From d149a2000d83122e10340ebcff4cf51533ab6bad Mon Sep 17 00:00:00 2001
From: Drew Newberry <anewberry@nvidia.com>
Date: Mon, 16 Mar 2026 10:29:16 -0700
Subject: [PATCH] fix(bootstrap): support cgroup v1 hosts by disabling kubelet
 failCgroupV1 check

Kubernetes 1.35 (k3s v1.35.x) rejects cgroup v1 by default via the
failCgroupV1 kubelet config option. This breaks gateway startup on
distros that still use cgroup v1 (e.g. Rocky Linux 8, CentOS 7/8).

Detect cgroup v1 at container startup by checking for the absence of
/sys/fs/cgroup/cgroup.controllers and pass
--kubelet-arg=fail-cgroupv1=false so kubelet warns instead of exiting.
---
 deploy/docker/cluster-entrypoint.sh | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/deploy/docker/cluster-entrypoint.sh b/deploy/docker/cluster-entrypoint.sh
index f2e768c6..19fae35d 100644
--- a/deploy/docker/cluster-entrypoint.sh
+++ b/deploy/docker/cluster-entrypoint.sh
@@ -482,10 +482,25 @@ fi
 # Pre-creating the directory eliminates this failure mode.
 mkdir -p /run/flannel
 
+# ---------------------------------------------------------------------------
+# Detect cgroup version and set kubelet compatibility flags
+# ---------------------------------------------------------------------------
+# Kubernetes 1.35+ (k3s v1.35.x) rejects cgroup v1 by default. Hosts running
+# older distros (e.g. Rocky Linux 8, CentOS 7/8, Ubuntu 18.04) still use
+# cgroup v1. When we detect cgroup v1, pass --kubelet-arg=fail-cgroupv1=false
+# so kubelet warns instead of refusing to start. This flag can be removed once
+# cgroup v1 support is no longer needed.
+EXTRA_KUBELET_ARGS=""
+if [ ! -f /sys/fs/cgroup/cgroup.controllers ]; then
+    echo "Detected cgroup v1 — adding kubelet compatibility flag (fail-cgroupv1=false)"
+    EXTRA_KUBELET_ARGS="--kubelet-arg=fail-cgroupv1=false"
+fi
+
 # Docker Desktop can briefly start the container before its bridge default route
 # is fully installed. k3s exits immediately in that state, so wait briefly for
 # routing to settle first.
 wait_for_default_route
 
 # Execute k3s with explicit resolv-conf.
-exec /bin/k3s "$@" --resolv-conf="$RESOLV_CONF"
+# shellcheck disable=SC2086
+exec /bin/k3s "$@" --resolv-conf="$RESOLV_CONF" $EXTRA_KUBELET_ARGS