If you are using a newer systemd then your container will get stuck in ContainerCreating state on your provider with gVisor enabled.
You may see the following Events in the logs upon use of kubectl describe pod
Warning FailedCreatePodSandBox 2m57s (x25 over 3m21s) kubelet
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to
create containerd task: failed to create shim: OCI runtime create failed:
creating container: cgroups V2 is not yet supported. Enable cgroups V1 and\
retry: unknown
Warning FailedCreatePodSandBox 0s (x13 over 12s) kubelet Failed to
create pod sandbox: rpc error: code = Unknown desc = failed to create
containerd task: failed to create shim: OCI runtime create failed: creating
container: write
/sys/fs/cgroup/kubepods/besteffort/pod7a38b06d-4c96-49ff-bc4a-3d8288892b3b/cgroup.procs: device or resource busy: unknown
The new systemd 247.2-2 has switched to a new "unified" cgroup hierarchy (i.e. cgroup v2) which is not supported by gVisor.
Ubuntu version 21.10 is affected.
- systemd switches to the "unified" cgroup hierarchy documentation
- systemd-cgroup support in gVisor documentation
Apply the following on each Kubernetes node in order to switch back to cgroup v1
echo 'GRUB_CMDLINE_LINUX=systemd.unified_cgroup_hierarchy=false' > /etc/default/grub.d/cgroup.cfg
update-grub
reboot