diff --git a/image-builder/assets/playbooks/roles/osconfig/tasks/hanging-cgroup-release.yaml b/image-builder/assets/playbooks/roles/osconfig/tasks/hanging-cgroup-release.yaml
new file mode 100644
index 0000000..03c776d
--- /dev/null
+++ b/image-builder/assets/playbooks/roles/osconfig/tasks/hanging-cgroup-release.yaml
@@ -0,0 +1,69 @@
+- name: hanging-cgroup-release.sh
+ copy:
+ dest: '/opt/hanging-cgroup-release.sh'
+ content: |
+ #!/bin/bash
+ set -ex
+ set -o pipefail
+
+ cgroup_count() {
+ echo "Current cgroup count: $(find /sys/fs/cgroup/*/system.slice -name tasks | wc -l)"
+ }
+
+ DATE=$(date)
+ echo "$(cgroup_count)"
+ echo # Stop systemd mount unit that isn't actually mounted
+ echo "Stopping Kubernetes systemd mount units that are not mounted to the system."
+ echo "sed extracts systemd output to just be the unit ($1) and the mountpoint ($2)."
+ echo "1st xargs filters it by test -d $2 || echo $1."
+ echo "2nd xargs removes the entries ($1) one by one."
+ systemctl list-units --state=running | \
+ sed -rn '/Kubernetes.transient.mount/s,(run-\S+).+(/var/lib/kubelet/pods/.+),\1 \2,p' | \
+ xargs -r -l1 sh -c 'test -d $2 || echo $1' -- | \
+ xargs -r -tl1 systemctl stop |& wc -l
+ echo "$(cgroup_count)"
+ owner: root
+ group: root
+ mode: '0755'
+- name: hanging-cgroup-release.service
+ copy:
+ dest: '/etc/systemd/system/hanging-cgroup-release.service'
+ content: |
+ [Unit]
+ Description=hanging-cgroup-release service
+ After=network.target
+
+ [Service]
+ ExecStart=/opt/hanging-cgroup-release.sh
+
+ [Install]
+ WantedBy=multi-user.target
+ owner: root
+ group: root
+ mode: '0644'
+- name: start-cgroup-service
+ systemd:
+ name: hanging-cgroup-release.service
+ enabled: yes
+- name: hanging-cgroup-release.timer
+ copy:
+ dest: '/etc/systemd/system/hanging-cgroup-release.timer'
+ content: |
+ [Unit]
+ Description=10min Timer Target
+ Requires=hanging-cgroup-release.service
+ After=network.target
+
+ [Timer]
+ Unit=hanging-cgroup-release.service
+ OnCalendar=*:0/10
+
+ [Install]
+ WantedBy=multi-user.target
+ owner: root
+ group: root
+ mode: '0644'
+- name: start-cgroup-timer
+ systemd:
+ name: hanging-cgroup-release.timer
+ enabled: yes
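Review bot: The filter stage `xargs -r -l1 sh -c 'test -d $2 || echo $1' --` leaves both positional parameters unquoted, so in a script that runs as root on a timer the inner shell word-splits and glob-expands text scraped from `systemctl list-units` before `test -d` sees it, and a wrong answer there stops a unit whose mount is still present. Quoting them, `xargs -r -l1 sh -c 'test -d "$2" || echo "$1"' --`, keeps each field intact; `xargs` itself still tokenises on whitespace, so a comment stating that mount paths are assumed to contain none would help. The three explanatory `echo` lines have the opposite problem: `$1` and `$2` sit inside double quotes, so they expand to empty strings and the log prints `()`; single-quoting those messages prints the intended text. Because the last stage is `|& wc -l`, the unit names echoed by `xargs -t` are reduced to a line count, so the journal does not record which units were stopped. With `set -e` and `pipefail`, a single failing `systemctl stop` also ends the script before the closing `cgroup_count`.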
diff --git a/image-builder/assets/playbooks/roles/osconfig/tasks/main.yaml b/image-builder/assets/playbooks/roles/osconfig/tasks/main.yaml
index 483ea40..638bf9a 100644
--- a/image-builder/assets/playbooks/roles/osconfig/tasks/main.yaml
+++ b/image-builder/assets/playbooks/roles/osconfig/tasks/main.yaml
@@ -46,6 +46,9 @@
 - name: "fetch url resource"
 include_tasks: fetch-from-url.yaml
 when: run_context == default_run_context
+- name: "cgroup count"
+ include_tasks: hanging-cgroup-release.yaml
+ when: run_context == default_run_context
 # Context-dependent tasks
 - name: "write user-provided files"
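Review bot: The task name `"cgroup count"` understates what this include does: hanging-cgroup-release.yaml installs a root-owned script plus a systemd service and timer that stop transient mount units, and it does more than count cgroups. A name such as `- name: "install hanging-cgroup-release timer"` would make that visible in playbook output and to anyone auditing what the image build puts on the host. The task list continues outside this hunk, so I cannot tell whether the other includes follow a naming convention this should match.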