Each supported platform has its own permission requirements for creating a cluster. After the cluster
is created. As cluster owner, you can proceed to install the Apigee-specific components
(including Apigee, ASM, and cert-manager) into
the cluster. However, if you want to delegate to another user the installation of the runtime
components into the cluster, you can manage the
necessary permissions through
Kubernetes authn-authz.
To install the hybrid runtime components into the cluster, a non-cluster-owner user should
have CRUD permission on these resources:
ClusterRole
Webhooks (ValidatingWebhookConfiguration and MutatingWebhookConfiguration)
PriorityClass
ClusterIssuer
CustomerResourceDefinitions
StorageClass (Optional, if the default StorageClass is not used. For information on
changing the default and creating a custom storage class, see StorageClass configuration.)
Prerequisites
This section describes tasks you must accomplish before you begin the runtime plane quickstart
install.
Complete the following tasks to ensure that you can successfully begin the runtime installation (as described in
this section):
After you have satisfied the above prerequisites, go to the quickstart for your platform:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis documentation covers Apigee hybrid version 1.6, which is end of life and requires an upgrade to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eClusters must meet minimum configuration requirements, which are detailed in the minimum cluster configurations section.\u003c/p\u003e\n"],["\u003cp\u003eInstalling Apigee hybrid components requires specific permissions, including CRUD access to ClusterRole, Webhooks, PriorityClass, ClusterIssuer, CustomerResourceDefinitions, and StorageClass for non-cluster-owner users.\u003c/p\u003e\n"],["\u003cp\u003eBefore beginning the runtime installation, users must complete the Google Cloud and UI setup steps and have a domain name they can manage for the Apigee hybrid installation.\u003c/p\u003e\n"],["\u003cp\u003eApigee hybrid can be installed in either a shared cluster with other workloads or a dedicated separate cluster, with different considerations for each method.\u003c/p\u003e\n"]]],[],null,["# Part 2: Hybrid runtime setup\n\n| You are currently viewing version 1.6 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nSupported platforms\n-------------------\n\n\nSee [Apigee hybrid: supported platforms](/apigee/docs/hybrid/supported-platforms).\n\nMinimum cluster configurations\n------------------------------\n\n\nYour cluster must meet minimum configuration requirements. For details, see\n[Minimum cluster configurations](/apigee/docs/hybrid/v1.6/cluster-overview).\n\nCluster permissions\n-------------------\n\n\nEach supported platform has its own permission requirements for creating a cluster. After the cluster\nis created. As cluster owner, you can proceed to install the Apigee-specific components\n(including Apigee, ASM, and cert-manager) into\nthe cluster. However, if you want to delegate to another user the installation of the runtime\ncomponents into the cluster, you can manage the\nnecessary permissions through\nKubernetes [authn-authz](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).\n\n\nTo install the hybrid runtime components into the cluster, a non-cluster-owner user should\nhave CRUD permission on these resources:\n\n- ClusterRole\n- Webhooks (ValidatingWebhookConfiguration and MutatingWebhookConfiguration)\n- PriorityClass\n- ClusterIssuer\n- CustomerResourceDefinitions\n- StorageClass (Optional, if the default StorageClass is not used. For information on changing the default and creating a custom storage class, see [StorageClass configuration](./cassandra-config).)\n\nPrerequisites\n-------------\n\nThis section describes tasks you must accomplish before you begin the runtime plane quickstart\ninstall.\n\n| **Note about clusters:** You can create a new separate cluster for Apigee hybrid or you can install it in a cluster that is running other workloads. \n|\n| - **Shared cluster:** If you install Apigee hybrid in a cluster running other workloads, you need to upgrade and maintain your GKE/AKS cluster at the versions and features required in common for Apigee hybrid and for your other workloads. You may want to develop a plan to migrate one or more workloads in case conflicts arise between supported versions and requirements.\n| - **Separate cluster:** Creating a dedicated cluster for Apigee hybrid adds isolation. It also adds the operational effort of maintaining the new cluster.\n| Both options are valid.\n| **Note about VPC Service Controls:** If you plan to enable Google Cloud [Virtual Private Cloud (VPC) Service\n| Controls](https://cloud.google.com/vpc-service-controls) with your Apigee hybrid installation, see [Using VPC Service Controls with Apigee and\n| Apigee hybrid](/apigee/docs/api-platform/security/vpc-sc) for instructions before you proceed.\n\nAfter you have satisfied the above prerequisites, go to the quickstart for your platform:"]]
