What is a container?

  • Isolated Linux process (well…usually)
  • "Virtualized OS"
    • Filesystem
    • Network
    • etc

Container components

  • Root filesystem (container image)
  • Command (+ arguments)
  • Environment variables
  • etc

Advantages of containers

  • Run applications in isolation
  • Package applications into portable bundles

OCI: Open Container Initiative

OCI specs

  • Runtime
  • Image (“Docker image”)
  • Distribution (“Docker registry”)

OCI Runtime

  • Bundle
    • Root FS
    • Config (command, limits, mounts, etc)
  • Runtime starts the container
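An added example, not taken from the slides: a small Python linter for the config.json half of such a bundle, checking the settings that decide whether the runtime really launches an isolated, least-privilege process. The sample config is constructed for this example; the field names follow the OCI runtime spec.

```python
# Lint the config.json half of an OCI bundle (rootfs + config) for the
# settings that make the container an isolated, least-privilege process.
import json

# Constructed sample config.json shaped after the OCI runtime spec; it
# deliberately omits some hardening so that the checks below fire.
SAMPLE_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "process": {
        "user": {"uid": 0, "gid": 0},
        "args": ["nginx", "-g", "daemon off;"],
        "capabilities": {"bounding": ["CAP_NET_BIND_SERVICE", "CAP_SYS_ADMIN"]},
        "noNewPrivileges": False,
    },
    "root": {"path": "rootfs", "readonly": False},
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/host", "type": "bind", "source": "/", "options": ["rbind", "rw"]},
    ],
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "ipc"}],
        "resources": {"memory": {"limit": 268435456}},
    },
})

REQUIRED_NAMESPACES = {"pid", "mount", "network", "ipc", "uts"}
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_NET_ADMIN"}


def lint_oci_config(config_json):
    """Return a sorted list of findings; an empty list means every check passed."""
    cfg = json.loads(config_json)
    proc, linux = cfg.get("process", {}), cfg.get("linux", {})
    findings = []
    # Namespaces are what turn a plain process into an isolated one.
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    findings += [f"namespace missing: {ns}" for ns in REQUIRED_NAMESPACES - present]
    # Capabilities kept in the bounding set survive into the container.
    bounding = set(proc.get("capabilities", {}).get("bounding", []))
    findings += [f"risky capability: {c}" for c in RISKY_CAPS & bounding]
    if not proc.get("noNewPrivileges", False):
        findings.append("process.noNewPrivileges is not set")
    if proc.get("user", {}).get("uid", 0) == 0:
        findings.append("process runs as uid 0")
    # Root FS and mounts: the "limits, mounts" part of the bundle config.
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root.readonly is false")
    for m in cfg.get("mounts", []):
        if m.get("type") == "bind" and m.get("source") == "/":
            findings.append(f"host / bind-mounted at {m.get('destination')}")
    if "memory" not in linux.get("resources", {}):
        findings.append("no memory limit in linux.resources")
    return sorted(findings)
```

Running `lint_oci_config(SAMPLE_CONFIG)` reports seven findings for the sample; fixing each of them in the config yields an empty list.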

Container runtime: runc

  • OCI-compatible runtime (ref. implementation)
  • Extracted from Docker
  • Single executable
  • Launches containers as isolated Linux processes

Other OCI runtimes

  • crun (written in C, can be used as a lib)
  • runsc (user-space implementation)

Container management

  • OCI runtime: low-level (manages one container)
  • Need a "high-level" runtime to
    • Manage multiple containers
    • Manage container images
    • Manage cross-container networking
    • etc

Container runtime: containerd

  • Extracted from Docker
  • Used runc as the low-level OCI-runtime (in the past)
  • Pluggable low-level runtimes through shims
  • Available shims: runc, firecracker, etc

Container runtime: cri-o

  • Kubernetes-centric container runtime
  • Integrates OCI-runtimes
  • Implements CRI: Container Runtime Interface

CRI: Container Runtime Interface

  • gRPC API for managing containers
  • Runtimes: containerd, cri-o
  • Remember dockershim?

Container runtime???

  • Low-level: OCI-runtime
  • High-level
    • Container "manager" / "engine"
    • Interacts with low-level runtimes


Docker environments

  • Docker Engine
  • Docker Swarm
  • Docker Desktop


Pods vs containers

  • Smallest deployable unit
  • One or more containers
  • Shared storage and networking
  • Scaling unit
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      image: nginx:1.14.2
      ports:
        - containerPort: 8

Kubernetes API server

  • Control plane frontend
  • Stores desired state
  • Tracks actual state

Kubernetes scheduler

  • Finds the best Node to run the Pod on
  • Scheduling operation:
    • Filtering
    • Scoring

kubelet

  • Node agent
  • Gets the list of Pods from the API server
  • Ensures that the containers in Pods are running and healthy
Docker vs Kubernetes

  • Docker: manage containers directly (well…usually)
  • Kube: configure desired state, Kubernetes "makes it happen"

  • Docker: containerd+runc
  • Kube: CRI


  • Generally both use OCI
  • containerd is the most common runtime

