CRI: Container Runtime Interface in Depth

You SSH into a node reporting NotReady. The kubelet logs say container runtime status check failed. You run crictl info and get connection refused. Now what?

Everything past that point depends on understanding how the kubelet and the container runtime talk to each other. The kubelet knows nothing about how containers actually run. It speaks gRPC to a Unix socket, and whatever answers on the other side does the real work: creating namespaces, pulling images, mounting volumes, starting processes. That gRPC protocol is the Container Runtime Interface (CRI), and since the dockershim removal in Kubernetes 1.24, containerd and CRI-O are the two production implementations that speak it.