Container Runtime Interface

This article contains my observations from various explorations I conducted regarding Kubernetes and docker. It might be a little unstructured, so bare with me. Also see to colima to read about various experiments I did with minikube.

The Container Runtime Interface is a plugin interface which enables the kubelet to use a wide variety of container runtimes, without having a need to recompile the cluster components.

Kubernetes repo contains a good readme on Why CRI?

Dockershim: the old way

Image ref

Historically, the early versions of Kubernetes only worked with a specific container runtime: Docker Engine. Later, Kubernetes added support for working with other container runtimes.

Image ref

The CRI standard was created to enable interoperability between orchestrators (like Kubernetes) and many different container runtimes (crun, rkt, hypernetes).

Docker Engine doesn’t implement that interface (CRI). To solve this, a small software shim (dockershim) was introduced as part of the kubelet component specifically to fill in the gaps between Docker Engine and CRI. But dockershim was never intended to be a permanent solution, and over the course of years, its existence has introduced a lot of unnecessary complexity to the kubelet itself.

Image ref

So dockershim was deprecated in k8s v1.20, and completely removed in v1.24.

As mentioned in this article from kubernetes:

You see, the thing we call “Docker” isn’t actually one thing—it’s an entire tech stack, and one part of it is a thing called “containerd,” which is a high-level container runtime by itself
Docker is cool and useful because it has a lot of UX enhancements that make it really easy for humans to interact with while we’re doing development work, but those UX enhancements aren’t necessary for Kubernetes, because it isn’t a human.

Docker isn’t compliant with CRI, the Container Runtime Interface. If it were, we wouldn’t need the shim, and this wouldn’t be a thing

CRI: the replacement

Kubelet always uses CRI except for using the rktnetes integration.
The old, pre-CRI Docker integration was removed in 1.7.

To maintain backward compatibility, Docker and Mirantis came together to develop the cri-docker

Widely used CRIs:

• containerd’s cri plugin (CNCF graduated)
• cri-o (CNCF graduated)
• cri-docker

Deprecated CRI:

• rktlet - a CRI for rkt (EOL) runtime
• frakti - a CRI for hypervisor (VM) based containers via runV (EOL). Replaced by kata-containers project.
• cri-containerd - replaced by the cri plugin inside containerd
• singularity-cri

Running kubelet with --container-runtime-endpoint is now deprecated, instead one must use kubelet’s --config option specifying the config file.

References:
The first release article (2016, k8s 1.5): https://kubernetes.io/blog/2016/12/container-runtime-interface-cri-in-kubernetes/
Not so updated readme file in k8s: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/container-runtime-interface.md

cri-tools

cri-tools provide CLI and validation tools for Kubelet Container Runtime Interface (CRI) .

crictl is a command-line interface for CRI-compatible container runtimes.
Supported comamands: images, ps
See the documentation