diff --git a/contrib/mesos/pkg/executor/service/service.go b/contrib/mesos/pkg/executor/service/service.go
index e3ff40e1696..68026af643b 100644
--- a/contrib/mesos/pkg/executor/service/service.go
+++ b/contrib/mesos/pkg/executor/service/service.go
@@ -99,12 +99,6 @@ func NewKubeletExecutorServer() *KubeletExecutorServer {
 	k.Address = net.ParseIP(defaultBindingAddress())
 	k.ShutdownFD = -1 // indicates unspecified FD
 
-	// empty string for all containers (= cgroup paths) which stop the kubelet
-	// from taking any control over the cgroups of itself and other system processes.
-	k.SystemContainer = ""
-	k.ResourceContainer = ""
-	k.DockerDaemonContainer = ""
-
 	return k
 }
 
@@ -137,11 +131,21 @@ func (s *KubeletExecutorServer) Run(hks hyperkube.Interface, _ []string) error {
 		log.Info(err)
 	}
 
-	// derive the executor cgroup and use it as docker cgroup root
+	// derive the executor cgroup and use it as docker container cgroup root
 	mesosCgroup := findMesosCgroup(s.cgroupPrefix)
 	s.cgroupRoot = mesosCgroup
 	log.V(2).Infof("passing cgroup %q to the kubelet as cgroup root", s.CgroupRoot)
 
+	// empty string for the docker and system containers (= cgroup paths). This
+	// stops the kubelet taking any control over other system processes.
+	s.SystemContainer = ""
+	s.DockerDaemonContainer = ""
+
+	// We set kubelet container to its own cgroup below the executor cgroup.
+	// In contrast to the docker and system container, this has no other
+	// undesired side-effects.
+	s.ResourceContainer = mesosCgroup + "/kubelet"
+
 	// create apiserver client
 	var apiclient *client.Client
 	clientConfig, err := s.CreateAPIServerClientConfig()