Container orchestration platform Kubernetes announced in December 2020 that its third and final release of the year, Kubernetes v1.20, would deprecate dockershim and, subsequently, Docker as a container runtime. This deprecation has brought multiple changes that admins must be aware of and respond to accordingly.

To best understand these changes and how dockershim’s deprecation affects admins and their work, let’s quickly dive into what dockershim is, its relevance to container security, and the reasons behind Kubernetes’ decision to deprecate it.

What Is Dockershim?

The dockershim module is part of Kubernetes’ solution for using multiple container runtimes with a single kubelet without forcing the kubelet to be recompiled. More specifically, this solution is known as the Container Runtime Interface (CRI) plugin and was introduced after Kubernetes developed dockershim.

The CRI plugin was a success in that it gave Kubernetes cluster operators the freedom to interact with multiple container runtimes, but it also required that Kubernetes eventually create a way for the kubelet to recognize the Docker container runtime as a CRI-compatible one. Dockershim is the adaptor component that emerged as the response to this inevitable need.

Why Is Kubernetes Deprecating Dockershim?

In its early years, the Kubernetes platform offered compatibility with only the Docker container runtime. Dockershim’s emergence as a middleman solution foreshadowed the problems it would cause with Docker’s container runtimes overall. The dockershim module transformed from a temporary solution to a permanent one and eventually became too much to maintain.

The dockershim module, in particular, placed too great a strain on the operators responsible for maintaining the Kubernetes platform. According to DevOps expert Barbara Ericson, Kubernetes provides a self-contained environment “where every application has its source code, runtime, supporting files, configuration files and so on, thereby allowing the applications to execute in remote environments.”

The fact that Kubernetes’ support