18238 add cgroup v2 and containerd socket configuration options

schau87 · anthonyh209 · commit adec99a9fb49 · 2025-08-05T09:41:54.000+02:00
This werk adds configuration guidance for mounting containerd runtime sockets in cAdvisor pods to resolve
container metadata mapping issues on Kubernetes nodes running with cgroup v2.
When Kubernetes nodes run with cgroup v2, cAdvisor cannot properly map container metadata
(pod names, namespaces, labels) from cgroups alone, resulting in CPU and memory metrics missing
required labels. Mounting the containerd socket allows cAdvisor to query containerd directly for
metadata. Further information can be found in the values.yaml file.

Change-Id: Ib50cdca4bacf9c99870c5b992f0e3ce1309ab54f
diff --git a/.werks/18238.md b/.werks/18238.md
@@ -0,0 +1,19 @@
+[//]: # (werk v2)
+# add cgroup v2 and containerd socket configuration options
+
+key        | value
+---------- | ---
+date       | 2025-08-01T09:38:07+00:00
+version    | 1.8.0
+class      | feature
+edition    | cre
+component  | helm
+level      | 1
+compatible | yes
+
+This werk adds configuration guidance for mounting containerd runtime sockets in cAdvisor pods to resolve
+container metadata mapping issues on Kubernetes nodes running with cgroup v2.
+When Kubernetes nodes run with cgroup v2, cAdvisor cannot properly map container metadata
+(pod names, namespaces, labels) from cgroups alone, resulting in CPU and memory metrics missing
+required labels. Mounting the containerd socket allows cAdvisor to query containerd directly for
+metadata. Further information can be found in the values.yaml file.
diff --git a/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml b/deploy/charts/checkmk/templates/node-collector-container-metrics-ds.yaml
@@ -87,6 +87,13 @@ spec:
             - name: docker
               mountPath: /var/lib/docker
               readOnly: true
+            {{- if .Values.nodeCollector.cadvisor.containerdSocket }}
+            {{- if .Values.nodeCollector.cadvisor.containerdSocket.enabled }}
+            - name: containerdsock
+              mountPath: {{ .Values.nodeCollector.cadvisor.containerdSocket.mountPath | quote }}
+              readOnly: true
+            {{- end }}
+            {{- end }}
         - name: container-metrics-collector
           securityContext:
             {{- toYaml .Values.nodeCollector.containerMetricsCollector.securityContext | nindent 12 }}
@@ -133,6 +140,14 @@ spec:
         - name: docker
           hostPath:
             path: /var/lib/docker
+        {{- if .Values.nodeCollector.cadvisor.containerdSocket }}
+        {{- if .Values.nodeCollector.cadvisor.containerdSocket.enabled }}
+        - name: containerdsock
+          hostPath:
+              path: {{ .Values.nodeCollector.cadvisor.containerdSocket.hostPath | quote }}
+              type: Socket
+        {{- end }}
+        {{- end }}
       {{- if .Values.tlsCommunication.enabled }}
         - name: checkmk-ca-cert
           secret:
diff --git a/deploy/charts/checkmk/values.yaml b/deploy/charts/checkmk/values.yaml
@@ -242,6 +242,34 @@ nodeCollector:
       #   cpu: 150m
       #   memory: 200Mi
 
+    # Configuration for containerd socket (used by cadvisor in the node collector).
+    # This section is optional and only needed if CPU/Memory metrics are missing the required labels.
+    # Access to the container runtime socket (e.g., for metrics collection).
+    # Known limitation:
+    # - When Kubernetes nodes run with cgroup v2 (common in newer distros),
+    #   cAdvisor cannot properly map container metadata (pod name, namespace, labels)
+    #   from cgroups alone.
+    # - To work around this, the container runtime socket must be mounted inside the cAdvisor pod
+    #   so that cAdvisor can query containerd directly for metadata via its gRPC interface.
+    #
+    # To locate the correct socket path on your host node, run:
+    #   find / -type s -name 'containerd.sock' 2>/dev/null
+    #
+    # The path varies depending on your Kubernetes setup:
+    #   - MicroK8s: /var/snap/microk8s/common/run/containerd.sock
+    #   - Standard containerd: /run/containerd/containerd.sock
+    #   - k3s: /run/k3s/containerd/containerd.sock
+    #
+    # mountPath is where the socket is available inside the container.
+    # hostPath is the full path to the socket file on the Kubernetes node.
+    #
+    # Example to enable:
+    # containerdSocket:
+    #   enabled: true
+    #   name: containerdsock
+    #   mountPath: /var/snap/microk8s/common/run/containerd.sock
+    #   hostPath: /var/snap/microk8s/common/run/containerd.sock
+
   containerMetricsCollector:
     image:
       repository: checkmk/kubernetes-collector
