From 3b3b5f551625aef03e36fa78ac7a0b200182832a Mon Sep 17 00:00:00 2001
From: Xiao Deshi
Date: Sat, 6 Jun 2026 16:34:22 +0800
Subject: [PATCH] fix(sandbox): resolve DNS failure in gVisor sandbox pods

gVisor host network mode prevents Cilium from performing service load balancing (DNAT) on ClusterIP traffic, so DNS requests to the kube-dns ClusterIP (10.43.0.10) are dropped as "world" identity.

Three coordinated fixes:
- Disable Cilium global DNS proxy (dnsProxy.enabled: false) to stop eBPF-level DNS interception that gVisor cannot handle.
- Change CNP DNS egress rule from toEndpoints (kube-dns label matching) to toEntities: ["world"], matching how Cilium classifies gVisor-originated traffic.
- Set DNSPolicy: Default on sandbox pods so they use the node's DNS resolver instead of the unreachable ClusterIP.
---
 manifests/cilium.yaml | 2 +-
 pkg/sandboxmatrix/grpc/orchestrator.go | 8 ++------
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/manifests/cilium.yaml b/manifests/cilium.yaml
index c5413ede9..8f1e9085f 100644
--- a/manifests/cilium.yaml
+++ b/manifests/cilium.yaml
@@ -23,4 +23,4 @@ spec:
 k8sServiceHost: "%{API_SERVER_HOST}%"
 k8sServicePort: "%{API_SERVER_PORT}%"
 dnsProxy:
- enabled: true
+ enabled: false
diff --git a/pkg/sandboxmatrix/grpc/orchestrator.go b/pkg/sandboxmatrix/grpc/orchestrator.go
index 22d7d637f..326f5e73a 100644
--- a/pkg/sandboxmatrix/grpc/orchestrator.go
+++ b/pkg/sandboxmatrix/grpc/orchestrator.go
@@ -662,6 +662,7 @@ func SandboxPodSpec(runtimeClass, pvcName, cpu, memory, image string) corev1.Pod
 VolumeMounts: []corev1.VolumeMount{{Name: "workspace", MountPath: "/workspace"}},
 }},
 Volumes: []corev1.Volume{vol},
+ DNSPolicy: corev1.DNSDefault,
 RestartPolicy: corev1.RestartPolicyNever,
 }
 if runtimeClass != "" {
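Review bot: Flipping `enabled: false` under `dnsProxy` turns the DNS proxy off for every workload on the cluster, not only the gVisor sandbox pods that motivate this commit; if this is the proxy that backs Cilium's DNS-aware (toFQDNs) policies and DNS visibility, those stop working in every other namespace as well, and the description does not mention that. The manifest gives no hint of the trade-off either; a comment above the key such as `# Disabled cluster-wide: gVisor host-network pods cannot use the eBPF DNS proxy; toFQDNs-based policy and DNS visibility are lost for all workloads.` would record it. Before rollout it is worth confirming that no existing policy relies on toFQDNs, and if the deployed Cilium version offers a narrower (per-node or per-namespace) way to exempt the sandbox nodes, that would be the smaller change.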
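Review bot: `DNSPolicy: corev1.DNSDefault` is set unconditionally, so every sandbox pod now takes the node's resolv.conf and loses cluster-internal name resolution (the kube-dns search domains and `*.svc.cluster.local` names) unless the node resolver happens to forward those; if any sandbox workload reaches a cluster service by name this regresses silently. The field also carries no explanation of why a sandbox deviates from the cluster default, which the next reader will need; suggest `// gVisor host-network pods cannot reach the kube-dns ClusterIP (no Cilium DNAT), so resolve through the node's resolver instead.` above it. SandboxPodSpec starts and continues outside the hunk.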
@@ -745,12 +746,7 @@ func (o *Orchestrator) applyCNP(ctx context.Context, session *sandboxv1.SandboxS
 },
 "egress": []interface{}{
 map[string]interface{}{
- "toEndpoints": []interface{}{
- map[string]interface{}{"matchLabels": map[string]interface{}{
- "k8s:io.kubernetes.pod.namespace": "kube-system",
- "k8s:k8s-app": "kube-dns",
- }},
- },
+ "toEntities": []interface{}{"world"},
 "toPorts": []interface{}{
 map[string]interface{}{
 "ports": []interface{}{map[string]interface{}{"port": "53", "protocol": "ANY"}},
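Review bot: Replacing the kube-dns endpoint selector with `"toEntities": []interface{}{"world"}` on port 53 widens the DNS allow from one pinned destination to any off-cluster host, and with the DNS proxy disabled in the same commit there is no DNS-level visibility or filtering left to compensate; from the sandbox's side that is an unrestricted port-53 egress path, which a sandbox policy normally wants to avoid. If the node resolver addresses are known, a `toCIDRSet` on those addresses keeps the rule pinned; otherwise the widened scope deserves a comment next to the rule, e.g. `// world: gVisor host-network traffic is not classified as a cluster endpoint, so kube-dns cannot be selected by label; this allows port 53 to any external host.` The unchanged `"protocol": "ANY"` context line keeps both UDP and TCP open to that scope. applyCNP starts and continues outside the hunk.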