Configuration options allow you to customize the behavior of Kong Ingress Controller to meet your needs.
The default configuration will work for most users. These options are provided for advanced users.
Each flag defined in the following table can also be configured using an environment variable. The name of the environment variable is the string `CONTROLLER_` followed by the name of the flag in uppercase.

For example, `--ingress-class` can be configured using the following environment variable:

```
CONTROLLER_INGRESS_CLASS=kong-foobar
```

We recommend configuring all settings through environment variables and not CLI flags.

Flag | Type | Description | Default |
---|---|---|---|
`--admission-webhook-cert` | string | Admission server PEM certificate value. Mutually exclusive with `--admission-webhook-cert-file`. | |
`--admission-webhook-cert-file` | string | Admission server PEM certificate file path. If both this and the cert value are unset, defaults to `/admission-webhook/tls.crt`. Mutually exclusive with `--admission-webhook-cert`. | |
`--admission-webhook-key` | string | Admission server PEM private key value. Mutually exclusive with `--admission-webhook-key-file`. | |
`--admission-webhook-key-file` | string | Admission server PEM private key file path. If both this and the key value are unset, defaults to `/admission-webhook/tls.key`. Mutually exclusive with `--admission-webhook-key`. | |
`--admission-webhook-listen` | string | The address to start admission controller on (ip:port). Setting it to ‘off’ disables the admission controller. | `off` |
`--anonymous-reports` | bool | Send anonymized usage data to help improve Kong. | `true` |
`--apiserver-burst` | int | The Kubernetes API RateLimiter maximum burst queries per second. | `300` |
`--apiserver-host` | string | The Kubernetes API server URL. If not set, the controller will use cluster config discovery. | |
`--apiserver-qps` | int | The Kubernetes API RateLimiter maximum queries per second. | `100` |
`--cache-sync-timeout` | duration | The time limit set to wait for syncing controllers’ caches. Set to 0 to use default from controller-runtime. | `2m0s` |
`--cluster-domain` | string | The cluster domain. This is used e.g. in generating addresses for upstream services. | |
`--configmap-label-selector` | string | Limits the configmaps ingested to those having this label set to “true”. | `konghq.com/configmap` |
`--dump-config` | bool | Enable config dumps via web interface `host:10256/debug/config`. | `false` |
`--dump-sensitive-config` | bool | Include credentials and TLS secrets in configs exposed with `--dump-config` flag. | `false` |
`--election-id` | string | Election id to use for status update. | `5b374a9e.konghq.com` |
`--election-namespace` | string | Leader election namespace to use when running outside a cluster. | |
`--emit-kubernetes-events` | bool | Emit Kubernetes events for successful configuration applies, translation failures and configuration apply failures on managed objects. | `true` |
`--enable-controller-gwapi-gateway` | bool | Enable the Gateway API Gateway controller. | `true` |
`--enable-controller-gwapi-grpcroute` | bool | Enable the Gateway API GRPCRoute controller. | `true` |
`--enable-controller-gwapi-httproute` | bool | Enable the Gateway API HTTPRoute controller. | `true` |
`--enable-controller-gwapi-reference-grant` | bool | Enable the Gateway API ReferenceGrant controller. | `true` |
`--enable-controller-ingress-class-networkingv1` | bool | Enable the networking.k8s.io/v1 IngressClass controller. | `true` |
`--enable-controller-ingress-class-parameters` | bool | Enable the IngressClassParameters controller. | `true` |
`--enable-controller-ingress-networkingv1` | bool | Enable the networking.k8s.io/v1 Ingress controller. | `true` |
`--enable-controller-kong-custom-entity` | bool | Enable the KongCustomEntity controller. | `true` |
`--enable-controller-kong-license` | bool | Enable the KongLicense controller. | `true` |
`--enable-controller-kong-service-facade` | bool | Enable the KongServiceFacade controller. | `true` |
`--enable-controller-kong-upstream-policy` | bool | Enable the KongUpstreamPolicy controller. | `true` |
`--enable-controller-kong-vault` | bool | Enable the KongVault controller. | `true` |
`--enable-controller-kongclusterplugin` | bool | Enable the KongClusterPlugin controller. | `true` |
`--enable-controller-kongconsumer` | bool | Enable the KongConsumer controller. | `true` |
`--enable-controller-kongingress` | bool | Enable the KongIngress controller. | `true` |
`--enable-controller-kongplugin` | bool | Enable the KongPlugin controller. | `true` |
`--enable-controller-service` | bool | Enable the Service controller. | `true` |
`--enable-controller-tcpingress` | bool | Enable the TCPIngress controller. | `true` |
`--enable-controller-udpingress` | bool | Enable the UDPIngress controller. | `true` |
`--enable-reverse-sync` | bool | Send configuration to Kong even if the configuration checksum has not changed since previous update. | `false` |
`--feature-gates` | list of string=bool | A set of comma separated key=value pairs that describe feature gates for alpha/beta/experimental features. See the Feature Gates documentation for information and available options: https://github.com/Kong/kubernetes-ingress-controller/blob/main/FEATURE_GATES.md. | |
`--gateway-api-controller-name` | string | The controller name to match on Gateway API resources. | `konghq.com/kic-gateway-controller` |
`--gateway-discovery-dns-strategy` | string | Strategy used for resolving Gateway data plane addresses when the Gateway status address is a DNS name. Options are: “RoundRobin”, “IPv4Only”, “IPv6Only”. Defaults to RoundRobin. | `RoundRobin` |
`--gateway-tls-secret-label-selector` | string | The label selector used to match TLS secrets for Gateways. If empty, all secrets are considered. | |
`--health-probe-bind-address` | string | The address the probe endpoint binds to. | `:8081` |
`--kong-admin-ca-cert-file` | string | Path to a CA certificate used to verify Kong Admin API TLS certificate. | |
`--kong-admin-filter-tag` | string | A tag to filter Admin API resources with. | |
`--kong-admin-host` | string | Kong Admin API server host address. | |
`--kong-admin-tls-client-cert-file` | string | Path to a client certificate file for mTLS with Kong Admin API. | |
`--kong-admin-tls-client-key-file` | string | Path to a client key file for mTLS with Kong Admin API. | |
`--kong-admin-token` | string | Kong Admin API authentication token (if Admin API requires authentication). | |
`--kong-admin-url` | string | Full URL to the Kong Admin API. | |
`--kong-admin-headers` | map[string][]string | Headers to add to Admin API requests, e.g. `key1=value1,key2=value2a;value2b`. | |
`--kong-proxy-url` | string | The Kong proxy URL that the controller uses to check proxy health. | |
`--kong-workspace` | string | Kong Enterprise workspace to use. | |
`--konnect-runtime-group-id` | string | The ID of the Konnect runtime group to manage. | |
`--konnect-pat` | string | Personal Access Token for authenticating with Konnect. | |
`--konnect-api-svc-addr` | string | Address of the Konnect control plane API (advanced). | |
`--konnect-runtime-addr` | string | The address of the Konnect runtime. | |
`--konnect-sync-timeout` | duration | The timeout for Konnect sync requests. | `10s` |
`--konnect-refresh-interval` | duration | Interval to refresh Konnect session and runtime configuration. | `1m` |
`--leader-election` | bool | Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager. | `true` |
`--log-format` | string | Log format. One of: `text`, `json`. | `text` |
`--log-level` | string | Minimum logging level. One of: `trace`, `debug`, `info`, `warn`, `error`. | `info` |
`--metrics-bind-address` | string | The address the metric endpoint binds to. | `:8080` |
`--profiling` | bool | Enable profiling via web interface `host:10256/debug/pprof/`. | `false` |
`--publish-service` | string | The Service to use for publishing ingress status. | |
`--status-listen` | string | The address the debug endpoint listens on (ip:port). | `0.0.0.0:10256` |
`--status-sync-interval` | duration | The interval for syncing status updates. | `30s` |
`--tls-min-version` | string | The minimum TLS version supported. One of: `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. | `TLSv1.2` |
`--update-status` | bool | Enables updating the status of Ingress resources. | `true` |
`--username-password-secret-name` | string | Secret name containing Kong Admin API credentials (username/password). | |
`--username-password-secret-namespace` | string | Namespace of the secret containing Kong Admin API credentials. | |
`--version` | bool | Show version and exit. | `false` |
`--v` | int | Set the verbosity level for logs. Higher means more output (klog-style). | `0` |
`--watch-namespace` | string | Restrict the controller to only watch resources in a specific namespace. | |
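
The debug and TLS flags in the table above are the ones worth checking when reviewing a controller Deployment. The following is an added example, not code from Kong or from this page: it takes a container's `args` and `env`, maps flags to variable names following the `--ingress-class` example, and reports risky values. It assumes arguments use the `--flag=value` form and, because the page does not state whether flags or variables take precedence, treats a value from either source as possibly effective.

```python
# Added example (not Kong code): audit KIC debug/TLS settings from a pod spec.
TRUE = {"1", "t", "true"}            # truthy spellings accepted here (assumption)
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}    # below the table's TLSv1.2 default
WILDCARD = {"", "0.0.0.0", "[::]"}   # listener hosts meaning "all interfaces"
DEFAULTS = {"dump-config": "false", "dump-sensitive-config": "false",
            "profiling": "false", "tls-min-version": "TLSv1.2",
            "status-listen": "0.0.0.0:10256"}  # defaults copied from the table

def env_name(flag):
    """Map a flag to its variable: --ingress-class -> CONTROLLER_INGRESS_CLASS."""
    return "CONTROLLER_" + flag.lstrip("-").upper().replace("-", "_")

def settings(args, env):
    """Return {flag: set of values} from env and args; the default if unset."""
    seen = {flag: set() for flag in DEFAULTS}
    for flag in DEFAULTS:
        if env_name(flag) in env:
            seen[flag].add(env[env_name(flag)])
    for arg in args:
        name, sep, value = arg.lstrip("-").partition("=")
        if name in seen:
            seen[name].add(value if sep else "true")  # bare bool flag = true
    return {flag: vals or {DEFAULTS[flag]} for flag, vals in seen.items()}

def audit(args, env):
    """List findings; a value from either source counts as possibly effective."""
    cfg = settings(args, env)
    on = lambda flag: any(v.lower() in TRUE for v in cfg[flag])
    findings = []
    if on("dump-sensitive-config"):
        findings.append("dump-sensitive-config: dumps include credentials and TLS secrets")
    if on("dump-config"):
        findings.append("dump-config: /debug/config is served")
    if on("profiling"):
        findings.append("profiling: /debug/pprof/ is served")
    findings += [f"tls-min-version: {v} is below TLSv1.2"
                 for v in sorted(cfg["tls-min-version"] & WEAK_TLS)]
    debug = on("dump-config") or on("profiling")
    if debug and any(v.rsplit(":", 1)[0] in WILDCARD for v in cfg["status-listen"]):
        findings.append("status-listen: debug endpoints listen on all interfaces")
    return findings

# Constructed sample input (not taken from a real deployment).
WEAK_ENV = {"CONTROLLER_DUMP_CONFIG": "true", "CONTROLLER_TLS_MIN_VERSION": "TLSv1.0",
            "CONTROLLER_DUMP_SENSITIVE_CONFIG": "true"}
WEAK_ARGS = ["--profiling"]

if __name__ == "__main__":
    print("\n".join(audit(WEAK_ARGS, WEAK_ENV)))
```

With the defaults from the table the audit returns no findings; the constructed sample returns five, including the wildcard `--status-listen` default that only matters once a debug endpoint is enabled.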