Kubernetes 1.20: Deprecating Dockershim and transitioning to CRI-compliant runtimes

Orchestrating container runtimes. We explore CRI specifications, containerd shims, and node runtime upgrades.

SHIVAM ITCS · 28 December 2020 · 10 min read

Technical Overview & Strategic Context

While Docker was the first container runtime used by Kubernetes, it was not designed to integrate with the Kubernetes Container Runtime Interface (CRI) specification. To support Docker, Kubernetes maintained a temporary shim layer called 'Dockershim'. This shim layer added complexity and overhead to the Kubernetes codebase. The release of Kubernetes 1.20 in December 2020 resolved this by announcing the deprecation of Dockershim, guiding the ecosystem toward standard CRI-compliant runtimes like containerd or CRI-O.

Architectural Principle: Use standard CRI-compliant container runtimes (like containerd) inside Kubernetes clusters. Standardizing runtime shims simplifies operations and improves security.

Core Concepts & Architectural Blueprint

The deprecation of Dockershim does not mean Docker images are obsolete: Docker images comply with the OCI (Open Container Initiative) standard, meaning they run consistently on any CRI-compliant runtime. Upgrading nodes to containerd bypasses Dockershim, reducing resource consumption and improving security.

Performance & Capability Comparison

| Runtime Stack | Docker Daemon (Dockershim) | CRI-compliant Runtime (containerd) | Operational Scale Benefit |
|---|---|---|---|
| Runtime Interface | API server routes through Dockershim | Direct API communication via CRI | Reduces container execution latency |
| Memory Overhead | High (requires running Docker daemon) | Low (lightweight containerd engine) | Reduces node memory consumption |
| Image Standards | OCI-compliant images supported | OCI-compliant images supported | Maintains image compatibility |

Implementation & Code Pattern

To migrate cluster nodes to CRI-compliant container runtimes, follow these steps:

  • Install containerd or CRI-O packages on all cluster nodes.
  • Configure kubelet flags to target the new runtime endpoint.
  • Verify node execution status using kubectl get nodes commands.
  • Remove Dockershim configurations from host environments.

# Point the kubelet at containerd's CRI socket on the node (2020).
# Add the following line to /etc/default/kubelet (a config file entry, not a command to run):
KUBELET_EXTRA_ARGS="--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock"

# Restart the kubelet service on host node
sudo systemctl daemon-reload
sudo systemctl restart kubelet

# Verify the runtime each node reports
kubectl get nodes -o wide
# The CONTAINER-RUNTIME column shows the active runtime, e.g. containerd://1.4.1
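
An added audit script for the verification step above (not part of the original post): it lists nodes whose reported runtime is neither containerd nor CRI-O, and checks a kubelet argument string for the two flags set during the migration. The function names, the sample node list, and the rejection of an endpoint on a Dockershim socket are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit the migration result.
# nodes_not_migrated reads "NAME RUNTIME" lines, the format printed by:
#   kubectl get nodes --no-headers -o \
#     custom-columns=NAME:.metadata.name,RUNTIME:.status.nodeInfo.containerRuntimeVersion

# Print nodes whose runtime is not containerd:// or cri-o://.
# Returns 0 when every node is migrated, 1 otherwise.
nodes_not_migrated() {
  awk '
    BEGIN { bad = 0 }
    NF == 0 { next }                                  # skip blank lines
    NF < 2  { print $1 " <no-runtime>"; bad = 1; next }
    $2 !~ /^(containerd|cri-o):\/\// { print $1 " " $2; bad = 1 }
    END { exit bad }
  '
}

# Check a kubelet argument string (the KUBELET_EXTRA_ARGS value) for the
# two flags the migration sets, and reject an endpoint on a Dockershim socket.
kubelet_args_use_cri() {
  case "$1" in *--container-runtime=remote*) ;; *) return 1 ;; esac
  case "$1" in *dockershim*) return 1 ;; esac
  case "$1" in *--container-runtime-endpoint=unix://*) return 0 ;; esac
  return 1
}

# Constructed sample input; on a cluster, pipe in the kubectl command above.
SAMPLE_NODES='node-a containerd://1.4.1
node-b docker://19.3.13
node-c cri-o://1.20.0'

if ! printf '%s\n' "$SAMPLE_NODES" | nodes_not_migrated; then
  echo "nodes listed above still report a non-CRI runtime"
fi

# Constructed sample: the argument string from the kubelet config shown earlier.
ARGS='--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock'
if kubelet_args_use_cri "$ARGS"; then
  echo "kubelet args target a CRI socket"
fi
```

Run the node check before removing Dockershim configuration from hosts, so that a node still reporting `docker://` is caught while rollback is simple.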

Operational Governance & Future Outlook

The deprecation of Dockershim in Kubernetes 1.20 marked a transition toward standard CRI-compliant runtimes. Upgrading cluster nodes to containerd helps reduce resource consumption and improve cluster security.

Vijay Paliwal
Founder, SHIVAM ITCS · 18+ years enterprise & AI engineering
MCA · Ex-HiveGPT USA · Ex-Social27 Seattle