decK helps manage Kong’s configuration in a declarative fashion. It can sync
configuration to a running Kong cluster, diff configuration to detect any drift
or manual changes and back up your Kong’s configuration. It can also manage Kong’s
configuration in a distributed way using tags, helping you split Kong’s
configuration across various teams.
Here is an introductory screencast explaining decK:
- Export: Export Kong configuration to a YAML configuration file.
  This feature is especially useful for backing up Kong’s configuration.
- Import: Populate Kong’s database using a previously exported or
  manually written configuration file.
- Diff and sync capabilities: decK can diff the configuration between the
  provided configuration file and Kong’s database, then sync the configs based on
  the diff. This feature is particularly useful for detecting config drifts or
- Reverse sync: decK also supports sync in the opposite direction, meaning
  that if an entity is created in Kong and isn’t added to the config file,
  decK will detect the change.
- Validation: decK can validate YAML files that you back up or modify to
  catch errors early on.
- Reset: decK can completely reset Kong’s database by deleting all entities.
- Parallel operations: All Admin API calls to Kong are executed in parallel
  using multiple threads to speed up the sync process.
- Authentication with Kong: Custom HTTP headers can be injected in requests
  to Kong’s Admin API for authentication or authorization purposes.
- Manage Kong’s config with multiple config files: Split your configuration
  into multiple logical files based on a shared set of tags amongst entities.
- Designed to automate configuration management: decK is designed to be part
  of your CI pipeline, where it can push configuration to Kong and detect drifts
decK is compatible with Kong Gateway >= 1.x and
Kong Enterprise >= 0.35.
The command line --help flag on the main command or a subcommand (like diff,
sync, reset, etc.) shows the help text along with supported flags for those
A list of all commands that are available in decK can be found
Frequently Asked Questions (FAQs)
You can find answers to FAQs here.
Harry Bagdi gave a talk on motivation behind decK and demonstrated a few key
features of decK at Kong Summit 2019. The following is a recording of that session:
The changelog can be found in the
decK is licensed with Apache License Version 2.0.
Please read the
LICENSE file for more details.
decK does not offer to secure your Kong deployment but only configures it.
It encourages you to protect your Kong’s Admin API with authentication but
doesn’t offer such a service itself.
decK’s state file can contain sensitive data such as private keys of
certificates, credentials, etc. It is left up to the user to manage
and store the state file in a secure fashion.
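As an added example (not part of decK or its documentation), the Python sketch below walks a parsed state file and reports where secret material sits, without echoing the values, so a CI job can stop a clear-text state file from being committed. The field names per collection, the `${{ env ... }}` reference syntax treated as safe, and the sample state (given as JSON to avoid a YAML parser dependency) are assumptions or constructed for illustration.

```python
import json

# Assumed Kong/decK field names: collection -> fields holding secret material.
SENSITIVE_FIELDS = {
    "certificates": {"key"},
    "keyauth_credentials": {"key"},
    "basicauth_credentials": {"password"},
    "hmacauth_credentials": {"secret"},
    "jwt_secrets": {"secret"},
    "oauth2_credentials": {"client_secret"},
}
PEM_MARKER = "PRIVATE KEY-----"   # matches any PEM private key header/footer
ENV_REF = "${{"                   # assumed env-substitution syntax: not a stored secret

def find_secrets(node, path="$", collection=None):
    """Return sorted paths of secret-bearing fields; values are never returned."""
    hits = set()
    if isinstance(node, dict):
        for name, value in node.items():
            child = f"{path}.{name}"
            if isinstance(value, str):
                if not value or value.lstrip().startswith(ENV_REF):
                    continue  # empty, or injected from the environment at sync time
                if name in SENSITIVE_FIELDS.get(collection, ()) or PEM_MARKER in value:
                    hits.add(child)
            else:
                # A known collection name sets the context for the items below it.
                ctx = name if name in SENSITIVE_FIELDS else collection
                hits.update(find_secrets(value, child, ctx))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.update(find_secrets(item, f"{path}[{i}]", collection))
    return sorted(hits)

# Constructed sample state; every value is a placeholder.
SAMPLE_STATE = json.loads("""
{"_format_version": "1.1",
 "certificates": [
   {"cert": "-----BEGIN CERTIFICATE-----\\nPLACEHOLDER\\n-----END CERTIFICATE-----",
    "key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----"}],
 "consumers": [
   {"username": "example-user",
    "keyauth_credentials": [{"key": "constructed-api-key"}],
    "basicauth_credentials": [{"username": "example-user",
                               "password": "${{ env \\"DECK_EXAMPLE_PW\\" }}"}]}]}
""")

for location in find_secrets(SAMPLE_STATE):
    print("secret material at", location)
```

A non-empty result is a reason to fail the pipeline step or to move the value into a secret store and reference it instead.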
If you believe that you have found a security vulnerability in decK,
submit a detailed report, along with reproducible steps
One of the design goals of decK is to deliver a good developer experience to you.
Part of it is getting the required help when you need it.
To seek help, use the following resources:
- The --help flag gives you the necessary help in the terminal itself and should
  solve most of your problems.
- If you still need help, please open a
  GitHub issue to ask your
- decK has very wide adoption by Kong’s community and you can seek help
from the larger community at Kong Nation.
Reporting a bug
If you believe you have run into a bug with decK, please open
a GitHub issue.
If you think you’ve found a security issue with decK, please read the