CNCF that further opened it up for the entire developer community.
To begin with, containerd was developed by Docker as a container runtime. It is responsible for handling the container life cycle in both virtual and physical environments: everything related to a container's existence, such as its creation, starting and stopping, and destruction, is handled by it.
Its functionality extends with:
As explained earlier in the post, containerd became a part of the CNCF and a peer of CoreDNS, Envoy, and other projects.
The advent of containerd was a game-changer for Kubernetes (k8s), as it gave the project direct control over the mission-critical, low-level pieces of Docker. With containerd, Kubernetes no longer needs Docker itself as its container runtime.
You may be confused by the term Docker containerd, as the two are closely linked. So, let us clarify.
In Kubernetes and elsewhere, containerd is little more than a clean abstraction over the Linux kernel features that require syscalls to set a container up.
As a container component, it sits just above that low-level wiring and works as a client layer: container software can be built on top of it.
Its use simplifies Kubernetes. Early on, Kubernetes development relied on two choices: constantly writing shims in and around the Docker interface, or interacting directly with the relevant Linux kernel features.
Both approaches were confusing and tedious. When Docker split containerd out, the Kubernetes community gained a new approach: using the containerd shim as a system abstraction layer. By adding containerd to the process, this approach kept Docker's involvement to a minimum.
OCI, the Open Container Initiative, is the governing body that defines container standards and decides how a container must look and behave in practice. Its globally recognized specifications define a well-defined interface for building and running containers.
containerd is built on OCI and follows the OCI specifications rigorously. OCI's key purpose here is to support portable container usage: it ensures that images are accessible from any compliant platform without incompatibilities.
containerd is not the only container component to be concerned with. There are other closely related components as well, so next we compare a few key container terms.
CRI-O: Though a container runtime like containerd, it does not expose complex Linux capabilities, so its attack surface is smaller. Also, containerd is an OS-level runtime, while CRI-O is an OCI-compatible implementation of the CRI.
CRI, or Container Runtime Interface: the API through which Kubernetes gains full control over container runtimes. It is containerd's CRI implementation that enables Kubernetes to communicate with the runtime. Unlike containerd, the CRI is only an interface; it needs a runtime implementation behind it in order to actually run containers.
runc: In contrast to containerd, which is a high-level runtime, runc runs at a low level and acts as a resource offering functional capabilities, for instance namespace management or communicating with Linux kernel features.
As cloud deployment grows, so do the risks involved. Containers have increased the security complexity of the cloud ecosystem, so those planning to use Kubernetes with containerd must be extra careful and adopt a security strategy for their product.
Even though containerd exposes neither SSH nor a remote CLI interface, it carries a high security risk if anyone can gain access to (or control over) the containerd socket file. From there, it is very easy for a threat actor to download a client such as nerdctl or crictl.
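Because that socket file is the gate, the first thing to check on a host is who can reach it. The following Python audit is an added example, not code from the original post or from the containerd project; the default socket path and the "root"-only trusted group are assumptions, and the demo socket is constructed in a temporary directory.

```python
import grp
import os
import socket
import stat
import tempfile

# Assumed default socket path of a standard containerd install; override if yours differs.
CONTAINERD_SOCK = "/run/containerd/containerd.sock"

def audit_socket(path, expected_uid=0, trusted_groups=("root",)):
    """Return findings for a containerd socket file; an empty list means it looks sane."""
    # On Linux, connect() on a unix socket needs write permission on the socket file,
    # so a world- or group-writable socket hands the daemon's full API to those users.
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found (daemon not running or non-default socket path)"]
    findings = []
    mode, perm = st.st_mode, oct(stat.S_IMODE(st.st_mode))
    if not stat.S_ISSOCK(mode):
        findings.append(f"{path}: not a unix socket")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: accessible by 'other' (perm {perm})")
    if mode & stat.S_IWGRP:
        try:
            gname = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            gname = str(st.st_gid)
        if gname not in trusted_groups:
            findings.append(f"{path}: writable by untrusted group '{gname}' (perm {perm})")
    return findings

def demo():
    """Constructed demo: a throwaway unix socket, first world-writable, then owner-only."""
    path = os.path.join(tempfile.mkdtemp(), "containerd.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    me = os.getuid()
    os.chmod(path, 0o666)  # the weak setting: any local user can reach the daemon
    before = audit_socket(path, expected_uid=me, trusted_groups=())
    os.chmod(path, 0o600)  # hardened: only the owner (normally root) may connect
    after = audit_socket(path, expected_uid=me, trusted_groups=())
    srv.close()
    return before, after

if __name__ == "__main__":
    print("\n".join(audit_socket(CONTAINERD_SOCK)) or "socket permissions look sane")
```

Run it as root on a node to audit the real socket; `demo()` shows the two findings a world-writable socket produces and the clean result after locking it down.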
Containerd has a wide attack surface because of
Thankfully, there are ways to shrink the containerd attack surface. Let’s have a look at the best options.
With containerd, Docker's capabilities are simplified, and both Kubernetes and containers are empowered. However, it has a vast attack surface, and prospective users must learn to deal with it. Practices like verifying image secrets, updating containerd, and the others we have shared are of great help.