diff --git a/contrib/mesos/pkg/minion/server.go b/contrib/mesos/pkg/minion/server.go
index ef5058b1e7c..1588fb10847 100644
--- a/contrib/mesos/pkg/minion/server.go
+++ b/contrib/mesos/pkg/minion/server.go
@@ -22,6 +22,7 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"strings"
 	"time"
 
 	exservice "k8s.io/kubernetes/contrib/mesos/pkg/executor/service"
@@ -49,6 +50,8 @@ type MinionServer struct {
 	done           chan struct{} // closed when shutting down
 	exit           chan error    // to signal fatal errors
 
+	pathOverride string // the PATH environment for the sub-processes
+
 	logMaxSize      resource.Quantity
 	logMaxBackups   int
 	logMaxAgeInDays int
@@ -113,6 +116,9 @@ func (ms *MinionServer) launchProxyServer() {
 	if ms.clientConfig.Host != "" {
 		args = append(args, fmt.Sprintf("--master=%s", ms.clientConfig.Host))
 	}
+	if ms.KubeletExecutorServer.HostnameOverride != "" {
+		args = append(args, fmt.Sprintf("--hostname-override=%s", ms.KubeletExecutorServer.HostnameOverride))
+	}
 
 	ms.launchHyperkubeServer(hyperkube.CommandProxy, &args, "proxy.log")
 }
@@ -204,6 +210,18 @@ func (ms *MinionServer) launchHyperkubeServer(server string, args *[]string, log
 		log.Infof("wrote %d bytes to %v", written, logFileName)
 	}()
 
+	// use given environment, but add /usr/sbin to the path for the iptables binary used in kube-proxy
+	if ms.pathOverride != "" {
+		env := os.Environ()
+		cmd.Env = make([]string, 0, len(env))
+		for _, e := range env {
+			if !strings.HasPrefix(e, "PATH=") {
+				cmd.Env = append(cmd.Env, e)
+			}
+		}
+		cmd.Env = append(cmd.Env, "PATH="+ms.pathOverride)
+	}
+
 	// if the server fails to start then we exit the executor, otherwise
 	// wait for the proxy process to end (and release resources after).
 	if err := cmd.Start(); err != nil {
@@ -258,6 +276,7 @@ func (ms *MinionServer) AddExecutorFlags(fs *pflag.FlagSet) {
 func (ms *MinionServer) AddMinionFlags(fs *pflag.FlagSet) {
 	// general minion flags
 	fs.BoolVar(&ms.privateMountNS, "private-mountns", ms.privateMountNS, "Enter a private mount NS before spawning procs (linux only). Experimental, not yet compatible with k8s volumes.")
+	fs.StringVar(&ms.pathOverride, "path-override", ms.pathOverride, "Override the PATH in the environment of the sub-processes.")
 
 	// log file flags
 	fs.Var(resource.NewQuantityFlagValue(&ms.logMaxSize), "max-log-size", "Maximum log file size for the executor and proxy before rotation")
diff --git a/contrib/mesos/pkg/scheduler/service/service.go b/contrib/mesos/pkg/scheduler/service/service.go
index 8e146c5a369..a9e3a8ead3c 100644
--- a/contrib/mesos/pkg/scheduler/service/service.go
+++ b/contrib/mesos/pkg/scheduler/service/service.go
@@ -107,6 +107,7 @@ type SchedulerServer struct {
 	ProxyBindall bool
 	ProxyLogV    int
 
+	MinionPathOverride    string
 	MinionLogMaxSize      resource.Quantity
 	MinionLogMaxBackups   int
 	MinionLogMaxAgeInDays int
@@ -237,6 +238,7 @@ func (s *SchedulerServer) addCoreFlags(fs *pflag.FlagSet) {
 	fs.BoolVar(&s.RunProxy, "run-proxy", s.RunProxy, "Run the kube-proxy as a side process of the executor.")
 	fs.IntVar(&s.ProxyLogV, "proxy-logv", s.ProxyLogV, "Logging verbosity of spawned minion proxy processes.")
 
+	fs.StringVar(&s.MinionPathOverride, "minion-path-override", s.MinionPathOverride, "Override the PATH in the environment of the minion sub-processes.")
 	fs.Var(resource.NewQuantityFlagValue(&s.MinionLogMaxSize), "minion-max-log-size", "Maximum log file size for the executor and proxy before rotation")
 	fs.IntVar(&s.MinionLogMaxAgeInDays, "minion-max-log-age", s.MinionLogMaxAgeInDays, "Maximum log file age of the executor and proxy in days")
 	fs.IntVar(&s.MinionLogMaxBackups, "minion-max-log-backups", s.MinionLogMaxBackups, "Maximum log file backups of the executor and proxy to keep after rotation")
@@ -327,6 +329,7 @@ func (s *SchedulerServer) prepareExecutorInfo(hks hyperkube.Interface) (*mesos.E
 		ci.Arguments = append(ci.Arguments, fmt.Sprintf("--proxy-bindall=%v", s.ProxyBindall))
 		ci.Arguments = append(ci.Arguments, fmt.Sprintf("--proxy-logv=%d", s.ProxyLogV))
 
+		ci.Arguments = append(ci.Arguments, fmt.Sprintf("--path-override=%s", s.MinionPathOverride))
 		ci.Arguments = append(ci.Arguments, fmt.Sprintf("--max-log-size=%v", s.MinionLogMaxSize.String()))
 		ci.Arguments = append(ci.Arguments, fmt.Sprintf("--max-log-backups=%d", s.MinionLogMaxBackups))
 		ci.Arguments = append(ci.Arguments, fmt.Sprintf("--max-log-age=%d", s.MinionLogMaxAgeInDays))
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index 7a3c37ae1e8..d94e8720475 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -156,6 +156,7 @@ minimum-container-ttl-duration
 minion-max-log-age
 minion-max-log-backups
 minion-max-log-size
+minion-path-override
 min-pr-number
 min-request-timeout
 namespace-sync-period
@@ -176,6 +177,7 @@ oidc-username-claim
 oom-score-adj
 output-version
 out-version
+path-override
 pod-cidr
 pod-eviction-timeout
 pod-infra-container-image