and MutatingWebhookConfiguration)\n- PriorityClass\n- ClusterIssuer\n- CustomerResourceDefinitions\n- StorageClass (optional, if the default StorageClass is not used)\n\nPrerequisites\n-------------\n\nThis section describes tasks you must accomplish before you begin the runtime plane quickstart\ninstall.\n\n| **Note about clusters:** You can create a new separate cluster for Apigee hybrid or you can install it in a cluster that is running other workloads. \n|\n| - **Shared cluster:** If you install Apigee hybrid in a cluster running other workloads, you need to upgrade and maintain your GKE/AKS cluster at the versions and features required in common for Apigee hybrid and for your other workloads. You may want to develop a plan to migrate one or more workloads in case conflicts arise between supported versions and requirements.\n| - **Separate cluster:** Creating a dedicated cluster for Apigee hybrid adds isolation. It also adds the operational effort of maintaining the new cluster.\n| Both options are valid.\n| **Note about VPC Service Controls:** If you plan to enable Google Cloud [Virtual Private Cloud (VPC) Service\n| Controls](https://cloud.google.com/vpc-service-controls) with your Apigee hybrid installation, see [Using VPC Service Controls with Apigee and\n| Apigee hybrid](/apigee/docs/api-platform/security/vpc-sc) for instructions before you proceed.\n\nAfter you have satisfied the above prerequisites, go to the quickstart for your platform:"]]
