Introduction
Emissary Ingress (formerly Ambassador API Gateway) is a Kubernetes-native API gateway built on top of Envoy Proxy. It uses Custom Resource Definitions to configure routing, rate limiting, TLS termination, and authentication — all without restarting the proxy. Emissary is designed for teams running microservices on Kubernetes who need a developer-friendly, GitOps-compatible ingress layer.
What Emissary Does
- Routes HTTP and gRPC traffic to Kubernetes services using declarative Mapping CRDs
- Provides rate limiting, circuit breaking, and automatic retries at the edge
- Terminates TLS with automatic certificate management via cert-manager or ACME
- Integrates with external authentication services for OAuth2, JWT, and API key validation
- Supports canary releases and traffic shifting for progressive delivery
Architecture Overview
Emissary runs as a Kubernetes Deployment that wraps Envoy Proxy. The control plane watches for CRD changes (Mappings, Hosts, RateLimits) and translates them into Envoy xDS configuration updates delivered over gRPC. Envoy handles all data-plane traffic with zero-downtime configuration reloads. The architecture separates the control plane (CRD reconciliation) from the data plane (Envoy) for scalability and reliability.
Self-Hosting & Configuration
- Install via Helm chart or YAML manifests into any Kubernetes cluster
- Define routing rules with Mapping CRDs specifying prefix, hostname, and target service
- Configure Host CRDs for TLS termination with automatic ACME certificate provisioning
- Set up RateLimitService CRDs for global or per-route rate limiting
- Enable tracing with Zipkin, Jaeger, or Datadog via Envoy tracing configuration
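A Host and Mapping pair of the kind the steps above describe, as an added example that is not from the original page or the Emissary project. The names, namespace, hostname, label and Secret are hypothetical. It assumes an HTTPS Listener is already deployed and that the TLS Secret is issued separately, for example by cert-manager.

```yaml
# Added example; all names, namespaces, labels and hostnames are hypothetical.
---
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: shop-host
  namespace: shop
spec:
  hostname: shop.example.com
  # TLS is terminated with the certificate stored in this Secret
  # (assumed to be issued and renewed out of band, e.g. by cert-manager).
  tlsSecret:
    name: shop-example-com-tls
  # Cleartext requests are redirected to HTTPS instead of being routed.
  requestPolicy:
    insecure:
      action: Redirect
  # Only Mappings carrying this label are associated with this Host.
  mappingSelector:
    matchLabels:
      host: shop
---
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: orders-api
  namespace: shop
  labels:
    host: shop            # must match the Host's mappingSelector
spec:
  # Pin the route to one hostname rather than "*", so it is not
  # exposed on every Host the gateway serves.
  hostname: shop.example.com
  prefix: /orders/
  # Target Kubernetes Service, written as name.namespace:port.
  service: orders.shop:8080
```

Pinning `hostname` and using `mappingSelector` keeps a team's Mapping from attaching to Hosts it was not meant for, which matters when Mappings are managed by teams without cluster-admin access.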
Key Features
- Envoy-powered data plane with L7 routing, load balancing, and observability
- CRD-based configuration that integrates with GitOps workflows
- Built-in support for gRPC, WebSockets, and HTTP/2
- Developer self-service: teams manage their own Mapping CRDs without cluster-admin access
- Gateway API support alongside traditional Ingress resources
Comparison with Similar Tools
- Ingress-NGINX — widely used but lacks advanced L7 features like rate limiting and auth
- Istio Gateway — more powerful service mesh but significantly more complex to operate
- Traefik — auto-discovers services but Emissary offers deeper Envoy customization
- Kong Ingress — plugin-based API gateway but heavier runtime with Lua/OpenResty
FAQ
Q: Is Emissary the same as Ambassador?
A: Yes, Emissary Ingress was previously called Ambassador API Gateway. The project was renamed in 2021.
Q: Does Emissary support the Kubernetes Gateway API?
A: Yes, Emissary supports Gateway API resources alongside its own CRDs.
Q: Can Emissary work alongside a service mesh like Istio?
A: Yes, Emissary can serve as the edge gateway while Istio manages east-west traffic within the mesh.
Q: How does Emissary handle configuration changes?
A: Configuration changes are applied via Envoy xDS hot-reload with zero downtime — no proxy restart required.