containerd CRI Plugin

The containerd CRI plugin implements the Kubernetes Container Runtime Interface, making containerd the default and recommended runtime for Kubernetes. Learn how it works and how to configure it.

What is the Container Runtime Interface (CRI)?

The Container Runtime Interface (CRI) is a plugin interface that allows Kubernetes to use different container runtimes without recompiling. It defines gRPC APIs for managing containers, images, and pods. Any runtime that implements CRI can be used with Kubernetes.

CRI was introduced in Kubernetes v1.5 to enable pluggable container runtimes. Before CRI, Kubernetes was tightly coupled with Docker. CRI made Kubernetes runtime-agnostic, allowing it to work with containerd, CRI-O, and other runtimes.

CRI is the reason Kubernetes can run with different runtimes. It's a critical part of Kubernetes architecture that enables runtime flexibility.
The containerd CRI Plugin

The containerd CRI plugin is a built-in plugin that implements the Kubernetes CRI. It allows containerd to serve as the container runtime for Kubernetes nodes. When kubelet makes CRI calls, the plugin translates them to containerd operations.

The CRI plugin handles all the container operations that Kubernetes needs: pod sandbox management (pause containers), container lifecycle (create, start, stop, delete), image management (pull, list, remove), and pod networking (CNI integration).

Since Kubernetes v1.24, containerd is the default and recommended runtime for Kubernetes. The CRI plugin is stable and production-ready.
Architecture: How It Works

Kubernetes Node: kubelet → CRI (gRPC) → containerd CRI Plugin → containerd (Core Runtime) → runc (OCI Runtime)

    # Check CRI plugin status
    crictl info
    crictl info | grep -A 5 -i "cri"

    # Check containerd CRI configuration
    containerd config dump | grep -A 20 "io.containerd.grpc.v1.cri"

Key Features of the CRI Plugin
  • Pod Sandbox Management: Creates and manages pause containers (sandboxes) for each pod.
  • Container Lifecycle: Complete container management (create, start, stop, delete, status).
  • Image Management: Pull, list, inspect, and remove container images.
  • Networking Integration: Works with CNI plugins for pod networking.
  • Volume Support: Manages volume mounts for containers.
  • Runtime Configuration: Supports different runtimes (runc, Kata, gVisor).
  • Metrics Collection: Provides metrics for container resource usage.
  • Event Reporting: Reports container events to kubelet.
Configuring the CRI Plugin

The CRI plugin is configured in containerd's config.toml file. The configuration controls various aspects of the runtime behavior.

    # /etc/containerd/config.toml
    version = 2

    [plugins."io.containerd.grpc.v1.cri"]
    sandbox_image = "registry.k8s.io/pause:3.9"
    max_container_log_line_size = 16384

    [plugins."io.containerd.grpc.v1.cri".containerd]
    default_runtime_name = "runc"
    snapshotter = "overlayfs"

    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"

    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    SystemdCgroup = true

    [plugins."io.containerd.grpc.v1.cri".registry]
    config_path = "/etc/containerd/certs.d"

    # The older `mirrors` table is deprecated and cannot be set together with
    # config_path (the CRI plugin rejects a config that has both). With
    # config_path, the docker.io endpoint goes in
    # /etc/containerd/certs.d/docker.io/hosts.toml instead.
    # [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    # endpoint = ["https://registry-1.docker.io"]

crictl: Debugging Kubernetes Containers

crictl is a CLI tool for interacting with CRI-compatible runtimes. It's the primary tool for debugging containers on Kubernetes nodes.

    # Install crictl
    VERSION="v1.28.0"
    curl -L https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz -o crictl.tar.gz
    sudo tar Cxzvf /usr/local/bin crictl.tar.gz

    # List pods
    crictl pods
    crictl pods --name nginx

    # List containers
    crictl ps
    crictl ps -a

    # List images
    crictl images
    crictl images -v

    # Pull image
    crictl pull nginx:alpine

    # Container logs (<container-id> is a placeholder; take the ID from `crictl ps`)
    crictl logs <container-id>

    # Execute command
    crictl exec -it <container-id> sh

    # Remove container
    crictl rm <container-id>

crictl is invaluable for debugging Kubernetes nodes. Use it to inspect pods and containers directly without kubectl.
containerd vs CRI-O: CRI Runtimes
  • containerd: Broader feature set, used by Docker and Kubernetes, default for most distributions.
  • CRI-O: Lightweight, focused purely on Kubernetes, default for OpenShift.
Both are excellent choices. containerd is the most widely adopted and recommended for new Kubernetes clusters.
Troubleshooting the CRI Plugin

    # Check containerd status
    sudo systemctl status containerd

    # Check containerd logs
    sudo journalctl -u containerd -f

    # Check kubelet logs
    sudo journalctl -u kubelet -f | grep -i containerd

    # Verify CRI plugin is loaded (plugins are listed through the ctr client)
    sudo ctr plugins ls | grep cri

    # Test CRI connectivity
    crictl info

    # Check pod sandbox status
    crictl pods

    # View container details (<container-id> is a placeholder; take the ID from `crictl ps`)
    crictl inspect <container-id>

Frequently Asked Questions
Is containerd the default runtime for Kubernetes?
Yes! Since Kubernetes v1.24, containerd is the default and recommended runtime. The dockershim was removed in v1.24, making containerd the standard choice.
What is the pause container?
The pause container (sandbox) holds the network namespace for a pod. It's created first and all other containers in the pod share its network namespace. This is how pods achieve network sharing.
How do I change the default runtime for Kubernetes?
Change `default_runtime_name` in containerd's config.toml and restart containerd. For kubelet, you may need to specify the runtime endpoint.
Can I use Docker Engine with Kubernetes now?
Yes, but it requires the cri-dockerd adapter. Docker Engine is no longer natively supported. containerd is the recommended alternative.
What's the difference between crictl and kubectl?
kubectl interacts with the Kubernetes API server. crictl interacts directly with the container runtime (CRI) on a node. crictl is for node-level debugging.
How do I check which runtime my Kubernetes node is using?
Run `kubectl get nodes -o wide` to see the container runtime column. Or run `crictl info` on the node to see runtime details.
Does containerd CRI support Windows containers?
Yes, containerd supports Windows containers. The CRI plugin supports Windows nodes with the appropriate configuration.
How do I update the pause image?
Update the `sandbox_image` in the containerd config.toml and restart containerd. The new pause image will be used for new pods.

The containerd CRI plugin is the backbone of Kubernetes container runtime. Understanding it helps you debug and optimize your Kubernetes nodes.