Kong Gateway Operator (KGO) is the most effective way to install, upgrade, scale, and manage a Kong Gateway or Kubernetes Ingress. The latest release of the Kong Gateway Operator brings several updates that streamline integration with Kong Konnect and improve configuration and reliability.
Below, we highlight the most notable changes and explain how they can benefit your organization. Keep on reading to find out more.
In the previous release, we enhanced the operator to manage Konnect within Kubernetes environments using Kubernetes Custom Resource Definitions (CRDs), making it possible to create control planes and other Konnect entities as Kubernetes manifests. With this release, we're introducing further improvements to enhance the user experience for those leveraging this feature.
Kong Gateway Operator now has the power to apply a plugin universally across an entire control plane. You can now set the scope field in a KongPluginBinding to GlobalInControlPlane to ensure that the specified plugin is automatically applied to all entities within the control plane.
This capability eliminates the need for repetitive, target-specific plugin configurations, streamlining the management process, especially for customers with large-scale or complex deployments.
The existing default setting, OnlyTargets, is still available and can be applied to plugins with specified targets. Combined, these two options for the scope field offer you the flexibility and control to apply plugins universally or only to targeted configurations.
We're also improving KonnectExtension, a CRD that was originally created to enable seamless attachment to a DataPlane CR through an extension point in the DataPlane specification, allowing you to declare your Konnect control plane attributes once and quickly apply them to many data plane instances. In this release, we're adding KonnectExtension to ControlPlane, which allows users to configure Kong Ingress Controller (KIC) in Konnect, and GatewayConfiguration, which enables users to configure a Gateway API Gateway in Konnect.
The Kong Gateway Operator utilizes a certificate authority (CA) certificate to sign the certificates used by ControlPlane and DataPlane components to ensure secure communication (e.g., for Kong’s Admin API). This CA certificate is securely retrieved from a Kubernetes Secret.
We're introducing two new flags to give you greater control over configuring your cluster CA to better align with your security and compliance requirements. The two new flags — cluster-ca-key-type and cluster-ca-key-size — will allow you to choose between supported private key types (RSA or ECDSA, with ECDSA as the default) and specify a custom key size to meet your needs.
If you're wondering which key might be the better option for you, here are some things to consider:
We're introducing a feature that allows users to define custom, predictable service names to prevent complications in processes like CI/CD caused by unpredictable proxy service names generated by the Kong Gateway Operator.
With a new Name field in ServiceOptions, you can clearly specify the name of the owning service, currently supported for DataPlane ingress services. This helps you organize and track service ownership more effectively.
For high availability (HA) and resilience, you can now scale a KIC control plane deployment horizontally by specifying the number of control plane replicas of the ControlPlane deployment. This multi-replica approach increases the availability of your services and the resilience of your system against failures, network issues, or other disruptions.
The new Prometheus metrics provide valuable operational insights into Konnect-related activities, enabling users to:
gateway_operator_konnect_entity_operation_count tracks the number of Konnect-related operations, offering a clear view of operational volume over time. This helps understand the workload and operational trends within your Konnect environment.gateway_operator_konnect_entity_operation_duration_millisecond provides the duration of these Konnect-related operations as measured in milliseconds. This metric helps monitor performance and identify any latency issues that may arise during operations that target Konnect. These enhancements empower users to maintain better observability, faster issue resolution, and improved performance management for their Kong Konnect environment.
With the deprecation of kube-rbac-proxy, we needed a new way to ensure that sensitive data leaving metrics endpoints remain protected. To address this issue, we're removing ‘kube-rbac-proxy’ and introducing the new metrics access filter, providing several key benefits:
kube-rbac-proxy), reducing operational complexity.--metrics-access-filter flag (or GATEWAY_OPERATOR_METRICS_ACCESS_FILTER environment variable) provides built-in access control for metrics endpoints. off (default): No restriction on metrics access; rbac: A bearer token is required to access metrics.Removing an external dependency and offering a built-in access filter, makes KGO easier to manage, more secure, and better aligned with Kubernetes-native best practices.
If you're on version 1.3 or older, please upgrade to 1.4.1 before moving to 1.5.0 to avoid migration issues due to the removed legacy label support. Please see our documentation on upgrading here or the chart upgrade guide here to learn how you can upgrade to 1.5.
If you want to learn more and talk to our SMEs about the Kong Gateway Operator or Kong in general, join us at KubeCon Europe in London from April 1–4, 2025. Visit us at booth S231 where we will have special swag, experts ready to chat, and the chance to win special prizes.
Reach out to events@konghq.com if you're interested in setting up a formal meeting with our team.
Kong Gateway Operator 1.5 focuses on delivering practical improvements, especially for customers leveraging Konnect. From global plugin flexibility to enhanced HA configurations and native Kubernetes validations, this release streamlines your workflows while improving reliability and observability.
Try out the new features and give us feedback by visiting the Kong community forums or opening an issue in the Kong Gateway Operator repository.
Happy upgrading!
As of September 2025, Kong Gateway Enterprise 3.8 will enter its End Of Life (EOL) phase and will no longer be fully supported by Kong. Following this, Kong Gateway Enterprise 3.8 will enter a 12-month sunset support period, focused on helping cus
We're very excited to announce Kong Mesh 2.12 to the world! Kong Mesh 2.12 delivers two very important features: SPIFFE / SPIRE support, which provides enterprise-class workload identity and trust models for your mesh, as well as a consistent Kuma R
Meet Emily. She’s an API product manager at ACME, Inc., an ecommerce company that runs on dozens of APIs. One morning, her team lead asks a simple question: “Who’s our top API consumer, and which of your APIs are causing the most issues right now?”
Today, we’re announcing that Kong has acquired OpenMeter , the open source and SaaS leader for real-time usage metering and billing. OpenMeter’s capabilities will be integrated into Kong Konnect, enabling usage-based pricing, entitlements, and invo
It’s been almost a year since we released our Konnect Terraform provider . In that time we’ve seen over 300,000 installs, have 1.7 times as many resources available, and have expanded the provider to include data sources to enable federated managem
We're happy to announce the 3.5 release of Kong Ingress Controller (KIC). This release includes the graduation of combined services to General Availability, support for connection draining, as well as the start of deprecating support for some Ingre
Update Includes Data Orchestration, CyberArk Support, Solace Integration, and Kafka Schema Validation We’re excited to bring you Kong Gateway Enterprise 3.11 with compelling new features to make your APIs and event streams even more powerful, includ