From 20d797467541633042abd654333ebe8b2049acdb Mon Sep 17 00:00:00 2001
From: Kris Gambirazzi
Date: Tue, 1 Sep 2020 19:35:21 +0100
Subject: [PATCH] Mount /run/xtables.lock to prevent race conditions where multiple programs are manipulating iptables at the same time.
---
 config/master/aws-k8s-cni-cn.yaml | 5 +++++
 config/master/aws-k8s-cni-us-gov-east-1.yaml | 5 +++++
 config/master/aws-k8s-cni-us-gov-west-1.yaml | 5 +++++
 config/master/aws-k8s-cni.yaml | 5 +++++
 config/master/manifests.jsonnet | 2 ++
 5 files changed, 22 insertions(+)
diff --git a/config/master/aws-k8s-cni-cn.yaml b/config/master/aws-k8s-cni-cn.yaml
index 738d785b9a..fbaaf86809 100644
--- a/config/master/aws-k8s-cni-cn.yaml
+++ b/config/master/aws-k8s-cni-cn.yaml
@@ -189,6 +189,8 @@
 "name": "run-dir"
 - "mountPath": "/var/run/dockershim.sock"
 "name": "dockershim"
+ - "mountPath": "/run/xtables.lock"
+ "name": "xtables-lock"
 "hostNetwork": true
 "initContainers":
 - "image": "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:latest"
@@ -214,6 +216,9 @@
 - "hostPath":
 "path": "/var/run/dockershim.sock"
 "name": "dockershim"
+ - "hostPath":
+ "path": "/run/xtables.lock"
+ "name": "xtables-lock"
 - "hostPath":
 "path": "/var/log/aws-routed-eni"
 "type": "DirectoryOrCreate"
diff --git a/config/master/aws-k8s-cni-us-gov-east-1.yaml b/config/master/aws-k8s-cni-us-gov-east-1.yaml
index 067d81a262..81ce6620a7 100644
--- a/config/master/aws-k8s-cni-us-gov-east-1.yaml
+++ b/config/master/aws-k8s-cni-us-gov-east-1.yaml
@@ -189,6 +189,8 @@
 "name": "run-dir"
 - "mountPath": "/var/run/dockershim.sock"
 "name": "dockershim"
+ - "mountPath": "/run/xtables.lock"
+ "name": "xtables-lock"
 "hostNetwork": true
 "initContainers":
 - "image": "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:latest"
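Review bot: The new `xtables-lock` hostPath volume in the `@@ -214,6 +216,9 @@` hunk sets no `type`, so on a node where `/run/xtables.lock` does not yet exist (iptables normally creates the file itself on first use) the container runtime will typically create a directory at that path, after which every iptables invocation on that host fails to open its lock. The neighbouring `log-dir` volume in the same hunk already uses `"type": "DirectoryOrCreate"`; the lock volume needs the file equivalent, i.e. `"path": "/run/xtables.lock"` followed by `"type": "FileOrCreate"` under the new `hostPath`. The same omission is in the `@@ -214,6 +216,9 @@` hunks of aws-k8s-cni-us-gov-east-1.yaml, aws-k8s-cni-us-gov-west-1.yaml and aws-k8s-cni.yaml, and in the matching volume entry of manifests.jsonnet, which presumably generates these YAML files and is where the fix should land first.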
@@ -214,6 +216,9 @@
 - "hostPath":
 "path": "/var/run/dockershim.sock"
 "name": "dockershim"
+ - "hostPath":
+ "path": "/run/xtables.lock"
+ "name": "xtables-lock"
 - "hostPath":
 "path": "/var/log/aws-routed-eni"
 "type": "DirectoryOrCreate"
diff --git a/config/master/aws-k8s-cni-us-gov-west-1.yaml b/config/master/aws-k8s-cni-us-gov-west-1.yaml
index 2f077054d8..d7aa51f802 100644
--- a/config/master/aws-k8s-cni-us-gov-west-1.yaml
+++ b/config/master/aws-k8s-cni-us-gov-west-1.yaml
@@ -189,6 +189,8 @@
 "name": "run-dir"
 - "mountPath": "/var/run/dockershim.sock"
 "name": "dockershim"
+ - "mountPath": "/run/xtables.lock"
+ "name": "xtables-lock"
 "hostNetwork": true
 "initContainers":
 - "image": "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni-init:latest"
@@ -214,6 +216,9 @@
 - "hostPath":
 "path": "/var/run/dockershim.sock"
 "name": "dockershim"
+ - "hostPath":
+ "path": "/run/xtables.lock"
+ "name": "xtables-lock"
 - "hostPath":
 "path": "/var/log/aws-routed-eni"
 "type": "DirectoryOrCreate"
diff --git a/config/master/aws-k8s-cni.yaml b/config/master/aws-k8s-cni.yaml
index e28fbe5589..da182435e5 100644
--- a/config/master/aws-k8s-cni.yaml
+++ b/config/master/aws-k8s-cni.yaml
@@ -189,6 +189,8 @@
 "name": "run-dir"
 - "mountPath": "/var/run/dockershim.sock"
 "name": "dockershim"
+ - "mountPath": "/run/xtables.lock"
+ "name": "xtables-lock"
 "hostNetwork": true
 "initContainers":
 - "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:latest"
@@ -214,6 +216,9 @@
 - "hostPath":
 "path": "/var/run/dockershim.sock"
 "name": "dockershim"
+ - "hostPath":
+ "path": "/run/xtables.lock"
+ "name": "xtables-lock"
 - "hostPath":
 "path": "/var/log/aws-routed-eni"
 "type": "DirectoryOrCreate"
diff --git a/config/master/manifests.jsonnet b/config/master/manifests.jsonnet
index 10a76b2322..b8cb4a2eed 100644
--- a/config/master/manifests.jsonnet
+++ b/config/master/manifests.jsonnet
@@ -198,6 +198,7 @@ local awsnode = {
 {mountPath: "/host/var/log/aws-routed-eni", name: "log-dir"},
 {mountPath: "/var/run/aws-node", name: "run-dir"},
 {mountPath: "/var/run/dockershim.sock", name: "dockershim"},
+ {mountPath: "/run/xtables.lock", name: "xtables-lock"},
 ],
 },
 },
@@ -206,6 +207,7 @@ local awsnode = {
 {name: "cni-bin-dir", hostPath: {path: "/opt/cni/bin"}},
 {name: "cni-net-dir", hostPath: {path: "/etc/cni/net.d"}},
 {name: "dockershim", hostPath: {path: "/var/run/dockershim.sock"}},
+ {name: "xtables-lock", hostPath: {path: "/run/xtables.lock"}},
 {name: "log-dir", hostPath: {
 path: "/var/log/aws-routed-eni",
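Review bot: The new `xtables-lock` mount in the `@@ -198,6 +198,7 @@` hunk carries no explanation, and the path alone does not tell a maintainer why the CNI shares the host's lock file; a one-line comment above the added entry, `// Host-wide iptables lock, shared so concurrent iptables callers on the node serialise instead of racing on rule updates`, would keep the commit message's rationale next to the code. The lock only serialises callers that honour it: iptables fails immediately when another process holds the lock unless it is invoked with `-w`/`--wait`, so the aws-node iptables calls need either that flag or a retry, and this hunk does not show how they are invoked. The enclosing `awsnode` object starts outside the hunk, and its matching volumes entry for `xtables-lock` is in the following hunk, which is cut off at the end of this view.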