From ac4ef719cc9d9fc2f567fe95941d58a19a9907fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fernando=20Crespo=20Gr=C3=A1valos?=
Date: Wed, 29 Aug 2018 11:42:11 +0200
Subject: [PATCH] canal should mount xtables.lock to share the lock with other processes like kube-proxy
---
 roles/network_plugin/canal/templates/canal-node.yaml.j2 | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/roles/network_plugin/canal/templates/canal-node.yaml.j2 b/roles/network_plugin/canal/templates/canal-node.yaml.j2
index 6ef251af8..e1fec660b 100644
--- a/roles/network_plugin/canal/templates/canal-node.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@@ -51,6 +51,10 @@ spec:
 - name: "canal-certs"
 hostPath:
 path: "{{ canal_cert_dir }}"
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
 containers:
 # Runs the flannel daemon to enable vxlan networking between
 # container hosts.
@@ -128,6 +132,9 @@ spec:
 - name: "canal-certs"
 mountPath: "{{ canal_cert_dir }}"
 readOnly: true
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
+ readOnly: false
 # Runs calico/node container on each Kubernetes node. This
 # container programs network policy and local routes on each
 # host.
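Review bot: The new `xtables-lock` volume in the first hunk carries no comment explaining why a single host file is mounted, and its scalars are unquoted while the neighbouring `canal-certs` entry quotes both name and path. I would put `# Share the host's iptables lock file so this pod serializes rule changes with kube-proxy.` above the entry and write `- name: "xtables-lock"` and `path: "/run/xtables.lock"` to match the surrounding style. `type: FileOrCreate` is worth a short comment of its own, since without it a missing path may end up created as a directory on the host, and the field depends on hostPath `type` support in the targeted Kubernetes versions. The volumes list starts outside the hunk.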
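Review bot: The second hunk adds the `xtables-lock` mount only to the container whose `volumeMounts` end just before the `calico/node` comment (the flannel container, judging by the first hunk's context), and the seven added lines leave no room for a matching entry on calico/node. That container is described here as programming network policy on each host, so unless it already mounts the lock outside these hunks it would keep using a container-local lock file and could still contend with kube-proxy when rules are rewritten. I would add the same `- name: xtables-lock` / `mountPath: /run/xtables.lock` pair to the calico/node `volumeMounts`. `readOnly: false` is the default, so that line only documents intent; a comment such as `# iptables takes the lock on this file` would say why.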