Kubernetes CRI
A3S Box CRI server — core pod and container lifecycle plus exec work end to end with crictl and kubelet, though it is not yet fully critest-conformant
A3S Box includes a Kubernetes CRI server. As of v2.0.5 it is reachable by crictl, the kubelet, and critest over its Unix domain socket, and the core pod sandbox + container lifecycle and exec work end to end. It is Linux-only, not yet fully critest-conformant, and not yet a drop-in production Kubernetes runtime — the broader product priority remains the local Docker-like runtime. Do not read this page as a production certification statement.
Windows CRI is intentionally unsupported.
What Exists
| CRI area | Current state |
|---|---|
| RuntimeService | Pod sandbox lifecycle, container lifecycle, status, stats, selected update/status paths. |
| ImageService | Pull, list, status, filesystem info, and remove paths backed by the local image store. |
| Streaming | exec works over the Kubernetes SPDY/3.1 remotecommand protocol (crictl exec / kubectl exec, TTY and non-TTY, stdin/stdout/stderr, exit-code propagation). attach is not yet working. |
| Networking | Sandbox port mappings and an a3s.box/network annotation path exist for A3S bridge networks. |
| Tests | The CRI is now reachable by crictl, the kubelet, and critest (a vendored h2 patch in v2.0.5 fixed the socket-path :authority rejection). critest baseline: about 23 of 80 run specs pass. |
Mental Model
```
kubelet / crictl
      |
      | CRI v1 gRPC
      v
a3s-box-cri
RuntimeService + ImageService + streaming server
      |
      v
A3S Box runtime and MicroVM
```

A pod sandbox maps to one Box microVM. The container lifecycle works end to end (CreateContainer/StartContainer/Stop/Remove, verified via crictl), and both non-TTY and PTY exec work. Container stdout/stderr are captured to the CRI log_path and readable via crictl logs. Note that attach and the stricter conformance specs (exact log format, Linux SecurityContext, seccomp/AppArmor, namespace sharing, mount propagation, port-forward) are still in progress.
Run for Evaluation
```bash
# From the Box repository
helm install a3s-box deploy/helm/a3s-box/ \
  -n a3s-box-system --create-namespace
```

Or run the CRI binary directly in a controlled development environment and point crictl or kubelet at its socket.
RuntimeClass Example
```yaml
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: a3s-box
handler: a3s-box
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello
spec:
  runtimeClassName: a3s-box
  containers:
    - name: app
      image: alpine:latest
      command: ["sleep", "3600"]
```

Known Boundaries
- No Windows CRI support (intentionally out of scope).
- Linux-only; host must provide image availability, virtualization support (e.g. /dev/kvm), and the expected CRI tooling.
- attach is not yet working.
- Not yet critest-conformant: the stricter specs (exact CRI log format, Linux SecurityContext, seccomp/AppArmor, namespace sharing, mount propagation, port-forward) are still in progress. Conformance is tracked in the Box repository's docs/cri-conformance.md.
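
The in-progress areas listed above matter when a manifest relies on them for isolation. As an added example (not code from A3S Box or its repository), this Python check lists the fields of a Pod targeting the a3s-box RuntimeClass that depend on those areas; the mapping from Kubernetes Pod fields to the page's areas is an assumption, and both sample manifests are constructed.

```python
# Added example, not A3S Box code. The mapping from Pod fields to the page's
# "still in progress" CRI areas is an assumption made for illustration.
RUNTIME_CLASS = "a3s-box"  # handler from the RuntimeClass example
NS_FLAGS = ("hostNetwork", "hostPID", "hostIPC", "shareProcessNamespace")
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def _ctx(ctx, where):
    """Classify each key of one securityContext mapping."""
    return [(f"{where}.{k}", "seccomp/AppArmor"
             if k in ("seccompProfile", "appArmorProfile")
             else "Linux SecurityContext") for k in sorted(ctx)]

def unenforced_fields(pod):
    """Return [(field path, in-progress CRI area)] for a Pod manifest dict."""
    spec = pod.get("spec", {})
    if spec.get("runtimeClassName") != RUNTIME_CLASS:
        return []  # pods on other runtimes are out of scope
    found = [(f"spec.{k}", "namespace sharing") for k in NS_FLAGS if spec.get(k)]
    for name in pod.get("metadata", {}).get("annotations", {}):
        if name.startswith(APPARMOR_PREFIX):
            found.append((f"metadata.annotations[{name}]", "seccomp/AppArmor"))
    found += _ctx(spec.get("securityContext", {}), "spec.securityContext")
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            base = f"spec.{kind}[{c.get('name')}]"
            found += _ctx(c.get("securityContext", {}), f"{base}.securityContext")
            for m in c.get("volumeMounts", []):
                if m.get("mountPropagation", "None") != "None":
                    found.append((f"{base}.volumeMounts[{m.get('name')}]"
                                  ".mountPropagation", "mount propagation"))
    return found

# Constructed sample manifests (already parsed into dicts).
PLAIN_POD = {"metadata": {"name": "hello"}, "spec": {
    "runtimeClassName": "a3s-box",
    "containers": [{"name": "app", "image": "alpine:latest",
                    "command": ["sleep", "3600"]}]}}
HARDENED_POD = {"metadata": {"name": "hardened"}, "spec": {
    "runtimeClassName": "a3s-box", "hostPID": True,
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "alpine:latest",
                    "securityContext": {"runAsNonRoot": True,
                                        "readOnlyRootFilesystem": True},
                    "volumeMounts": [{"name": "data", "mountPath": "/data",
                                      "mountPropagation": "HostToContainer"}]}]}}

if __name__ == "__main__":
    for path, area in unenforced_fields(HARDENED_POD):
        print(f"{area}: verify enforcement of {path}")
```

A finding means the field belongs to an area the page lists as in progress, so its enforcement should be verified inside the running microVM before the manifest is trusted for isolation.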