Kong incident

Konnect Control Plane Default Changes due to 3.14 Release and Secure by Default

Major, Resolved
Started: Apr 08, 2026, 04:20 PM UTC
Resolved: Apr 08, 2026, 09:33 PM UTC
Duration: 5h 13m
Detected by Pingoru: Apr 08, 2026, 04:20 PM UTC

Affected components

Kong Konnect Cloud

Update timeline

  1. investigating Apr 08, 2026, 04:20 PM UTC

    With the release of 3.14 and changes to default security settings for Kong’s secure by default initiatives, Konnect customers running dataplanes less than 3.14 and updating certain plugins without providing overrides to the new defaults began experiencing the following issues:

    Konnect would begin reporting that a default had been overridden that did not apply to the connected dataplane. This is a warning that Konnect gives when the configuration on Konnect control plane appears to have user-defined changes that do not apply to the dataplane version the customer is using. This message is provided to avoid a user configuring properties on a plugin that their dataplane would not utilize, to make it clear to users why a new field isn’t taking effect. Since our defaults changed, this caused the reporting in some cases to see this as an ‘override’ if the configuration didn’t match the new default, causing the message. This had no impact on dataplane configurations or behavior, but it was a confusing message, and we have removed it.

    The second and more impactful issue is the updating of default values in 3.14. After the 3.14 release, some fields like ssl_verify and hide_credentials in various entities started defaulting to true instead of false. This is causing customers who run a deck sync without these fields defined to see their config values change from false to true, which is an issue. Konnect is working on rolling back to the old default values. Once the default values are restored on the API, the next time the config is updated without the default values, the previous values will be applied.

    Plugins using ssl_verify: ace, acme, ai-aws-guardrail, ai-azure-content-safety, ai-llm-as-judge, ai-proxy-advanced, ai-rag-injector, ai-rate-limiting-advanced, ai-request-transformer, ai-response-transformer, ai-semantic-cache, ai-semantic-prompt-guard, ai-semantic-response-guard, aws-lambda, azure-functions, basic-auth, confluent, confluent-consume, datakit, forward-proxy, graphql-proxy-cache-advanced, graphql-rate-limiting-advanced, header-cert-auth, http-log, jwt-signer, kafka-consume, kafka-log, kafka-upstream, ldap-auth, ldap-auth-advanced, mtls-auth, opa, openid-connect, proxy-cache-advanced, rate-limiting, rate-limiting-advanced, request-callout, response-ratelimiting, saml, service-protection, tcp-log, upstream-oauth

    Plugins using hide_credentials: Key-auth, Key-auth-enc, Basic-auth, Hmac-auth, ldap-auth, Oauth2, Oauth2-introspection, vault-auth (EE), ldap-auth-advanced (EE)

  2. identified Apr 08, 2026, 04:20 PM UTC

    The issue has been identified and a fix is being implemented.

  3. resolved Apr 08, 2026, 09:33 PM UTC

    We have completed the rollback to the original default values. Customers applying their configurations without explicitly defining ssl_verify and hide_credentials will default to `false` again.
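
An added example, not code from Kong or from this status page: a Python check that walks a decK state already parsed into a dict and reports plugins from the two lists above that leave `ssl_verify` or `hide_credentials` unset, since those are the entries whose synced value follows whatever default the control plane applies. The any-depth key search and the `SAMPLE` state are assumptions made for illustration; plugin schemas differ in where the field sits.

```python
# Plugin lists copied from the incident update above (names lower-cased).
SSL_VERIFY = set("""ace acme ai-aws-guardrail ai-azure-content-safety ai-llm-as-judge
ai-proxy-advanced ai-rag-injector ai-rate-limiting-advanced ai-request-transformer
ai-response-transformer ai-semantic-cache ai-semantic-prompt-guard ai-semantic-response-guard
aws-lambda azure-functions basic-auth confluent confluent-consume datakit forward-proxy
graphql-proxy-cache-advanced graphql-rate-limiting-advanced header-cert-auth http-log
jwt-signer kafka-consume kafka-log kafka-upstream ldap-auth ldap-auth-advanced mtls-auth opa
openid-connect proxy-cache-advanced rate-limiting rate-limiting-advanced request-callout
response-ratelimiting saml service-protection tcp-log upstream-oauth""".split())
HIDE_CREDENTIALS = set("""key-auth key-auth-enc basic-auth hmac-auth ldap-auth
oauth2 oauth2-introspection vault-auth ldap-auth-advanced""".split())
FIELDS = (("ssl_verify", SSL_VERIFY), ("hide_credentials", HIDE_CREDENTIALS))

def has_key(node, key):  # True if `key` appears at any depth of a dict/list
    if isinstance(node, dict):
        return key in node or any(has_key(v, key) for v in node.values())
    return isinstance(node, list) and any(has_key(v, key) for v in node)

def iter_plugins(node, path=""):  # yields (path, plugin) for every "plugins" list
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "plugins" and isinstance(val, list):
                yield from ((f"{path}/plugins[{p.get('name')}]", p) for p in val)
            else:
                yield from iter_plugins(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            label = item.get("name", i) if isinstance(item, dict) else i
            yield from iter_plugins(item, f"{path}[{label}]")

def implicit_defaults(state):
    # A field missing from the state is filled in from the current default on sync.
    return [(path, field)
            for path, plugin in iter_plugins(state)
            for field, affected in FIELDS
            if str(plugin.get("name", "")).lower() in affected
            and not has_key(plugin.get("config") or {}, field)]

SAMPLE = {  # constructed state, not taken from the incident
    "plugins": [{"name": "rate-limiting", "config": {"minute": 60}}],
    "services": [{"name": "orders", "plugins": [
        {"name": "http-log", "config": {"ssl_verify": False}},
        {"name": "basic-auth", "config": {"hide_credentials": False}}],
        "routes": [{"name": "orders-v1", "plugins": [
            {"name": "key-auth", "config": {"key_names": ["apikey"]}}]}]}]}

if __name__ == "__main__":
    for path, field in implicit_defaults(SAMPLE):
        print(f"{path}: {field} not set explicitly")
```

Setting each reported field explicitly in the state file, to the value you have decided on, keeps later syncs independent of default changes on the control plane.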
