From 016d4ebd0c39c487d7eb7858aee7221dd5ef2744 Mon Sep 17 00:00:00 2001
From: Nesc58
Date: Fri, 17 Jul 2020 14:23:44 +0200
Subject: [PATCH] Mount /run/xtables.lock in flannel Daemonset
* Mount xtables.lock (like Calico and Cilium) since iptables may be called by other processes (kube-proxy)
---
 resources/flannel/daemonset.yaml | 7 +++++++
 resources/manifests/kube-proxy.yaml | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/resources/flannel/daemonset.yaml b/resources/flannel/daemonset.yaml
index 075f675..3d343e4 100644
--- a/resources/flannel/daemonset.yaml
+++ b/resources/flannel/daemonset.yaml
@@ -75,6 +75,8 @@ spec:
 mountPath: /etc/kube-flannel/
 - name: run-flannel
 mountPath: /run/flannel
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
 volumes:
 - name: flannel-config
 configMap:
@@ -89,3 +91,8 @@ spec:
 - name: cni-conf-dir
 hostPath:
 path: /etc/kubernetes/cni/net.d
+ # Access iptables concurrently
+ - name: xtables-lock
+ hostPath:
+ type: FileOrCreate
+ path: /run/xtables.lock
diff --git a/resources/manifests/kube-proxy.yaml b/resources/manifests/kube-proxy.yaml
index 36bfdfd..05e3297 100644
--- a/resources/manifests/kube-proxy.yaml
+++ b/resources/manifests/kube-proxy.yaml
@@ -74,6 +74,8 @@ spec:
 - name: ssl-certs-host
 mountPath: /etc/ssl/certs
 readOnly: true
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
 volumes:
 - name: kubeconfig
 configMap:
@@ -84,3 +86,8 @@ spec:
 - name: ssl-certs-host
 hostPath:
 path: ${trusted_certs_dir}
+ # Access iptables concurrently
+ - name: xtables-lock
+ hostPath:
+ type: FileOrCreate
+ path: /run/xtables.lock
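Review bot: The new `xtables-lock` entry under volumeMounts in resources/flannel/daemonset.yaml is a writable mount of a host file, but nothing on the entry says that this is intended. I would state it explicitly with `readOnly: false` and a one-line comment such as `# host iptables lock file, shared with kube-proxy and other iptables callers`. The same applies to the first hunk of resources/manifests/kube-proxy.yaml, where the entry sits directly below a mount marked `readOnly: true` and so reads like an omission. The container that owns these mounts starts outside the hunk, so its securityContext is not visible here.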
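Review bot: With `type: FileOrCreate` in the volumes hunk of resources/flannel/daemonset.yaml, kubelet creates `/run/xtables.lock` itself on a node where no iptables call has run yet. Kubernetes documents that file as mode 0644 with kubelet's ownership, whereas iptables, as far as I know, creates it 0600, so the lock ends up readable by other local accounts on the node. Either pre-create the file from node provisioning with the tighter mode or record the choice next to the volume. The comment `# Access iptables concurrently` would also be clearer as `# Host xtables lock: serializes iptables calls from this pod with kube-proxy and the host`. The second hunk of resources/manifests/kube-proxy.yaml adds the same volume with the same comment and type.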