diff --git a/cluster/plan.go b/cluster/plan.go
index 264f96bd..80536314 100644
--- a/cluster/plan.go
+++ b/cluster/plan.go
@@ -57,6 +57,8 @@ const (
 MaxEtcdNoStrictTLSVersion = "v3.4.14-rancher99"
 EncryptionProviderConfigArgument = "encryption-provider-config"
+
+ KubeletCRIDockerdNameEnv = "RKE_KUBELET_CRIDOCKERD"
 )
 var admissionControlOptionNames = []string{"enable-admission-plugins", "admission-control"}
@@ -436,6 +438,10 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, serviceOptions v3.Kubern
 CommandArgs["tls-cert-file"] = pki.GetCertPath(pki.GetCrtNameForHost(host, pki.KubeletCertName))
 CommandArgs["tls-private-key-file"] = pki.GetCertPath(fmt.Sprintf("%s-key", pki.GetCrtNameForHost(host, pki.KubeletCertName)))
 }
+ if c.IsCRIDockerdEnabled() {
+ CommandArgs["container-runtime"] = "remote"
+ CommandArgs["container-runtime-endpoint"] = "/var/run/dockershim.sock"
+ }
 if serviceOptions.Kubelet != nil {
 for k, v := range serviceOptions.Kubelet {
@@ -508,6 +514,12 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, serviceOptions v3.Kubern
 Env := host.GetExtraEnv(kubelet.BaseService)
+ if c.IsCRIDockerdEnabled() {
+ Env = append(Env,
+ // Enable running cri-dockerd
+ fmt.Sprintf("%s=%s", KubeletCRIDockerdNameEnv, "true"))
+ }
+
 if len(c.CloudProvider.Name) > 0 {
 Env = append(Env, fmt.Sprintf("%s=%s", CloudConfigSumEnv, getStringChecksum(c.CloudConfigFile)))
@@ -1096,3 +1108,13 @@ func appendArgs(command []string, args map[string]string) []string {
 }
 return command
 }
+
+func (c *Cluster) IsCRIDockerdEnabled() bool {
+ if c == nil {
+ return false
+ }
+ if c.EnableCRIDockerd != nil && *c.EnableCRIDockerd {
+ return true
+ }
+ return false
+}
diff --git a/cluster/validation.go b/cluster/validation.go
index e406ad2a..6f07e97b 100644
--- a/cluster/validation.go
+++ b/cluster/validation.go
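Review bot: In cluster/plan.go, the `container-runtime-endpoint` value added to BuildKubeletProcess (hunk @@ -436) is a bare path with no scheme, and both new flags are set before the `serviceOptions.Kubelet` loop that follows them. kubelet handles a schemeless endpoint only through a deprecated fallback, so `CommandArgs["container-runtime-endpoint"] = "unix:///var/run/dockershim.sock"` is the safer spelling, ideally with the path in a named constant next to `KubeletCRIDockerdNameEnv`. The loop body lies outside the hunk; if it assigns into `CommandArgs`, service options can replace either flag while the `RKE_KUBELET_CRIDOCKERD` variable from the @@ -508 hunk is still exported, leaving kubelet pointed at a different CRI socket than the one the container starts. It is worth confirming that ordering, or setting the two flags after the loop and adding a comment such as `// cri-dockerd flags are set last so service options cannot redirect the CRI socket`.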
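Review bot: The exported method `IsCRIDockerdEnabled` added at the end of cluster/plan.go (hunk @@ -1096) has no doc comment, and its two `if` blocks reduce to one expression. I would add `// IsCRIDockerdEnabled reports whether EnableCRIDockerd is set and true; a nil cluster or an unset option counts as disabled.` and write the body as `return c != nil && c.EnableCRIDockerd != nil && *c.EnableCRIDockerd`. `validateCRIDockerdOption` in cluster/validation.go repeats the same pointer check inline; calling this method there would keep a single definition of "enabled".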
@@ -6,11 +6,13 @@ import (
 "fmt"
 "strings"
+ "github.com/blang/semver"
 "github.com/rancher/rke/log"
 "github.com/rancher/rke/metadata"
 "github.com/rancher/rke/pki"
 "github.com/rancher/rke/services"
 "github.com/rancher/rke/util"
+ "github.com/sirupsen/logrus"
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/util/validation"
 )
@@ -47,6 +49,11 @@ func (c *Cluster) ValidateCluster(ctx context.Context) error {
 return err
 }
+ // validate enabling CRIDockerd
+ if err := validateCRIDockerdOption(c); err != nil {
+ return err
+ }
+
 // validate services options
 return validateServicesOptions(c)
 }
@@ -576,3 +583,25 @@ func validateIngressImages(c *Cluster) error {
 }
 return nil
 }
+
+func validateCRIDockerdOption(c *Cluster) error {
+ if c.EnableCRIDockerd != nil && *c.EnableCRIDockerd {
+ k8sVersion := c.RancherKubernetesEngineConfig.Version
+ toMatch, err := semver.Make(k8sVersion[1:])
+ if err != nil {
+ return fmt.Errorf("%s is not valid semver", k8sVersion)
+ }
+ logrus.Debugf("Checking cri-dockerd for cluster version [%s]", k8sVersion)
+ // cri-dockerd can be enabled for k8s 1.21 and up
+ CRIDockerdAllowedRange, err := semver.ParseRange(">=1.21.0-rancher0")
+ if err != nil {
+ logrus.Warnf("Failed to parse semver range for checking cri-dockerd")
+ }
+ if !CRIDockerdAllowedRange(toMatch) {
+ logrus.Debugf("Cluster version [%s] is not allowed to enable cri-dockerd", k8sVersion)
+ return fmt.Errorf("Enabling cri-dockerd for cluster version [%s] is not supported", k8sVersion)
+ }
+ logrus.Infof("cri-dockerd is enabled for cluster version [%s]", k8sVersion)
+ }
+ return nil
+}
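Review bot: In `validateCRIDockerdOption` (hunk @@ -576), `k8sVersion[1:]` panics when `Version` is an empty string and drops the first character when the value has no `v` prefix, so a malformed cluster config can crash validation instead of being rejected by it. Whether an earlier step guarantees a non-empty, `v`-prefixed version is not visible in this diff. `toMatch, err := semver.Make(strings.TrimPrefix(k8sVersion, "v"))` avoids both cases, and the file already imports `strings`. The `semver.ParseRange` error is only logged and `CRIDockerdAllowedRange` is then called anyway, which on a parse failure is a call through a nil function value, so that branch should `return fmt.Errorf("parsing cri-dockerd version range: %w", err)` rather than `logrus.Warnf`. Smaller points: the final error string should start lower-case, and the `semver.Make` error should be wrapped with `%w` rather than discarded.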