Description
Substrate should support transparent egress policy for actors. This should let operators define which external destinations an actor can reach without requiring actor code changes or proxy environment variables.
The policy model should be actor-aware rather than only pod-aware. Actors are dynamically started, restored, suspended, and reused across workers, so egress policy needs to follow actor and template identity through that lifecycle.
Credential handling is a large motivation. Today, if an actor needs to call an external service, credentials generally need to be made available inside the actor runtime. That increases the blast radius if the actor is compromised or prompt-injected, because the actor can potentially exfiltrate credentials or use them against unintended destinations.
Substrate should instead support destination-scoped credential injection. The runtime should be able to attach a configured credential only when the actor is calling an explicitly allowed destination. The actor should not need direct access to the raw credential by default.
Goals
- Default-deny actor egress.
- Allow egress by host and port.
- Apply policy without actor application changes.
- Support destination-scoped credential injection for allowed destinations.
- Keep raw credentials out of the actor environment when possible.
- Support plaintext HTTP policy.
- Support HTTPS passthrough and HTTPS inspection modes.
- Clean up policy state when actors suspend, fail, or move workers.
- Expose effective policy status for debugging.
- Emit audit-relevant allow and deny decisions.
Non-Goals
- Do not require actor applications to set proxy environment variables.
- Do not require actor application code changes.
HTTPS Inspection and MITM
HTTPS policy has two useful modes:
- Passthrough: allow or deny TLS connections based on connection metadata such as hostname and port, without decrypting application traffic.
- Inspection: terminate actor-side TLS, inspect or modify the HTTP request, then establish upstream TLS to the destination.
Credential injection for HTTPS generally requires inspection. If the runtime needs to add an authorization header or similar request credential, it must be able to see and modify the HTTP request before it is sent upstream.
Inspection requires the actor to trust a Substrate-managed certificate authority. That trust can be prepared before golden snapshot creation or provided through a runtime trust bundle. This should be explicit in the policy mode because some workloads will not support inspection:
- Certificate-pinned clients may fail.
- Workloads with private trust stores may need extra integration.
- Some users may prefer passthrough mode for destinations where inspection is not required.
Example Capability Sketch
This is intentionally illustrative rather than a final API.
egress:
defaultAction: Deny
rules:
- to:
host: api.example.com
ports: [443]
mode: Inspect
credential:
header:
name: Authorization
valueFrom:
secretKeyRef:
name: api-example-credentials
key: bearer-token
- to:
host: docs.example.com
ports: [443]
mode: PassthroughOpen Questions
- Should the initial policy be namespace-scoped only?
- Should policy attach directly to actor templates, select actor templates, or both?
- What should the default be when no policy selects a template?
- Should multiple selected policies merge, or should that be rejected?
- What are the minimum useful policy modes for v1?
- How should policy changes apply to already-running actors?
- How should certificate trust be distributed for HTTPS inspection?
- What status fields are needed to make debugging effective policy easy?
Description
Substrate should support transparent egress policy for actors. This should let operators define which external destinations an actor can reach without requiring actor code changes or proxy environment variables.
The policy model should be actor-aware rather than only pod-aware. Actors are dynamically started, restored, suspended, and reused across workers, so egress policy needs to follow actor and template identity through that lifecycle.
Credential handling is a large motivation. Today, if an actor needs to call an external service, credentials generally need to be made available inside the actor runtime. That increases the blast radius if the actor is compromised or prompt-injected, because the actor can potentially exfiltrate credentials or use them against unintended destinations.
Substrate should instead support destination-scoped credential injection. The runtime should be able to attach a configured credential only when the actor is calling an explicitly allowed destination. The actor should not need direct access to the raw credential by default.
Goals
Non-Goals
HTTPS Inspection and MITM
HTTPS policy has two useful modes:
Credential injection for HTTPS generally requires inspection. If the runtime needs to add an authorization header or similar request credential, it must be able to see and modify the HTTP request before it is sent upstream.
Inspection requires the actor to trust a Substrate-managed certificate authority. That trust can be prepared before golden snapshot creation or provided through a runtime trust bundle. This should be explicit in the policy mode because some workloads will not support inspection:
Example Capability Sketch
This is intentionally illustrative rather than a final API.
Open Questions