About cgroup v2

    The kubelet and the underlying container runtime need to interface with cgroups to enforce which includes cpu/memory requests and limits for containerized workloads.

    There are two versions of cgroups in Linux: cgroup v1 and cgroup v2. cgroup v2 is the new generation of the API.

    FEATURE STATE: Kubernetes v1.25 [stable]

    cgroup v2 is the next version of the Linux cgroup API. cgroup v2 provides a unified control system with enhanced resource management capabilities.

    cgroup v2 offers several improvements over cgroup v1, such as the following:

    • Single unified hierarchy design in API
    • Safer sub-tree delegation to containers
    • Enhanced resource allocation management and isolation across multiple resources
      • Unified accounting for different types of memory allocations (network memory, kernel memory, etc)
      • Accounting for non-immediate resource changes such as page cache write backs

    The recommended way to use cgroup v2 is to use a Linux distribution that enables and uses cgroup v2 by default.

    To check if your distribution uses cgroup v2, refer to Identify cgroup version on Linux nodes.

    cgroup v2 has the following requirements:

    • OS distribution enables cgroup v2
    • Linux Kernel version is 5.8 or later
    • Container runtime supports cgroup v2. For example:
    • The kubelet and the container runtime are configured to use the systemd cgroup driver

    For a list of Linux distributions that use cgroup v2, refer to the cgroup v2 documentation

    • Ubuntu (since 21.10, 22.04+ recommended)
    • Debian GNU/Linux (since Debian 11 bullseye)
    • Fedora (since 31)
    • Arch Linux (since April 2021)
    • RHEL and RHEL-like distributions (since 9)

    To check if your distribution is using cgroup v2, refer to your distribution’s documentation or follow the instructions in .

    To migrate to cgroup v2, ensure that you meet the , then upgrade to a kernel version that enables cgroup v2 by default.

    The kubelet automatically detects that the OS is running on cgroup v2 and performs accordingly with no additional configuration required.

    There should not be any noticeable difference in the user experience when switching to cgroup v2, unless users are accessing the cgroup file system directly, either on the node or from within the containers.

    cgroup v2 uses a different API than cgroup v1, so if there are any applications that directly access the cgroup file system, they need to be updated to newer versions that support cgroup v2. For example:

    • Some third-party monitoring and security agents may depend on the cgroup filesystem. Update these agents to versions that support cgroup v2.
    • If you run cAdvisor as a stand-alone DaemonSet for monitoring pods and containers, update it to v0.43.0 or later.
    • If you use JDK, prefer to use JDK 11.0.16 and later or JDK 15 and later, which .

    The cgroup version depends on the Linux distribution being used and the default cgroup version configured on the OS. To check which cgroup version your distribution uses, run the stat -fc %T /sys/fs/cgroup/ command on the node:

    For cgroup v1, the output is

    • Learn more about cgroups
    • Learn more about