github.com/containerd/containerd/v2@v2.0.0-rc.2/docs/cri/architecture.md

# Architecture of The CRI Plugin
This document describes the architecture of the `cri` plugin for `containerd`.

This plugin is an implementation of the Kubernetes [container runtime interface (CRI)](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto). Containerd operates on the same node as the [Kubelet](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/). The `cri` plugin inside containerd handles all CRI service requests from the Kubelet and uses containerd internals to manage containers and container images.

The `cri` plugin uses containerd to manage the full container lifecycle and all container images. As shown below, `cri` also manages pod networking via [CNI](https://github.com/containernetworking/cni) (another CNCF project).

![architecture](./architecture.png)

Let's use an example to demonstrate how the `cri` plugin works when the Kubelet creates a single-container pod:
* Kubelet calls the `cri` plugin, via the CRI runtime service API, to create a pod;
* `cri` creates the pod’s network namespace, and then configures it using CNI;
* `cri` uses containerd internals to create and start a special [pause container](https://www.ianlewis.org/en/almighty-pause-container) (the sandbox container) and puts that container inside the pod’s cgroups and namespace (steps omitted for brevity);
* Kubelet subsequently calls the `cri` plugin, via the CRI image service API, to pull the application container image;
* `cri` further uses containerd to pull the image if the image is not present on the node;
* Kubelet then calls `cri`, via the CRI runtime service API, to create and start the application container inside the pod using the pulled container image;
* `cri` finally uses containerd internals to create the application container, put it inside the pod’s cgroups and namespace, and then start the pod’s new application container.

After these steps, a pod and its corresponding application container are created and running.
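
The call order in the list above can be checked mechanically, for example when reviewing a node's CRI request log for requests that skip a step. The following is an added example, not code from containerd: the RPC names are real CRI methods, while the `Call` struct, `CheckTrace`, the IDs and the image reference are constructed for illustration, and the pull-before-create rule follows this document's simplified sequence.

```go
package main

import "fmt"

// Call is one CRI request from the Kubelet (hypothetical record type).
type Call struct {
	RPC       string // RunPodSandbox, PullImage, CreateContainer, StartContainer
	Sandbox   string // pod sandbox ID (RunPodSandbox, CreateContainer)
	Container string // container ID (CreateContainer, StartContainer)
	Image     string // image reference (PullImage, CreateContainer)
}

// CheckTrace replays calls in order and reports each one that breaks the
// documented sequence: sandbox first, then image pull, create, start.
// RPCs outside that sequence are ignored.
func CheckTrace(calls []Call) []string {
	sandboxes, images, created := map[string]bool{}, map[string]bool{}, map[string]bool{}
	var bad []string
	for i, c := range calls {
		switch c.RPC {
		case "RunPodSandbox":
			sandboxes[c.Sandbox] = true
		case "PullImage":
			images[c.Image] = true
		case "CreateContainer":
			if !sandboxes[c.Sandbox] {
				bad = append(bad, fmt.Sprintf("call %d: CreateContainer in unknown sandbox %q", i, c.Sandbox))
			}
			if !images[c.Image] {
				bad = append(bad, fmt.Sprintf("call %d: image %q was never pulled", i, c.Image))
			}
			created[c.Container] = true
		case "StartContainer":
			if !created[c.Container] {
				bad = append(bad, fmt.Sprintf("call %d: StartContainer on uncreated container %q", i, c.Container))
			}
		}
	}
	return bad
}

func main() {
	trace := []Call{ // constructed sample: the single-container pod above
		{RPC: "RunPodSandbox", Sandbox: "sb1"},
		{RPC: "PullImage", Image: "registry.example/app:1.0"},
		{RPC: "CreateContainer", Sandbox: "sb1", Container: "c1", Image: "registry.example/app:1.0"},
		{RPC: "StartContainer", Container: "c1"},
	}
	fmt.Println(len(CheckTrace(trace)), "violations")
}
```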