How to run Docker in a Kubernetes pod powered by a Kata container:

  1. Make sure that you are running containerd >= 1.3.
  2. Configure containerd as described at Kata Containers as a Runtime Class in the Kata Containers documentation.
  3. Add privileged_without_host_devices = true to the [plugins.cri.containerd.runtimes.kata] section of containerd’s config.toml file. This ensures that privileged Kata containers can only access the guest VM managed by the Kata Containers runtime, and not the host system’s devices as well.
  4. Create a Kubernetes pod running an ubuntu:20.04 container with securityContext: {privileged: true} set and runtimeClassName: kata. You may wish to double-check that host devices are really inaccessible (for example by checking whether the host’s root disk is visible in /dev) before you proceed.
  5. Enter the Kubernetes pod, install Docker by running apt update; apt install -y --no-install-recommends docker.io, and start the daemon with dockerd --storage-driver=vfs. Docker should now be running.
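
A pod manifest for step 4, added here as an example rather than taken from the Kata Containers or Kubernetes documentation; it assumes the RuntimeClass named kata from step 2 exists, and the pod and container names are arbitrary choices. Its startup command runs the device check mentioned in step 4 and then keeps the container alive so step 5 can follow.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: docker-in-kata          # arbitrary pod name (assumption)
spec:
  runtimeClassName: kata        # must match the RuntimeClass configured in step 2
  containers:
    - name: docker              # arbitrary container name (assumption)
      image: ubuntu:20.04
      securityContext:
        privileged: true        # required by dockerd; only acceptable because
                                # privileged_without_host_devices = true (step 3)
                                # keeps host devices out of the Kata guest
      command: ["/bin/sh", "-c"]
      args:
        - |
          # Check from step 4: list the block devices the container can see.
          # With host devices withheld, only the Kata guest's own disks
          # should appear here, never the host's root disk.
          echo "Block devices visible inside the pod:"
          ls -l /dev | awk '$1 ~ /^b/ {print $NF}'
          # Keep the container running so that step 5 (kubectl exec) can follow.
          sleep infinity
```

Apply it with kubectl apply -f and read the listing with kubectl logs docker-in-kata; if a device matching the host’s root disk shows up, the containerd setting from step 3 is not in effect and the pod should not be used for step 5.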

If you are migrating an existing kubeadm-managed, Docker-based cluster to containerd, see my post on how to migrate kubeadm to containerd.