CRI-O Container Runtime

CRI-O is a lightweight, Open Container Initiative OCI-compliant container runtime designed specifically for Kubernetes, implementing the Kubernetes Container Runtime Interface CRI. Initiated by Red Hat engineers including Antonio Murdaca and Mrunal Patel in 2016, CRI-O is a graduated CNCF project and the default container runtime for OpenShift. Key features: Kubernetes-native (purpose-built for Kubernetes CRI interface, implementing only the functionality needed by Kubernetes without unnecessary features found in general-purpose runtimes). OCI compliance (fully compliant with OCI Image Spec and OCI Runtime Spec, supporting any OCI-compatible container image from Docker Hub, Quay, and private registries). Runtime support (pluggable runtime with support for runc as default OCI runtime, plus Kata Containers for VM-level isolation, crun for C-based lightweight runtime, and youki for Rust-based runtime). Storage drivers (overlay, btrfs, zfs, and device mapper storage drivers for container filesystem layer management). Networking (CNI Container Network Interface support for pluggable networking including Calico, Flannel, Weave, and OpenShift SDN). Image management (container image pull, push, tag, and management with signature verification via policy.json for supply chain security). Resource management (cgroup v1 and v2 support for CPU, memory, and I/O resource limits per container). Security (SELinux and AppArmor support, user namespace remapping, seccomp profiles, and capabilities management for container isolation). Monitoring (Prometheus metrics endpoint for runtime statistics including container count, image cache, and operation latency). Lightweight (significantly smaller binary and memory footprint compared to Docker and containerd, reducing attack surface). AppArmor and SELinux enabled by default in OpenShift deployments. Integrates with kubelet via gRPC CRI socket, providing container lifecycle management including create, start, stop, and remove operations.