fix(sandbox): resolve DNS failure in gVisor sandbox pods #496

Merged: xiaods merged 1 commit into main from dev on Jun 6, 2026
xiaods (Owner) commented Jun 6, 2026

gVisor host network mode prevents Cilium from performing service load balancing (DNAT) on ClusterIP traffic, so DNS requests to the kube-dns ClusterIP (10.43.0.10) are dropped as "world" identity.

Three coordinated fixes:

  • Disable Cilium global DNS proxy (dnsProxy.enabled: false) to stop eBPF-level DNS interception that gVisor cannot handle.
  • Change CNP DNS egress rule from toEndpoints (kube-dns label matching) to toEntities: ["world"], matching how Cilium classifies gVisor-originated traffic.
  • Set DNSPolicy: Default on sandbox pods so they use the node's DNS resolver instead of the unreachable ClusterIP.
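
The second and third changes from the description, sketched as manifests. This is an added example, not the PR's diff or the project's own files; the policy names, the `sandboxes` namespace, the `app: sandbox` label, the `gvisor` RuntimeClass name and the image are assumptions.

```yaml
# Constructed example: names, namespace, labels and image are hypothetical.
# Before: DNS egress only to kube-dns endpoints (label match).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: sandbox-dns-before
  namespace: sandboxes
spec:
  endpointSelector:
    matchLabels: {app: sandbox}
  egress:
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - {port: "53", protocol: UDP}
            - {port: "53", protocol: TCP}
---
# After: DNS egress to the "world" entity, as the PR describes.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: sandbox-dns-after
  namespace: sandboxes
spec:
  endpointSelector:
    matchLabels: {app: sandbox}
  egress:
    - toEntities: ["world"]
      toPorts:
        - ports:
            - {port: "53", protocol: UDP}
            - {port: "53", protocol: TCP}
---
# Sandbox pod using the node's resolver configuration instead of the ClusterIP.
apiVersion: v1
kind: Pod
metadata:
  name: sandbox-example
  namespace: sandboxes
  labels: {app: sandbox}
spec:
  runtimeClassName: gvisor   # assumed RuntimeClass name
  dnsPolicy: Default
  containers:
    - name: workload
      image: registry.example/sandbox:placeholder
```

The `world` entity covers every destination outside the cluster, so the second policy permits port 53 to any external address, not only the node's resolver. Where the upstream resolver addresses are known, a `toCIDR` rule limited to them is narrower.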

github-actions Bot (Contributor) commented Jun 6, 2026

Test Results

306 tests  ±0   306 ✅ ±0   4m 14s ⏱️ -13s
110 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 3b3b5f5. ± Comparison against base commit 6cc05f2.

♻️ This comment has been updated with latest results.

xiaods merged commit c74c266 into main on Jun 6, 2026 (8 checks passed)