diff --git a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
index c43cd83c8..7c64707c5 100644
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -171,6 +171,32 @@ dns_domain: "{{ cluster_name }}"
 ## docker for docker, crio for cri-o and containerd for containerd.
 container_manager: docker
+## Settings for containerd runtimes (only used when container_manager is set to containerd)
+#
+# Settings for default containerd runtime
+# containerd_default_runtime:
+# type: io.containerd.runtime.v1.linux
+# engine: ''
+# root: ''
+#
+# Settings for additional runtimes for containerd configuration
+# containerd_runtimes:
+# - name: ""
+# type: ""
+# engine: ""
+# root: ""
+# Example for Kata Containers as additional runtime:
+# containerd_runtimes:
+# - name: kata
+# type: io.containerd.kata.v2
+# engine: ""
+# root: ""
+#
+# Settings for untrusted containerd runtime
+# containerd_untrusted_runtime_type: ''
+# containerd_untrusted_runtime_engine: ''
+# containerd_untrusted_runtime_root: ''
+
 ## Settings for containerized control plane (kubelet/secrets)
 kubelet_deployment_type: host
 helm_deployment_type: host
diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index ac797ec37..adeda97f9 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
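Review bot: The `# Settings for untrusted containerd runtime` comment does not say when that runtime is selected, which is the one thing an operator needs to know before setting an isolation boundary. I would extend it to something like `# Runtime used for pods annotated io.kubernetes.cri.untrusted-workload: "true" (typically a sandboxed runtime)`. The generic `containerd_runtimes` entry with `name: ""` also reads like a usable default, yet the template in this same commit puts `name` into a TOML table header where an empty value cannot work; label it as a field list, e.g. `# Fields of each entry (name is required and must be non-empty):`.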
@@ -48,3 +48,22 @@ containerd_debian_repo_base_url: 'https://download.docker.com/linux/debian'
 containerd_debian_repo_gpgkey: 'https://download.docker.com/linux/debian/gpg'
 containerd_debian_repo_repokey: '9DC858229FC7DD38854AE2D88D81803C0EBFCD88'
 containerd_debian_repo_component: 'stable'
+
+containerd_default_runtime:
+ type: io.containerd.runtime.v1.linux
+ engine: ''
+ root: ''
+
+# Additional runtimes for containerd configuration
+#
+# Example for Kata Containers:
+# containerd_runtimes:
+# - name: kata
+# type: io.containerd.kata.v2
+# engine: ""
+# root: ""
+containerd_runtimes: []
+
+containerd_untrusted_runtime_type: ''
+containerd_untrusted_runtime_engine: ''
+containerd_untrusted_runtime_root: ''
diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
index 78aad1287..db1527e71 100644
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -31,10 +31,23 @@ disabled_plugins = ["restart"]
 {{ param }} = {{ value }}
 {% endfor %}
 {% endif %}
+
+[plugins.cri.containerd.default_runtime]
+ runtime_type = "{{ containerd_default_runtime.type }}"
+ runtime_engine = "{{ containerd_default_runtime.engine }}"
+ runtime_root = "{{ containerd_default_runtime.root }}"
+
+{% for runtime in containerd_runtimes %}
+[plugins.cri.containerd.runtimes.{{ runtime.name }}]
+ runtime_type = "{{ runtime.type }}"
+ runtime_engine = "{{ runtime.engine }}"
+ runtime_root = "{{ runtime.root }}"
+{% endfor %}
+
 [plugins.cri.containerd.untrusted_workload_runtime]
- runtime_type = ""
- runtime_engine = ""
- runtime_root = ""
+ runtime_type = "{{ containerd_untrusted_runtime_type }}"
+ runtime_engine = "{{ containerd_untrusted_runtime_engine }}"
+ runtime_root = "{{ containerd_untrusted_runtime_root }}"
 {% if 'registries' in containerd_config %}
 [plugins.cri.registry]
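Review bot: `containerd_default_runtime` is defined as a mapping, so an inventory that overrides it with only `type` replaces the whole mapping under Ansible's default hash behaviour (replace, not merge). The `engine` and `root` keys that the template in this commit reads are then missing. A comment above the default would make that contract visible, e.g. `# Override as a whole mapping: type, engine and root must all be present`. The untrusted runtime just below uses three flat `containerd_untrusted_runtime_*` variables for the same kind of setting; using one layout for both would avoid the partial-override trap and read more consistently.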
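Review bot: `{{ runtime.name }}` is rendered unquoted into the table header `[plugins.cri.containerd.runtimes.{{ runtime.name }}]`, and nothing in this hunk restricts it to TOML bare-key characters. A name containing a dot silently creates a nested table instead of a runtime entry, while an empty name or one with whitespace or brackets produces a config.toml that will not parse. The `runtime.engine` and `runtime.root` lookups also fail the render for any list entry that omits those keys, and the same applies to `containerd_default_runtime.engine` / `.root` when the mapping is overridden partially. I would default the optional fields, e.g. `runtime_engine = "{{ runtime.engine | default('') }}"` and `runtime_root = "{{ runtime.root | default('') }}"`, and reject names that do not match `^[A-Za-z0-9_-]+$` before templating. All values here are placed between double quotes without escaping, so a path containing a backslash or a quote would presumably break the string as well.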