Containers and Container Runtimes

When you run kubectl run nginx --image=nginx, at least three separate pieces of software collaborate before a single process starts inside that container. The kubelet talks to a high-level runtime over gRPC, the high-level runtime calls a low-level runtime, and the low-level runtime asks the Linux kernel to set up the isolation boundaries. None of these components are optional, and each follows a different specification.

This layered architecture sits at the heart of the KCNA Kubernetes Fundamentals domain (44% of the exam). The stack has three layers, each governed by its own specification: OCI at the bottom, CRI in the middle, and the kubelet at the top.