Switching Kubernetes Container Runtime from Docker to containerd and Managing It with crictl

This article demonstrates the process of migrating a Kubernetes cluster from Docker to containerd as the container runtime. It begins by placing the target node into maintenance mode using kubectl cordon and kubectl drain to evict Pods, then stops Docker, containerd, and kubelet services.

After stopping the services, it generates a default containerd configuration with containerd config default > /etc/containerd/config.toml , modifies the pause image and registry mirrors, and updates the kubelet configuration in /etc/sysconfig/kubelet to use the remote containerd endpoint. The services are then reloaded and restarted, and the node’s runtime is verified with kubectl get nodes -o wide .

The guide proceeds to install crictl by downloading the binary from the cri-tools releases, extracting it to the system PATH, and verifying the installation. It then covers common crictl commands for listing Pods, images, containers, executing commands inside containers, retrieving logs, and gathering resource statistics, providing example outputs for each.

A comparison table highlights the differences between Docker, containerd ( ctr ), and crictl for common operations such as listing containers, inspecting resources, pulling images, and managing Pods. The article also discusses log handling differences between Docker and containerd, showing how Docker stores logs under /var/lib/docker/containers while containerd relies on kubelet to write logs to /var/log/pods and /var/log/containers , with corresponding configuration snippets.

Finally, it notes that after switching to containerd, the Docker socket is no longer available for building images, and suggests alternative image-building approaches that do not depend on docker.sock . The article concludes with references to the cri-tools GitHub repository for further information.