
How Kubelet, CRI, and CNI Collaborate to Launch a New Pod

When a new Pod is created, kubelet coordinates with the CRI and CNI components to set up the sandbox, configure networking, pull images, and create and start containers, using gRPC calls and command‑line invocations; the details vary across container runtimes such as containerd, cri‑o, and Docker.

System Architect Go

Pod creation flow: Kubelet → CRI → CNI

When the API server schedules a Pod to a node, the kubelet on that node initiates a series of gRPC calls to the Container Runtime Interface (CRI). The CRI creates a pod sandbox, invokes the Container Network Interface (CNI) to configure networking, pulls the container image, creates the container, and finally starts it.

Step‑by‑step sequence

1. Pod scheduling notification – kubelet receives a watch event from the kube‑apiserver that a new Pod must be created on its node.

2. Create pod sandbox
   - kubelet calls RuntimeService.RunPodSandbox (gRPC) on the CRI.
   - The CRI creates the network namespace, mounts the sandbox filesystem and launches the sandbox container.
   - During sandbox creation the CRI executes the configured CNI plugin binary (the ADD command) to allocate a pod IP and set up the pod’s network namespace.
   - kubelet calls RuntimeService.PodSandboxStatus to verify that the sandbox is ready.

3. Container creation phase
   - kubelet calls ImageService.PullImage on the CRI to download the container image (supports docker://, oci:// etc.).
   - kubelet calls RuntimeService.CreateContainer with the sandbox ID, image reference and container spec (environment variables, mounts, command, etc.).
   - kubelet calls RuntimeService.StartContainer to start the container process inside the already‑configured network namespace.

Key points

Creating the sandbox first guarantees that the pod’s network namespace exists even if the user container later fails to start.

Since Kubernetes v1.24 the kubelet no longer invokes CNI directly; the CRI is responsible for calling the CNI plugin.

CRI implementations

Common CRI back‑ends are containerd, cri‑o and the legacy docker shim. In each case the CRI implements the gRPC RuntimeService and ImageService defined in the CRI API.

[Figure: containerd architecture]
[Figure: cri‑o architecture]

CRI and CNI specifications

The CRI uses gRPC with protobuf definitions. The primary service definitions are:

service RuntimeService {
    rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse);
    rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse);
    rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse);
    rpc StartContainer(StartContainerRequest) returns (StartContainerResponse);
    // … other methods
}
service ImageService {
    rpc PullImage(PullImageRequest) returns (PullImageResponse);
    // … other methods
}

The CNI specification defines six commands (ADD, DEL, CHECK, etc.) that are executed as binaries by the CRI.
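The sandbox step above (the runtime calling CNI during RunPodSandbox) and the CNI command set are modelled here in an added Python example that is not from the article or any real runtime: the runtime side execs a constructed stand‑in plugin with the CNI_COMMAND, CNI_CONTAINERID, CNI_NETNS, CNI_IFNAME and CNI_PATH environment variables and the network config on stdin, as the CNI spec requires, and parses either the ADD result or the error object on a non‑zero exit. The plugin name "fakebridge", the allocated address and the netns path are constructed values.

```python
import json, os, subprocess, sys, tempfile, textwrap

# Constructed stand-in for a CNI plugin binary (hypothetical "fakebridge").
# Like a real plugin it takes the command from CNI_COMMAND, the network
# config JSON on stdin, and answers with result JSON on stdout.
FAKE_PLUGIN = textwrap.dedent('''
    import json, os, sys
    cmd, conf = os.environ["CNI_COMMAND"], json.load(sys.stdin)
    if cmd == "ADD":  # allocate an address; a real IPAM plugin draws from a pool
        print(json.dumps({"cniVersion": conf["cniVersion"],
                          "interfaces": [{"name": os.environ["CNI_IFNAME"],
                                          "sandbox": os.environ["CNI_NETNS"]}],
                          "ips": [{"address": "10.244.1.7/24", "interface": 0}]}))
    elif cmd in ("DEL", "CHECK"):
        pass  # success with nothing to report: empty stdout, exit 0
    else:  # spec error object: non-zero exit plus JSON carrying code and msg
        print(json.dumps({"cniVersion": conf["cniVersion"], "code": 4,
                          "msg": "unknown CNI_COMMAND"}))
        sys.exit(1)
''')
NET_CONF = {"cniVersion": "1.0.0", "name": "podnet", "type": "fakebridge"}

def write_fake_plugin():
    """Materialise the constructed plugin in a temp dir; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "fakebridge")
    with open(path, "w") as f:
        f.write(FAKE_PLUGIN)
    return path

def invoke_cni(plugin_path, command, container_id, netns, ifname="eth0"):
    """Runtime side: exec the plugin with the CNI environment variables and the
    config on stdin, then parse the result. Raises on a non-zero exit."""
    env = {**os.environ, "CNI_COMMAND": command, "CNI_CONTAINERID": container_id,
           "CNI_NETNS": netns, "CNI_IFNAME": ifname,
           "CNI_PATH": os.path.dirname(plugin_path)}
    # a real runtime execs the binary directly; the interpreter is used here
    # only so the constructed plugin needs no executable bit
    proc = subprocess.run([sys.executable, plugin_path], input=json.dumps(NET_CONF),
                          env=env, capture_output=True, text=True)
    out = json.loads(proc.stdout) if proc.stdout.strip() else {}
    if proc.returncode != 0:
        raise RuntimeError(f"CNI {command} failed: {out.get('msg') or proc.stderr}")
    return out

def run_pod_sandbox(plugin_path, pod_uid):
    """The networking part of RunPodSandbox: ADD the pod to the network and
    return the address the plugin allocated for the sandbox."""
    netns = f"/var/run/netns/cni-{pod_uid}"  # constructed path; not created here
    return invoke_cni(plugin_path, "ADD", pod_uid, netns)["ips"][0]["address"]
```

A DEL with an empty stdout and exit code 0 is a success per the spec, so the runtime must not treat "no result" as a failure; only the exit code and an error object signal one.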

References

https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/

https://github.com/kubernetes/cri-api/blob/master/pkg/apis/runtime/v1/api.proto

https://github.com/containernetworking/cni/blob/main/SPEC.md
