Training Agenda

Containerd & CRI-O

Containerd and CRI-O are the two dominant container runtimes used by Kubernetes — they sit between the kubelet and the low-level OCI runtime (runc or gVisor). Understanding how they work matters for platform engineers troubleshooting container startup failures, configuring runtime security, or evaluating runtime performance characteristics at the node level.

  • Duration: 1 day
  • Format: on-site, remote, or hybrid
  • Group size: up to 20 participants
  • Language: German or English
What We Cover
The container runtime stack — from OCI spec to running containers and runtime security
Module 1

OCI Ecosystem & Containerd Deep Dive

  • OCI specifications: image-spec (layer format, manifest, config), runtime-spec (container config.json, lifecycle hooks)
  • Container runtime layers: CRI (kubelet API) → high-level runtime (containerd/CRI-O) → low-level OCI runtime (runc, crun)
  • Containerd architecture: containerd daemon, containerd-shim (shim v2 protocol), snapshotter plugins (overlayfs, zfs, devmapper)
  • Containerd namespaces: k8s.io namespace for Kubernetes containers, default namespace for standalone containers
  • crictl for debugging: crictl ps, logs, inspect, exec, pods — the essential tool for node-level container debugging
  • nerdctl: Docker-compatible CLI for containerd — build, run, push, compose support without Docker daemon
  • config.toml: registry mirrors for Harbor/Docker Hub, custom runtimes (gVisor, Kata), snapshotter selection
Module 2

CRI-O & Runtime Security

  • CRI-O design philosophy: minimal surface area (Kubernetes-only CRI), no CLI, no image build — just run containers
  • CRI-O vs containerd: startup performance, memory footprint, feature surface, operational considerations for each
  • gVisor (runsc): user-space kernel for syscall interception, security boundary for untrusted workloads, performance trade-offs
  • Kata Containers: lightweight VM per pod via containerd-shim-kata-v2, hardware isolation, use cases for regulated workloads
  • RuntimeClass in Kubernetes: configuring handler field, assigning RuntimeClass to pods, overhead spec for resource accounting
  • Seccomp profiles: default RuntimeDefault profile, custom profiles (allowlist-based), profile creation with seccomp-operator
  • AppArmor for containers: annotation-based profile assignment, default deny profiles, integration with containerd and CRI-O
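The RuntimeClass and seccomp items above, as an added worked example that is not part of the training materials: a RuntimeClass that routes pods to gVisor with an overhead spec, and a pod that selects it while keeping the runtime's default seccomp profile. It assumes a runtime handler named "runsc" has already been configured on the node (the image reference is a placeholder).

```yaml
# Added example, not course material. Assumes a handler named "runsc"
# is registered in containerd's config.toml (or CRI-O's crio.conf)
# and that runsc is installed on the node.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
# The handler must match the runtime key the CRI runtime was configured with:
#   containerd: [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
#   CRI-O:      [crio.runtime.runtimes.runsc]
handler: runsc
# Overhead is added to the pod's requests so the extra sandbox process
# (the gVisor Sentry) is counted in scheduling and resource quota.
overhead:
  podFixed:
    cpu: "250m"
    memory: "128Mi"
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-worker
spec:
  runtimeClassName: gvisor          # selects the RuntimeClass above
  securityContext:
    seccompProfile:
      type: RuntimeDefault            # the runtime's built-in default profile
  containers:
  - name: app
    image: registry.example.com/team/worker:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    resources:
      requests:
        cpu: "100m"
        memory: "64Mi"
```

Check the class with `kubectl get runtimeclass gvisor`; a pod that names a RuntimeClass that does not exist is rejected at admission rather than scheduled.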
Learning Outcomes
What your team walks away with

Participants gain working knowledge of the full container runtime stack — from OCI specifications to production security hardening — enabling them to debug, configure, and evaluate container runtimes at the Kubernetes node level.

Book the Containerd & CRI-O training

Reach out to schedule a session for your team — remote, on-site, or hybrid, in German or English.
