A container runtime is the low-level software responsible for:
- Pulling container images
- Creating and running containers
- Isolating them using Linux namespaces & cgroups
It’s the component that actually executes the containerized apps described in your Pods.
Kubernetes does NOT run containers directly. Instead:
- The kubelet talks to the container runtime
- The runtime does the real work of starting, stopping, and monitoring containers
This communication happens through a standardized interface: CRI (Container Runtime Interface).
The Container Runtime Interface (CRI) is a gRPC API used by kubelet to communicate with any container runtime.
| Without CRI | With CRI |
|---|---|
| Tight coupling | Loose, pluggable design |
| Only Docker support | Support for many runtimes |
| Hard to extend | Easy to swap runtimes |
| Runtime | Description |
|---|---|
| containerd | Lightweight, production-grade runtime used by most distros (including Docker under the hood) |
| CRI-O | Kubernetes-native, minimal runtime for OpenShift and RHEL |
| Docker | Legacy runtime (deprecated since K8s v1.20) |
| gVisor | Sandbox runtime focused on security |
| Kata Containers | Lightweight VMs instead of containers (for isolation) |
| Mirantis Container Runtime | Enterprise Docker continuation |
[kube-apiserver]
↓
kubelet
↓ (CRI gRPC)
[container runtime]
↓
Pull image, run container