containerd CRI Plugin
The containerd CRI plugin implements the Kubernetes Container Runtime Interface, making containerd the default and recommended runtime for Kubernetes. Learn how it works and how to configure it.
The Container Runtime Interface (CRI) is a plugin interface that allows Kubernetes to use different container runtimes without recompiling. It defines gRPC APIs for managing containers, images, and pods. Any runtime that implements CRI can be used with Kubernetes.
CRI was introduced in Kubernetes v1.5 to enable pluggable container runtimes. Before CRI, Kubernetes was tightly coupled with Docker. CRI made Kubernetes runtime-agnostic, allowing it to work with containerd, CRI-O, and other runtimes.
The containerd CRI plugin is a built-in plugin that implements the Kubernetes CRI. It allows containerd to serve as the container runtime for Kubernetes nodes. When kubelet makes CRI calls, the plugin translates them to containerd operations.
The CRI plugin handles all the container operations that Kubernetes needs: pod sandbox management (pause containers), container lifecycle (create, start, stop, delete), image management (pull, list, remove), and pod networking (CNI integration).
# Check CRI plugin status
crictl info
crictl info | grep -A 5 -i "cri"
# Check containerd CRI configuration
containerd config dump | grep -A 20 "io.containerd.grpc.v1.cri"
- Pod Sandbox Management: Creates and manages pause containers (sandboxes) for each pod.
- Container Lifecycle: Complete container management (create, start, stop, delete, status).
- Image Management: Pull, list, inspect, and remove container images.
- Networking Integration: Works with CNI plugins for pod networking.
- Volume Support: Manages volume mounts for containers.
- Runtime Configuration: Supports different runtimes (runc, Kata, gVisor).
- Metrics Collection: Provides metrics for container resource usage.
- Event Reporting: Reports container events to kubelet.
The CRI plugin is configured in containerd's config.toml file. The configuration controls various aspects of the runtime behavior.
# /etc/containerd/config.toml
version = 2
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "registry.k8s.io/pause:3.9"
max_container_log_line_size = 16384
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"
snapshotter = "overlayfs"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
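[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
# Per-registry mirrors belong in hosts.toml files under config_path. containerd
# rejects a config that sets both config_path and registry.mirrors, so use the
# inline form below only when config_path is unset.
# [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
# endpoint = ["https://registry-1.docker.io"]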
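Registry settings in the CRI section decide where node images come from and whether the pull is authenticated by TLS, so they are worth linting before containerd is restarted. The following is an added example, not code from the original page or from the containerd project: the function names, the finding labels and the sample file are assumptions made here, and `insecure_skip_verify` is containerd's per-registry TLS key, which this page does not otherwise mention.

```sh
#!/bin/sh
# Added example, not containerd tooling: lint the CRI registry tables of a
# version 2 config.toml. One finding per line; returns non-zero if any.
audit_cri_registry() {
  awk '
    /^[ \t]*#/  { next }                        # skip comment lines
    /^[ \t]*\[/ {                               # TOML table header
      section = $0
      if (section ~ /\.registry\.mirrors\./) mirrors = 1
      next
    }
    # non-empty config_path in the CRI registry table
    section ~ /v1\.cri"\.registry\]/ && /^[ \t]*config_path[ \t]*=[ \t]*"[^"]/ {
      hosts_dir = 1
    }
    # mirror endpoint fetched over plaintext HTTP
    section ~ /\.registry\.mirrors\./ && /^[ \t]*endpoint[ \t]*=/ && /"http:\/\// {
      print "PLAINTEXT: " section " pulls over http://"; n++
    }
    # certificate verification switched off for a registry
    /^[ \t]*insecure_skip_verify[ \t]*=[ \t]*true/ {
      print "NOVERIFY: " section " disables TLS certificate verification"; n++
    }
    END {
      if (hosts_dir && mirrors) {
        print "CONFLICT: registry.mirrors set together with config_path"; n++
      }
      exit (n > 0)
    }
  ' "$1"
}

# Constructed sample: a registry section that sets both config_path and mirrors.
sample_config() {
  cat <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io"]
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_cri_registry "$tmp" || echo "fix the findings above before restarting containerd"
rm -f "$tmp"
```

On a node, point the function at `/etc/containerd/config.toml`. It is a line-oriented check, so it does not replace containerd's own validation when the service starts.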
crictl is a CLI tool for interacting with CRI-compatible runtimes. It's the primary tool for debugging containers on Kubernetes nodes.
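# Install crictl
VERSION="v1.28.0"
curl -fL "https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz" -o crictl.tar.gz
# Before extracting as root, compare the archive's SHA-256 with the checksum published for the release
sudo tar Cxzvf /usr/local/bin crictl.tar.gz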
# List pods
crictl pods
crictl pods --name nginx
# List containers
crictl ps
crictl ps -a
# List images
crictl images
crictl images -v
# Pull image
crictl pull nginx:alpine
# Container logs
crictl logs <container-id>
# Execute command
crictl exec -it <container-id> sh
# Remove container
crictl rm <container-id>
- containerd: Broader feature set, used by Docker and Kubernetes, default for most distributions.
- CRI-O: Lightweight, focused purely on Kubernetes, default for OpenShift.
# Check containerd status
sudo systemctl status containerd
# Check containerd logs
sudo journalctl -u containerd -f
# Check kubelet logs
sudo journalctl -u kubelet -f | grep -i containerd
# Verify CRI plugin is loaded (plugins are listed by the ctr client, not the containerd daemon binary)
ctr plugins ls | grep cri
# Test CRI connectivity
crictl info
# Check pod sandbox status
crictl pods
# View container details
crictl inspect <container-id>
The containerd CRI plugin is the backbone of the container runtime layer on Kubernetes nodes. Understanding it helps you debug and optimize those nodes.