Skip to content

Egress support#11

Draft
npolshakova wants to merge 5 commits into
kagent-dev:mainfrom
npolshakova:egress-support
Draft

Egress support#11
npolshakova wants to merge 5 commits into
kagent-dev:mainfrom
npolshakova:egress-support

Conversation

@npolshakova

@npolshakova npolshakova commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown

Draft prototype for agent-substrate#126 with agentgateway.

Goal is to start with ActorTemplate.spec.egressPolicy only and focus on workload-intent use cases. We may later want to add standalone EgressPolicy later when global, namespace, or actor-specific policy becomes necessary.

Testing

Setup

./hack/install-ate-kind.sh --bundle-agentgateway-egress=enable --deploy-ate-system --router=agentgateway
./hack/install-ate-kind.sh --bundle-agentgateway-egress=enable --deploy-demo-counter

Create actor:

kubectl ate create actor my-counter-egress --template ate-demo-counter/counter

Port-forward router:

kubectl port-forward -n ate-system svc/atenet-router 8000:80

With this egress policy on ActorTemplate:

apiVersion: ate.dev/v1alpha1
kind: ActorTemplate
metadata:
  name: counter
  namespace: ate-demo-counter
spec:
  containers:
  - command:
    - /ko-app/counter
    image: localhost:5001/counter-7b2c368808ac33f45c7ab87955715526@sha256:af50a1849d08a9841fc802879bd65642cfaf20fea5263f66eaa806d4398fe41a
    name: counter
  egressPolicy:
    allow:
    - name: example
      ports:
      - port: 80
        protocol: TCP
      - port: 443
        protocol: TCP
      to:
      - host: example.com
    audit:
      logs: true
    defaultAction: Deny
  pauseImage: registry.k8s.io/pause:3.10.2@sha256:f548e0e8e3dc1896ca956272154dde3314e8cc4fde0a57577ee9fa1c63f5baf4
  runsc:
    amd64:
      sha256Hash: a397be1abc2420d26bce6c70e6e2ff96c73aaaab929756c56f5e2089ea842b63
      url: gs://gvisor/releases/nightly/2026-05-19/x86_64/runsc
    arm64:
      sha256Hash: 1ba2366ae2efceba166046f51a4104f9261c9cb72c6db8f5b3fe2dc57dea86b9
      url: gs://gvisor/releases/nightly/2026-05-19/aarch64/runsc
  snapshotsConfig:
    location: gs://ate-snapshots/ate-demo-counter/
  workerPoolRef:
    name: counter
    namespace: ate-demo-counter
status:
  conditions:
  - lastTransitionTime: "2026-06-03T21:33:11Z"
    message: Actor template is ready for use
    reason: Ready
    status: "True"
    type: Ready
  goldenActorID: 61086d07-c811-4355-ac76-b01fb0b40c89
  goldenSnapshot: gs://ate-snapshots/ate-demo-counter/61086d07-c811-4355-ac76-b01fb0b40c89/2026-06-03T21:33:11Z-K4RJGWVL5YLWJQAHOYDSVNVN4J
  phase: Ready
  takeGoldenSnapshotAt: "2026-06-03T21:33:11Z"

Request to http://example.com/ or https://example.com/ will work:

❯   curl -i \
    -H "Host: my-counter-policy.actors.resources.substrate.ate.dev" \
    "http://localhost:8000/egress?url=https://example.com/"
HTTP/1.1 200 OK
date: Wed, 03 Jun 2026 21:33:25 GMT
content-length: 571
content-type: text/plain; charset=utf-8

egress url: https://example.com/
status: 200
body_prefix:
<!doctype html><html lang="en"><head><title>Example Domain</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style></head><body><div><h1>Example Domain</h1><p>This domain is for use in documentation examples without needing permission. Avoid use in operations.</p><p><a href="https://iana.org/domains/example">Learn more</a></p></div

But other requests will get 502:

❯   curl -i \
    -H "Host: my-counter-policy.actors.resources.substrate.ate.dev" \
    "http://localhost:8000/egress?url=https://www.google.com/generate_204"
HTTP/1.1 502 Bad Gateway
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
date: Wed, 03 Jun 2026 21:33:59 GMT
content-length: 85

Get "https://www.google.com/generate_204": dial tcp 142.251.152.119:443: i/o timeout

The logs will show the egress policy is resolved:

❯   kubectl logs -n ate-demo-counter \
    -l ate.dev/worker-pool=counter \
    -c ateom \
    --tail=200 | grep "Resolved egress policy host"
{"time":"2026-06-03T21:33:19.586841094Z","level":"INFO","msg":"Resolved egress policy host","host":"example.com","ip":"104.20.23.154","ate.dev/trace-id":"c81ee4b3c293a397a820aaa80cfc6a2e"}
{"time":"2026-06-03T21:33:19.58686126Z","level":"INFO","msg":"Resolved egress policy host","host":"example.com","ip":"172.66.147.243","ate.dev/trace-id":"c81ee4b3c293a397a820aaa80cfc6a2e"}

yuval-k and others added 3 commits June 11, 2026 13:22
@yuval-k @EItanya
release workflow (agent-substrate#6)
0090024 
* wip - publish release

* release yaml
@EItanya @howardjohn @peterj
router: add pluggable networking providers (agent-substrate#10)
2008818 
* router: add pluggable networking providers

* make websockets work in agw, make agw default in install script

Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>

---------

Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
Co-authored-by: John Howard <john.howard@solo.io>
Co-authored-by: Peter Jausovec <peter.jausovec@solo.io>
@yuval-k @EItanya @peterj
feat: allow running with vanilla k8s (agent-substrate#3)
6105286 
* enable websockets (agent-substrate#4)

Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
Co-authored-by: Peter Jausovec <peter.jausovec@solo.io>

* feat: allow running with vanilla k8s

- add a helm chart
- allow JWT auth instead of mTLS

* update helm chart images

* fix rbac. note that JWT verification is not cached and might not work on some k8s distributions that not expose the JWKS

* fix: add chart boilerplate headers

* fix: support jwt helm install on plain kind

* feat: add substrate crds helm chart

* feat: make jwt helm installs standalone

* fix: make helm defaults cloud-neutral

* fix: sync crd chart templates

* fix: use agentgateway in helm chart

* fix: update agentgateway install overlays

* fix: project agentgateway tls key separately

---------

Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
Co-authored-by: Eitan Yarmush <eitan.yarmush@solo.io>
Co-authored-by: Peter Jausovec <peter.jausovec@solo.io>
@npolshakova npolshakova mentioned this pull request Jun 11, 2026
Closed
@npolshakova
wip
c2536ed 
Signed-off-by: npolshakova <nina.polshakova@solo.io>

wip

Signed-off-by: npolshakova <nina.polshakova@solo.io>

wip

Signed-off-by: npolshakova <nina.polshakova@solo.io>
@EItanya EItanya force-pushed the main branch 2 times, most recently from 6d7b14d to a3b8f7f Compare June 16, 2026 13:29
@npolshakova
wip
97c9dc3 
Signed-off-by: npolshakova <nina.polshakova@solo.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@npolshakova @yuval-k @EItanya