Skip to main content
< All Topics

Container Runtime Interface

Posted
Updated
Author -Rajkumar Aute
Views54

The Container Runtime is the low-level software responsible for pulling container images from a registry (like Docker Hub or ECR), unpacking them, and running the application processes in an isolated environment.

The CRI (Container Runtime Interface)

Historically, Kubernetes was tightly coupled with Docker. To allow flexibility, Kubernetes introduced the CRI, a plugin interface. Kubelet calls the CRI (via gRPC), and the CRI implementation talks to the specific runtime.

  1. Containerd: An industry-standard runtime (graduated CNCF project). It was originally part of Docker but was spun out as a standalone, lightweight runtime. It is the most popular choice for modern Kubernetes clusters.
  2. CRI-O: A lightweight runtime designed specifically for Kubernetes. It implements the CRI to run OCI (Open Container Initiative) compatible runtimes. It is minimalist and optimized solely for K/8s.
  3. Docker Engine (Legacy): While still used, Kubernetes has deprecated the direct “dockershim” bridge. Modern clusters prefer Containerd or CRI-O directly.
  4. gVisor / Kata Containers: These are “sandboxed” runtimes. They provide stronger isolation (like lightweight VMs) for enhanced security, ensuring that a compromised container cannot easily access the host kernel.

Implicit Components (The Unsung Heroes)

While the three components above are the “Big Three,” a Worker Node relies on a few others to function correctly:

cAdvisor (Container Advisor)
  • Role: The Monitor.
  • Function: Often built directly into the Kubelet binary, cAdvisor collects, aggregates, and processes information about running containers. It tracks resource usage (CPU, memory, file system, network) and provides this data to the Kubelet (and metrics servers like Prometheus).
CNI Plugin (Container Network Interface)
  • Role: The Electrician (Wiring).
  • Function: While Kube-Proxy handles routing rules, the CNI plugin (like Calico, Flannel, Cilium) is responsible for actually configuring the network interface when a Pod starts. It assigns the IP address to the Pod and connects it to the cluster network bridge.
  • Workflow: Kubelet calls the CNI plugin after the sandbox container is created to set up networking.

Contents
Scroll to Top