Why containerd Is Becoming the Preferred Runtime for Kubernetes
This article explains containerd’s evolution, its advantages over Docker Engine in Kubernetes, how to set it up with Minikube, how to use the gVisor sandbox, how to manage containers with ctr and crictl, and outlines Alibaba Cloud’s support for containerd in ACK.
containerd is an open‑source, industry‑standard container runtime focused on simplicity, stability, and portability, supporting both Linux and Windows.
History: Docker donated containerd to an independent community on 2016‑12‑14, with initial members including Alibaba Cloud, AWS, Google, IBM, and Microsoft. In March 2017 Docker contributed containerd to the CNCF, accelerating its development. Docker Engine uses containerd for container lifecycle management, and Kubernetes officially supported containerd as a runtime in May 2018. CNCF marked containerd as a graduated project in February 2019.
Since version 1.1, containerd includes built‑in CRI support, simplifying Kubernetes integration. Its architecture (illustrated in the original diagrams) shows a lightweight runtime with lower resource consumption and faster startup compared to the full Docker Engine.
Compared to the competing CRI‑O project, containerd offers better performance and broader community support.
containerd’s extensible plug‑in mechanism supports any OCI‑compatible runtime, such as runc, KataContainers, gVisor, and Firecracker.
Getting Started with Minikube
Minikube provides the simplest way to try containerd as the Kubernetes runtime. Create a Minikube VM with the flag --container-runtime=containerd and configure an Alibaba Cloud image mirror for faster image pulls.
$ minikube start \
    --image-mirror-country cn \
    --iso-url=https://kubernetes.oss-cn-hangzhou.aliyuncs.com/minikube/iso/minikube-v1.5.0.iso \
    --registry-mirror=https://YOUR_MIRROR.aliyuncs.com \
    --container-runtime=containerd
Deploy a test nginx pod:
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx
Enable gVisor sandbox support in Minikube:
$ minikube addons enable gvisor
$ kubectl get pod,runtimeclass gvisor -n kube-system
When a pod runs with runtimeClassName: gvisor, it uses the gVisor sandbox, which has an independent kernel, providing stronger isolation than runc containers that share the host kernel.
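Because a pod is only sandboxed when its spec names the gvisor RuntimeClass, it is worth checking which pods still run on the default handler. The script below is an added example, not code from the original article: it audits pod JSON in the shape produced by kubectl get pods -A -o json. The function name, the exempt-namespace default and the sample pods are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "nginx"},
   "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
  {"metadata": {"namespace": "default", "name": "nginx-sandboxed"},
   "spec": {"runtimeClassName": "gvisor",
            "containers": [{"name": "nginx", "image": "nginx"}]}},
  {"metadata": {"namespace": "kube-system", "name": "system-pod-example"},
   "spec": {"containers": [{"name": "sys", "image": "example/system"}]}},
  {"metadata": {"namespace": "tenant-a", "name": "job-1"},
   "spec": {"runtimeClassName": "runc-default",
            "containers": [{"name": "job", "image": "example/job"}]}}
]}
""")


def audit_runtime_classes(pod_list,
                          sandboxed=frozenset({"gvisor"}),
                          exempt_namespaces=frozenset({"kube-system"})):
    """Return sorted (namespace, pod, runtime class) for pods outside the sandbox."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        namespace = meta.get("namespace", "default")
        if namespace in exempt_namespaces:
            continue  # assumption: system pods are reviewed separately
        # A missing runtimeClassName means the node's default handler is used,
        # which shares the host kernel in the setup described above (runc).
        runtime_class = spec.get("runtimeClassName")
        if runtime_class not in sandboxed:
            findings.append((namespace, meta.get("name"),
                             runtime_class or "<default>"))
    return sorted(findings)


if __name__ == "__main__":
    # Pass a file saved from `kubectl get pods -A -o json`, or use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for namespace, name, runtime_class in audit_runtime_classes(data):
        print(f"{namespace}/{name}: runtimeClassName={runtime_class}")
```

A non-empty result lists the pods that do not get the sandbox isolation, including those that name a RuntimeClass other than gvisor.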
Managing Containers with ctr and crictl
Inside the Minikube VM, you can list namespaces, images, and containers using ctr:
$ sudo ctr namespaces ls
NAME LABELS
k8s.io
$ sudo ctr --namespace=k8s.io images ls
... (list of images)
$ sudo ctr --namespace=k8s.io containers ls
... (list of containers)
For a higher‑level view, use crictl to list pods and inspect details:
$ sudo crictl pods
$ sudo crictl pods --name nginx -v
containerd vs Docker Engine
containerd is now the mainstream runtime implementation, backed by both Docker and Kubernetes communities. Docker Engine still provides a richer developer toolchain (image building, logging, storage, networking, Swarm, etc.) and enjoys broader ecosystem support, though containerd support is rapidly improving.
For workloads that prioritize security, efficiency, and customisation, containerd is a strong choice; for general development, Docker Engine remains convenient.
Alibaba Cloud Support
Alibaba Cloud Kubernetes Service (ACK) uses containerd as the default runtime, enabling mixed deployments of secure sandbox containers (e.g., gVisor, runV) and standard runc containers. Future plans include Intel SGX‑based trusted sandbox containers.
containerd’s flexible plug‑in architecture also powers the Serverless Kubernetes (ASK) environment, where a trimmed‑down runtime runs in a nodeless setting.
Alibaba Cloud Native
