Describes CRI-O, an implementation of the Kubernetes Container Runtime Interface.

When you deploy Kubernetes worker nodes, CRI-O is also deployed. CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) to enable using Open Container Initiative (OCI) compatible runtimes. CRI-O is a lightweight alternative to using Docker as the runtime for Kubernetes. With CRI-O, Kubernetes can use any OCI-compliant runtime as the container runtime for pods.

CRI-O delegates containers to run on appropriate nodes, based on the configuration set in pod files. Privileged pods can be run using the runC runtime engine (runc), and unprivileged pods can be run using the Kata Containers runtime engine (kata-runtime). The status of containers as trusted or untrusted is configured in the Kubernetes pod or deployment file.

For information on how to set the container runtime, see Creating Kata Containers.