Sohan Kunkerkar
November 16, 2025

CRI-O: Thriving in a Changing World, One Container at a Time

As the container ecosystem continues to evolve, CRI-O is innovating to meet new challenges. In this session, we will explore the latest advancements in CRI-O, including support for OCI Artifacts beyond container images, such as AI and ML model deployment, as well as new security features like advanced seccomp profile controls and customizable stop signal handling. We'll also highlight performance and infrastructure updates. Through demos, we'll examine these capabilities and preview future additions. Attendees will gain insights to improve the security, adaptability, and operational efficiency of their container environments. This talk is ideal for SysAdmins, SREs, and Developers.


Transcript

  1. CRI-O: Thriving in a Changing World, One Container at a Time
     Ayato Tokubi & Sohan Kunkerkar, Red Hat
  2. Overview
     • Introduction
     • Challenges and Lessons Learned
     • New Project: CRI-O Credential Provider
     • Sig Node Initiatives
     • OCI Image Volume + Demo
     • Future work
     • Closing Remarks
  3. Introduction
     • Supports OCI-based container images, runtimes, and registries
     • Implementation of the Kubernetes Container Runtime Interface - compliant with the Open Container
     • Balance stability and features
     • Focus on security
     • CNCF Graduated Project – widely adopted in Kubernetes & OpenShift
  4. The Decision: Adopting crun as the default
     Evolving for Performance & Future Workloads
     • Goals
       ◦ Faster pod startup
       ◦ Lower memory footprint
       ◦ Future‑ready (WASM, next‑gen workloads)
     • What went well
       ◦ Improved performance & scalability
       ◦ Smooth adoption in most environments
     • Key message
       ◦ Right direction -> better foundations for where the ecosystem is going
  5. Challenges and Lessons Learned
     Change Exposes Gaps → We Learn
     • Behavior differences surfaced
     • CI gaps amplified risk
     • Example:
       ◦ High-density CNV VM failure
     • Lesson:
       ◦ Feature parity ≠ behavioral parity
  6. Shaping What Comes Next
     Growing Up → Informed Evolution
     • Runtime switch taught us:
       ◦ Test deeper before defaults
       ◦ Validate lifecycle & teardown paths
       ◦ CI must reflect real-world workloads
     • This directly influences:
       ◦ Next step → conmon → conmon-rs
       ◦ We will battle-test first, then consider default
  7. New Project: CRI-O Credential Provider
     A new credential plugin within the CRI-O ecosystem
     • Dynamically supplies credentials for CRI-O image pulls
     • Uses Kubernetes namespace-scoped Secrets for registry authentication
     • Writes short-lived auth files into /etc/crio/auth/…
     • Compatible with standard container registry authentication
     • Works with both plain Kubernetes and OpenShift
     Why does it exist?
     • Avoids node-wide static credentials
     • Supports secure, multi-tenant clusters
     • Allows integration with registry mirrors and pull-through caches
  8. Use Cases & Roadmap
     Key Use Cases
     • Multi-tenant clusters where each namespace controls its own registry credentials
     • Workloads pulling from registry mirrors / pull-through caches
     • Environments requiring frequent credential rotation without node reconfiguration
     Roadmap
     • Add more secret backends (cloud, Vault)
     • Improve observability + debugging
     • Streamline kubelet integration
     • Expand registry ecosystem support
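
An added example, not code from the talk or the CRI-O project: a node-side audit for the kind of short-lived auth directory slide 7 describes, flagging files accessible beyond their owner, files older than a chosen lifetime, and files that do not parse as registry auth JSON. The directory layout, file names, the one-hour threshold and the `auths` JSON format are assumptions; the sample data is constructed.

```python
import base64, json, os, stat, tempfile, time

def audit_auth_dir(root, max_age_s=3600, now=None):
    """Return sorted (path, issue) findings for auth files under root."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a planted symlink
            if not stat.S_ISREG(st.st_mode):
                findings.append((path, "not-regular-file"))
                continue
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, "group-or-world-accessible"))
            if now - st.st_mtime > max_age_s:  # hypothetical lifetime limit
                findings.append((path, "stale"))
            try:
                with open(path) as fh:
                    auths = json.load(fh)["auths"]  # assumed auth.json layout
                for entry in auths.values():
                    base64.b64decode(entry["auth"], validate=True)
            except (OSError, ValueError, KeyError, TypeError, AttributeError):
                findings.append((path, "malformed"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: one healthy file, one stale and world-readable."""
    token = base64.b64encode(b"user:constructed-token").decode()
    body = json.dumps({"auths": {"registry.example.test": {"auth": token}}})
    for ns, mode, age in (("team-a", 0o600, 60), ("team-b", 0o644, 7200)):
        os.makedirs(os.path.join(root, ns))
        path = os.path.join(root, ns, "auth.json")
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        mtime = time.time() - age
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for path, issue in audit_auth_dir(d):
            print(issue, os.path.relpath(path, d))
```

The findings carry only paths and issue names, so the output can be shipped to a log pipeline without exposing credential material.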