From 6a380e8831b42e88cbd15fc31efddcd287098d88 Mon Sep 17 00:00:00 2001
From: Quintin Lee <qlee@google.com>
Date: Mon, 22 May 2017 18:41:38 -0700
Subject: [PATCH] Add iptables lock-file mount to kube-proxy manifest

---
 .../salt/kube-proxy/kube-proxy.manifest       | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest b/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
index 7767123ba2f..b07ff649e36 100644
--- a/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
+++ b/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
@@ -54,6 +54,16 @@ metadata:
     component: kube-proxy
 spec:
   hostNetwork: true
+  initContainers:
+  - name: touch-lock
+    image: busybox
+    command: ['/bin/touch', '/run/xtables.lock']
+    securityContext:
+      privileged: true
+    volumeMounts:
+    - mountPath: /run
+      name: run
+      readOnly: false
   containers:
   - name: kube-proxy
     image: {{pillar['kube_docker_registry']}}/kube-proxy:{{pillar['kube-proxy_docker_tag']}}
@@ -80,6 +90,9 @@ spec:
     - mountPath: /var/lib/kube-proxy/kubeconfig
       name: kubeconfig
       readOnly: false
+    - mountPath: /run/xtables.lock
+      name: iptableslock
+      readOnly: false
   volumes:
   - hostPath:
       path: /usr/share/ca-certificates
@@ -93,3 +106,9 @@ spec:
   - hostPath:
       path: /var/log
     name: varlog
+  - hostPath:
+      path: /run
+    name: run
+  - hostPath:
+      path: /run/xtables.lock
+    name: iptableslock