diff --git a/docs/config.md b/docs/config.md
index 6f363a8b1..8f218363f 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -117,6 +117,11 @@ version = 2
       # * OCI: https://github.com/opencontainers/image-spec/blob/master/annotations.md
       pod_annotations = []
 
+      # container_annotations is a list of container annotations passed through to the OCI config of the containers.
+      # Container annotations in CRI are usually generated by other Kubernetes node components (i.e., not users).
+      # Currently, only device plugins populate the annotations.
+      container_annotations = []
+
       # privileged_without_host_devices allows overloading the default behaviour of passing host
       # devices through to privileged containers. This is useful when using a runtime where it does
       # not make sense to pass host devices to the container when privileged. Defaults to false -
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 134c4dacb..89b9a2004 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -38,6 +38,10 @@ type Runtime struct {
 	// PodAnnotations is a list of pod annotations passed to both pod sandbox as well as
 	// container OCI annotations.
 	PodAnnotations []string `toml:"pod_annotations" json:"PodAnnotations"`
+	// ContainerAnnotations is a list of container annotations passed through to the OCI config of the containers.
+	// Container annotations in CRI are usually generated by other Kubernetes node components (i.e., not users).
+	// Currently, only device plugins populate the annotations.
+	ContainerAnnotations []string `toml:"container_annotations" json:"ContainerAnnotations"`
 	// Root is the directory used by containerd for runtime state.
 	// DEPRECATED: use Options instead. Remove when shim v1 is deprecated.
 	// This only works for runtime type "io.containerd.runtime.v1.linux".