Naftiko Capabilities for Ambassador Edge Stack

April 25, 2026
Ambassador Edge Stack is a Kubernetes-native API gateway and ingress controller built on Envoy Proxy. It manages the traffic surface of Kubernetes deployments through declarative configuration: mappings that route traffic, hosts that define domains, TLS contexts that secure connections, and rate limits that protect upstream services. The Naftiko capability for Ambassador exposes the full configuration surface as MCP tools.

What the Capability Covers

The gateway-management capability wraps the Ambassador Admin API and exposes every major configuration resource as a governed tool — diagnostics, mappings, hosts, TLS contexts, rate limits, and modules.

MCP Tools Available

get-diagnostics, check-ready, check-alive, list-mappings, create-mapping, get-mapping, update-mapping, delete-mapping, list-hosts, create-host, get-host, update-host, delete-host, list-tls-contexts, create-tls-context, get-tls-context, update-tls-context, delete-tls-context, list-rate-limits, create-rate-limit, get-rate-limit, update-rate-limit, delete-rate-limit, list-modules, get-module, update-module

Capability Specification

naftiko: "1.0.0-alpha1"

info:
  label: "Ambassador Gateway Management"
  description: "Unified gateway management workflow for platform engineers and DevOps teams to configure API routing, TLS termination, rate limiting, and health monitoring across Ambassador Edge Stack instances."
  tags:
    - Ambassador
    - API Gateway
    - Kubernetes

binds:
  - namespace: env
    keys:
      AMBASSADOR_API_TOKEN: AMBASSADOR_API_TOKEN

capability:
  consumes:
    - namespace: edge-stack
      type: http
      baseUri: https://api.getambassador.io
      authentication:
        type: bearer
        token: ""
      resources:
        - name: diagnostics
          path: "/ambassador/v0/diag/"
          operations:
            - name: get-diagnostics
              method: GET
        - name: mappings
          path: "/apis/getambassador.io/v3alpha1/mappings/{name}"
          operations:
            - name: list-mappings
              method: GET
            - name: create-mapping
              method: POST
        - name: hosts
          path: "/apis/getambassador.io/v3alpha1/hosts/{name}"
          operations:
            - name: list-hosts
              method: GET
        - name: rate-limits
          path: "/apis/getambassador.io/v3alpha1/ratelimits/{name}"
          operations:
            - name: list-rate-limits
              method: GET

  exposes:
    - type: mcp
      port: 9080
      namespace: gateway-management-mcp
      transport: http
      description: "MCP server for AI-assisted Ambassador Edge Stack management."
      tools:
        - name: get-diagnostics
          description: "Retrieve Ambassador gateway diagnostics and configuration overview."
          hints:
            readOnly: true
          call: "edge-stack.get-diagnostics"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-mappings
          description: "List all traffic routing mappings configured in Ambassador."
          hints:
            readOnly: true
          call: "edge-stack.list-mappings"
          outputParameters:
            - type: object
              mapping: "$."

        - name: create-mapping
          description: "Create a new traffic routing mapping in Ambassador."
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: "edge-stack.create-mapping"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-hosts
          description: "List all host configurations defining domains and TLS settings."
          hints:
            readOnly: true
          call: "edge-stack.list-hosts"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-rate-limits
          description: "List all rate limit policies applied across the gateway."
          hints:
            readOnly: true
          call: "edge-stack.list-rate-limits"
          outputParameters:
            - type: object
              mapping: "$."

Running It

docker pull ghcr.io/naftiko/framework:latest

# Set AMBASSADOR_API_TOKEN in your .env file
docker run -p 9080:9080 \
  -v ./capabilities/gateway-management.yaml:/app/capability.yaml \
  --env-file .env \
  ghcr.io/naftiko/framework:latest /app/capability.yaml

With the full Ambassador surface available as MCP tools, an AI agent can audit your Kubernetes ingress configuration, identify misconfigured mappings, check TLS coverage, and propose rate limit policies. The Ambassador capability is part of the Naftiko Fleet.
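
In the capability specification above, each exposed tool carries a `hints.readOnly` flag and a `call` that points at a consumed operation with an HTTP method. The following added example (not Naftiko's code) cross-checks the two and lists the tools that should sit behind an approval step before an agent can call them. It assumes `call` resolves as `namespace.operation`, as the values on this page suggest; the spec is transcribed into Python literals, and the `BAD_*` entries are constructed samples.

```python
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Transcribed from the spec: consumes namespace -> operation -> HTTP method.
OPERATIONS = {"edge-stack": {
    "get-diagnostics": "GET", "list-mappings": "GET", "create-mapping": "POST",
    "list-hosts": "GET", "list-rate-limits": "GET",
}}

# Transcribed from the spec: exposed tool -> (readOnly hint, call target).
TOOLS = {
    "get-diagnostics": (True, "edge-stack.get-diagnostics"),
    "list-mappings": (True, "edge-stack.list-mappings"),
    "create-mapping": (False, "edge-stack.create-mapping"),
    "list-hosts": (True, "edge-stack.list-hosts"),
    "list-rate-limits": (True, "edge-stack.list-rate-limits"),
}

# CONSTRUCTED samples, not from the page: a mislabelled tool and a dangling call.
BAD_OPERATIONS = {"edge-stack": {"delete-mapping": "DELETE"}}
BAD_TOOLS = {
    "delete-mapping": (True, "edge-stack.delete-mapping"),
    "get-module": (True, "edge-stack.get-module"),
}


def _method(call, operations):
    """Resolve 'namespace.operation' to its HTTP method, or None if undeclared."""
    namespace, _, operation = call.partition(".")
    return operations.get(namespace, {}).get(operation)


def lint_tools(tools, operations):
    """Return sorted (tool, problem) pairs where a hint contradicts its call."""
    findings = []
    for name, (read_only, call) in tools.items():
        method = _method(call, operations)
        if method is None:
            findings.append((name, "call target not declared under consumes"))
        elif read_only is None:
            findings.append((name, "missing readOnly hint"))
        elif read_only and method not in SAFE_METHODS:
            findings.append((name, f"readOnly hint on {method} operation"))
    return sorted(findings)


def needs_approval(tools, operations):
    """Tools to gate behind review: unsafe method or unresolved call target."""
    return sorted(n for n, (_, call) in tools.items()
                  if _method(call, operations) not in SAFE_METHODS)
```

Running `lint_tools` in CI on every spec change catches a mutating operation that was labelled read-only before an agent is allowed to call it unattended.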