diff --git a/.github/workflows/cgroup2.yaml b/.github/workflows/cgroup2.yaml
new file mode 100644
index 00000000000..8a2d1decaae
--- /dev/null
+++ b/.github/workflows/cgroup2.yaml
@@ -0,0 +1,60 @@
+name: cgroup2
+on: [push, pull_request]
+jobs:
+  build:
+    name: "Build"
+    runs-on: ubuntu-20.04
+    timeout-minutes: 40
+    steps:
+    - name: "Checkout"
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 1
+    - name: "Make"
+      run: DOCKER_BUILDKIT=1 SKIP_VALIDATE=1 make
+    - name: "Upload k3s binary"
+      uses: actions/upload-artifact@v2
+      with:
+        name: k3s
+        path: dist/artifacts/k3s
+  test:
+    name: "Test"
+    needs: build
+    # nested virtualization is only available on macOS hosts
+    runs-on: macos-10.15
+    timeout-minutes: 40
+    steps:
+    - name: "Checkout"
+      uses: actions/checkout@v2
+      with:
+        fetch-depth: 1
+    - name: "Download k3s binary"
+      uses: actions/download-artifact@v2
+      with:
+        name: k3s
+        path: ./tests/cgroup2
+    - name: "Boot Fedora VM"
+      run: |
+        cp k3s.service ./tests/cgroup2
+        cd ./tests/cgroup2
+        vagrant up
+        vagrant ssh-config >> ~/.ssh/config
+    # Sonobuoy requires CoreDNS to be ready
+    - name: "Waiting fore CoreDNS to be ready"
+      run: |
+        counter=0
+        # `kubectl wait` fails when the pods with the specified label are not created yet
+        until ssh default -- sudo k3s kubectl wait --for=condition=ready pods --namespace=kube-system -l k8s-app=kube-dns; do
+          sleep 10
+          ((counter++))
+          if [[ $counter -eq 10 ]]; then
+            echo "CoreDNS not running?"
+            ssh default -- sudo k3s kubectl get pods -A
+            ssh default -- sudo k3s kubectl get nodes -o wide
+            exit 1
+          fi
+        done
+    # Vagrant is slow, so we set --mode=quick here
+    - name: "Run Sonobuoy (--mode=quick)"
+      run: |
+        ssh default -- sudo KUBECONFIG=/etc/rancher/k3s/k3s.yaml /usr/local/bin/sonobuoy run --mode=quick --wait
diff --git a/tests/cgroup2/.gitignore b/tests/cgroup2/.gitignore
new file mode 100644
index 00000000000..747971f830b
--- /dev/null
+++ b/tests/cgroup2/.gitignore
@@ -0,0 +1,3 @@
+k3s
+k3s.service
+.vagrant/
diff --git a/tests/cgroup2/Vagrantfile b/tests/cgroup2/Vagrantfile
new file mode 100644
index 00000000000..555f0a65767
--- /dev/null
+++ b/tests/cgroup2/Vagrantfile
@@ -0,0 +1,34 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Vagrant box for testing k3s with cgroup v2.
+# Invoked via k3s/.github/workflows/cgroup2.yaml .
+#
+# The following files need to be present in this directory:
+# - k3s
+# - k3s.service
+Vagrant.configure("2") do |config|
+  config.vm.box = "fedora/33-cloud-base"
+  memory = 2048
+  cpus = 2
+  config.vm.provider :virtualbox do |v|
+    v.memory = memory
+    v.cpus = cpus
+  end
+  config.vm.provider :libvirt do |v|
+    v.memory = memory
+    v.cpus = cpus
+  end
+  config.vm.provision "install-k3s", type: "shell", run: "once" do |sh|
+    sh.inline = <<~SHELL
+    set -eux -o pipefail
+    install -m 755  /vagrant/k3s /usr/local/bin
+    cp -f /vagrant/k3s.service /etc/systemd/system/k3s.service
+    touch /etc/systemd/system/k3s.service.env
+    systemctl daemon-reload
+    systemctl enable --now k3s.service || { systemctl status --full --no-pager k3s.service ; exit 1; }
+
+    curl -fsSL https://github.com/vmware-tanzu/sonobuoy/releases/download/v0.20.0/sonobuoy_0.20.0_linux_amd64.tar.gz | tar xzvC /usr/local/bin sonobuoy
+    SHELL
+  end
+end