Merge pull request #46259 from Q-Lee/kube-proxy

Automatic merge from submit-queue (batch tested with PRs 46734, 46810, 46759, 46259, 46771) Add iptables lock-file mount to kube-proxy manifest **What this PR does / why we need it**: kube-proxy is broken in make bazel-release. The new iptables binary uses a lockfile in "/run", but the directory doesn't exist. This causes iptables-restore to fail. We need to share the same lock-file amongst all containers, so mount the host /run dir. This is similar to #46132 but expediency matters, since builds are broken. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #46103 **Special notes for your reviewer**: **Release note**: ```release-note ```
2025-09-13 21:25:09 +00:00 · 2017-06-05 06:51:29 -07:00
parent af64e0b8c9 6a380e8831
commit 0cfef01a44
1 changed files with 19 additions and 0 deletions
--- a/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
+++ b/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
@@ -54,6 +54,16 @@ metadata:
    component: kube-proxy
 spec:
  hostNetwork: true
+  initContainers:
+  - name: touch-lock
+    image: busybox
+    command: ['/bin/touch', '/run/xtables.lock']
+    securityContext:
+      privileged: true
+    volumeMounts:
+    - mountPath: /run
+      name: run
+      readOnly: false
  containers:
  - name: kube-proxy
    image: {{pillar['kube_docker_registry']}}/kube-proxy:{{pillar['kube-proxy_docker_tag']}}
@@ -80,6 +90,9 @@ spec:
    - mountPath: /var/lib/kube-proxy/kubeconfig
      name: kubeconfig
      readOnly: false
+    - mountPath: /run/xtables.lock
+      name: iptableslock
+      readOnly: false
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
@@ -93,3 +106,9 @@ spec:
  - hostPath:
      path: /var/log
    name: varlog
+  - hostPath:
+      path: /run
+    name: run
+  - hostPath:
+      path: /run/xtables.lock
+    name: iptableslock