diff --git a/roles/network_plugin/canal/templates/canal-node.yaml.j2 b/roles/network_plugin/canal/templates/canal-node.yaml.j2
index 6ef251af8f6ed97eba5c783994fb157ae15c8de1..e1fec660bc5081ba3c3bdd38b9be3276d13bb808 100644
--- a/roles/network_plugin/canal/templates/canal-node.yaml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2
@@ -51,6 +51,10 @@ spec:
         - name: "canal-certs"
           hostPath:
             path: "{{ canal_cert_dir }}"
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
       containers:
         # Runs the flannel daemon to enable vxlan networking between
         # container hosts.
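Review bot: The new `xtables-lock` volume has no comment saying why a host file is exposed to the pod, and `type: FileOrCreate` is load-bearing here: without it, a missing `/run/xtables.lock` could end up created as a directory by the container runtime, which would break iptables locking on the host. I would add above the entry `# Host iptables lock file, shared so iptables calls in the pod and on the host serialize; FileOrCreate keeps it a regular file.` The hostPath `type` field only exists from Kubernetes 1.8 on, so confirm that this role no longer targets older clusters. For consistency with the neighbouring `"canal-certs"` entry, the name and path could be quoted as well. The volumes list starts above the hunk.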
@@ -128,6 +132,9 @@ spec:
             - name: "canal-certs"
               mountPath: "{{ canal_cert_dir }}"
               readOnly: true
+            - name: xtables-lock
+              mountPath: /run/xtables.lock
+              readOnly: false
         # Runs calico/node container on each Kubernetes node.  This
         # container programs network policy and local routes on each
         # host.
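Review bot: The lock file is mounted into only the one container whose volumeMounts end here (apparently the flannel container; its definition starts above the hunk), while the calico/node container described right below "programs network policy and local routes on each host". The shared lock only prevents concurrent iptables updates if every writer opens the same file, so check that calico-node either mounts `xtables-lock` too or is otherwise covered. `readOnly: false` is the default; keeping it explicit is fine, but a short comment such as `# iptables takes a lock on this file, so it must be writable` would explain why this mount differs from the read-only cert mount above it.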