Reading Notes: Kubernetes Deprecating Docker

Jackson Chen
4 min read · Mar 30, 2024


· Summary
CRI (Container Runtime Interface)
Containerd
· Conclusion
· References

Summary

Kubernetes works with all container runtimes that implement a standard known as the Container Runtime Interface (CRI). This is essentially a standard way of communicating between Kubernetes and the container runtime.

Docker does not implement the Container Runtime Interface (CRI). Kubernetes implemented the Docker shim, an additional layer to serve as an interface between Kubernetes and Docker. However, there are plenty of runtimes available that implement the CRI, and it no longer makes sense for Kubernetes to maintain special support for Docker.

I would like to organize related component information below.

CRI (Container Runtime Interface)

The CRI (Container Runtime Interface) is a plugin interface that enables the kubelet to use a wide variety of container runtimes, such as CRI-O, Containerd, and rkt, without needing to recompile the cluster components.

Purpose:
The Kubernetes Container Runtime Interface (CRI) defines the main gRPC protocol for the communication between the node components kubelet and container runtime.

Components:
kubelet manages node state, and container runtime (e.g., CRI-O, Containerd, rkt) runs containers.

How it works:
You need a working container runtime on each node in your cluster, so that the kubelet can launch Pods and their containers. The Container Runtime Interface (CRI) is the main protocol for the communication between the kubelet and Container Runtime.

ref: https://kubernetes.io/docs/concepts/architecture/cri/

Kubernetes Version 1.5

After the donation of the Docker daemon to CNCF, containerd emerged as a separate project. As a CNCF-hosted project, containerd must adhere to the CRI standard. However, Docker merely invokes containerd within Docker Engine, keeping its external interface unchanged, which means it is not compatible with CRI.

Containerd

containerd is an open-source container runtime that serves as a part of the Docker Engine and implements the CRI specification. It is responsible for managing the lifecycle of containers.

There are two invocation chains in Kubernetes at this time:

  1. Using the CRI interface to call dockershim, which then calls Docker, and Docker further interacts with containerd to manipulate containers as below.

Dockershim is a component of Kubernetes designed primarily to interact with Docker through the Container Runtime Interface (CRI). In other words, kubelet needs to interact with the Docker daemon through Dockershim.

As we can see, Docker is not actually a container runtime. Docker is just a middleman between Kubernetes and Containerd.

  2. Using the CRI interface to directly manipulate containers through containerd.

Containerd 1.1

Specifically, containerd is responsible for several key aspects:

  1. Container Lifecycle Management: Managing the entire lifecycle of containers, from creation to destruction.
  2. Image Management: Handling the management of container images, including downloading, storing, and managing different image formats and storage backends.
  3. Container Runtime: Providing interfaces and functionality for container runtime operations such as starting, stopping, pausing, resuming, and monitoring containers, enabling containers to run independently on host machines and offering monitoring, log collection, and other features.
  4. Container Networking: While containerd itself does not directly handle container networking, it provides interfaces for container networking integration, allowing containers to communicate over networks.
  5. Container Storage: Managing container storage volumes to allow containers to persistently store data using various storage backends.

Conclusion

Kubernetes is moving away from Docker as the default container runtime and adopting lightweight alternatives like containerd and cri-o. Moreover, Docker’s inability to fully meet the CRI requirements, particularly in terms of resource isolation, control plane interaction, image format compatibility, and performance, led to its removal from Kubernetes as the default container runtime.

As of version 1.24, the code for Dockershim has been removed from the kubelet.
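To see which of the two invocation chains each node uses before an upgrade to 1.24, the runtime and kubelet version that every node reports can be classified. The script below is an added example, not code from the original post or from Kubernetes. It reads the `containerRuntimeVersion` and `kubeletVersion` fields of node objects; the sample node list is constructed, and the chain labels are names chosen here.

```python
import json
import re

# Constructed sample shaped like `kubectl get nodes -o json` output
# (node names and versions are made up for illustration).
SAMPLE_NODES = json.loads("""
{"items": [
  {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {
     "kubeletVersion": "v1.23.17", "containerRuntimeVersion": "docker://20.10.21"}}},
  {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {
     "kubeletVersion": "v1.23.17", "containerRuntimeVersion": "containerd://1.6.8"}}},
  {"metadata": {"name": "node-c"}, "status": {"nodeInfo": {
     "kubeletVersion": "v1.24.3", "containerRuntimeVersion": "cri-o://1.24.1"}}}
]}
""")

DOCKERSHIM_REMOVED = (1, 24)  # per the article: removed from the kubelet in 1.24

def kubelet_minor(version):
    """Parse 'v1.23.17' (or a vendor-suffixed variant) into (1, 23)."""
    m = re.match(r"v?(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def classify_node(node):
    """Return (name, runtime, chain) for one node object."""
    info = node["status"]["nodeInfo"]
    runtime = info["containerRuntimeVersion"].split("://", 1)[0]
    if runtime != "docker":
        chain = "direct-cri"  # kubelet -> CRI -> runtime
    elif kubelet_minor(info["kubeletVersion"]) < DOCKERSHIM_REMOVED:
        chain = "dockershim"  # kubelet -> dockershim -> Docker -> containerd
    else:
        # Docker still reported, but the kubelet no longer ships dockershim,
        # so a CRI adapter outside the kubelet must be in place.
        chain = "docker-without-dockershim"
    return node["metadata"]["name"], runtime, chain

def audit(nodes):
    """Classify every node and list those that must migrate before 1.24."""
    rows = [classify_node(n) for n in nodes["items"]]
    return rows, [name for name, _, chain in rows if chain == "dockershim"]

if __name__ == "__main__":
    rows, blocked = audit(SAMPLE_NODES)
    for name, runtime, chain in rows:
        print(f"{name:8} {runtime:12} {chain}")
    print("migrate before upgrading to 1.24:", blocked)
```

On a live cluster, the same functions can be fed the parsed output of `kubectl get nodes -o json` in place of the constructed sample.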
