Version specific upgrade notes

Uses: Kong Mesh

Make sure to also check the general upgrade notes.

This document guides you through the process of upgrading Kong Mesh.

First, check if a section named Upgrade to x.y.z exists, with x.y.z being the version you are planning to upgrade to.

Make sure to also check the upgrade notes for the matching version of Kuma.

Upgrade to 2.11.x

Introduce an option to skip RBAC creation

By default, we create all RBAC resources required for the mesh to function properly. Since 2.11.x, it’s possible to skip the creation of ClusterRole, ClusterRoleBinding, Role, and RoleBinding. We introduced two flags:

  • kuma.skipRBAC: Disables the creation of all RBAC resources (CNI and control plane).
  • kuma.controlPlane.skipClusterRoleCreation: Disables the creation of ClusterRole and ClusterRoleBinding resources for the control plane only.

Warning: Before disabling automatic creation, ensure that the necessary RBAC resources are already in place, as the mesh components will not work correctly without them.

Reduce the permissions of the ClusterRole by moving cert-manager permissions to a Role

During installation, we create a ClusterRole with permissions for Kong Mesh resources and cert-manager. We’ve identified that cluster-scoped access to cert-manager is not necessary, so we’ve moved those permissions to a separate Role, bound by a RoleBinding in the system namespace only. This change should not affect your deployment.

Windows support is removed

Running Kong Mesh on Windows is no longer supported. If you are using Windows, please migrate to a Linux-based environment.

Upgrade to 2.10.x

CP tokens are removed

Control Plane Tokens were deprecated in 2.0.x. They are now removed, and only zone tokens are supported for authenticating zonal control planes to the global control plane. To generate and use zone tokens, check out the dedicated docs.

Upgrade to 2.7.x

RBAC

A new access type, VIEW_CONTROL_PLANE_METADATA, has been added to the RBAC configuration. It restricts access to /config. If you want to leave the access to /config unrestricted, you need to add VIEW_CONTROL_PLANE_METADATA to the rules of your admin AccessRole.
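Before upgrading, it helps to know which AccessRole resources will stop granting access to /config. The following audit is an added example, not part of the Kong Mesh docs: it lists the roles that have no rule carrying VIEW_CONTROL_PLANE_METADATA. It assumes the roles have been exported to JSON, that rules sit under `rules` (Universal) or `spec.rules` (Kubernetes), and that any rule listing the access type grants it; the sample roles are constructed.

```python
import json

NEW_ACCESS = "VIEW_CONTROL_PLANE_METADATA"

# Constructed sample: one role in Universal layout (rules at top level)
# and one in Kubernetes layout (rules under spec). Not real cluster data.
SAMPLE_ROLES = json.loads("""
[
  {"type": "AccessRole", "name": "admin",
   "rules": [{"access": ["CREATE", "UPDATE", "DELETE", "VIEW_CONFIG_DUMP"]}]},
  {"apiVersion": "kuma.io/v1alpha1", "kind": "AccessRole",
   "metadata": {"name": "ops"},
   "spec": {"rules": [
     {"types": ["TrafficPermission"], "access": ["CREATE"]},
     {"access": ["VIEW_CONTROL_PLANE_METADATA"]}]}}
]
""")


def role_name(role):
    """Name from the Universal or the Kubernetes layout."""
    return role.get("name") or role.get("metadata", {}).get("name", "<unnamed>")


def role_rules(role):
    """Rules list from the Universal or the Kubernetes layout."""
    return role.get("rules") or role.get("spec", {}).get("rules") or []


def grants_config_access(role):
    """True if at least one rule lists the new access type (assumption:
    rule scoping such as types/mesh is not evaluated here)."""
    return any(NEW_ACCESS in (rule.get("access") or [])
               for rule in role_rules(role))


def roles_losing_config_access(roles):
    """Names of roles that will no longer reach /config after the upgrade."""
    return sorted(role_name(r) for r in roles if not grants_config_access(r))


if __name__ == "__main__":
    for name in roles_losing_config_access(SAMPLE_ROLES):
        print(f"{name}: add {NEW_ACCESS} to keep access to /config")
```
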

ECS

The configuration for AWS IAM data plane authentication has changed slightly because of the removal of configuration options KUMA_DP_SERVER_AUTH_* and dpServer.auth.* (see Kuma UPGRADE.md).

Instead of control plane configuration like:

            - Name: KUMA_DP_SERVER_AUTH_TYPE
              Value: aws-iam
            - Name: KUMA_DP_SERVER_AUTH_USE_TOKEN_PATH
              Value: "true"

you’ll need:

            - Name: KUMA_DP_SERVER_AUTHN_DP_PROXY_TYPE
              Value: aws-iam
            - Name: KUMA_DP_SERVER_AUTHN_ZONE_PROXY_TYPE
              Value: aws-iam
            - Name: KUMA_DP_SERVER_AUTHN_ENABLE_RELOADABLE_TOKENS
              Value: "true"

See for an example.

Upgrade to 2.0.x

Control Plane Tokens are deprecated. They will be removed in a future release. You can use the Zone Token instead to authenticate any zonal control plane.
