6 min • read

Get traffic from the edge


The core Emissary-ingress resource used to manage cluster ingress is the Mapping resource.

A Mapping resource routes a URL path (or prefix) to a service (either a Kubernetes service or other web service).


This Mapping would route requests to https://<hostname>/webapp/ to the webapp-svc Service. This is not a complete example on its own; see below.

metadata.nameStringIdentifies the Mapping.
spec.prefixStringThe URL prefix identifying your resource. See below on how Emissary-ingress handles resources.
spec.serviceStringThe service handling the resource. If a Kubernetes service, it must include the namespace (in the format service.namespace) if the service is in a different namespace than Emissary-ingress. See below on service name formatting.

Here's another example using a web service that maps requests to /httpbin/ to http://httpbin.org (again, this is not a complete example on its own; see below):

Complete example configuration

For demonstration purposes, here's a possible way of combining a Listener, a Host, and both Mappings above that is complete and functional:

  • it will accept HTTP or HTTPS on port 8443;
  • Emissary-ingress is terminating TLS;
  • HTTPS to foo.example.com will be routed as above;
  • HTTP to foo.example.com will be redirected to HTTPS;
  • HTTP or HTTPS to other hostnames will be rejected; and
  • the associations between the Listener, the Host, and the Mappings use Kubernetes labels.

Note the addition of labels and selectors to explicitly specify which resources should associate in this example.

Applying a Mapping resource

A Mapping resource can be managed using the same workflow as any other Kubernetes resources (like a Service or Deployment). For example, if the above Mapping is saved into a file called httpbin-mapping.yaml, the following command will apply the configuration directly to Emissary-ingress:


To Emissary-ingress, a resource is a group of one or more URLs that all share a common prefix in the URL path. For example, these URLs all share the /resource1/ path prefix, so /resource1/ can be considered a single resource:

  • https://ambassador.example.com/resource1/foo
  • https://ambassador.example.com/resource1/bar
  • https://ambassador.example.com/resource1/baz/zing

On the other hand, these URLs share only the prefix / -- you could tell Emissary-ingress to treat them as a single resource, but it's probably not terribly useful.

  • https://ambassador.example.com/resource1/foo
  • https://ambassador.example.com/resource2/bar
  • https://ambassador.example.com/resource3/baz/zing

Note that the length of the prefix doesn't matter; a prefix like /v1/this/is/my/very/long/resource/name/ is valid.

Also note that Emissary-ingress does not actually require the prefix to start and end with / -- however, in practice, it's a good idea. Specifying a prefix of /man would match all of the following, which probably is not what was intended:

  • https://ambassador.example.com/man/foo
  • https://ambassador.example.com/mankind
  • https://ambassador.example.com/man-it-is/really-hot-today


Emissary-ingress routes traffic to a service. A service is defined as [scheme://]service[.namespace][:port]. Everything except for the service is optional.

  • scheme can be either http or https; if not present, the default is http.
  • service is the name of a service (typically the service name in Kubernetes or Consul); it is not allowed to contain the . character.
  • namespace is the namespace in which the service is running. Starting with Emissary-ingress 1.0.0, if not supplied, it defaults to the namespace in which the Mapping resource is defined. The default behavior can be configured using the Module resource. When using a Consul resolver, namespace is not allowed.
  • port is the port to which a request should be sent. If not specified, it defaults to 80 when the scheme is http or 443 when the scheme is https. Note that the resolver may return a port in which case the port setting is ignored.

Extending Mappings

Mapping resources support a rich set of annotations to customize the specific routing behavior. Here's an example service for implementing the CQRS pattern (using HTTP):

Best Practices

Emissary-ingress's configuration is assembled from multiple YAML blocks which are managed by independent application teams. This implies that certain best practices should be followed.

Emissary-ingress's configuration should be under version control.

While you can always read back the Emissary-ingress's configuration from Kubernetes or its diagnostic service, the Emissary-ingress will not do versioning for you.

Emissary-ingress tries to not start with a broken configuration, but it's not perfect.

Gross errors will result in the Emissary-ingress refusing to start, in which case kubectl logs will be helpful. However, it's always possible to map a resource to the wrong service, or use the wrong rewrite rules. Emissary-ingress can't detect that on its own, although its diagnostic service can help you figure it out.

Be careful of mapping collisions.

If two different developers try to map /myservice/ to something, this can lead to unexpected behavior. Emissary-ingress's canary deployment logic means that it's more likely that traffic will be split between them than that it will throw an error -- again, the diagnostic service can help you here.

Unless specified, mapping attributes cannot be applied to any other resource type.

What's next?

There are many options for advanced mapping configurations, with features like automatic retries, timeouts, rate limiting, redirects, and more.