gVisor demo (minikube)

This demo compares a normal container runtime (runc) vs gVisor using the demo-nginx and demo-nginx-gvisor deployments in the cydu namespace.

Prereqs

• Minikube with containerd + gVisor addon:

bash minikube start --container-runtime=containerd minikube addons enable gvisor

Apply the demo

bash kubectl apply -f k8s/demo-gvisor.yaml

How to tell which pod is gVisor

RuntimeClass name:

bash kubectl get pods -n cydu -o custom-columns=NAME:.metadata.name,RUNTIMECLASS:.spec.runtimeClassName

Behavior check using dmesg:

• gVisor returns a synthetic log (you will see lines like "Starting gVisor...")
• Non-gVisor reads the host kernel ring buffer

dmesg demo (CAP_SYSLOG enabled)

Get pod names:

bash kubectl get pods -n cydu

Check dmesg output:

bash kubectl exec -n cydu <demo-nginx-pod> -- dmesg | head -n 5 kubectl exec -n cydu <demo-nginx-gvisor-pod> -- dmesg | head -n 5

Clear dmesg inside the pod:

bash kubectl exec -n cydu <demo-nginx-pod> -- dmesg -C kubectl exec -n cydu <demo-nginx-gvisor-pod> -- dmesg -C

Notes:

• In the non-gVisor pod, dmesg -C clears the host kernel ring buffer.
• In the gVisor pod, dmesg -C clears only the synthetic gVisor buffer.

Optional: show a stronger isolation difference

If you want a demo that fails in gVisor but succeeds in runc, use ptrace (strace -p 1) or mount (with CAP_SYS_ADMIN).