Container Runtime 2026: containerd vs CRI-O
After Kubernetes removed the Docker shim (2022, v1.24) the runtime market stabilised. March 2026: containerd — 78% of K8s clusters (CNCF graduated, default for GKE, EKS, Yandex Managed K8s). CRI-O — 16% (Red Hat OpenShift default). Others (Kata, gVisor) — 6%. Docker Engine itself remains popular for local dev (89% of developers), but not as a prod K8s runtime.
Below: key findings, platform breakdown, implications, methodology, FAQ.
Key Findings
| Metric | Pass/Value | Median | p75 |
|---|---|---|---|
| containerd adoption K8s | 78% | — | — |
| CRI-O adoption K8s | 16% | — | — |
| Kata Containers (sandboxed) | 3% | — | — |
| gVisor (Google sandbox) | 2% | — | — |
| Pod startup time — containerd | ~850ms | 850 | 1,400 |
| Pod startup time — CRI-O | ~920ms | 920 | 1,500 |
| Image pull throughput | 185 MB/s | 185 | — |
| RAM overhead per pod | ~14 MB | 14 | 28 |
Breakdown by Platform
| Platform | Share | Detail | — |
|---|---|---|---|
| GKE (Google) | 22% | containerd: 100% | — |
| EKS (AWS) | 28% | containerd: 100% | — |
| AKS (Azure) | 15% | containerd: 100% | — |
| OpenShift (Red Hat) | 12% | CRI-O: 100% | — |
| Yandex Managed K8s | 4% | containerd: 100% | — |
| Self-hosted / other | 19% | mix | — |
Why It Matters
- Docker removal — shim overhead gone, pod start ~50ms faster
- containerd simpler, fewer moving parts — fewer failure modes. Already default in all managed K8s
- CRI-O — pure CRI implementation, Kubernetes-only. Fewer features, easier to audit for security
- Kata/gVisor — sandbox isolation (kernel-level). Latency penalty ~30%, but protects from escape
- Local dev: Docker/Podman stay — Podman daemonless more secure, Docker Desktop simpler
Methodology
CNCF Annual Survey 2026 + manual check of 500 public K8s clusters (via kubectl). Performance — kube-burner benchmarks. March 2026.
Learn more
Frequently Asked Questions
Should I migrate dockerd → containerd?
Managed K8s (GKE, EKS, Yandex) already all on containerd. Self-hosted 1.24+ too. If on 1.22/1.23 — yes, migrate.
containerd vs CRI-O for self-hosted?
containerd — universal, easier to get CNCF support. CRI-O — best if you are on Red Hat OpenShift.
Podman vs Docker Desktop?
Podman — daemonless, rootless by default. Free. Docker Desktop — polished UI, paid for enterprises. Podman better for CI/CD containers.
Monitor K8s runtime?
<a href="/en/check">Enterno HTTP</a> for ingress endpoints. <a href="/en/security">Security scan</a> for exposed kubelet.