Happy holidays everyone! We've been working hard on the Kong Ingress Controller (KIC) and the latest 3.4 release is jam-packed with new features, bugfixes, and improvements.
With this update, we're introducing easier TLS encryption, enhanced performance during complex deployments, and general availability of Kong Custom Entities support. Additionally, we've made some internal changes to where our CRD references are published that may affect some customers.
We’re also excited to announce that this release of KIC will have long-term support (LTS).
Let's dive in!
In this release, we’re adding support for ensuring “upstream TLS” — that is, ensuring by policy that traffic will be encrypted in transit between when traffic enters the cluster at the Ingress and the upstream service within the cluster. The policy can either be configured using the Kubernetes Gateway API or by adding specific annotations to Kubernetes Service objects.
If you use the Gateway API, you can configure upstream TLS using BackendTLSPolicy. If you reference a Kubernetes Service in your BackendTLSPolicy spec, and that service is mapped to an HTTPRoute that binds it to a Kong Gateway as a parent, the Gateway will be configured to verify with the upstream Service using a TLS connection as defined in the policy.
As an alternative configuration option, we’ve added support for using annotations on Kubernetes Service objects to set upstream TLS policies. For example, once you add the konghq.com/tls-verify annotation to a service the Gateway will verify that connections from that Service are TLS encrypted. Additional annotations are available to configure specific TLS settings. For more details, check out the docs.
Our customers are using KIC in larger and more complex deployments than ever. In this release, we've made a few changes to configure and optimize the behavior of KIC in these scenarios.
--secret-label-selector to set the label selector for Secrets to ingest. By setting this flag, the secrets that are ingested will be limited to those having this label set to "true". This can reduce memory usage in scenarios with a large number of large secrets. Learn more here.--configmap-label-selector to set the label selector for ConfigMaps to ingest. By setting this flag, the ConfigMaps that are ingested will be limited to those having this label set to "true". This limits the amount of resources that are kept in memory. The default value is konghq.com/configmap. Learn more here.We've added Prometheus metrics ingress_controller_configuration_push_size and ingress_controller_fallback_configuration_push_size to record the size of the config sent to a Kong DataPlane by the controller in DB-less mode. Learn more here.
We’ve also done some important housekeeping for this release.
Kong Custom Entities support, which graduated in KIC 3.3 to beta status, is now generally available. Kong Custom Entities allow you to configure certain Kong Plugins using CRDs, which simplifies declarative configuration of the controller. Please refer to our documentation to learn more.
Also, in order to share custom resource definitions efficiently between the KIC and the Kong Gateway Operator, we've migrated our active CRDs to a new dedicated repository. If you depend on them, please update your dependencies to use the new repository. CRD type bindings under /pkg and clientsets under /pkg/clientset are deprecated and will be removed in the next major release. Until then, they won't be updated.
Read our engineering deep dive to learn more about this change.
Lastly, in part because of this work, a lot of testing, and detailed feedback from early users, we're excited to announce that KIC 3.4 is a long-term support (LTS) release — the first release in the 3.X series to come with LTS. LTS means that we'll continue to update KIC 3.4 with critical fixes for the next three years, giving teams confidence that they'll continue to be supported without significant API or functional changes. Read more about long-term support for KIC.
This is just a taste of the more than 30 features, fixes, and updates in the 3.4 release of KIC. For a full list please read the CHANGELOG.
As always, the quickest way to get started with KIC is with Kong Konnect thanks to our KIC in Kong Konnect functionality.
Please also share any feedback that you might have on our GitHub discussion forum for KIC here.
Simplify operations and scale with confidence To unlock Kubernetes’ full potential, many enterprises are relying on three key building blocks available in Kong Konnect today: Kubernetes Ingress Controllers: Ingress controllers are used for managing
Simplified controller configuration When using the Kong Ingress Controller, a significant amount of effort was needed to apply configuration to the controller by setting environment variables. The new ControlPlane resource greatly simplifies this an
This blog addresses the common challenges organizations face with fragmented API management in Kubernetes environments and presents Kong Konnect combined with the Kong Ingress Controller (KIC) as a comprehensive solution. We'll highlight the issues
"To prioritize the safety and security of the ecosystem, Kubernetes SIG Network and the Security Response Committee are announcing the upcoming retirement of Ingress NGINX . Best-effort maintenance will continue until March 2026. Afterward, there w
We're happy to announce the 3.5 release of Kong Ingress Controller (KIC). This release includes the graduation of combined services to General Availability, support for connection draining, as well as the start of deprecating support for some Ingre
Kong Gateway Operator (KGO) is the most effective way to install, upgrade, scale, and manage a Kong Gateway or Kubernetes Ingress. The latest release of the Kong Gateway Operator brings several updates that streamline integration with Kong Konnect