In case this helps anyone else, the “easiest” fix turned out to be a one liner.
For NON-cgroupv2 systems (eg. default CentOS8 and default Oracle Linux 8) the above-referenced line in the profile is sufficient for handling /dev/kmsg:
sys:rw\nlxc.mount.entry = /dev/kmsg dev/kmsg none defaults,bind,create=file
However, if you are running kubernetes on cgroup v2 (e.g. default Fedora 31+ which uses cgroupv2 and nftables) you will also need to run this command in addition to the line in the profile:
lxc config device add "ContainerName" "kmsg" unix-char source="/dev/kmsg" path="/dev/kmsg"
The “acid test” for successful configuration from an operational pov for kubernetes kubelet purposes is that this command must succeed inside the container:
cat /dev/kmsg