Introduction
Because Kong Gateway can be deployed in a variety of ways, not all plugins are fully compatible with every deployment mode.
By design, some plugins require central database coordination or dynamic creation of entities.
Compatibility
Kong Gateway OSS
Kong Enterprise
Kong Gateway can be deployed in the following ways:
- Classic: Every node is connected to a database. Refers to a classic deployment on any platform, including Kubernetes.
- DB-less: Deployed without a database (available in Kong Gateway 1.1 onward). Does not have an Admin API. Refers to a DB-less deployment on any platform, including Kubernetes.
- Hybrid mode: Nodes are split into control plane and data plane roles. The control plane coordinates configuration and propagates it to data plane nodes, so only control plane nodes require a database (available in Kong Gateway 2.0 onward).
Legend
Full support
Partially supported with limitations
Not supported
Full support
Partially supported with limitations
Not supported
| Plugin | Kong or Third-Party | Classic | DB-less | Hybrid mode | Notes {:width=40%:} |
|---|---|---|---|---|---|
| ACL | Kong | Authentication plugins can only be used if the set of credentials is static and specified as part of the declarative configuration. Admin API endpoints to dynamically create, update, or delete credentials are not available in DB-less mode. | |||
| ACME (Let’s Encrypt) | Kong | ||||
| Apache OpenWhisk | Kong | ||||
| API Fortress HTTP Log | Third-party | ||||
| API Transformer | Third-party | ||||
| Approov API Threat Protection | Third-party | ||||
| ArecaBay MicroSensor | Third-party | ||||
| AWS Lambda | Kong | ||||
| Azure Functions | Kong | ||||
| Basic Authentication | Kong | Authentication plugins can only be used if the set of credentials is static and specified as part of the declarative configuration. Admin API endpoints to dynamically create, update, or delete credentials are not available in DB-less mode. | |||
| Bot Detection | Kong | ||||
| Cleafy plugin for Kong | Third-party | ||||
| Correlation ID | Kong | ||||
| CORS | Kong | ||||
| Datadog | Kong | ||||
| File Log | Kong | ||||
| Google Analytics Log | Third-party | ||||
| gRPC-Gateway | Kong | ||||
| gRPC-Web | Kong | ||||
| HMAC Authentication | Kong | Authentication plugins can only be used if the set of credentials is static and specified as part of the declarative configuration. Admin API endpoints to dynamically create, update, or delete credentials are not available in DB-less mode. | |||
| HTTP Log | Kong | ||||
| Inspur Request Transformer | Third-party | ||||
| Inspur Response Transform | Third-party | ||||
| IP Restriction | Kong | ||||
| JWT | Kong | Authentication plugins can only be used if the set of credentials is static and specified as part of the declarative configuration. Admin API endpoints to dynamically create, update, or delete credentials are not available in DB-less mode. | |||
| JWT to Header (Route by JWT Claim) | Third-party | ||||
| Key Authentication | Kong | Authentication plugins can only be used if the set of credentials is static and specified as part of the declarative configuration. Admin API endpoints to dynamically create, update, or delete credentials are not available in DB-less mode. | |||
| Kong Path Whitelist | Third-party | ||||
| Kong Response Size Limiting | Third-party | ||||
| Kong Service Virtualization | Third-party | ||||
| Kong Spec Expose | Third-party | ||||
| Kong Splunk Log | Third-party | ||||
| Kong Upstream JWT | Third-party | ||||
| LDAP Authentication | Kong | ||||
| Loggly | Kong | ||||
| Moesif API Insights | Third-party | ||||
| OAuth 2.0 Authentication | Kong | For its regular work, the plugin needs to both generate and delete tokens, and commit those changes to the database, which is not compatible with DB-less mode. | |||
| PASETO | Third-party | Authentication plugins can only be used if the set of credentials is static and specified as part of the declarative configuration. Admin API endpoints to dynamically create, update, or delete credentials are not available in DB-less mode. | |||
| Prometheus | Kong | ||||
| Proxy Cache | Kong | ||||
| Rate Limiting | Kong | The cluster policy is not supported in DB-less and hybrid modes. For DB-less mode, use one of redis or local; for hybrid mode, use redis. |
|||
| Reedelk Transformer | Third-party | ||||
| Request Size Limiting | Kong | ||||
| Request Termination | Kong | ||||
| Request Transformer | Kong | ||||
| Response Rate Limiting | Kong | ||||
| Response Transformer | Kong | ||||
| Salt Security | Third-party | Unknown | |||
| Serverless Functions | Kong | ||||
| Session | Kong | config.storage must be set to "cookie". The "kong" strategy uses a database, and is not supported. The plugin currently lacks checks for this invalid configuration in DB-less mode. |
|||
| Signal Sciences | Third-party | ||||
| SignalFx | Third-party | ||||
| StatsD | Kong | ||||
| Syslog | Kong | ||||
| TCP Log | Kong | ||||
| Template Transformer | Third-party | ||||
| UDP Log | Kong | ||||
| Upstream HTTP Basic Authentication | Third-party | ||||
| URL Rewrite | Third-party | ||||
| Wallarm | Third-party | ||||
| Zipkin | Kong |
Kong Enterprise can be deployed in the following ways:
- Classic: Every node is connected to a database. Refers to a classic deployment on any platform, including Kubernetes (Kong for Kubernetes with Kong Enterprise).
- Kong for Kubernetes Enterprise (K4K8s): Deployed with the Kong Ingress Controller and no database.
- Hybrid mode: Nodes are split into control plane and data plane roles. The control plane coordinates configuration and propagates it to data plane nodes, so only control plane nodes require a database (available in Kong Enterprise 2.1 onward).
Note: For details on the differences between deployment types, see Kong Deployment Options and Kong Enterprise for Kubernetes Deployment Options.
Legend
Full support
Partially supported with limitations
Not supported
Full support
Partially supported with limitations
Not supported
| Plugin | Kong or Third-Party | Classic and K4K8s with Kong Enterprise | K4K8s | Hybrid Mode | Notes {:width=30%:} |
|---|---|---|---|---|---|
| ACL | Kong | ||||
| Apache OpenWhisk | Kong | ||||
| Approov API Threat Protection | Third-party | ||||
| ArecaBay MicroSensor | Third-party | ||||
| AWS Lambda | Kong | ||||
| Azure Functions | Kong | ||||
| Basic Authentication | Kong | ||||
| Bot Detection | Kong | ||||
| Canary Release | Kong | ||||
| Cleafy plugin for Kong | Third-party | ||||
| Correlation ID | Kong | ||||
| CORS | Kong | ||||
| Datadog | Kong | ||||
| DeGraphQL | Kong | ||||
| Exit Transformer | Kong | ||||
| File Log | Kong | ||||
| Forward Proxy Advanced | Kong | ||||
| Google Analytics Log | Third-party | ||||
| GraphQL Proxy Caching Advanced | Kong | ||||
| GraphQL Rate Limiting Advanced | Kong | ||||
| HMAC Authentication | Kong | ||||
| HTTP Log | Kong | ||||
| IP Restriction | Kong | ||||
| JWT to Header (Route by JWT Claim) | Third-party | ||||
| JWT | Kong | ||||
| Kafka Log | Kong | ||||
| Kafka Upstream | Kong | ||||
| Key Authentication - Encrypted | Kong | The time-to-live setting (ttl), which determines the length of time a credential remains valid, does not work in Hybrid mode. |
|||
| Key Authentication | Kong | ||||
| Kong JWT Signer | Kong | ||||
| Kong Response Size Limiting | Third-party | ||||
| Kong Service Virtualization | Third-party | ||||
| Kong Spec Expose | Third-party | ||||
| Kong Splunk Log | Third-party | ||||
| Kong Upstream JWT | Third-party | ||||
| LDAP Authentication Advanced | Kong | ||||
| LDAP Authentication | Kong | ||||
| Loggly | Kong | ||||
| Moesif API Insights | Third-party | ||||
| Mutual TLS Authentication | Kong | ||||
| OAuth 2.0 Authentication | Kong | For its regular work, the plugin needs to both generate and delete tokens, and commit those changes to the database, which is not compatible with hybrid mode. | |||
| OAuth 2.0 Introspection | Kong | ||||
| Okta | Third-party | ||||
| OpenID Connect | Kong | ||||
| PASETO | Third-party | ||||
| Portal Application Registration | Kong | This plugin is only used with the Developer Portal, which is not available with K4K8s. | |||
| Prometheus | Kong | ||||
| Proxy Cache | Kong | ||||
| Proxy Caching Advanced | Kong | ||||
| Rate Limiting Advanced | Kong | The plugin does not support the cluster strategy in hybrid mode. The redis strategy must be used instead. |
|||
| Reedelk Transformer | Third-party | ||||
| Request Size Limiting | Kong | ||||
| Request Termination | Kong | ||||
| Request Transformer Advanced | Kong | Request Transformer now has feature parity with Request Transformer Advanced. Request Transformer Advanced remains only for compatibility with existing configurations. |
|||
| Request Transformer | Kong | ||||
| Request Validator | Kong | ||||
| Response Rate Limiting | Kong | ||||
| Response Transformer Advanced | Kong | Response Transformer now has feature parity with Response Transformer Advanced. Response Transformer Advanced remains only for compatibility with existing configurations. |
|||
| Response Transformer | Kong | ||||
| Route By Header | Kong | ||||
| Route Transformer Advanced | Kong | ||||
| Salt Security | Third-party | ||||
| Serverless Functions | Kong | ||||
| Session | Kong | ||||
| Signal Sciences | Third-party | ||||
| SignalFx | Third-party | ||||
| StatsD Advanced | Kong | ||||
| StatsD | Kong | This plugin is only used with Vitals, which is not available with K4K8s. | |||
| Syslog | Kong | ||||
| TCP Log | Kong | ||||
| Template Transformer | Third-party | ||||
| UDP Log | Kong | ||||
| Upstream HTTP Basic Authentication | Third-party | ||||
| URL Rewrite | Third-party | ||||
| Vault Authentication | Kong | ||||
| Wallarm | Third-party | ||||
| Zipkin | Kong |