In Kubernetes 1.24, dockershim will be removed. What does that mean? Let's take a look at the container stack before and after the dockershim removal.

Objective

To walk through the container stack on a Kubernetes node.

Before 1.24 release

Kubernetes Container Stack Before 1.24

Since 1.24 release

Kubernetes Container Stack Since 1.24

Walk-through

Using this opportunity, we can walk through the container stack and the corresponding tooling on a Kubernetes node from top to bottom.

apiserver

The apiserver sits on the Kubernetes master and validates and configures data for the API objects, which include pods, services, replication controllers and others. The API server services REST operations and provides the cluster's shared state.

kubelet

kubelet is the primary node agent that runs on each Kubernetes node and registers the node with the apiserver. kubelet manages pods using a PodSpec in YAML or JSON format. kubelet implements the CRI client, and it also contained dockershim before Kubernetes 1.24.

CRI Container Runtime

A container runtime is software that executes containers and manages container images. The Container Runtime Interface (CRI) is a plugin interface which enables kubelet to use a wide variety of container runtimes without recompiling. CRI consists of protocol buffers, a gRPC API, and libraries. Popular container runtimes include Docker Engine, cri-o, containerd, rktlet and frakti. dockershim in kubelet implements the CRI interface; cri-o implements an OCI conformant runtime; frakti is a hypervisor-based container runtime, while rktlet is the rkt container runtime, which is in a frozen state.

containerd is an OCI compliant core container runtime that provides the minimum set of functionality to execute containers and manage images. Beyond container lifecycle management and image management, networking (CNI), volumes (CSI) and persistent logging are out of scope for containerd. The original cri-containerd has now evolved into the cri package in containerd, and containerd has become the default runtime in Kubernetes.

The biggest change in Kubernetes 1.24 is the removal of dockershim from the kubelet source code. To keep Docker Engine as a container runtime, cri-dockerd was created to bridge the gap.
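A practical check before upgrading to 1.24 is to find which nodes still depend on the in-tree dockershim. The node's `status.nodeInfo.containerRuntimeVersion` alone is not enough, because both dockershim and cri-dockerd report a `docker://` prefix, so the kubelet's `--container-runtime-endpoint` has to be consulted as well. The following is an added example, not code from the original post or the Kubernetes project; the socket paths are assumed defaults and the node data is constructed.

```python
import json

# Assumed default kubelet endpoints: an unset endpoint meant the built-in dockershim
# before 1.24, while cri-dockerd listens on its own socket.
DOCKERSHIM_SOCKETS = {"", "unix:///var/run/dockershim.sock"}
CRI_DOCKERD_SOCKETS = {"unix:///run/cri-dockerd.sock", "unix:///var/run/cri-dockerd.sock"}


def classify(runtime_version: str, kubelet_endpoint: str = "") -> str:
    """Return which CRI implementation serves the kubelet on a node.

    runtime_version is nodeInfo.containerRuntimeVersion, e.g. "containerd://1.6.4".
    kubelet_endpoint is that node's --container-runtime-endpoint ("" if unset).
    """
    runtime, sep, _version = runtime_version.partition("://")
    if not sep:
        raise ValueError(f"unexpected containerRuntimeVersion: {runtime_version!r}")
    if runtime != "docker":
        return runtime  # containerd, cri-o, ... speak CRI directly
    if kubelet_endpoint in CRI_DOCKERD_SOCKETS:
        return "cri-dockerd"  # Docker Engine through the external shim; fine on 1.24+
    if kubelet_endpoint in DOCKERSHIM_SOCKETS:
        return "dockershim"  # in-tree shim, removed in 1.24
    return "docker-unknown-endpoint"


def nodes_blocking_upgrade(nodes_json: str, endpoints: dict) -> list:
    """Names of nodes still on dockershim, given `kubectl get nodes -o json` output
    and a per-node map of kubelet runtime endpoints."""
    blocked = []
    for item in json.loads(nodes_json)["items"]:
        name = item["metadata"]["name"]
        rtv = item["status"]["nodeInfo"]["containerRuntimeVersion"]
        if classify(rtv, endpoints.get(name, "")) == "dockershim":
            blocked.append(name)
    return blocked


# Constructed sample standing in for a live cluster (not real node data).
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {"containerRuntimeVersion": "docker://20.10.12"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {"containerRuntimeVersion": "docker://20.10.12"}}},
    {"metadata": {"name": "node-c"}, "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.6.4"}}},
]})
SAMPLE_ENDPOINTS = {"node-a": "", "node-b": "unix:///run/cri-dockerd.sock"}

if __name__ == "__main__":
    print(nodes_blocking_upgrade(SAMPLE_NODES, SAMPLE_ENDPOINTS))  # ['node-a']
```

Only node-a is flagged: node-b also reports `docker://` but already goes through cri-dockerd, and node-c uses containerd.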

OCI Runtime

Performance, security and compatibility requirements have resulted in multiple OCI compatible runtimes in the Kubernetes ecosystem.

runc is the default OCI runtime in Kubernetes; it spawns and runs containers on Linux. crun is a fast, low-memory-footprint OCI container runtime written entirely in C. runsc in gVisor implements a sandbox by intercepting the system calls an application invokes and mapping them onto a smaller set of Linux system calls on the host kernel. runnc in Nabla Containers achieves the same goal by using fewer Linux system calls. kata-runtime is the OCI runtime in Kata Containers, which builds a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers but provide the workload isolation and security advantages of VMs.