Configs · 16 April 2026 · 1 min read

CRI-O — Lightweight Container Runtime for Kubernetes

An OCI-compatible container runtime designed specifically for Kubernetes. CRI-O implements the Container Runtime Interface (CRI) with minimal footprint, providing a stable and secure alternative to Docker and containerd.

Introduction

CRI-O is a lightweight container runtime built from the ground up for Kubernetes. Unlike general-purpose runtimes, it implements only what Kubernetes needs through the CRI specification, resulting in a smaller attack surface and tighter version alignment with Kubernetes releases.

What CRI-O Does

  • Implements the Kubernetes Container Runtime Interface (CRI) for pod lifecycle management
  • Pulls images from any OCI-compliant registry including Docker Hub, Quay, and private registries
  • Runs containers using OCI runtimes (runc, crun, Kata Containers, gVisor)
  • Manages container networking via CNI plugins
  • Provides container storage through the containers/storage library with overlay and devicemapper support

Architecture Overview

CRI-O sits between the kubelet and the OCI runtime. When the kubelet requests a pod, CRI-O pulls the image using containers/image, sets up networking via CNI, prepares the root filesystem using containers/storage, and launches the container with the configured OCI runtime. Each Kubernetes minor version gets a matching CRI-O release, ensuring API compatibility.

Self-Hosting & Configuration

  • Install from packages (RPM/DEB) or build from source with Go 1.21+
  • Configure via /etc/crio/crio.conf for runtime, storage, and network settings
  • Set the default OCI runtime to crun for better performance or kata for VM isolation
  • Enable metrics endpoint on port 9090 for Prometheus monitoring
  • Use crio-wipe on upgrades to clean stale container state safely
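The settings listed above live in a few TOML tables of crio.conf. The fragment below is an added illustration, not CRI-O's shipped default file: it sets crun as the default runtime, registers kata as a second handler that a Kubernetes RuntimeClass can select, pins a signature policy for pulls, and turns on the metrics endpoint. Paths marked as assumptions vary by distribution.

```toml
# /etc/crio/crio.conf (illustrative fragment, not CRI-O's shipped default)

[crio]
# Storage driver used by containers/storage; overlay is the common choice.
storage_driver = "overlay"

[crio.runtime]
# Handler used when a pod does not name a RuntimeClass.
default_runtime = "crun"
# Node-wide hardening applied to every container CRI-O launches.
selinux = true
seccomp_profile = "/etc/crio/seccomp.json"   # assumption: site-provided profile path
conmon = "/usr/bin/conmon"

# Each [crio.runtime.runtimes.<name>] table is selectable from Kubernetes
# via a RuntimeClass whose handler field equals <name>.
[crio.runtime.runtimes.crun]
runtime_path = "/usr/bin/crun"
runtime_type = "oci"
runtime_root = "/run/crun"

[crio.runtime.runtimes.kata]
# VM-isolated pods: a RuntimeClass with handler "kata" lands here.
runtime_path = "/usr/bin/containerd-shim-kata-v2"   # assumption: distro-specific
runtime_type = "vm"

[crio.image]
# containers/image applies this policy to every pull (signature verification).
signature_policy = "/etc/containers/policy.json"

[crio.network]
# CNI plugin configuration and binaries.
network_dir = "/etc/cni/net.d/"
plugin_dirs = ["/opt/cni/bin/"]

[crio.metrics]
# Prometheus scrape endpoint referred to above.
enable_metrics = true
metrics_port = 9090
```

After editing, restart CRI-O (for example `systemctl restart crio`) and confirm with `crio status config` that the runtime tables were loaded as intended.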

Key Features

  • Version-locked to Kubernetes releases ensuring consistent behavior and no API drift
  • 40% lower memory usage compared to dockershim-based setups in Red Hat benchmarks
  • Supports multiple OCI runtimes simultaneously per workload class (runc, crun, kata)
  • Conmon process monitor provides container lifecycle management independent of the daemon
  • Passes 100% of Kubernetes conformance tests across every supported version

Comparison with Similar Tools

  • containerd — general-purpose runtime with broader scope; CRI-O is Kubernetes-specific and leaner
  • Docker Engine — full platform with build tools; CRI-O focuses solely on running containers for K8s
  • Podman — daemonless container management for developers; CRI-O is a server runtime for K8s nodes
  • Kata Containers — VM-based isolation runtime; CRI-O can use Kata as a pluggable OCI runtime
  • gVisor — application kernel sandbox; CRI-O supports gVisor (runsc) as an OCI runtime option

FAQ

Q: Can I use CRI-O to build container images? A: No. CRI-O only runs containers. Use Buildah or Podman for image builds.

Q: Which Kubernetes distributions ship CRI-O? A: OpenShift uses CRI-O by default. It also works with kubeadm, kubespray, and most K8s installers.

Q: How does CRI-O handle image pulls? A: It uses the containers/image library supporting Docker v2, OCI image layouts, and signature verification.

Q: Is CRI-O production-ready? A: Yes. It powers every OpenShift cluster in production and is a CNCF graduated project.
