Kong Gateway Operator 1.5: Better Together with Konnect

Kong Gateway Operator (KGO) is the most effective way to install, upgrade, scale, and manage a Kong Gateway or Kubernetes Ingress. The latest release of the Kong Gateway Operator brings several updates that streamline integration with Kong Konnect and improve configuration and reliability. 

Below, we highlight the most notable changes and explain how they can benefit your organization. Keep on reading to find out more. 

Enhanced Konnect integration

In the previous release, we enhanced the operator to manage Konnect within Kubernetes environments using Kubernetes Custom Resource Definitions (CRDs), making it possible to create control planes and other Konnect entities as Kubernetes manifests. With this release, we're introducing further improvements to enhance the user experience for those leveraging this feature.

Apply global plugins universally from a single operator resource 

Kong Gateway Operator now has the power to apply a plugin universally across an entire control plane. You can now set the scope field in a KongPluginBinding to GlobalInControlPlane to ensure that the specified plugin is automatically applied to all entities within the control plane. 

This capability eliminates the need for repetitive, target-specific plugin configurations, streamlining the management process, especially for customers with large-scale or complex deployments.

The existing default setting, OnlyTargets, is still available and can be applied to plugins with specified targets. Combined, these two options for the scope field offer you the flexibility and control to apply plugins universally or only to targeted configurations. 

An easier way to reference Konnect control planes 

We're also improving KonnectExtension, a CRD that was originally created to enable seamless attachment to a DataPlane CR through an extension point in the DataPlane specification, allowing you to declare your Konnect control plane attributes once and quickly apply them to many data plane instances. In this release, we're adding KonnectExtension to ControlPlane, which allows users to configure Kong Ingress Controller (KIC) in Konnect, and GatewayConfiguration, which enables users to configure a Gateway API Gateway in Konnect. 

Configuration improvements

Enhanced custom CA certificates

The Kong Gateway Operator utilizes a certificate authority (CA) certificate to sign the certificates used by ControlPlane and DataPlane components to ensure secure communication (e.g., for Kong’s Admin API). This CA certificate is securely retrieved from a Kubernetes Secret.

We're introducing two new flags to give you greater control over configuring your cluster CA to better align with your security and compliance requirements. The two new flags — cluster-ca-key-type and cluster-ca-key-size — will allow you to choose between supported private key types (RSA or ECDSA, with ECDSA as the default) and specify a custom key size to meet your needs. 

If you're wondering which key might be the better option for you, here are some things to consider:

• ECDSA is known for its efficiency, strong security, and smaller key sizes. It’s suitable if performance and speed are top priorities for you. Or if you work in environments with limited computational power and storage, such as mobile. 
• RSA, on the other hand, is one of the oldest and most widely adopted options. For this reason, it's a suitable choice if remaining compatible with a wide range of systems (including older and legacy platforms) is important.

More descriptive service configuration

We're introducing a feature that allows users to define custom, predictable service names to prevent complications in processes like CI/CD caused by unpredictable proxy service names generated by the Kong Gateway Operator.

With a new Name field in ServiceOptions, you can clearly specify the name of the owning service, currently supported for DataPlane ingress services. This helps you organize and track service ownership more effectively.

More ways to enhance reliability

Improved resilience with multi-replica KIC ControlPlane deployment

For high availability (HA) and resilience, you can now scale a KIC control plane deployment horizontally by specifying the number of control plane replicas of the ControlPlane deployment. This multi-replica approach increases the availability of your services and the resilience of your system against failures, network issues, or other disruptions. 

Observe and troubleshoot more easily with new Konnect-related metrics

The new Prometheus metrics provide valuable operational insights into Konnect-related activities, enabling users to: 

• Track workloads trends: gateway_operator_konnect_entity_operation_count tracks the number of Konnect-related operations, offering a clear view of operational volume over time. This helps understand the workload and operational trends within your Konnect environment.

• Monitor performance: gateway_operator_konnect_entity_operation_duration_millisecond provides the duration of these Konnect-related operations as measured in milliseconds. This metric helps monitor performance and identify any latency issues that may arise during operations that target Konnect. 

These enhancements empower users to maintain better observability, faster issue resolution, and improved performance management for their Kong Konnect environment.

Simpler metrics access control 

With the deprecation of kube-rbac-proxy, we needed a new way to ensure that sensitive data leaving metrics endpoints remain protected. To address this issue, we're removing ‘kube-rbac-proxy’ and introducing the new metrics access filter, providing several key benefits:

• Simplified deployment: Eliminates the need for an additional external dependency (kube-rbac-proxy), reducing operational complexity.
• Improved security: The new configurable flag: --metrics-access-filter flag (or GATEWAY_OPERATOR_METRICS_ACCESS_FILTER environment variable)  provides built-in access control for metrics endpoints. off (default): No restriction on metrics access; rbac: A bearer token is required to access metrics.
• More flexibility: Users can configure metrics access according to their security needs without relying on an external proxy.

Removing an external dependency and offering a built-in access filter, makes KGO easier to manage, more secure, and better aligned with Kubernetes-native best practices.

Note on upgrading to 1.5

If you're on version 1.3 or older, please upgrade to 1.4.1 before moving to 1.5.0 to avoid migration issues due to the removed legacy label support. Please see our documentation on upgrading here or the chart upgrade guide here to learn how you can upgrade to 1.5.

Talk to us in person at KubeCon Europe

If you want to learn more and talk to our SMEs about the Kong Gateway Operator or Kong in general, join us at KubeCon Europe in London from April 1–4, 2025. Visit us at booth S231 where we will have special swag, experts ready to chat, and the chance to win special prizes.

Reach out to events@konghq.com if you're interested in setting up a formal meeting with our team. 

Try Kong Gateway Operator today

Kong Gateway Operator 1.5 focuses on delivering practical improvements, especially for customers leveraging Konnect. From global plugin flexibility to enhanced HA configurations and native Kubernetes validations, this release streamlines your workflows while improving reliability and observability.

Try out the new features and give us feedback by visiting the Kong community forums or opening an issue in the Kong Gateway Operator repository. 

Happy upgrading!