CNCF to Host CRI-O as Incubated Project

The Cloud Native Computing Foundation (CNCF) has voted to accept CRI-O as an incubation level project in a move that lead CRI-O project maintainer Vincent Batts says is a first of its kind.
“No project has come in at a graduated level before, but it’s already something that’s in production, that has maintainers from several companies, and people are using it,” said Batts in an interview. “It’s been 1.0 for a couple of years now. So, in some ways, it is already a very established project.”
Batts, a Red Hat employee, explained that CRI-O, which is an implementation of the Kubernetes Container Runtime Interface (CRI) designed to enable the use of Open Container Initiative (OCI) compatible runtimes, had previously been hosted in the Kubernetes special interest groups (SIGs). As a part of Kubernetes SIGs, CRI-O was viewed by some as less than what it really was, said Batts.
“Kubernetes SIGs is a place for the Kubernetes community at large to work on ideas that are directly relevant to Kubernetes itself. So it wasn’t an incubator in the same way of having any kind of guidance from CNCF or presence that CNCF is doing. It was just a place for the Kubernetes community to function,” said Batts. “Because it was so bound to Kubernetes and because it was living in this special interest groups organization, CRI-O was always seen as just kind of a side thing, but it wasn’t just a side project or helper utility. It was a substantial part of the Kubernetes strategy. Taking it out of the wings, so to speak, and letting it stand on its own two feet is, in that way, bringing it into the family. The CNCF family is not just an in-the-wings kind of a helper project.”
CRI was introduced in 2016 as “a plugin interface that gives kubelet (a cluster node agent used to create pods and start containers) the ability to use different container runtimes, without needing to recompile Kubernetes,” according to a CNCF statement. From there, the CRI-O project was developed to provide a lightweight runtime that was strictly bound to Kubernetes. CRI-O is versioned in step with Kubernetes and, as Batts explained, works to keep Kubernetes “boring,” secure and stable.
“All the other tools like Containerd and Docker and otherwise support multiple use cases. In that way, CRI-O is very opinionated in that it is narrowly supporting the Kubernetes use case only. It gives it the freedom to push out how minimal it is, making sure the security footprint is thoroughly thought through,” said Batts. “Not having to accommodate all the bells and whistles but really doing what it does effectively, stable, secure, boring. A lot of the engineers that have contributed to CRI-O are also contributing to upstream communities like systemd and the kernel for better secret handling and user namespace handling because, it’s like, be opinionated about the use case and then push it to the far, far ends of making sure that the use case is 100%.”
CRI-O joins a number of other projects at the incubation level, including OpenTracing, Fluentd, Linkerd, gRPC, rkt, CNI, Jaeger, Notary, TUF, Vitess, NATS, Helm, Rook, Harbor, and etcd, as well as OPA, which just graduated from sandbox last week.
The Cloud Native Computing Foundation is a sponsor of The New Stack.
Feature image by mmuller from Pixabay.