Kong Ingress Controller (KIC)
Configure Kong Gateway using Kubernetes CRDs with Kong Ingress ControllerWhat is the Kong Ingress Controller?
Kong Ingress Controller allows you to run Kong Gateway as a Kubernetes Ingress to handle inbound requests for a Kubernetes cluster.
Kong Ingress Controller takes Kubernetes resources such as Ingress and HTTPRoute and converts them into a valid Kong Gateway configuration. It enables you to configure all the features of Kong Gateway using Kubernetes CRDs.
KIC supports all Kong Gateway entities, and can be deployed multiple times within a single cluster to provide traffic splitting.
When should I use KIC?
You should use KIC if one or more of the following is true:
- You’re running Kong Gateway in a Kubernetes environment
- You want Kubernetes-native API Gateway management
flowchart TB A(Cluster Operator) B(
API server) C(
Kong Ingress Controller) D@{ shape: processes, label: "
Gateway API support
Kong is proud to be a driving force behind the Kubernetes Gateway API standard. With multiple contributors in maintainer and reviewer roles, Kong is all-in on Gateway API as the future of Kubernetes networking.
Kong Ingress Controller was the first submitted conformance report, and is 100% compliant with the core conformance tests, and many other additional extended tests. Kong has implemented the Gateway API resources as first-class citizens, converting them directly in to Kong Gateway configuration rather than using intermediate CRDs. This makes the Gateway API CRDs a native language for Kong Ingress Controller.
Common use cases
Many Kong Ingress Controller users have the same questions when adding an ingress controller to their cluster:
- How do I expose my service on a specific path?
- How do I protect the service with rate limiting?
- How do I cache responses for a period of time to reduce load?
- How do I add authentication to my service?
Follow our getting started guide which takes you through all of these in under 10 minutes, step-by-step. Each page contains copy/paste instructions, and links to additional documentation if you want to learn more.
Troubleshooting
If Kong Ingress Controller is not working for you the following pages may help:
- Troubleshooting: Common issues that people encounter when running Kong Ingress Controller.
- FAQ: Specific questions about routing behavior, plugin compatibility and more.
- Feature gates: If something isn’t working as expected, ensure that you have the correct feature gates activated.
- Create a GitHub issue: Report a bug or make a feature request for Kong Ingress Controller.
- Join the Kong Slack community: Get help from the team
KIC feature support and deployment models
Kong Ingress Controller integrates Kong Gateway with Kubernetes by translating Kubernetes resources into Kong Gateway configuration. Feature support differs depending on the operational model:
- Standalone (KIC only): You provision and manage Kong Gateway yourself, and Kong Ingress Controller applies configuration using Kubernetes resources.
- With Kong Gateway Operator (KO/KGO): The Operator provisions and manages Kong Gateway deployments declaratively.
To compare feature support in each model, use the following table:
|
Feature |
KIC-only Model |
KO/KGO Hybrid Model |
|---|---|---|
| Configuration | Configure all Kong Gateway entities with CRDs directly. For example, Services, Routes, Consumers, Plugins, Certificates, CA Certificates, Vaults. | Same configuration scope, however the Operator automatically provisions and reconciles the gateways. |
| Kong Gateway API |
Supports Ingress, HTTPRoute, TCPRoute, and UDPRoute. From KIC 3.5 onward, compliant with Gateway API v1.3.
|
Supports GatewayClass, Gateway, and GRPCRoute, in addition to HTTPRoute, TCPRoute, and UDPRoute.
|
| Feature Gates |
Activate gates like FillIDs, RewriteURIs, and CombinedServicesFromDifferentHTTPRoutes with CONTROLLER_FEATURE_GATES.
|
Identical feature gate support and constraints declared through CRDs. No change between models. |
| Fallback configuration | Applies valid configuration while skipping invalid objects to maintain cluster stability. | Behaves similarly where fallback configuration is supported, but specific operator‑driven behavior may vary and should be tested. |
| Last Known Good Config |
Retains the last valid configuration in memory and reapplies it after restart to avoid system lock‑ups. If you need to manually after the kong proxy container starts, use use CONTROLLER_ENABLE_REVERSE_SYNC=true to force reloads.
|
Supports last known good configuration behavior where configured, but the exact triggers and flags may differ. For example, at single proxy container restart. |
| Path Rewriting |
Rewrite request paths using the konghq.com/rewrite annotation.
|
Identical path rewriting support. No change between models. |
| Konnect integration |
KIC-managed resources appear as read-only in Konnect UI/Admin API.
|
Same Konnect behavior and restriction. No change between models |
| Hybrid mode plugins | Not applicable — Standalone model does not use Hybrid Gateway. |
When Kong Gateway runs in hybrid mode:
|
| Licensing | Enterprise license must be valid. In DB-less deployments, expired licenses block new nodes and restarts. |
Enterprise license must be valid. Operator adds declarative license management with the KongLicense CRD.
|
All other Kong Gateway features that can be configured through CRDs are supported equally in both models. For example, plugins, health checks, or load balancing.
Frequently asked questions
I’m using AWS CDK, can I manage Kong resources with CDK instead of Kong Ingress Controller?
Currently, you can’t manage Kong resources via AWS CDK. We recommend managing Kong configurations by deploying decK or custom automation (for example, Lambda functions) through CDK that interact with the Admin API.