This feature is supported in Ambassador Pro. Ambassador Pro helps developers and operators accelerate their adoption of Kubernetes.

Register here to get started with a free trial of Ambassador Pro.

Installing Ambassador Pro

Ambassador Pro is a commercial version of Ambassador that includes integrated SSO, flexible rate limiting, and more. In this tutorial, we'll walk through the process of installing Ambassador Pro in Kubernetes.

1. Install and Configure Ambassador

This guide assumes you have Ambassador installed and configured. If this is not the case, follow the Ambassador installation guide to get Ambassador running before continuing.

2. Create the Ambassador Pro registry credentials secret.

Your credentials to pull the image from the Ambassador Pro registry were given in the signup email. If you have lost this email, please contact us at

kubectl create secret docker-registry ambassador-pro-registry-credentials --docker-username=<CREDENTIALS USERNAME> --docker-password=<CREDENTIALS PASSWORD> --docker-email=<YOUR EMAIL>
  • <CREDENTIALS USERNAME>: Username given in signup email
  • <CREDNETIALS PASSWORD>: Password given in signup email
  • <YOUR EMAIL>: Your email address

3. Download the Ambassador Pro Deployment File

Ambassador Pro is deployed as an additional set of Kubernetes services that integrate with Ambassador. In addition, Ambassador Pro also relies on a Redis instance for its rate limit service. The default configuration for Ambassador Pro is available at Download this file locally:

curl -O ""

Next, ensure the namespace field in the ClusterRoleBinding is configured correctly for your particular deployment. If you are not installing Ambassador into the default namespace, you will need to update this file accordingly.

4. Single-Sign On

Ambassador Pro's authentication service requires some additional information about your Identity Provider. This is done by configuring environment variables in the deployment manifest.

apiVersion: extensions/v1beta1
kind: Deployment
  name: ambassador-pro-auth
  replicas: 1
      service: ambassador-pro-auth
        service: ambassador-pro-auth
      serviceAccountName: ambassador-pro
      - name: ambassador-pro
        - containerPort: 8080
#         Configure to your callback URL
          - name: AUTH_CALLBACK_URL
            value: ""
#         Configure to your Auth0 domain
          - name: AUTH_DOMAIN
            value: ""
#         Configure to your Auth0 API Audience
          - name: AUTH_AUDIENCE
            value: ""
#         Configure to your Auth0 Application client ID
          - name: AUTH_CLIENT_ID
            value: ""
#          Uncomment if you want the Auth0 management API to validate your configurations
#          - name: AUTH_CLIENT_SECRET
#            value: <CLIENT SECRET>
      - name: ambassador-pro-registry-credentials

Configure the AUTH_CALLBACK_URL, AUTH_DOMAIN, AUTH_AUDIENCE, and AUTH_CLIENT_ID variables by following the Single Sign-On with OAuth and OIDC guide.

After configuring the authentication, you will need to configure an AuthService for Ambassador. You can do this by updating the Ambassador Pro Kubernetes service, like the below:

apiVersion: v1
kind: Service
  name: ambassador-pro
  annotations: |
      apiVersion: ambassador/v0
      kind: RateLimitService
      name: ambassador-pro
      service: "ambassador-pro:8081"
      apiVersion: ambassador/v0
      kind:  AuthService
      name:  authentication
      auth_service: ambassador-pro
        - "Authorization"
        - "Client-Id"
        - "Client-Secret"

(For the sake of brevity, the full Kubernetes service is not duplicated above.)

5. Deploy Ambassador Pro

Once you have fully configured Ambassador Pro, deploy the your configuration:

kubectl apply -f ambassador-pro.yaml

Verify that Ambassador Pro is running:

kubectl get pods | grep pro
ambassador-pro-79494c799f-vj2dv        2/2       Running            0         1h
ambassador-pro-redis-dff565f78-88bl2   1/1       Running            0         1h

6. Restart Ambassador

Restart Ambassador once Pro is deployed so it will update the AuthService and RateLimitService configuration. You can do this by deleting the Ambassador pods and letting the deployment redeploy the pods.


For more details on Ambassador Pro, see: