Product Releases
December 19, 2024

What’s New in Kong Ingress Controller 3.4 LTS?

Andrew Jessup
Director of Product, Gateways and Mesh, Kong
Happy holidays everyone! We've been working hard on the Kong Ingress Controller (KIC) and the latest 3.4 release is jam-packed with new features, bugfixes, and improvements. 

With this update, we're introducing easier TLS encryption, enhanced performance during complex deployments, and general availability of Kong Custom Entities support. Additionally, we've made some internal changes to where our CRD references are published that may affect some customers.

We’re also excited to announce that this release of KIC will have long-term support (LTS).

Let's dive in!

Simplifying encryption to upstream services

In this release, we’re adding support for “upstream TLS”: ensuring by policy that traffic is encrypted in transit between the point where it enters the cluster at the Ingress and the upstream service within the cluster. The policy can be configured either using the Kubernetes Gateway API or by adding specific annotations to Kubernetes Service objects.

If you use the Gateway API, you can configure upstream TLS using BackendTLSPolicy. If you reference a Kubernetes Service in your BackendTLSPolicy spec, and that Service is mapped to an HTTPRoute that binds it to a Kong Gateway as a parent, the Gateway will be configured to verify the upstream Service over a TLS connection as defined in the policy.

As an alternative configuration option, we’ve added support for using annotations on Kubernetes Service objects to set upstream TLS policies. For example, once you add the konghq.com/tls-verify annotation to a Service, the Gateway will verify that connections from that Service are TLS encrypted. Additional annotations are available to configure specific TLS settings. For more details, check out the docs.
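An added example (not Kong's code) that audits exported manifests to find Services with no upstream TLS setting through either path described above: the konghq.com/tls-verify annotation or a BackendTLSPolicy that targets the Service. It assumes the annotation value "true" enables verification and the Gateway API `spec.targetRefs` field; the sample manifests are constructed, and the HTTPRoute binding is not checked.

```python
import json

TLS_VERIFY = "konghq.com/tls-verify"  # annotation named in the post

# Constructed sample shaped like a Kubernetes List of Services and policies.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Service", "metadata": {"name": "orders", "namespace": "shop",
   "annotations": {"konghq.com/tls-verify": "true"}}},
 {"kind": "Service", "metadata": {"name": "billing", "namespace": "shop"}},
 {"kind": "Service", "metadata": {"name": "search", "namespace": "shop",
   "annotations": {"konghq.com/tls-verify": "false"}}},
 {"kind": "Service", "metadata": {"name": "billing", "namespace": "dev"}},
 {"kind": "BackendTLSPolicy",
  "metadata": {"name": "billing-tls", "namespace": "shop"},
  "spec": {"targetRefs": [{"group": "", "kind": "Service", "name": "billing"}]}}
]}
""")


def audit_upstream_tls(items):
    """Map (namespace, service) to 'annotation', 'policy', or None (no setting)."""
    # A BackendTLSPolicy only targets Services in its own namespace.
    covered = set()
    for obj in items:
        if obj.get("kind") != "BackendTLSPolicy":
            continue
        ns = obj["metadata"].get("namespace", "default")
        for ref in obj.get("spec", {}).get("targetRefs", []):
            if ref.get("kind") == "Service" and ref.get("group", "") in ("", "core"):
                covered.add((ns, ref["name"]))
    report = {}
    for obj in items:
        if obj.get("kind") != "Service":
            continue
        meta = obj["metadata"]
        key = (meta.get("namespace", "default"), meta["name"])
        annotations = meta.get("annotations") or {}
        if annotations.get(TLS_VERIFY, "").lower() == "true":
            report[key] = "annotation"  # assumption: "true" enables verification
        else:
            report[key] = "policy" if key in covered else None
    return report


def unprotected(items):
    """Services with neither the annotation nor a policy targeting them."""
    return sorted(k for k, v in audit_upstream_tls(items).items() if v is None)
```

Note that the policy for `shop/billing` does not cover the identically named Service in the `dev` namespace, and an annotation explicitly set to "false" is reported as unprotected.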

Improving scalability in complex environments

Our customers are using KIC in larger and more complex deployments than ever. In this release, we've made a few changes to configure and optimize the behavior of KIC in these scenarios.

  • A tech preview feature: KIC can now combine Kong Services when different HTTPRoutes created using the Gateway API refer to the same target. Learn more here.
  • We've added the flag --secret-label-selector to set the label selector for Secrets to ingest. By setting this flag, the secrets that are ingested will be limited to those having this label set to "true". This can reduce memory usage in scenarios with a large number of large secrets. Learn more here.
  • We've added the flag --configmap-label-selector to set the label selector for ConfigMaps to ingest. By setting this flag, the ConfigMaps that are ingested will be limited to those having this label set to "true". This limits the amount of resources that are kept in memory. The default value is konghq.com/configmap. Learn more here.

We've added Prometheus metrics ingress_controller_configuration_push_size and ingress_controller_fallback_configuration_push_size to record the size of the config sent to a Kong DataPlane by the controller in DB-less mode. Learn more here.

Introducing general availability of Kong Custom Entities support 

We’ve also done some important housekeeping for this release.

Kong Custom Entities support, which graduated in KIC 3.3 to beta status, is now generally available. Kong Custom Entities allow you to configure certain Kong Plugins using CRDs, which simplifies declarative configuration of the controller. Please refer to our documentation to learn more.

Also, in order to share custom resource definitions efficiently between the KIC and the Kong Gateway Operator, we've migrated our active CRDs to a new dedicated repository. If you depend on them, please update your dependencies to use the new repository. CRD type bindings under /pkg and clientsets under /pkg/clientset are deprecated and will be removed in the next major release. Until then, they won't be updated.

Read our engineering deep dive to learn more about this change.

Long-term support for KIC 3.4

Lastly, in part because of this work, a lot of testing, and detailed feedback from early users, we're excited to announce that KIC 3.4 is a long-term support (LTS) release — the first release in the 3.X series to come with LTS. LTS means that we'll continue to update KIC 3.4 with critical fixes for the next three years, giving teams confidence that they'll continue to be supported without significant API or functional changes. Read more about long-term support for KIC.

This is just a taste of the more than 30 features, fixes, and updates in the 3.4 release of KIC. For a full list please read the CHANGELOG.

Try Kong Ingress Controller 3.4

As always, the quickest way to get started with KIC is with Kong Konnect thanks to our KIC in Kong Konnect functionality. 

Please also share any feedback that you might have on our GitHub discussion forum for KIC here.
