diff --git a/oci/spec_opts.go b/oci/spec_opts.go
index 7b91ba876..5a952f616 100644
--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
@@ -273,6 +273,28 @@ func WithMounts(mounts []specs.Mount) SpecOpts {
 }
 }
+// WithoutMounts removes mounts
+func WithoutMounts(dests ...string) SpecOpts {
+ return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
+ var (
+ mounts []specs.Mount
+ current = s.Mounts
+ )
+ mLoop:
+ for _, m := range current {
+ mDestination := filepath.Clean(m.Destination)
+ for _, dest := range dests {
+ if mDestination == dest {
+ continue mLoop
+ }
+ }
+ mounts = append(mounts, m)
+ }
+ s.Mounts = mounts
+ return nil
+ }
+}
+
+// WithHostNamespace allows a task to run inside the host's linux namespace
 func WithHostNamespace(ns specs.LinuxNamespaceType) SpecOpts {
 return func(_ context.Context, _ Client, _ *containers.Container, s *Spec) error {
diff --git a/oci/spec_opts_linux.go b/oci/spec_opts_linux.go
index b0a7d3bbd..b20930d0e 100644
--- a/oci/spec_opts_linux.go
+++ b/oci/spec_opts_linux.go
@@ -247,3 +247,8 @@ var WithAllKnownCapabilities = func(ctx context.Context, client Client, c *conta
 caps := cap.Known()
 return WithCapabilities(caps)(ctx, client, c, s)
 }
+
+// WithoutRunMount removes the `/run` inside the spec
+func WithoutRunMount(ctx context.Context, client Client, c *containers.Container, s *Spec) error {
+ return WithoutMounts("/run")(ctx, client, c, s)
+}
diff --git a/oci/spec_opts_test.go b/oci/spec_opts_test.go
index d0d585a38..7cc94b956 100644
--- a/oci/spec_opts_test.go
+++ b/oci/spec_opts_test.go
@@ -25,6 +25,7 @@ import (
 "io/ioutil"
 "log"
 "os"
+ "path/filepath"
 "reflect"
 "runtime"
 "strings"
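Review bot: The comparison in the inner loop of WithoutMounts is one-sided: `m.Destination` is normalised with `filepath.Clean` but each entry of `dests` is compared verbatim, so `WithoutMounts("/run/")` or `WithoutMounts("/run/../run")` leaves the `/run` mount in place and the caller silently gets a spec that still carries the mount it meant to strip. Cleaning the targets once before the loop removes the asymmetry: `cleaned := make([]string, len(dests))` / `for i, d := range dests { cleaned[i] = filepath.Clean(d) }` and then compare `mDestination` against `cleaned`. Note also that `filepath.Clean` is host-OS dependent while `Destination` is a path inside the container, so on a Windows host producing a Linux spec `/run` cleans to `\run`; `path.Clean` would be the container-side choice, although the CRI implementation being replaced made the same call, so this is a pre-existing limitation rather than a regression. The doc comment `// WithoutMounts removes mounts` should state the contract, e.g. `// WithoutMounts removes every mount whose cleaned Destination equals one of dests; matching is exact, so mounts nested below a listed directory are kept.`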
@@ -601,3 +602,59 @@ func getShmSize(opts []string) string {
 }
 return ""
 }
+
+func TestWithoutMounts(t *testing.T) {
+ t.Parallel()
+ var s Spec
+
+ x := func(s string) string {
+ if runtime.GOOS == "windows" {
+ return filepath.Join("C:\\", filepath.Clean(s))
+ }
+ return s
+ }
+ opts := []SpecOpts{
+ WithMounts([]specs.Mount{
+ {
+ Destination: x("/dst1"),
+ Source: x("/src1"),
+ },
+ {
+ Destination: x("/dst2"),
+ Source: x("/src2"),
+ },
+ {
+ Destination: x("/dst3"),
+ Source: x("/src3"),
+ },
+ }),
+ WithoutMounts(x("/dst2"), x("/dst3")),
+ WithMounts([]specs.Mount{
+ {
+ Destination: x("/dst4"),
+ Source: x("/src4"),
+ },
+ }),
+ }
+
+ expected := []specs.Mount{
+ {
+ Destination: x("/dst1"),
+ Source: x("/src1"),
+ },
+ {
+ Destination: x("/dst4"),
+ Source: x("/src4"),
+ },
+ }
+
+ for _, opt := range opts {
+ if err := opt(nil, nil, nil, &s); err != nil {
+ t.Fatal(err)
+ }
+ }
+
+ if !reflect.DeepEqual(expected, s.Mounts) {
+ t.Fatalf("expected %+v, got %+v", expected, s.Mounts)
+ }
+}
diff --git a/pkg/cri/opts/spec_linux.go b/pkg/cri/opts/spec_linux.go
index e43f7d84c..67a652e91 100644
--- a/pkg/cri/opts/spec_linux.go
+++ b/pkg/cri/opts/spec_linux.go
@@ -76,22 +76,6 @@ func mergeGids(gids1, gids2 []uint32) []uint32 {
 return gids
 }
-// WithoutRunMount removes the `/run` inside the spec
-func WithoutRunMount(_ context.Context, _ oci.Client, c *containers.Container, s *runtimespec.Spec) error {
- var (
- mounts []runtimespec.Mount
- current = s.Mounts
- )
- for _, m := range current {
- if filepath.Clean(m.Destination) == "/run" {
- continue
- }
- mounts = append(mounts, m)
- }
- s.Mounts = mounts
- return nil
-}
-
 // WithoutDefaultSecuritySettings removes the default security settings generated on a spec
 func WithoutDefaultSecuritySettings(_ context.Context, _ oci.Client, c *containers.Container, s *runtimespec.Spec) error {
 if s.Process == nil {
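Review bot: TestWithoutMounts only feeds destinations that are already clean, so the `filepath.Clean(m.Destination)` step in WithoutMounts is never exercised and the test would pass unchanged if that normalisation were dropped. One extra mount whose Destination carries a trailing separator, removed by its clean form, pins the behaviour: add `{Destination: x("/dst5/"), Source: x("/src5")}` to the first WithMounts call and `x("/dst5")` to the WithoutMounts arguments, leaving `expected` as it is (on Windows the `x` helper cleans the path itself, so that platform still only covers the exact-match path). A second case worth adding is a WithoutMounts call naming a destination that is not in the spec, asserting the mount list is returned untouched rather than emptied. Minor: the helper `x := func(s string) string` shadows the `s Spec` declared two lines above it; naming the parameter `p` avoids the double meaning.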
diff --git a/pkg/cri/server/container_create_linux.go b/pkg/cri/server/container_create_linux.go
index 63648b221..7d9c4b536 100644
--- a/pkg/cri/server/container_create_linux.go
+++ b/pkg/cri/server/container_create_linux.go
@@ -122,7 +122,7 @@ func (c *criService) containerSpec(
 ociRuntime config.Runtime,
 ) (_ *runtimespec.Spec, retErr error) {
 specOpts := []oci.SpecOpts{
- customopts.WithoutRunMount,
+ oci.WithoutRunMount,
 }
 // only clear the default security settings if the runtime does not have a custom
 // base runtime spec spec. Admins can use this functionality to define
diff --git a/pkg/cri/server/sandbox_run_linux.go b/pkg/cri/server/sandbox_run_linux.go
index aa9cc35ec..27ef2f6ef 100644
--- a/pkg/cri/server/sandbox_run_linux.go
+++ b/pkg/cri/server/sandbox_run_linux.go
@@ -41,7 +41,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 // Creates a spec Generator with the default spec.
 // TODO(random-liu): [P1] Compare the default settings with docker and containerd default.
 specOpts := []oci.SpecOpts{
- customopts.WithoutRunMount,
+ oci.WithoutRunMount,
 customopts.WithoutDefaultSecuritySettings,
 customopts.WithRelativeRoot(relativeRootfsPath),
 oci.WithEnv(imageConfig.Env),