diff --git a/roles/container-engine/nerdctl/tasks/main.yml b/roles/container-engine/nerdctl/tasks/main.yml
index 4afddafafc6e66c7fc639f72049787e8eda0b3e2..ad088391f031c9bcca3584bbb1c634d856c36d8d 100644
--- a/roles/container-engine/nerdctl/tasks/main.yml
+++ b/roles/container-engine/nerdctl/tasks/main.yml
@@ -10,6 +10,27 @@
     dest: "{{ bin_dir }}/nerdctl"
     mode: 0755
     remote_src: true
+    owner: root
+    group: root
+  become: true
   notify:
     - Get nerdctl completion
     - Install nerdctl completion
+
+- name: nerdctl | Create configuration dir
+  file:
+    path: /etc/nerdctl
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+  become: true
+
+- name: nerdctl | Install nerdctl configuration
+  template:
+    src: nerdctl.toml.j2
+    dest: /etc/nerdctl/nerdctl.toml
+    mode: 0644
+    owner: root
+    group: root
+  become: true
diff --git a/roles/container-engine/nerdctl/templates/nerdctl.toml.j2 b/roles/container-engine/nerdctl/templates/nerdctl.toml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c12d6832edf08d75e631713baa235282e5027c08
--- /dev/null
+++ b/roles/container-engine/nerdctl/templates/nerdctl.toml.j2
@@ -0,0 +1,10 @@
+debug             = false
+debug_full        = false
+address           = "unix://{{ cri_socket }}"
+namespace         = "k8s.io"
+snapshotter       = "native"
+cni_path          = "/opt/cni/bin"
+cni_netconfpath   = "/etc/cni/net.d"
+cgroup_manager    = "{{ kubelet_cgroup_driver | default('systemd') }}"
+insecure_registry = {{ (containerd_insecure_registries is defined and containerd_insecure_registries|length>0) | bool | lower }}
+hosts_dir         = ["/etc/containerd/certs.d"]
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index a54822f3e52d604cead69f710155574d04a5cf0e..4b1c3b72486c8432dddcf585aac56b4526d51394 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -112,7 +112,7 @@ kube_ovn_version: "v1.8.1"
 kube_router_version: "v1.4.0"
 multus_version: "v3.8"
 helm_version: "v3.8.0"
-nerdctl_version: "0.15.0"
+nerdctl_version: "0.16.0"
 krew_version: "v0.4.2"
 
 # Get kubernetes major version (i.e. 1.17.4 => 1.17)
@@ -520,11 +520,11 @@ gvisor_containerd_shim_binary_checksums:
 
 nerdctl_archive_checksums:
   arm:
-    0.15.0: 4d3a2e9ecb9efd278313483e85e34e45605f4f8e61805480de440f69a298a649
+    0.16.0: bb1c336e9a1dab840c83d4d56914c2c060fc35433113e8e111f5075b5480d858
   arm64:
-    0.15.0: 7b79e2e8fd88b71ed4e0563c7e7dd27008b7ac7990ad2206efb012def850d150
+    0.16.0: 81e0c13e3c3036c1c5ef5d3c2e02c7b3e980e1856d732779b9e4e5afb9df4c6d
   amd64:
-    0.15.0: 1371da3f6bd461f331946654f6dd3ef2ef4b9da0dd7bc5f78ed1166f32ad5adc
+    0.16.0: 00abb395a6c7c19f2e0612a65e413534b6ec42e995bfbcabd59886b99ca5e43e
 
 containerd_archive_checksums:
   arm:
diff --git a/roles/reset/tasks/main.yml b/roles/reset/tasks/main.yml
index beaf944a2e38034ccf61bffb70d85fba39a14b3d..7f5edf7a89f5f39cd2817ece04add0969639869d 100644
--- a/roles/reset/tasks/main.yml
+++ b/roles/reset/tasks/main.yml
@@ -272,6 +272,7 @@
     - "{{ etcd_config_dir }}"
     - /var/log/calico
     - /etc/cni
+    - /etc/nerdctl
     - "{{ nginx_config_dir }}"
     - /etc/dnsmasq.d
     - /etc/dnsmasq.conf