From 284323a9b4b58e1915949ca01d39a5f5b88ee6e1 Mon Sep 17 00:00:00 2001
From: Benjamin Elder
Date: Sun, 20 Oct 2019 21:35:54 -0700
Subject: [PATCH] mount xtables lock file and lib/modules in kindnetd
---
 pkg/build/node/cni.go | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/pkg/build/node/cni.go b/pkg/build/node/cni.go
index 3a5f372618..a1258bfdff 100644
--- a/pkg/build/node/cni.go
+++ b/pkg/build/node/cni.go
@@ -51,6 +51,8 @@ spec:
 - hostPath
 allowedHostPaths:
 - pathPrefix: "/etc/cni/net.d"
+ - pathPrefix: "/run"
+ - pathPrefix: "/lib"
 readOnlyRootFilesystem: false
 # Users and groups
 runAsUser:
@@ -159,6 +161,12 @@ spec:
 volumeMounts:
 - name: cni-cfg
 mountPath: /etc/cni/net.d
+ - name: xtables-lock
+ mountPath: /run/xtables.lock
+ readOnly: false
+ - name: lib-modules
+ mountPath: /lib/modules
+ readOnly: true
 resources:
 requests:
 cpu: "100m"
@@ -171,8 +179,15 @@ spec:
 capabilities:
 add: ["NET_RAW", "NET_ADMIN"]
 volumes:
- - name: cni-cfg
- hostPath:
- path: /etc/cni/net.d
+ - name: cni-cfg
+ hostPath:
+ path: /etc/cni/net.d
+ - name: xtables-lock
+ hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
 ---
 `
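Review bot: The two `allowedHostPaths` entries added in the first hunk are far wider than what the pod mounts: `/run` and `/lib` are allowed as whole trees and writable, while the DaemonSet in the later hunks only needs `/run/xtables.lock` and a read-only `/lib/modules`. On a node `/run` usually also holds runtime sockets and other daemon state, so any pod admitted under this policy could hostPath-mount those as well. I would narrow the prefixes to `- pathPrefix: "/run/xtables.lock"` and `- pathPrefix: "/lib/modules"`, with `readOnly: true` on the second. The policy spec starts and continues outside this hunk, so which service accounts may use it is not visible here.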
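Review bot: The `lib-modules` volume at the end of the third hunk has no hostPath `type`, unlike `xtables-lock` just above it, so nothing is checked about `/lib/modules` on the node before it is mounted. If the directory is guaranteed on every node image, `type: Directory` would make a missing path fail visibly at pod start. If it can legitimately be absent, a short comment such as `# no type: /lib/modules may not exist on every host` would record that the omission is deliberate. The DaemonSet spec this list belongs to starts outside the hunk.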