From 41ca67bf54633edad7f65311dd95142a1f0f09cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?=
Date: Mon, 12 Feb 2018 10:21:38 +0100
Subject: [PATCH] Added iptables lock fix and ajusted oom-score

xtables lock was missing. Added new option for oom-score to make sure it's not killed in an OOM situation before regular pods.
---
 .../node/templates/manifests/kube-proxy.manifest.j2 | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index 37163c486..7eb0dc44d 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -31,6 +31,7 @@ spec:
 - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
 - --cluster-cidr={{ kube_pods_subnet }}
 - --proxy-mode={{ kube_proxy_mode }}
+ - --oom-score-adj=-998
 {% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
 - --masquerade-all
 {% elif kube_proxy_mode == 'ipvs' %}
@@ -59,6 +60,9 @@ spec:
 - mountPath: /lib/modules
 name: lib-modules
 readOnly: true
+ - mountPath: /run/xtables.lock
+ name: xtables-lock
+ readOnly: false
 volumes:
 - name: ssl-certs-host
 hostPath:
@@ -79,3 +83,7 @@ spec:
 - hostPath:
 path: /lib/modules
 name: lib-modules
+ - hostPath:
+ path: /run/xtables.lock
+ type: FileOrCreate
+ name: xtables-lock
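Review bot: The `--oom-score-adj=-998` argument added in the first hunk is a hard-coded literal, while the arguments around it are all templated from role variables. Consider exposing it the same way with the current value as default, e.g. `- --oom-score-adj={{ kube_proxy_oom_score_adj | default(-998) }}` (the variable name is a proposal, not an existing one). Lowering the OOM score from inside a container only takes effect when the process is permitted to do so; the container's securityContext is outside this hunk, so that should be confirmed before relying on the protection. A one-line comment carrying the reason from the commit message would also help, such as `# keep kube-proxy from being OOM-killed before regular pods`.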
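Review bot: The `xtables-lock` volumeMount added in the second hunk gives the container write access to a file on the host, and nothing beside it says why that is needed. A comment above the mount, e.g. `# shared with the host so every iptables caller serialises on the same lock file`, would let a later reviewer see that the writable host mount is deliberate and limited to this one file. `readOnly: false` is the default and could be dropped, although keeping it explicit is reasonable next to the `readOnly: true` mount above it. The volumeMounts list starts outside the hunk.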
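Review bot: With `type: FileOrCreate` in the last hunk, the mount is refused when `/run/xtables.lock` already exists as something other than a regular file, and the pod then does not start. This can occur on nodes where an earlier untyped hostPath mount of the same path left a directory behind. It would be worth recording this next to the volume, e.g. `# FileOrCreate: created as an empty file if absent; the mount fails if the path is a directory`, and checking existing nodes for that state before rollout. The `type` field also depends on the cluster version supporting typed hostPath volumes, which this hunk cannot confirm.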