Emissary Ingress — Kubernetes-Native API Gateway on Envoy
Emissary Ingress is an open-source Kubernetes API gateway built on Envoy Proxy, providing rate limiting, authentication, and traffic management for microservices.
Ready-to-run agent install
This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.
    npx -y tokrepo@latest install 0a68950e-3998-11f1-9bc6-00163e2b0d79 --target codex
Run after dry-run confirms the install plan.
What it is
Emissary Ingress (formerly Ambassador API Gateway) is a Kubernetes-native API gateway built on top of Envoy Proxy. It uses Custom Resource Definitions (CRDs) to configure routing, rate limiting, TLS termination, and authentication without restarting the proxy.
Emissary is designed for teams running microservices on Kubernetes who need a developer-friendly, GitOps-compatible ingress layer. It handles HTTP and gRPC traffic routing, canary releases, and traffic shifting through declarative Kubernetes manifests.
How it saves time or tokens
Emissary eliminates the complexity of manually configuring Envoy Proxy. Instead of writing Envoy YAML configurations and managing hot-reloading, you declare routing rules as Kubernetes CRDs. Changes apply automatically without proxy restarts. The Mapping CRD maps URL paths to services in a single resource definition, replacing the multi-file Ingress + Service + upstream configuration pattern. Integration with cert-manager provides automatic TLS certificate provisioning and renewal.
How to use
- Install Emissary Ingress via Helm:
    helm repo add datawire https://app.getambassador.io
    helm install emissary datawire/emissary-ingress \
      -n emissary --create-namespace
- Create a Mapping to route traffic to your service:
    apiVersion: getambassador.io/v3alpha1
    kind: Mapping
    metadata:
      name: my-service
    spec:
      hostname: 'api.example.com'
      prefix: /api/
      service: my-service:8080
- Apply the mapping and verify traffic routing:
    kubectl apply -f mapping.yaml
    kubectl get mappings
Example
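Configuring rate limiting for an API endpoint, keyed on each request's Authorization header (authentication itself is configured separately through an AuthService). The header value is sent to the external rate limit service as the descriptor, so that service sees the credential:
    apiVersion: getambassador.io/v3alpha1
    kind: Mapping
    metadata:
      name: protected-api
    spec:
      hostname: 'api.example.com'
      prefix: /api/v1/
      service: backend-api:8080
      labels:
        ambassador:
          - request_label_group:
              # v3alpha1 label form: send the Authorization header value
              # to the rate limit service under the key api-rate-limit
              - request_headers:
                  key: api-rate-limit
                  header_name: 'Authorization'
    ---
    apiVersion: getambassador.io/v3alpha1
    kind: RateLimitService
    metadata:
      name: rate-limit
    spec:
      service: rate-limit-service:8081
      protocol_version: v3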
Common pitfalls
- Forgetting to create a Host CRD alongside Mappings causes TLS to not work. Define Host resources with your domain and TLS configuration before creating Mappings.
- Using prefix-based routing without trailing slashes can match unintended paths: a prefix of /api also matches /api-internal. Be explicit with prefix values and set prefix_regex: true for complex matching.
- Not setting resource limits on the Emissary pods leads to Envoy consuming excessive memory under high traffic. Always configure CPU and memory limits in the Helm values.
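An audit for the first two pitfalls above, as an added example that is not part of the original page or the Emissary project. It reads JSON in the shape of `kubectl get mappings,hosts -A -o json` (the sample is constructed) and flags Mappings whose hostname no Host covers, and prefixes without a trailing slash. It assumes Host association by hostname glob only; the helper names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample in the shape of `kubectl get mappings,hosts -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Host", "metadata": {"name": "api-host", "namespace": "emissary"},
  "spec": {"hostname": "api.example.com"}},
 {"kind": "Mapping", "metadata": {"name": "my-service", "namespace": "default"},
  "spec": {"hostname": "api.example.com", "prefix": "/api/"}},
 {"kind": "Mapping", "metadata": {"name": "admin", "namespace": "default"},
  "spec": {"hostname": "api.example.com", "prefix": "/admin"}},
 {"kind": "Mapping", "metadata": {"name": "billing", "namespace": "default"},
  "spec": {"hostname": "pay.example.com", "prefix": "/pay/"}}
]}
""")

def prefix_matches(prefix, path):
    """Plain prefix routing compares strings, not whole path segments."""
    return path.startswith(prefix)

def covered(hostname, host_patterns):
    """Simplified Host lookup (assumption): glob comparison on hostname only."""
    return any(fnmatchcase(hostname, p) or fnmatchcase(p, hostname)
               for p in host_patterns)

def audit(resources):
    """Return (namespace/name, finding) pairs for the first two pitfalls."""
    items = resources["items"]
    hosts = [i["spec"]["hostname"] for i in items if i["kind"] == "Host"]
    findings = []
    for m in (i for i in items if i["kind"] == "Mapping"):
        ref = f'{m["metadata"]["namespace"]}/{m["metadata"]["name"]}'
        spec = m["spec"]
        hostname = spec.get("hostname", "*")
        if not covered(hostname, hosts):
            findings.append((ref, f"no Host resource covers {hostname}"))
        prefix = spec.get("prefix", "")
        probe = prefix + "-internal/health"  # constructed sibling path
        if (not spec.get("prefix_regex") and not prefix.endswith("/")
                and prefix_matches(prefix, probe)):
            findings.append((ref, f"prefix {prefix} also matches {probe}"))
    return findings

if __name__ == "__main__":
    for ref, finding in audit(SAMPLE):
        print(f"{ref}: {finding}")
```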
Frequently Asked Questions
Emissary uses Envoy Proxy as its data plane, providing native gRPC support, circuit breaking, and distributed tracing. It configures routing via CRDs (Mapping, Host) rather than annotations on Ingress resources, which scales better for complex configurations.
Yes. You can define multiple Mappings for the same prefix with different services and weight them. Emissary splits traffic according to the weights, enabling progressive rollouts and A/B testing.
Emissary integrates with external authentication services for OAuth2, JWT validation, and API key checks. It sends authentication requests to your auth service via the FilterPolicy and AuthService CRDs.
Yes. Envoy natively supports HTTP/2 and gRPC. Emissary routes gRPC traffic using the same Mapping CRD with the grpc: true flag. Load balancing and retries work for gRPC calls.
Emissary is a CNCF incubating project with years of production use. It is maintained by Ambassador Labs and used by organizations running microservices on Kubernetes at scale.