Why it happened
“Docker” is a full stack. Buried inside it is containerd, the actual runtime. Docker wasn’t CRI-compliant, so a translation layer called dockershim had to sit between kubelet and Docker. Dockershim was extra complexity in kubelet — removed in K8s 1.24.
What changed
For developers: Nothing. Dockerfiles still work. Docker images are OCI-compliant, so containerd and CRI-O can pull and run them.
For cluster operators: Worker nodes must now use containerd or CRI-O instead of Docker.
Warning
DinD patterns break — Anything relying on
/var/run/docker.sock(Docker-in-Docker) breaks when switching to containerd or CRI-O. Usekaniko,buildah, orimginstead.
See also
- container-runtimes — containerd, CRI-O, and the OCI standard
- cri — the interface that replaced dockershim