CRI-O, a Red Hat-initiated, OCI-based (Open Container Initiative) implementation of the Kubernetes Container Runtime Interface, is the latest project voted into the ranks of the Cloud Native Computing Foundation. It will join the organisation as an incubation-level hosted project, and is supposed to graduate from the process within the next two years.
To get there, a project needs to adopt the foundation’s code of conduct, complete security audits, receive a best practices badge from the Core Infrastructure Initiative, and define a governance and committer process. It also has to have committers from at least two organisations, and a public list of project adopters.
The committer requirement won’t be a problem for CRI-O, since Intel and Suse are on its list of maintainers. It is also part of Red Hat’s enterprise offering OpenShift, so the company probably won’t simply drop it into the foundation and leave them to it.
Those familiar with the cloud native ecosystem, and especially other CNCF projects, might wonder how it differs from similar runtimes such as containerd or the Docker daemon. In an announcement blog post, Red Hat Senior Principal Engineer Vincent Batts offered the narrow scope of the project as its unique selling point: for example, it doesn’t include APIs to build containers, which is meant to help with following the security principle of least privilege.
The scope is tied to the scope of the Container Runtime Interface (CRI), which restricts the project to supporting multiple image formats as well as multiple means to download images, container image and process lifecycle management, and monitoring, logging and resource isolation in line with the CRI’s requirements. CRI-O’s purpose is to allow Kubernetes to directly launch and manage OCI containers, using libraries and other OCI projects such as runc and CNI for different tasks. Its release cycle and deprecation policy are the same as Kubernetes’.
The CNCF is part of the Linux Foundation, which tries to foster and sustain open source, vendor-neutral projects of the cloud native computing kind. Projects that have been through the incubation process include monitoring project Prometheus as well as the popular container orchestrator Kubernetes. Only last week the foundation’s technical oversight committee heaved policy engine OPA from the sandbox stage into the incubator.