Skills2026年4月16日·1 分钟阅读

Emissary Ingress — Kubernetes-Native API Gateway on Envoy

Emissary Ingress is an open-source Kubernetes API gateway built on Envoy Proxy, providing rate limiting, authentication, and traffic management for microservices.

AI Open Source
AI Open Source · Community
Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
Emissary Ingress Overview
直接安装命令
npx -y tokrepo@latest install 0a68950e-3998-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

TL;DR
Emissary Ingress routes HTTP and gRPC traffic on Kubernetes using Envoy Proxy and CRDs.
§01

What it is

Emissary Ingress (formerly Ambassador API Gateway) is a Kubernetes-native API gateway built on top of Envoy Proxy. It uses Custom Resource Definitions (CRDs) to configure routing, rate limiting, TLS termination, and authentication without restarting the proxy.

Emissary is designed for teams running microservices on Kubernetes who need a developer-friendly, GitOps-compatible ingress layer. It handles HTTP and gRPC traffic routing, canary releases, and traffic shifting through declarative Kubernetes manifests.

§02

How it saves time or tokens

Emissary eliminates the complexity of manually configuring Envoy Proxy. Instead of writing Envoy YAML configurations and managing hot-reloading, you declare routing rules as Kubernetes CRDs. Changes apply automatically without proxy restarts. The Mapping CRD maps URL paths to services in a single resource definition, replacing the multi-file Ingress + Service + upstream configuration pattern. Integration with cert-manager provides automatic TLS certificate provisioning and renewal.

§03

How to use

  1. Install Emissary Ingress via Helm:
helm repo add datawire https://app.getambassador.io
helm install emissary datawire/emissary-ingress \
  -n emissary --create-namespace
  1. Create a Mapping to route traffic to your service:
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: my-service
spec:
  hostname: 'api.example.com'
  prefix: /api/
  service: my-service:8080
  1. Apply the mapping and verify traffic routing:
kubectl apply -f mapping.yaml
kubectl get mappings
§04

Example

Configuring rate limiting and authentication for an API endpoint:

apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: protected-api
spec:
  hostname: 'api.example.com'
  prefix: /api/v1/
  service: backend-api:8080
  labels:
    ambassador:
      - request_label_group:
        - api-rate-limit:
            header: 'Authorization'
---
apiVersion: getambassador.io/v3alpha1
kind: RateLimitService
metadata:
  name: rate-limit
spec:
  service: rate-limit-service:8081
  protocol_version: v3
§05

Related on TokRepo

§06

Common pitfalls

  • Forgetting to create a Host CRD alongside Mappings causes TLS to not work. Define Host resources with your domain and TLS configuration before creating Mappings.
  • Using prefix-based routing without trailing slashes can match unintended paths. Be explicit with prefix values and use regex_prefix for complex matching.
  • Not setting resource limits on the Emissary pods leads to Envoy consuming excessive memory under high traffic. Always configure CPU and memory limits in the Helm values.

常见问题

How does Emissary Ingress differ from NGINX Ingress?+

Emissary uses Envoy Proxy as its data plane, providing native gRPC support, circuit breaking, and distributed tracing. It configures routing via CRDs (Mapping, Host) rather than annotations on Ingress resources, which scales better for complex configurations.

Does Emissary support canary deployments?+

Yes. You can define multiple Mappings for the same prefix with different services and weight them. Emissary splits traffic according to the weights, enabling progressive rollouts and A/B testing.

What authentication methods does Emissary support?+

Emissary integrates with external authentication services for OAuth2, JWT validation, and API key checks. It sends authentication requests to your auth service via the FilterPolicy and AuthService CRDs.

Can Emissary handle gRPC traffic?+

Yes. Envoy natively supports HTTP/2 and gRPC. Emissary routes gRPC traffic using the same Mapping CRD with the grpc: true flag. Load balancing and retries work for gRPC calls.

Is Emissary Ingress production-ready?+

Emissary is a CNCF incubating project with years of production use. It is maintained by Ambassador Labs and used by organizations running microservices on Kubernetes at scale.

引用来源 (3)
TokRepo 相关
DevOps toolsAI gateway providersFeatured workflows

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产

ingress-nginx — Kubernetes NGINX Ingress Controller

ingress-nginx is the community Kubernetes ingress controller built on NGINX, turning Ingress and Gateway API resources into production-ready HTTP/S and TCP load-balancer configuration.

Skills
AI Open Source

Contour — High-Performance Kubernetes Ingress Controller Using Envoy

Route traffic into Kubernetes clusters with Contour. Built on Envoy proxy, it provides a powerful HTTPProxy CRD for advanced routing, TLS delegation, and rate limiting beyond standard Ingress.

Skills
Script Depot

ExternalDNS — Sync Kubernetes Services with DNS Providers

Kubernetes SIG controller that keeps Route 53, Cloudflare, Google Cloud DNS and 30+ other providers in sync with Services, Ingresses, and Gateway API routes.

Skills
AI Open Source

MicroK8s — Lightweight Zero-Ops Kubernetes from Canonical

Get a fully conformant Kubernetes cluster running in a single command with built-in add-ons for DNS, storage, ingress, GPU support, and Istio.

Skills
AI Open Source
首页🔍搜索👤我的