Kubernetes Runtimes

A comparison of container runtimes usable with Kubernetes, rebuilt from the original spreadsheet layout. Columns are the runtimes; rows are the attributes compared.

| | CRI-O | Containerd CRI plugin | Docker Engine (native) | gVisor CRI plugin | CRI-O Kata Containers |
|---|---|---|---|---|---|
| sponsors | CNCF | CNCF | Docker Inc | Google | Intel |
| started | 2016 | 2015 | Mar 2013 | 2015 | 2017 |
| version | 1.12 | 1.2 | 18.06 | runc | 1.3 |
| runtime | runc (default) | containerd managing runc | runc | runsc | kata-runtime |
| kernel | shared | shared | shared | partially shared | isolated |
| syscall filtering | no | no | no | yes | no |
| kernel blobs | no | no | no | no | yes |
| footprint | - | - | - | - | 30 MB |
| start time | <10ms | <10ms | <10ms | <10ms | <100ms |
| io performance | host performance | host performance | host performance | slow | host performance |
| network performance | host performance | host performance | host performance | slow (see comment) | close to host performance |
| Docs | https://github.com/kubernetes-sigs/cri-o/ | https://github.com/containerd/cri | https://github.com/moby/moby | https://github.com/google/gvisor | https://github.com/kata-containers/runtime |

Why?

- CRI-O: Lightweight and Kubernetes-specific. No need for the Docker daemon. Default on OpenShift. Probably the best container-based runtime.
- Containerd CRI plugin: Installed by default with the latest Docker Engine. Kubernetes can now use containerd directly. Docker can also be used on the same hosts directly. No need to run the dockerd daemon. Beta on Google GKE.
- Docker Engine (native): Most mature runtime, tested and iterated on by a massive number of users. Can use seccomp, SELinux and AppArmor to harden. Fastest start times. Lowest memory usage.
- gVisor CRI plugin: Used by Google App Engine as the isolation layer between customers. Good for stateless web apps. Adds two additional layers of security over standard containers.
- CRI-O Kata Containers: Arguably the most secure option. The major trade-offs for security don't actually seem that bad. Will anyone notice a 100ms startup time increase on their microservice? Or an extra 30 MB per container? Doubtful.

Why not?

- CRI-O: Same security issues as native Docker Engine. Still need to manage a bunch of security policy stuff that nobody ever does.
- Containerd CRI plugin: This is slightly newer, as it has been through a few iterations of being installed differently.
- Docker Engine (native): Kubernetes is moving to the CRI plugin architecture. Hardening is too complex for most to manage. dockerd is quite bloated, and running it as root is bad.
- gVisor CRI plugin: Not versioned and shouldn't be used in production yet on Kubernetes. Not good for applications that make lots of syscalls. Not all 400 Linux syscalls are implemented, causing some apps not to work (e.g. postgres).
- CRI-O Kata Containers: The kata-runtime itself is v1; however, I'm not sure how this translates to Kubernetes readiness. Less efficient binpacking due to the 30 MB memory overhead. Slower start times.