From 421379889df996cfbd750f8b087ba5bedc7b8c56 Mon Sep 17 00:00:00 2001
From: George Kraft <george.kraft@canonical.com>
Date: Fri, 27 Oct 2017 11:04:56 -0500
Subject: [PATCH] Fix iptables FORWARD policy for Docker 1.13 in
 kubernetes-worker charm

---
 .../kubernetes-worker/reactive/kubernetes_worker.py    | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
index d4e25bbf18a..2fc48358e77 100644
--- a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
+++ b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
@@ -848,6 +848,16 @@ def missing_kube_control():
             hookenv.service_name()))
 
 
+@when('docker.ready')
+def fix_iptables_for_docker_1_13():
+    """ Fix iptables FORWARD policy for Docker >=1.13
+    https://github.com/kubernetes/kubernetes/issues/40182
+    https://github.com/kubernetes/kubernetes/issues/39823
+    """
+    cmd = ['iptables', '-P', 'FORWARD', 'ACCEPT']
+    check_call(cmd)
+
+
 def _systemctl_is_active(application):
     ''' Poll systemctl to determine if the application is running '''
     cmd = ['systemctl', 'is-active', application]