fix(sandbox): configure gVisor host network mode for Cilium eBPF comp

pkg/sandboxcli/commands.go

@@ -73,8 +73,12 @@
 		return sid, false, nil
 	}
 
+	var hosts []string
+	if raw := ctx.String("allowed-hosts"); raw != "" {
+		hosts = strings.Split(raw, ",")
+	}
 	resp, err := client.SandboxServiceClient.CreateSession(context.Background(), &pb.CreateSessionRequest{
-		TenantId: ctx.String("tenant"), RuntimeClass: "gvisor",
+		TenantId: ctx.String("tenant"), RuntimeClass: "gvisor", AllowedHosts: hosts,
 	})
 	if err != nil {
 		return "", false, fmt.Errorf("create session: %w", err)
@@ -159,6 +163,7 @@
 			cli.StringFlag{Name: "git-repo", Usage: "Git repo to clone (only when auto-creating session)"},
 			cli.StringFlag{Name: "git-ref", Value: "main", Usage: "Git ref for --git-repo"},
 			cli.StringFlag{Name: "git-path", Value: "repo", Usage: "Destination path for --git-repo"},
+			cli.StringFlag{Name: "allowed-hosts", Usage: "Comma-separated FQDN egress allowlist (only when auto-creating session)"},
 		},
 		Action: runAction,
 	}

pkg/sandboxmatrix/controller.go

@@ -175,6 +175,7 @@ func newWarmPod(cfg config.SandboxConfig, runtimeClass string) *corev1.Pod {
 			GenerateName: "sandbox-warm-",
 			Namespace:    cfg.Namespace,
 			Labels:       map[string]string{sandboxgrpc.LabelState: sandboxgrpc.StateWarm},
+			Annotations:  sandboxgrpc.GvisorAnnotations(runtimeClass),
 		},
 		Spec: warmPodSpec(runtimeClass, cfg),
 	}

pkg/sandboxmatrix/grpc/orchestrator.go

@@ -616,9 +616,10 @@ func (o *Orchestrator) claimOrCreatePod(ctx context.Context, sessionID, runtimeC
 	}
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      fmt.Sprintf("sandbox-%s", sessionID),
-			Namespace: sandboxNS,
-			Labels:    map[string]string{labelState: stateActive, labelSessionID: sessionID},
+			Name:        fmt.Sprintf("sandbox-%s", sessionID),
+			Namespace:   sandboxNS,
+			Labels:      map[string]string{labelState: stateActive, labelSessionID: sessionID},
+			Annotations: GvisorAnnotations(runtimeClass),
 		},
 		Spec: sandboxPodSpec(runtimeClass, pvcName, cpu, memory),
 	}
@@ -671,6 +672,17 @@ func SandboxPodSpec(runtimeClass, pvcName, cpu, memory, image string) corev1.Pod
 
 func boolPtr(b bool) *bool { return &b }
 
+// GvisorAnnotations returns pod annotations required for gVisor to work with
+// Cilium eBPF. The default netstack mode processes network in userspace,
+// bypassing Cilium's eBPF programs attached to veth pairs. Host network mode
+// forwards syscalls to the pod's kernel network namespace instead.
+func GvisorAnnotations(runtimeClass string) map[string]string {
+	if runtimeClass == "gvisor" {
+		return map[string]string{"gvisor.dev/network": "host"}
+	}
+	return nil
+}
+
 // ensureWorkspacePVC creates a PVC for the session workspace if it doesn't exist.
 func (o *Orchestrator) ensureWorkspacePVC(ctx context.Context, sessionID string) (string, error) {
 	pvcName := "workspace-" + sessionID
@@ -721,6 +733,16 @@ func (o *Orchestrator) applyCNP(ctx context.Context, session *sandboxv1.SandboxS
 			"endpointSelector": map[string]interface{}{
 				"matchLabels": map[string]interface{}{labelSessionID: session.Name},
 			},
+			"ingress": []interface{}{
+				map[string]interface{}{
+					"fromEntities": []interface{}{"host"},
+					"toPorts": []interface{}{
+						map[string]interface{}{
+							"ports": []interface{}{map[string]interface{}{"port": "2024", "protocol": "TCP"}},
+						},
+					},
+				},
+			},
 			"egress": []interface{}{
 				map[string]interface{}{
 					"toEndpoints": []interface{}{