Happy holidays everyone! We've been working hard on the Kong Ingress Controller (KIC) and the latest 3.4 release is jam-packed with new features, bugfixes, and improvements.
With this update, we're introducing easier TLS encryption, enhanced performance during complex deployments, and general availability of Kong Custom Entities support. Additionally, we've made some internal changes to where our CRD references are published that may affect some customers.
We’re also excited to announce that this release of KIC will have long-term support (LTS).
Let's dive in!
## Simplifying encryption to upstream services
In this release, we’re adding support for “upstream TLS”: ensuring by policy that traffic is encrypted in transit between the point where it enters the cluster at the Ingress and the upstream service within the cluster. The policy can be configured either through the Kubernetes Gateway API or by adding specific annotations to Kubernetes Service objects.
If you use the Gateway API, you can configure upstream TLS using [`BackendTLSPolicy`](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/). If you reference a Kubernetes Service in your `BackendTLSPolicy` spec, and that Service is mapped to an `HTTPRoute` that binds it to a Kong Gateway as a parent, the Gateway will be configured to connect to the upstream Service over TLS and verify it as defined in the policy.
As an alternative configuration option, we’ve added support for using annotations on Kubernetes Service objects to set upstream TLS policies. For example, once you add the `konghq.com/tls-verify` annotation to a Service, the Gateway will verify that its connections to that Service are TLS encrypted. Additional annotations are available to configure specific TLS settings. For more details, check out the [docs](https://docs.konghq.com//kubernetes-ingress-controller/3.4.x/guides/security/verify-upstream-tls/).
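The two configuration routes described above, as an added example that is not taken from the release post or from Kong's documentation. The namespace, resource names, port and hostname are assumptions, and the CA ConfigMap is assumed to already exist in the form the linked guide requires.

```yaml
# Added example: shop, orders, orders-ca, kong, the port and the hostname
# are assumed values.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: orders
  namespace: shop
spec:
  parentRefs:
    - name: kong               # Gateway managed by KIC (assumed name)
  rules:
    - backendRefs:
        - name: orders         # the Service the policy below targets
          port: 443
---
# Route 1: Gateway API policy attached to the Service.
apiVersion: gateway.networking.k8s.io/v1alpha3  # must match the installed Gateway API CRDs
kind: BackendTLSPolicy
metadata:
  name: orders-upstream-tls
  namespace: shop              # same namespace as the target Service
spec:
  targetRefs:
    - group: ""                # core API group
      kind: Service
      name: orders
  validation:
    hostname: orders.shop.svc  # name the upstream certificate must present
    caCertificateRefs:
      - group: ""
        kind: ConfigMap
        name: orders-ca        # CA bundle, assumed to exist already
---
# Route 2: Service annotations, used instead of the BackendTLSPolicy above.
apiVersion: v1
kind: Service
metadata:
  name: orders
  namespace: shop
  annotations:
    konghq.com/protocol: https     # Kong proxies to this Service over HTTPS
    konghq.com/tls-verify: "true"  # verify the upstream's TLS certificate
    # CA and other TLS settings use the additional annotations in the linked guide.
spec:
  selector:
    app: orders
  ports:
    - port: 443
      targetPort: 8443
```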
## Improving scalability in complex environments
Our customers are using KIC in larger and more complex deployments than ever. In this release, we've made a few changes to configure and optimize the behavior of KIC in these scenarios.
We've added the Prometheus metrics `ingress_controller_configuration_push_size` and `ingress_controller_fallback_configuration_push_size` to record the size of the config sent to a Kong DataPlane by the controller in DB-less mode. Learn more [here](https://docs.konghq.com/kubernetes-ingress-controller/3.4.x/production/observability/prometheus/).
## Introducing general availability of Kong Custom Entities support
We’ve also done some important housekeeping for this release.
Kong Custom Entities support, which graduated in KIC 3.3 to beta status, is now generally available. Kong Custom Entities allow you to configure certain Kong Plugins using CRDs, which simplifies declarative configuration of the controller. Please refer to our documentation to [learn more](https://docs.konghq.com/kubernetes-ingress-controller/3.4.x/guides/services/custom-entity/).
Also, in order to share custom resource definitions efficiently between the KIC and the Kong Gateway Operator, we've migrated our active CRDs to a new dedicated [repository](https://github.com/kong/kubernetes-configuration). If you depend on them, please update your dependencies to use the new repository. CRD type bindings under `/pkg` and clientsets under `/pkg/clientset` are deprecated and will be removed in the next major release. Until then, they won't be updated.
Read our [engineering deep dive](https://frontend.prd.mktg.konghq.com/blog/engineering/managing-konnect-entities-from-k8s-clusters) to learn more about this change.
## Long-term support for KIC 3.4
Lastly, in part because of this work, a lot of testing, and detailed feedback from early users, we're excited to announce that KIC 3.4 is a long-term support (LTS) release, the first release in the 3.X series to come with LTS. LTS means that we'll continue to update KIC 3.4 with critical fixes for the next three years, giving teams confidence that they'll continue to be supported without significant API or functional changes. Read more about [long-term support for KIC](https://docs.konghq.com/kubernetes-ingress-controller/latest/support-policy/#kong-ingress-controller-versions).
This is just a taste of the more than 30 features, fixes, and updates in the 3.4 release of KIC. For a full list, please read the [CHANGELOG](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#310).
## Try Kong Ingress Controller 3.4
As always, the [quickest way to get started](https://konghq.com/products/kong-konnect/register) with KIC is with Kong Konnect thanks to our [KIC in Kong Konnect](https://konghq.com/blog/product-releases/kic-in-kong-konnect) functionality.
Please also share any feedback that you might have on our GitHub discussion forum for KIC [here](https://github.com/Kong/kubernetes-ingress-controller/discussions).