Skip to main content

Emissary-Ingress

Emissary-Ingress is an open-source Kubernetes-native (API gateway / ingress controller) project for managing edge traffic to microservices using Envoy Proxy as the data plane.

  • Kubernetes-native ingress controller and Application Programming Interface (API) gateway for north-south traffic management (application networking).
  • Built on Envoy Proxy as the underlying data plane (service proxy).
  • Declarative configuration via Kubernetes Custom Resource Definitions (CRDs) (platform operations).
  • Routing, load balancing, Transport Layer Security (TLS) termination, and authentication for HTTP/gRPC services (traffic management and security).
  • Part of the Cloud Native Computing Foundation ecosystem (cloud-native infrastructure).

More About Emissary-Ingress

Emissary-Ingress is an open-source Kubernetes-native (API gateway / ingress controller) designed to manage external client traffic into Kubernetes-hosted microservices. It focuses on the north-south traffic layer, providing a control plane that configures Envoy Proxy as the data plane to handle routing, security, and observability for Hypertext Transfer Protocol (HTTP), HTTPS, and gRPC workloads running on Kubernetes clusters.

The project addresses the problem of exposing multiple backend services through a unified, policy-driven edge, using Kubernetes-native workflows. Platform teams define routing, security, and traffic policies using Kubernetes Custom Resource Definitions (CRDs), which allows configuration to be managed alongside application manifests. This approach aligns ingress and API gateway behavior with GitOps and Infrastructure-as-Code (IaC) practices within enterprise environments.

Key capabilities include advanced request routing, including host- and path-based routing and mapping of external endpoints to internal Kubernetes services (application networking). Emissary-Ingress supports load balancing across service instances (traffic management), TLS termination and certificate management (network security), and integration with external identity providers for authentication and authorization (access control), when configured through supported mechanisms. Because it uses Envoy as the data plane (service proxy), it inherits HTTP/2, gRPC, and modern L7 traffic handling capabilities.

From an operational standpoint, Emissary-Ingress runs inside the Kubernetes cluster and is configured exclusively through Kubernetes resources, so cluster operators can manage it with the same tools and workflows used for other workloads. It supports multi-team environments by allowing teams to define their own mappings and policies within namespaces, while platform administrators can enforce cluster-wide constraints.

Within enterprise architectures, Emissary-Ingress is typically deployed at the edge of one or more Kubernetes clusters to handle external client traffic, API exposure, and service onboarding. It integrates into broader observability stacks via Envoy-compatible telemetry, enabling logging and metrics collection (observability) for traffic patterns and performance. As a project under the Cloud Native Computing Foundation umbrella, it fits into cloud-native platform stacks alongside Kubernetes and other CNCF projects, and can be categorized in directories as a Kubernetes-native API gateway and ingress controller for application-layer traffic management.