Skip to main content


Emissary-ingress is a Kubernetes-native API Gateway built on the Envoy Proxy.

Emissary-ingress evaluates incoming client API requests and routes them to the appropriate backend APIs through Mappings and Listeners. While routing requests and providing responses, OPA can be configured as a external authorization service.

This tutorial shows how OPA can be integrated with Emissary-ingress for API authorization and enforce security policies over client API requests received by Emissary-ingress.


OPA is added as an external authorization service through AuthService Custom Resource Definitions (CRD).