Lead Image © Corina Rosu, 123rf.com
CRI-O and Kubernetes Security
Critical Tool
Container runtimes continue to evolve at a fast rate, and Red Hat has shifted their focus in the direction of their own Podman container runtime in favor of Docker. Red Hat's open source contributions to Kubernetes also means that CRI-O has been adopted by their OpenShift enterprise platform as the runtime, and Red Hat Enterprise Linux will offer Podman for user interaction with containers in the future.
Although Docker still continues to be used as the universal container runtime, the popular Kubernetes container orchestrator moved over to CRI-O as a lightweight default runtime alternative a number of versions ago. CRI-O (Container Runtime Interface) began life at Red Hat in 2016 and was passed on to Kubernetes in 2019. Red Hat described the runtime when it was launched as benefiting from a "narrow focus [that] drives stability, performance and security features down the stack, allowing the cloud native ecosystem to reliably focus at the Kubernetes layer and above" [1].
Because CRI-O is likely to be entrenched in Kubernetes for the foreseeable future, learning about this relatively nascent and critical component is a useful exercise. For further information on alternative Kubernetes runtimes, you can refer to a document about container runtimes on the Kubernetes website [2].
In this article, I look at CRI-O in more detail and how the use of a troubleshooting tool in combination with an unexpected debugging companion enables developers to access Kubernetes resources without having to make changes directly to the Kubernetes cluster itself.
Jigsaw Puzzle
The precise definition of a container runtime is surrounded by confusion and ambiguity. The CRI-O runtime [3] is an Open Container Initiative (OCI)-compliant
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Alternative container runtimes thanks to the Open Container Initiative
Most users tend to think of Docker when they hear the word "containers," but for some time now it has been possible to operate containers with other runtimes. We take a closer look at Docker and the CRI-O project. -
Kubernetes containers, fleet management, and applications
Kubernetes is all the rage, but many admins find themselves struggling to get started. We present the basic architecture and the most important components and terms. -
Simple, small-scale Kubernetes distributions for the edge
We look at three scaled-down, compact Kubernetes distributions for operation on edge devices or in small branch office environments. -
Securing the container environment
Implement a good, robust defense with an in-depth strategy of applying multiple layers of security to all components, including the human factor. -
Optimally combine Kubernetes and Ceph with Rook
Ceph distributed storage and Kubernetes container orchestration come together with Rook.