From 4d7808d3ea363f4056f78e000ec0a95141702ec3 Mon Sep 17 00:00:00 2001
From: David Shepherd <david.shepherd@ironnetcybersecurity.com>
Date: Wed, 4 Dec 2019 22:27:54 -0500
Subject: [PATCH] Add /run/xtables.lock mount to kube-flannel.yml

This prevents iptables contention with kube-proxy and the host OS.

Fixes #988.
---
 Documentation/kube-flannel.yml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/Documentation/kube-flannel.yml b/Documentation/kube-flannel.yml
index bfed51be4..74d246817 100644
--- a/Documentation/kube-flannel.yml
+++ b/Documentation/kube-flannel.yml
@@ -214,6 +214,8 @@ spec:
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
         - name: run
           hostPath:
@@ -224,6 +226,10 @@ spec:
         - name: flannel-cfg
           configMap:
             name: kube-flannel-cfg
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -308,6 +314,8 @@ spec:
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
         - name: run
           hostPath:
@@ -318,6 +326,10 @@ spec:
         - name: flannel-cfg
           configMap:
             name: kube-flannel-cfg
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -402,6 +414,8 @@ spec:
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
         - name: run
           hostPath:
@@ -412,6 +426,10 @@ spec:
         - name: flannel-cfg
           configMap:
             name: kube-flannel-cfg
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -496,6 +514,8 @@ spec:
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
         - name: run
           hostPath:
@@ -506,6 +526,10 @@ spec:
         - name: flannel-cfg
           configMap:
             name: kube-flannel-cfg
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
 ---
 apiVersion: apps/v1
 kind: DaemonSet
@@ -590,6 +614,8 @@ spec:
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
         - name: run
           hostPath:
@@ -600,3 +626,8 @@ spec:
         - name: flannel-cfg
           configMap:
             name: kube-flannel-cfg
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
+