Changelog for supported Kong Event Gateway versions.
Kong Event Gateway changelog
Uses:
Event Gateway
1.2.0
Release date: 2026/06/29
Deprecations & Behavior Changes
-
Per-policy
*.attemptsmetrics deprecated:kong.keg.kafka.decrypt.attempts,kong.keg.kafka.encrypt.attempts,kong.keg.kafka.kscheme.attempts, andkong.keg.kafka.schema.validation.attemptsare deprecated. Use the unifiedkong.keg.kafka.policy.invocationsmetric instead. -
kong/sverr-{part}header deprecated: Theschema_validationpolicy’skong/sverr-{part}header is deprecated. Usekong/policy-failure-{konnect_id}instead, which carries the reason for the policy failure. -
kong.keg.konnect.analytics.bytes.sentdeprecated: Replaced bykong.keg.konnect.analytics.sent, since the standard unitBybelongs in metric metadata rather than the metric name. The replacement counter is emitted alongside the deprecated one during the migration window. -
kong.keg.resultnow always reflects the real policy result: Previously this labelkong.keg.kafka.policy.invocationsreportedsuccesseven when a policy failed under themark,skip, orpassthroughfailure modes. These invocations now reportkong.keg.result=fail. Use thekong.keg.failure_modelabel if you want to ignore failures handled by those modes. -
Missing fields in parsed-record CEL expressions are now absent rather than null: Paths like
record.value.content[...]that do not exist are no longer placed in the context map, while explicitnullvalues remain present. Use'<path>' in record.value.contentto check for a field before reading or comparing it.
Features
- Topic aliases: Virtual clusters can now expose backend Kafka topics under different client-facing names. Clients see the alias while Event Gateway transparently routes requests to the original backend topic. This lets you rename topics for clients without changing client configuration, or provide multiple names for the same backend topic.
- Encrypt Fields policy: A new produce phase policy that encrypts fields of schema-validated Kafka messages using AES-256-GCM before they reach the backend cluster.
- Decrypt Fields policy: A new consume phase policy that decrypts fields of Kafka messages that were previously encrypted using a referenced key. Use it together with the Encrypt Fields policy to enforce consistent encryption standards across clients.
-
Kong Identity principal metadata: After a client authenticates, the gateway can fetch the principal’s metadata from Kong Identity and expose it as
auth.principal.id. - Schema metadata in the CEL context: Schema metadata is now exposed in the parsed-record CEL context, enabling expressions that reason about a record’s schema in addition to its contents.
-
Unified policy failure modes: Failure-mode handling is now consistent across all policies, including a new
markmode and apassthroughaction for schema validation, giving you predictable control over what happens when a policy fails. - Consumer group administration support: ACL handling now supports consumer group heartbeat and describe operations, and consumer group names are rewritten consistently for namespaced virtual clusters.
-
Observability aligned with OpenTelemetry conventions: Signals, labels, and metric names were aligned with conventions. Adds virtual cluster authentication observability, additional authentication metrics, and a
resultlabel on policy invocations. - Analytics: error codes and queue visibility: Analytics events now carry the request error code (reporting the lowest/most significant code), and the analytics pipeline logs when its queue fills and drains.
-
ca_bundleno longer requires base64 encoding: Backend clusterca_bundlevalues can now be provided directly without base64 encoding.
Fixes
- Consumer group admin APIs were broken: Admin calls returned empty members and the API 69 request timed out. Consumer group handling was reworked and unsupported APIs removed.
- Snappy records failed to decompress with an encryption policy applied: The gateway now correctly decompresses Snappy-compressed records when an encryption policy is in effect.
-
acl_modehot reload had no effect: Switching the ACL mode at runtime is now applied without a restart. - Schema Registry cache poisoned on transient failures: A transient Schema Registry error could be cached and served indefinitely. Retriable errors are now evicted from the cache instead of being persisted.
- Clearer logging when a client disconnects before authenticating: Connections that close before or during authentication now produce accurate, actionable log messages.
1.1.1
Release date: 2026/06/16
Fixes
-
Updated vulnerable dependencies and container base images: Refreshed the runtime distroless base (patched OpenSSL/glibc) and removed the legacy
rustls/rustls-webpkistack, clearing the outstanding advisories. -
Bumped
aws-lc-sys/aws-lc-rs: Pulled in the fixed AWS-LC bindings (RUSTSEC-2026-0044, -0048). - Namespacing: consumer group rewrite: Corrects how consumer group identifiers are rewritten when proxying, so group operations resolve to the right backend.
- ACLs: drop unsupported APIs: Removes Kafka APIs that aren’t supported under ACL handling, avoiding incorrect authorization behavior.
-
Snappy decompression under encryption policies: In some rare cases, raw (non-xerial-framed) Snappy records caused the gateway to fail with a
snappy: corrupt inputerror when an encryption policy was applied on the produce chain and the producer’s compression was set to Snappy.
1.1.0
Release date: 2026/03/25
Breaking Changes
- Observability stack migrated to OpenTelemetry: All metrics, traces, and logs now use OpenTelemetry-native naming. Prometheus is still enabled by default but metric names, attribute keys, and duration units (all now in seconds) have changed. If you have dashboards or alerts based on previous metric names, you will need to update them. See the breaking changes entry for metrics naming for more details.
-
Environment variable names changed: Legacy Konnect bootstrap environment variables are no longer supported. The variables now have a
KONG_prefix. The gateway now logs a clear message indicating which variables to migrate if old-style names are detected:KONNECT_REGION -> KONG_KONNECT_REGION KONNECT_DOMAIN -> KONG_KONNECT_DOMAIN KONNECT_GATEWAY_CLUSTER_ID -> KONG_KONNECT_GATEWAY_CLUSTER_ID KONNECT_API_REQUEST_TIMEOUT -> KONG_KONNECT_API_REQUEST_TIMEOUT KONNECT_INSECURE_SKIP_VERIFY -> KONG_KONNECT_INSECURE_SKIP_VERIFY KONNECT_CLIENT_CERT -> KONG_KONNECT_CLIENT_CERT KONNECT_CLIENT_CERT_PATH -> KONG_KONNECT_CLIENT_CERT_PATH KONNECT_CLIENT_KEY -> KONG_KONNECT_CLIENT_KEY KONNECT_CLIENT_KEY_PATH -> KONG_KONNECT_CLIENT_KEY_PATHSee the Event Gateway configuration reference for all environment variable options.
Features
- Minimum runtime version: Event gateway control planes can now be configured to enforce a minimum version on connecting nodes. Some features are gated behind this setting because they depend on support in the data plane node.
- mTLS to backend Kafka clusters: You can now configure mutual TLS authentication between the gateway and your backend Kafka clusters, enabling encrypted and authenticated connections to brokers.
- mTLS between clients and the gateway: Clients can now authenticate to the gateway using TLS client certificates. Supports principal mapping to extract identity information from certificates for use in authorization policies.
-
JWT claims in ACL expressions: OAuth/JWT claims are now available in the authentication context and can be used in
resource_namesexpressions on ACL rules, enabling dynamic, claim-based access control per topic. - Improved policy failure observability: Policy evaluation errors (CEL, schema validation, encryption) now emit detailed metrics and logs with sampling, making it easier to diagnose why requests are being rejected without overwhelming your logging pipeline.
- Header modification policy: A new policy execution model is now available for header modification policies, providing a more flexible and extensible approach to transforming Kafka request and response headers.
- Backend clusters sharing SNI suffix: Multiple backend clusters can now share a common SNI suffix, simplifying TLS configuration when clusters are behind a shared domain.
- Analytics for record count and message size: Analytics events now include the number of records and byte sizes, giving you more granular visibility into traffic patterns in the Konnect analytics dashboard.
- Long polling for control plane configuration: The gateway now supports long polling when fetching configuration from the Konnect control plane, reducing latency for configuration updates.
-
Enhanced
validatesubcommand: ThevalidateCLI command now performs more thorough validation of your configuration, catching additional issues before startup. - Configuration change observability: Changes to the gateway’s configuration (from the control plane or bootstrap) are now logged with details about what changed, making it easier to audit and debug configuration drift.
Fixes
-
Expressions using the
inoperator failed to parse: ACL expressions containing theinkeyword were incorrectly parsed by a regex-based parser. Switched to AST-based parsing to handle all valid expression syntax. -
Cryptic validation errors when environment variables resolved to empty strings: Setting an env var reference (e.g., for SASL credentials) to an empty value produced an unhelpful error like
virtual_clusters.demo[1].auth.password: length is lower than 1. Empty values are now caught at resolution time with a clear error message. - Analytics payloads were double-compressed: Analytics data sent to Konnect was being compressed twice, causing the backend to fail to decode it. Also fixed the healthcheck ping interval (was 5s, now uses the configured value).
-
ACL default policy had no name in observability data: Metrics and logs for the built-in default ACL policy were missing a policy name, making it difficult to distinguish from other policies in dashboards. Default policies now use the
__internalprefix. -
Principal information missing for unauthenticated requests: When running without authentication, the
auth.typeandauth.principal.namecontext values were not set, which could cause downstream policies or analytics to behave unexpectedly. - Traces showed a misleading gap before authentication: Request traces appeared to show a large delay before authentication started, but this was caused by the trace span starting before the full request was received. Traces now begin after the request is fully read.