# Tyk Operator Release Notes

> Release notes documenting updates, enhancements, fixes and changes for Tyk Operator.

**Licensed Protected Product**

**This page contains all release notes for Tyk Operator, displayed in reverse chronological order.**

## Support Lifetime

Our minor releases are supported until our next minor comes out.

***

## 1.4 Release Notes

### 1.4.1 Release Notes

#### Release Date 21 May 2026

#### Release Highlights

In this release, we have addressed CVEs for enhanced security and performance.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v1.4.1) below.

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### 3rd Party Dependencies & Tools

| Third Party Dependency              | Tested Versions  | Compatible Versions | Comments |
| :---------------------------------- | :--------------- | :------------------ | :------- |
| [Kubernetes](https://kubernetes.io) | 1.28.x to 1.32.x | 1.19.x to 1.32.x    |          |

Given the time difference between your upgrade and the release of this version, we recommend customers verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator) section for detailed upgrade instructions.

#### Downloads

* [Docker image v1.4.1](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v1.4.1)
  * ```bash
    docker pull tykio/tyk-operator:v1.4.1
    ```
* Helm chart
  * [tyk-charts v5.2.0](/nightly/developer-support/release-notes/helm-chart#5-2-0-release-notes)

#### Changelog

<a id="Changelog-v1.4.1" data-scroll-offset />

##### Security Fixes

<AccordionGroup>
  <Accordion title="Resolved CVEs">
    Addressed the following CVEs, providing increased protection against security
    vulnerabilities, including, but not limited to:

    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33811" target="_blank">CVE-2026-33811</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33814" target="_blank">CVE-2026-33814</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39820" target="_blank">CVE-2026-39820</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39836" target="_blank">CVE-2026-39836</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-42499" target="_blank">CVE-2026-42499</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39823" target="_blank">CVE-2026-39823</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39826" target="_blank">CVE-2026-39826</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39825" target="_blank">CVE-2026-39825</a>
  </Accordion>
</AccordionGroup>

### 1.4.0 Release Notes

#### Release Date 20 May 2026

#### Release Highlights

Tyk Operator 1.4.0 introduces support for managing [MCP (Model Context Protocol) Proxy](/nightly/ai-management/mcp-gateway/managing-proxies) definitions through Kubernetes custom resources. The new `TykMcpProxyDefinition` CRD allows you to manage MCP Proxies declaratively, and the `SecurityPolicy` CRD has been extended with MCP access rights for tool-based access control and per-primitive rate limiting.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v1.4.0).

<Note>
  The initial Helm chart for Operator 1.4.0 contained an installation bug. Please ensure you use [Tyk Charts 5.2.0](/nightly/developer-support/release-notes/helm-chart#5-2-0-release-notes) or later to install Operator 1.4.0.
</Note>

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### 3rd Party Dependencies & Tools

| Third Party Dependency              | Tested Versions  | Compatible Versions | Comments |
| :---------------------------------- | :--------------- | :------------------ | :------- |
| [Kubernetes](https://kubernetes.io) | 1.28.x to 1.32.x | 1.19.x to 1.32.x    |          |

Given the time difference between your upgrade and the release of this version, we recommend customers verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

The MCP Proxy support in Tyk Operator 1.4.0 requires Tyk Gateway 5.13.0 and Tyk Dashboard 5.13.0 (or newer).

Attempting to use `TykMcpProxyDefinition` resources with Operator 1.4.0 prior to upgrading Gateway and Dashboard to a version supporting MCP Proxies will cause reconciliation failures.

See [MCP Gateway upgrade considerations](/nightly/developer-support/upgrading#mcp-upgrade-considerations) for details.

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator) section for detailed upgrade instructions.

#### Downloads

* [Docker image v1.4.0](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v1.4.0)
  * ```bash
    docker pull tykio/tyk-operator:v1.4.0
    ```
* Helm chart
  * [tyk-charts v5.2.0](/nightly/developer-support/release-notes/helm-chart#5-2-0-release-notes)

#### Changelog

<a id="Changelog-v1.4.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Add MCP Proxy support">
    This release adds support for MCP (Model Context Protocol) Proxies with a new TykMcpProxyDefinition CRD and an extension to the SecurityPolicy CRD.

    **TykMcpProxyDefinition CRD**

    A new `TykMcpProxyDefinition` CRD allows you to manage MCP Proxy definitions declaratively in Kubernetes.

    The CRD status surface exposes three hashes — `CRDSpecHash`, `ConfigMapHash`, and `TykSpecHash` — to track synchronisation state between the Kubernetes resource, the ConfigMap, and the Tyk Gateway definition.

    **SecurityPolicy CRD — MCP access rights**

    The `SecurityPolicy` CRD has been extended to support MCP-specific access rights:

    * Per-tool, per-resource, and per-prompt allow/deny lists (`mcp_access_rights`)
    * Per-JSON-RPC-method allow/deny lists (`json_rpc_methods_access_rights`)
    * Per-primitive rate limits (`mcp_primitives`) and per-method rate limits (`json_rpc_methods`)

    For details, see the [MCP proxy policies documentation](/nightly/ai-management/mcp-gateway/policies).
  </Accordion>
</AccordionGroup>

## 1.3 Release Notes

### 1.3.0 Release Notes

#### Release Date 11 March 2026

#### Release Highlights

Tyk Operator v1.3.0 delivers improvements for API monitoring and ingress management in Kubernetes environments. This release adds native uptime test configuration support for both Tyk OAS and Tyk Classic API definitions, eliminating the need for manual Dashboard configuration.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v1.3.0) below.

<Note>
  The initial `Helm chart` for Operator 1.3.0 contained an installation bug. Please ensure you use tyk-charts version [5.1.1](/nightly/developer-support/release-notes/helm-chart#5-1-1-release-notes) or later to install Operator 1.3.0.
</Note>

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### 3rd Party Dependencies & Tools

| Third Party Dependency              | Tested Versions  | Compatible Versions | Comments |
| :---------------------------------- | :--------------- | :------------------ | :------- |
| [Kubernetes](https://kubernetes.io) | 1.28.x to 1.32.x | 1.19.x to 1.32.x    |          |

Given the time difference between your upgrade and the release of this version, we recommend customers verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator) section for detailed upgrade instructions.

#### Downloads

* [Docker image v1.3.0](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v1.3.0)
  * ```bash
    docker pull tykio/tyk-operator:v1.3.0
    ```
* Helm chart
  * [tyk-charts v5.1.0](/nightly/developer-support/release-notes/helm-chart#5-0-0-release-notes)

#### Changelog

<a id="Changelog-v1.3.0" data-scroll-offset />

##### Changed

<AccordionGroup>
  <Accordion title="Golang 1.25 Update">
    The Tyk Operator now runs on Golang 1.25, providing improved performance, enhanced security, and access to the latest language features.

    This update ensures the Operator remains current with supported Go versions and reduces exposure to security vulnerabilities found in older runtime versions.
  </Accordion>
</AccordionGroup>

##### Added

<AccordionGroup>
  <Accordion title="Added Uptime Test Configuration Support">
    The Tyk Operator now supports configuration of [upstream uptime tests](/nightly/planning-for-production/ensure-high-availability/uptime-tests) directly in your API definitions through both Tyk OAS and Tyk Classic CRDs.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Tyk Operator Ingress Controller Now Respects Strip Listen Path Configuration">
    The ingress controller now respects the [`listenPath.strip`](/nightly/api-management/gateway-config-tyk-oas#listenpath) configuration defined in your Tyk OAS API templates. This fix ensures that template configurations are preserved while maintaining backward compatibility, as templates without an explicit strip setting will continue to default to `true`, and ACME challenge paths will still force `strip: false` as required.
  </Accordion>
</AccordionGroup>

## 1.2 Release Notes

### 1.2.0 Release Notes

#### Release Date 02 April 2025

#### Release Highlights

##### Support for Tyk 5.8

Tyk Operator v1.2 introduces key enhancements and critical fixes to improve API management in Kubernetes environments. This release adds support for HMAC request signing and YAML-based OAS definitions, aligning with Tyk Gateway 5.8.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v1.2.0) below.

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### 3rd Party Dependencies & Tools

| Third Party Dependency              | Tested Versions  | Compatible Versions | Comments |
| :---------------------------------- | :--------------- | :------------------ | :------- |
| [Kubernetes](https://kubernetes.io) | 1.28.x to 1.32.x | 1.19.x to 1.32.x    |          |

Given the time difference between your upgrade and the release of this version, we recommend customers verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

Tyk Operator v1.2 introduced new Custom Resource Definitions (CRDs). Before upgrading to Tyk Operator v1.2 with Helm Chart, please run the following commands to install the CRDs:

```bash
$ kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-charts/refs/heads/main/tyk-operator-crds/crd-v1.2.0.yaml
```

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator) section for detailed upgrade instructions.

#### Downloads

* [Docker image v1.2.0](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v1.2.0)
  * ```bash
    docker pull tykio/tyk-operator:v1.2.0
    ```
* Helm chart
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

#### Changelog

<a id="Changelog-v1.2.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="HMAC request signing support">
    Tyk Operator now supports HMAC request signing, enabling enhanced security and integrity for API requests. This feature aligns with Tyk 5.8 capabilities.

    [Learn More](/nightly/api-management/upstream-authentication/request-signing)
  </Accordion>

  <Accordion title="YAML-based OAS API definitions">
    Tyk Operator now allows OAS API definitions in YAML format, increasing flexibility in API configurations.
  </Accordion>

  <Accordion title="JWT OAS API policy linking">
    Tyk Operator now supports linking policies for JWT default policies and JWT scope-to-policy mappings using Kubernetes names. Users can set these fields in the TykOasApiDefinition CRD.
  </Accordion>
</AccordionGroup>

##### Updated

<Expandable title="Removed dependency on kube-rbac-proxy">
  Tyk Operator no longer depends on kubebuilder's `rbac-proxy` for authentication and authorization of the metrics server.
  The `WithAuthenticationAndAuthorization` feature provided by Controller-Runtime is used instead.

  Users are encouraged to update to Tyk Operator v1.2 to benefit from this change.

  For users who cannot immediately update, there is an alternative option: modifying the Operator's Helm chart configuration to replace the image `gcr.io/kubebuilder/kube-rbac-proxy` with another trusted source. For details, please see [Issue 365](https://github.com/TykTechnologies/tyk-charts/issues/365).
</Expandable>

##### Fixed

<AccordionGroup>
  <Accordion title="Operator reconciliation error handling">
    Fixed an issue where reconciliation conflicts appeared as errors in logs, which occurred because an outdated copy of the Kubernetes resource was being processed. This has been resolved by fetching the latest copy of the object from the cluster and retrying the operation.
  </Accordion>

  <Accordion title="Cert-manager dependency">
    Users can now disable cert-manager, making it optional rather than mandatory for onboarding. This enhances flexibility in deployment configurations.
  </Accordion>

  <Accordion title="Circuit breaker schema validation">
    Fixed an issue where users received a validation error when setting the `threshold_precent` field of the Classic API Definition CRD, starting from Operator v1.0.0, which blocked users from upgrading.
  </Accordion>

  <Accordion title="Portal API Catalog infinite loop">
    Resolved an issue where the Operator could enter an infinite loop when a PortalAPICatalogue CR was created.
  </Accordion>

  <Accordion title="Leader election flag">
    Due to an issue in the Operator Helm chart, configuration options were not being read correctly.
    The Helm chart has been fixed and leader election works by default again.
  </Accordion>
</AccordionGroup>
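The conflict handling described under "Operator reconciliation error handling" above, sketched as an added example that is not Tyk Operator's own code. A toy in-memory store stands in for the Kubernetes API server's optimistic concurrency check, and `Store`, `Object`, `UpdateWithRetry` and `Demo` are hypothetical names with constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrConflict stands in for the API server's 409 Conflict on a stale resourceVersion.
var ErrConflict = errors.New("conflict: object has been modified")

// Object is a constructed stand-in for a custom resource.
type Object struct {
	Name            string
	ResourceVersion int
	Status          string
}

// Store is a toy API server: Update succeeds only when the caller's
// ResourceVersion matches the stored one (optimistic concurrency).
type Store struct {
	mu   sync.Mutex
	objs map[string]Object
}

func NewStore(objs ...Object) *Store {
	s := &Store{objs: map[string]Object{}}
	for _, o := range objs {
		s.objs[o.Name] = o
	}
	return s
}

func (s *Store) Get(name string) (Object, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	o, ok := s.objs[name]
	return o, ok
}

func (s *Store) Update(o Object) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	cur, ok := s.objs[o.Name]
	if !ok {
		return fmt.Errorf("%s not found", o.Name)
	}
	if cur.ResourceVersion != o.ResourceVersion {
		return ErrConflict // caller worked from an outdated copy
	}
	o.ResourceVersion++
	s.objs[o.Name] = o
	return nil
}

// UpdateWithRetry re-reads the latest copy before every attempt, applies
// mutate to it, and retries only when the write fails with ErrConflict.
// It returns the number of attempts made.
func UpdateWithRetry(s *Store, name string, maxAttempts int, mutate func(*Object)) (int, error) {
	if maxAttempts < 1 {
		maxAttempts = 1
	}
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		latest, ok := s.Get(name)
		if !ok {
			return attempt, fmt.Errorf("%s not found", name)
		}
		mutate(&latest)
		if err = s.Update(latest); err == nil {
			return attempt, nil
		}
		if !errors.Is(err, ErrConflict) {
			return attempt, err // real failure: surface it, do not retry
		}
	}
	return maxAttempts, fmt.Errorf("gave up after %d attempts: %w", maxAttempts, err)
}

// Demo shows a stale write being rejected, then the retry path succeeding
// even though a second writer races with the first attempt.
func Demo() (staleErr error, attempts int, final Object) {
	s := NewStore(Object{Name: "httpbin", ResourceVersion: 1, Status: "Pending"})

	stale, _ := s.Get("httpbin") // reconciler's cached copy
	other, _ := s.Get("httpbin") // another actor edits the object first
	other.Status = "Edited"
	_ = s.Update(other)
	stale.Status = "Synced"
	staleErr = s.Update(stale) // rejected: written from the outdated copy

	raced := false
	attempts, _ = UpdateWithRetry(s, "httpbin", 5, func(o *Object) {
		if !raced { // constructed race between Get and Update on attempt 1
			raced = true
			w, _ := s.Get("httpbin")
			w.Status = "EditedAgain"
			_ = s.Update(w)
		}
		o.Status = "Synced"
	})
	final, _ = s.Get("httpbin")
	return
}

func main() {
	staleErr, attempts, final := Demo()
	fmt.Println("stale write:", staleErr)
	fmt.Printf("retry succeeded after %d attempts: %+v\n", attempts, final)
}
```

Against a real cluster the same pattern is available as `retry.RetryOnConflict` in `k8s.io/client-go/util/retry`.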

***

## 1.1 Release Notes

### 1.1.0 Release Notes

#### Release Date 09 December 2024

#### Release Highlights

##### Support for Tyk Streams API

Tyk Operator v1.1 supports management of Tyk Streams APIs through the new **`TykStreamsApiDefinition`** custom resource. This allows you to have declarative, versioned, and fully automated control over your streaming APIs.

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### 3rd Party Dependencies & Tools

| Third Party Dependency              | Tested Versions  | Compatible Versions | Comments |
| :---------------------------------- | :--------------- | :------------------ | :------- |
| [Kubernetes](https://kubernetes.io) | 1.26.x to 1.30.x | 1.19.x to 1.30.x    |          |

Given the time difference between your upgrade and the release of this version, we recommend customers verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

Tyk Operator v1.1 introduced new Custom Resource Definitions (CRDs). Before upgrading to Tyk Operator v1.1 with Helm Chart, please run the following commands to install the CRDs:

```bash
$ kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-charts/refs/heads/main/tyk-operator-crds/crd-v1.1.0.yaml
```

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator) section for detailed upgrade instructions.

#### Downloads

* [Docker image v1.1.0](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v1.1.0)
  * ```bash
    docker pull tykio/tyk-operator:v1.1.0
    ```
* Helm chart
  * tyk-charts v2.2.0

#### Changelog

##### Added

<Expandable title="TykStreamsApiDefinition: new Custom Resource for Tyk Streams">
  The `TykStreamsApiDefinition` custom resource allows you to manage Tyk Streams APIs directly within your Kubernetes environment. This enhancement offers a Kubernetes-native approach to managing Tyk APIs, streamlining operations and ensuring a single source of truth in Kubernetes.

  [Learn More](/nightly/tyk-stack/tyk-operator/create-an-api#create-a-tykstreamsapidefinition-custom-resource)
</Expandable>

##### Fixed

<Expandable title="SecurityPolicy: kind of referenced API definitions should have a default value">
  With `TykOasApiDefinition` support, we expect API references in SecurityPolicy to have a `kind` field, which can be either `ApiDefinition` or `TykOasApiDefinition`. However, validation failed for users upgrading from v0.18 to v1.0 because the `kind` field is empty in the CR.

  Updated CRD rules to add a default value for the `kind` field.
</Expandable>

***

## 1.0 Release Notes

### 1.0.0 Release Notes

We are excited to announce the release of **Tyk Operator v1.0**, marking a significant milestone with new features, enhancements, and critical changes. This release introduces support for Tyk OAS APIs, extended capabilities for managing Classic APIs and security policies, and includes **license changes** that you must be aware of before upgrading.

#### Release Date 10 Oct 2024

#### Release Highlights

##### Support for Tyk OAS API

The Tyk Operator v1.0 release introduces powerful new features designed to enhance how you manage APIs in Kubernetes environments. One of the key highlights is the full support for Tyk OAS APIs, allowing you to define and manage APIs through the new **`TykOasApiDefinition`** custom resource. This integration extends GitOps API Management to Tyk OAS, allowing you to have declarative, versioned, and fully automated control over your APIs in Kubernetes environments.

Key features:

* **Define and Manage Tyk OAS APIs** using the TykOasApiDefinition custom resource.
* **Manage API Definitions in ConfigMaps**: Any changes are automatically tracked and synced to Tyk.
* **Configure Tyk OAS in a Kubernetes-native way**: You can organize APIs by categories or manage multiple API versions easily with the new CRD.
* **Simplify certificate management** by referencing Kubernetes secrets.
* **Use the Tyk Ingress controller** to create Tyk OAS APIs from Ingress specs.

With this release, users benefit from seamless GitOps workflows, ensuring a Kubernetes-native operation workflow. Security is also made simpler with automated certificate synchronization, removing the hassle of manual certificate management.

##### Enhanced Classic API and Security Policy Features

Enhanced support for Tyk Classic APIs continues, with improvements to security policies and new capabilities for setting API and endpoint-specific rate limits, making it easier than ever to customize API usage policies.

This release represents a significant upgrade for both API management and security, offering a more efficient, scalable, and Kubernetes-native way to operate Tyk. Whether you're leveraging Tyk OAS APIs or continuing with Tyk Classic, this version brings the tools and features you need to streamline your workflows and enhance operational efficiency.

For details please refer to the [changelog](/nightly/#Changelog-v1.0.0) below.

#### Breaking Changes

<a id="breaking-changesv1.0.0" />

**License Requirement:** Tyk Operator is now a closed-source product and requires a valid license key to operate. Please follow our [Installation and Upgrade Guide](/nightly/tyk-stack/tyk-operator/installing-tyk-operator) to set your license key before installation or upgrade.

If the license is missing, invalid, or expired, Tyk Operator will exit with an error message. Ensure that you carefully review the setup steps to avoid any issues during the upgrade or installation process.

**Admission Webhook Removal:** The admission webhook for security policy (`validate-tyk-tyk-io-v1alpha1-securitypolicy`) has been removed. No action is required from users, and existing `SecurityPolicy` CRDs and resources remain fully supported and unaffected.

#### Dependencies

##### 3rd Party Dependencies & Tools

| Third Party Dependency              | Tested Versions  | Compatible Versions | Comments |
| :---------------------------------- | :--------------- | :------------------ | :------- |
| [Kubernetes](https://kubernetes.io) | 1.26.x to 1.30.x | 1.19.x to 1.30.x    |          |

Given the time difference between your upgrade and the release of this version, we recommend customers verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

Tyk Operator v1.0 introduced new Custom Resource Definitions (CRDs). Before upgrading to Tyk Operator v1.0 with Helm Chart, please run the following commands to install the CRDs:

```bash
$ kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-charts/refs/heads/main/tyk-operator-crds/crd-v1.0.0.yaml
```

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator#upgrading-tyk-operator) section for detailed upgrade instructions.

#### Downloads

* [Docker image v1.0.0](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v1.0.0)
  * ```bash
    docker pull tykio/tyk-operator:v1.0.0
    ```
* Helm chart
  * [tyk-charts v2.1.0](/nightly/developer-support/release-notes/helm-chart#2-1-0-release-notes)

#### Changelog

<a id="Changelog-v1.0.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="TykOasApiDefinition: new Custom Resource for Tyk OAS">
    The `TykOasApiDefinition` custom resource allows you to manage Tyk OAS APIs directly within your Kubernetes environment. You can now categorize APIs, manage multiple versions, and simplify SSL certificate management by referencing Kubernetes secrets. This enhancement offers a Kubernetes-native approach to managing Tyk APIs, streamlining operations and reducing the complexity of versioning and certificate handling across different environments.

    Learn More: [Create Tyk OAS API](/nightly/tyk-stack/tyk-operator/create-an-api#set-up-tyk-oas-api)
  </Accordion>

  <Accordion title="Ingress Controller: Support Tyk OAS API as an Ingress Template">
    With this release, you can use the TykOasApiDefinition resource as a template for automatically creating Tyk OAS APIs based on Kubernetes Ingress specs. This simplifies the process of generating APIs by leveraging Ingress controller annotations, reducing manual intervention, and automating API creation workflows for better scalability and operational efficiency.

    Learn More: [Tyk Ingress Controller](/nightly/product-stack/tyk-operator/tyk-ingress-controller)
  </Accordion>

  <Accordion title="SecurityPolicy: Support for Key-Level Per-API Rate Limits and Quota">
    This release introduces the ability to configure specific rate limits, quotas, and throttling rules at the API level using the `access_rights_array` in the security policy. Each API now has the flexibility to inherit global limit settings or apply custom limits, making it easier to control API usage on a per-API basis. This provides enhanced granularity in managing traffic, ensuring optimal resource allocation and improved performance under heavy loads.

    Learn More: [Key-Level Per-API Rate Limits and Quota](/nightly/tyk-stack/tyk-operator/create-an-api#security-policy-example)
  </Accordion>

  <Accordion title="SecurityPolicy: Support for Key-Level Per-Endpoint Rate Limits">
    By configuring key-level per-endpoint limits, you can restrict the request rate for specific API clients to a specific endpoint of an API.

    Learn More: [Key-Level Per-Endpoint Rate Limits](/nightly/tyk-stack/tyk-operator/create-an-api#security-policy-example)
  </Accordion>

  <Accordion title="SecurityPolicy: Support for TykOasApiDefinition">
    This update extends the security policy to include TykOasApiDefinition resources within the `access_rights_array`, allowing you to manage security policies for both Tyk Classic APIs and Tyk OAS APIs. By specifying the API kind, you can now apply rate limits, quotas, and other access controls to Tyk OAS APIs, streamlining security management in mixed environments.

    Learn More: [TykOasApiDefinition in Security Policy](/nightly/tyk-stack/tyk-operator/create-an-api#add-a-security-policy-to-your-api)
  </Accordion>

  <Accordion title="ApiDefinition: Support for Event Handler">
    Tyk Operator now supports event handler integration for ApiDefinition, enabling webhooks to be triggered by specific API events. This allows for real-time, event-driven automation between Tyk and other systems, sending notifications or executing actions as events occur in the API lifecycle. The event\_handlers field in the ApiDefinition CRD makes it easy to set up webhook-driven processes for better control and automation across your services.

    Learn More: [Event Webhook with Tyk Classic](/nightly/api-management/gateway-events#webhook-event-handlers-with-tyk-classic-apis)
  </Accordion>

  <Accordion title="ApiDefinition: Support timeout Field in Advanced Cache Control">
    The advanced cache configuration for ApiDefinition now supports a timeout field, providing greater control over cache behavior. You can define specific cache timeouts for different API paths, allowing for more fine-tuned control over caching strategies. This feature helps optimize API performance, particularly for high-traffic endpoints requiring precise cache management.

    ```yaml
    extended_paths:
      advance_cache_config:
        - path: "/json"    
          method: "GET"
          cache_response_codes: [200, 204]
          timeout: 120
    ```
  </Accordion>

  <Accordion title="ApiDefinition: Support new Fields in `VersionDefinition`">
    `VersionDefinition` within `ApiDefinition` has been expanded to include additional fields, offering more granular control over API versioning and path management. These new fields allow you to configure version handling more flexibly, enhancing your ability to manage API versions and customize how version data is processed in API paths.
  </Accordion>
</AccordionGroup>

##### Changed

<Expandable title="Go Version Updated to 1.22">
  The underlying Go runtime for Tyk Operator has been updated to version 1.22. This upgrade brings performance improvements, enhanced security, and compatibility with the latest Go libraries, ensuring Tyk Operator remains efficient and secure in production environments.
</Expandable>

<Expandable title="Admission Webhook for SecurityPolicy Removed">
  The admission webhook for the security policy (`validate-tyk-tyk-io-v1alpha1-securitypolicy`) has been removed because it did not perform any functional validation. This change simplifies deployment of Tyk Operator and reduces webhook overhead.
</Expandable>

***

## 0.18 Release Notes

### 0.18.0 Release Notes

#### Release date 4 Jul 2024

#### Breaking Changes

This release has no breaking changes.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator#upgrading-tyk-operator) section for detailed upgrade instructions.

#### Release Highlights

This release added support for Tyk 5.4 API definition.

For details please refer to the [changelog](/nightly/#Changelog-v0.18.0) below.

#### Downloads

* [Docker image v0.18.0](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v0.18.0)
  * ```bash
    docker pull tykio/tyk-operator:v0.18.0
    ```
* Source code tarball - [Tyk Operator Repo](https://github.com/TykTechnologies/tyk-operator/releases/tag/v0.18.0)

#### Changelog

<a id="Changelog-v0.18.0" data-scroll-offset />

##### Added

<Expandable title="Added support of Tyk 5.4 API definition CRD">
  Added to ApiDefinition [Custom Resource Definition (CRD)](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/):

  * [introspection](/nightly/api-management/graphql#turning-off-introspection) option to enable/disable GraphQL introspection
  * [graphql.proxy.auth\_headers](/nightly/api-management/graphql#creating-a-graphql-api-via-the-dashboard-ui)
  * [graphql.proxy.subscription\_type](/nightly/api-management/graphql#graphql-subscriptions)
  * [graphql.proxy.request\_headers](/nightly/api-management/graphql#request-headers)
  * graphql.proxy.use\_response\_extensions
  * graphql.proxy.request\_headers\_rewrite
  * graphql.proxy.features
</Expandable>

## 0.17 Release Notes

### 0.17.1 Release Notes

#### Release date 6 May 2024

#### Breaking Changes

This release has no breaking changes.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator#upgrading-tyk-operator) section for detailed upgrade instructions.

#### Release Highlights

This release is focused on bug fixes. For details please refer to the [changelog](/nightly/#Changelog-v0.17.1) below.

#### Downloads

* [Docker image v0.17](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v0.17.1)
  * ```bash theme={null}
    docker pull tykio/tyk-operator:v0.17.1
    ```
* Source code tarball - [Tyk Operator Repo](https://github.com/TykTechnologies/tyk-operator/releases/tag/v0.17.1)

#### Changelog

<a id="Changelog-v0.17.1" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed ApiDefinition Custom Resources generated by the Ingress Controller used a wrong certificate">
    When using Tyk as an Ingress Controller with TLS enabled, the ApiDefinition Custom Resources generated by the Ingress Controller were missing the OrgID field. As a result, Tyk Gateway used a wrong certificate when serving a request. This is fixed by adding the OrgID field back to ApiDefinition CRs created by the Ingress Controller.
  </Accordion>

  <Accordion title="Added Webhook and RBAC port configurations in Tyk Operator Helm chart">
    Users can configure the Tyk Operator webhook and RBAC ports via the Helm chart values `.Values.webhookPort` and `.Values.rbac.port` respectively.
  </Accordion>

  <Accordion title="Addressed security vulnerabilities CVE-2023-45288">
    Addressed security vulnerability [CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288), where an attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
  </Accordion>

  <Accordion title="Addressed security vulnerabilities CVE-2024-24786">
    Addressed security vulnerability [CVE-2024-24786](https://nvd.nist.gov/vuln/detail/CVE-2024-24786), where the `protojson.Unmarshal` function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a `google.protobuf.Any` value, or when the `UnmarshalOptions.DiscardUnknown` option is set.
  </Accordion>
</AccordionGroup>
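
The bounded header processing described for CVE-2023-45288 can be modelled in a few lines of Go. This is an added illustration, not code from Tyk Operator or from the Go HTTP/2 implementation; the `Frame` type, `ReadHeaderBlock`, `UnterminatedBlock` and the `excessBudget` value are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame is a simplified HEADERS/CONTINUATION frame (an assumption for this model).
type Frame struct {
	FragmentLen int  // size of the header block fragment in bytes
	EndHeaders  bool // END_HEADERS flag: this frame completes the header block
}

var ErrExcessHeaders = errors.New("excess header budget exhausted: close connection")

// ReadHeaderBlock models the receiver. Every fragment is decoded so HPACK state
// stays in sync, but at most maxHeaderBytes are stored. When excessBudget > 0,
// reading stops once decoded bytes beyond maxHeaderBytes exceed that budget;
// excessBudget <= 0 models the behaviour before the fix (no cap).
func ReadHeaderBlock(frames []Frame, maxHeaderBytes, excessBudget int) (stored, decoded int, err error) {
	for _, f := range frames {
		decoded += f.FragmentLen
		if stored += f.FragmentLen; stored > maxHeaderBytes {
			stored = maxHeaderBytes // excess is parsed but never stored
		}
		if excessBudget > 0 && decoded-maxHeaderBytes > excessBudget {
			return stored, decoded, ErrExcessHeaders
		}
		if f.EndHeaders {
			return stored, decoded, nil
		}
	}
	return stored, decoded, errors.New("header block never terminated")
}

// UnterminatedBlock builds constructed input: n+1 frames, none with END_HEADERS set.
func UnterminatedBlock(n, fragLen int) []Frame {
	frames := make([]Frame, n+1)
	for i := range frames {
		frames[i].FragmentLen = fragLen
	}
	return frames
}

func main() {
	_, before, _ := ReadHeaderBlock(UnterminatedBlock(10000, 16384), 1<<20, 0)
	_, after, err := ReadHeaderBlock(UnterminatedBlock(10000, 16384), 1<<20, 1<<20)
	fmt.Println(before, after, err)
}
```

With a 1 MiB header limit and a 1 MiB excess budget, the capped receiver decodes about 2 MiB before closing the connection, while the uncapped one decodes every byte it is sent even though it stores only 1 MiB.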

### 0.17.0 Release Notes

#### Release date 05 Apr 2024

#### Breaking Changes

This release has no breaking changes.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

Go to the [Upgrading Tyk Operator](/nightly/tyk-stack/tyk-operator/installing-tyk-operator#upgrading-tyk-operator) section for detailed upgrade instructions.

#### Release Highlights

This release added support for `GraphQLIntrospectionConfig` in API definition and fixed an issue where the Tyk Operator creates duplicate APIs on Tyk.

For details please refer to the [changelog](/nightly/#Changelog-v0.17.0) below.

#### Downloads

* [Docker image v0.17](https://hub.docker.com/r/tykio/tyk-operator/tags?page=\&page_size=\&ordering=\&name=v0.17.0)
  * ```bash theme={null}
    docker pull tykio/tyk-operator:v0.17.0
    ```
* Source code tarball - [Tyk Operator Repo](https://github.com/TykTechnologies/tyk-operator/releases/tag/v0.17.0)

#### Changelog

<a id="Changelog-v0.17.0" data-scroll-offset />

##### Fixed

<Expandable title="Fixed creating duplicated API definitions on Tyk">
  Fixed the creation of duplicated API definitions on Tyk in case of cluster failures. If network errors happen while updating the API definition, the Tyk Operator retries the reconciliation based on the underlying error type.
</Expandable>

##### Added

<Expandable title="Added support of GraphQLIntrospectionConfig in API definition CRD">
  Added to ApiDefinition CRD: support of `GraphQLIntrospectionConfig` field at `graphql.introspection.disabled`. This feature will be enabled in future Tyk releases.
</Expandable>

## 0.16 Release Notes

### 0.16.0 Release Notes

#### Release date 12 Jan 2024

#### Breaking Changes

This release has no breaking changes.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

When upgrading the Tyk Operator release via Helm, please make sure that the latest CRDs are also applied on the cluster, as follows:

```bash theme={null}
kubectl apply -f https://raw.githubusercontent.com/TykTechnologies/tyk-operator/v0.16.0/helm/crds/crds.yaml
```

#### Release Highlights

This release added support for analytics plugin, UDG global header, and detailed tracing setting in ApiDefinition as detailed in the [changelog](/nightly/#Changelog-v0.16.0) below.

#### Downloads

* [Docker image to pull](https://hub.docker.com/layers/tykio/tyk-operator/v0.16.0/images/sha256-7c5b526af96ef772e8e53b8817538f41585c4ad641388609b349368219bb3d7d?context=explore)
* [Source code](https://github.com/TykTechnologies/tyk-operator/releases/tag/v0.16.0)

#### Changelog

<a id="Changelog-v0.16.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Added imagePullSecrets configuration for ServiceAccount in Tyk Operator Helm chart">
    Added [imagePullSecrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/) configuration for ServiceAccount in Tyk Operator Helm chart. This allows users to pull the image from a private registry.
  </Accordion>

  <Accordion title="Added tyk to categories field of CRDs">
    Added `tyk` to the categories field of CRDs. From now on, all CRs related to Tyk Operator are grouped into the `tyk` category and can be displayed via `kubectl get tyk`.
  </Accordion>

  <Accordion title="Added support of analytics plugin in ApiDefinition CRD">
    Added to ApiDefinition CRD: support of analytics plugin at [spec.analytics\_plugin](https://doc.crds.dev/github.com/TykTechnologies/tyk-operator/tyk.tyk.io/ApiDefinition/v1alpha1@v0.16.0#spec-analytics_plugin). See [Example CRD with Analytics Plugin](https://github.com/TykTechnologies/tyk-operator/tree/master/config/samples/analytics_plugin.yaml) for details.
  </Accordion>

  <Accordion title="Added support of UDG Global Header in ApiDefinition CRD">
    Added to ApiDefinition CRD: support for UDG Global Header at the [spec.graphql.engine.global\_headers](https://doc.crds.dev/github.com/TykTechnologies/tyk-operator/tyk.tyk.io/ApiDefinition/v1alpha1@v0.16.0#spec-graphql-engine-global_headers) object. This feature is compatible with Tyk 5.2 or above.
  </Accordion>

  <Accordion title="Added support of detail tracing in ApiDefinition CRD">
    Added to ApiDefinition CRD: support for detailed tracing configuration at the [spec.detailed\_tracing](https://doc.crds.dev/github.com/TykTechnologies/tyk-operator/tyk.tyk.io/ApiDefinition/v1alpha1@v0.16.0#spec-detailed_tracing) field. Enable it for the API if you want to get a detailed span for each middleware involved in request processing.
  </Accordion>
</AccordionGroup>

##### Updated

<Expandable title="Updated Go version to 1.21">
  Updated Go version to 1.21
</Expandable>

##### Fixed

<Expandable title="Fixed CVE-2023-39325 (NVD)">
  Fixed [CVE-2023-39325 (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
</Expandable>

<Expandable title="Fixed security policy handling in OSS mode">
  Fixed a bug that prevented Tyk Operator from working with SecurityPolicy in OSS mode. The SecurityPolicy controller no longer modifies the spec.MID (\_id) field in SecurityPolicy.
</Expandable>

## Further Information

### Upgrading Tyk

Please refer to the [upgrading Tyk](/nightly/developer-support/upgrading) page for further guidance on the upgrade strategy.

### FAQ

Please visit our [Developer Support](/nightly/developer-support/community) page for further information relating to reporting bugs, upgrading Tyk, technical support and how to contribute.
