deckhouse · MrZuwZuw · Jan 20, 2026 · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026
diff --git a/charts/helm_lib/Chart.yaml b/charts/helm_lib/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
 type: library
 name: deckhouse_lib_helm
-version: 1.69.3
+version: 1.70.0
 description: "Helm utils template definitions for Deckhouse modules."
diff --git a/charts/helm_lib/README.md b/charts/helm_lib/README.md
@@ -78,6 +78,7 @@
 | [helm_lib_module_init_container_chown_nobody_volume](#helm_lib_module_init_container_chown_nobody_volume) |
 | [helm_lib_module_init_container_chown_deckhouse_volume](#helm_lib_module_init_container_chown_deckhouse_volume) |
 | [helm_lib_module_init_container_check_linux_kernel](#helm_lib_module_init_container_check_linux_kernel) |
+| [helm_lib_module_init_container_iptables_wrapper](#helm_lib_module_init_container_iptables_wrapper) |
 | **Module Labels** |
 | [helm_lib_module_labels](#helm_lib_module_labels) |
 | **Module Public Domain** |
@@ -900,6 +901,19 @@ list:
 -  Template context with .Values, .Chart, etc 
 -  Semver constraint 
 
+
+### helm_lib_module_init_container_iptables_wrapper
+
+ returns initContainer with iptables-wrapper 
+
+#### Usage
+
+`{{ include "helm_lib_module_init_container_iptables_wrapper" . }} `
+
+#### Arguments
+
+-  Template context with .Values, .Chart, etc 
+
 ## Module Labels
 
 ### helm_lib_module_labels

diff --git a/charts/helm_lib/templates/_module_init_container.tpl b/charts/helm_lib/templates/_module_init_container.tpl
@@ -64,3 +64,36 @@
     requests:
       {{- include "helm_lib_module_ephemeral_storage_only_logs" $context | nindent 6 }}
 {{- end }}
+
+{{- /* Usage: {{ include "helm_lib_module_init_container_iptables_wrapper" . }} */ -}}
+{{- /* returns initContainer with iptables-wrapper */ -}}
+{{- define "helm_lib_module_init_container_iptables_wrapper" -}}
+  {{- $context := . -}} {{- /* Template context with .Values, .Chart, etc */ -}}
+  - name: iptables-wrapper-init
+  {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all_and_add" (list . (list "NET_ADMIN" "NET_RAW")) | nindent 2 }}
+    runAsNonRoot: false
+    runAsUser: 0
+    runAsGroup: 0
+  image: {{ include "helm_lib_module_image" (list $context  "iptablesWrapperInit") }}
+  command:
+  - /bin/bash
+  - -ec
+  - |
+    /usr/bin/cp /iptables-wrapper /sbin/ -rv
+    /usr/bin/cp /_sbin/* /sbin/ -rv
+    /usr/bin/cp /relocate/sbin/* /sbin/ -rv
+    /sbin/iptables --version
+    /usr/bin/rm /sbin/iptables-wrapper -v
+  volumeMounts:
+  - mountPath: /sbin
+    name: sbin
+  - name: xtables-lock
+    mountPath: /run/xtables.lock      
+  resources:
+    requests:
+      {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 6 }}
+  {{- if not ( $context.Values.global.enabledModules | has "vertical-pod-autoscaler") }}
+    cpu: 10m
+    memory: 10Mi
+  {{- end }}
+{{- end }}
diff --git a/tests/templates/helm_lib_module_init_container.yaml b/tests/templates/helm_lib_module_init_container.yaml
@@ -3,3 +3,6 @@ chownDeckhouseVolume:
 
 checkLinuxKernel:
 {{ include "helm_lib_module_init_container_check_linux_kernel" (list . ">= 4.9.17") }}
+
+checkIptablesWrapper:
+{{ include "helm_lib_module_init_container_iptables_wrapper" . }}
diff --git a/tests/tests/helm_lib_module_init_container_test.yaml b/tests/tests/helm_lib_module_init_container_test.yaml
@@ -14,6 +14,8 @@ tests:
               init: sha256
               alpine: sha2
               checkKernelVersion: sha256:kernel123
+            testModule:
+              iptablesWrapperInit: sha256:iptables123
 
     asserts:
       - equal:
@@ -47,6 +49,8 @@ tests:
             common:
               alpine: sha2
               checkKernelVersion: sha256:kernel123
+            testModule:
+              iptablesWrapperInit: sha256:iptables123
     asserts:
       - equal:
           path: "chownDeckhouseVolume"
@@ -79,6 +83,8 @@ tests:
             common:
               checkKernelVersion: sha256:kernel123
               alpine: sha256:alpine123
+            testModule:
+              iptablesWrapperInit: sha256:iptables123
     asserts:
       - equal:
           path: "checkLinuxKernel"
@@ -103,3 +109,101 @@ tests:
                 runAsUser: 64535
                 seccompProfile:
                   type: RuntimeDefault
+  - it: should render the iptables wrapper container if not has enabledModules "vertical-pod-autoscaler"
+    set:
+      global:
+        modulesImages:
+          registry:
+            base: "deckhouse.io/deckhouse/ce"
+          digests:
+            common: 
+              alpine: sha256:alpine
+              checkKernelVersion: sha256:kernel
+            testModule:
+              iptablesWrapperInit: sha256:iptables123
+    asserts:
+      - equal:
+          path: "checkIptablesWrapper"
+          value:
+            - command:
+                - /bin/bash
+                - -ec
+                - |
+                  /usr/bin/cp /iptables-wrapper /sbin/ -rv
+                  /usr/bin/cp /_sbin/* /sbin/ -rv
+                  /usr/bin/cp /relocate/sbin/* /sbin/ -rv
+                  /sbin/iptables --version
+                  /usr/bin/rm /sbin/iptables-wrapper -v
+              image: deckhouse.io/deckhouse/ce@sha256:iptables123
+              name: iptables-wrapper-init
+              resources:
+                cpu: 10m
+                memory: 10Mi
+                requests:
+                    ephemeral-storage: 60Mi
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                    add:
+                        - NET_ADMIN
+                        - NET_RAW
+                    drop:
+                        - ALL
+                readOnlyRootFilesystem: true
+                runAsGroup: 0
+                runAsNonRoot: false
+                runAsUser: 0
+              volumeMounts:
+                - mountPath: /sbin
+                  name: sbin
+                - mountPath: /run/xtables.lock
+                  name: xtables-lock
+  - it: should render the iptables wrapper container if has enabledModules "vertical-pod-autoscaler"
+    set:
+      global:
+        enabledModules:
+        - vertical-pod-autoscaler
+        modulesImages:
+          registry:
+            base: "deckhouse.io/deckhouse/ce"
+          digests:
+            common: 
+              alpine: sha256:alpine
+              checkKernelVersion: sha256:kernel
+            testModule:
+              iptablesWrapperInit: sha256:iptables123
+    asserts:
+      - equal:
+          path: "checkIptablesWrapper"
+          value:
+            - command:
+                - /bin/bash
+                - -ec
+                - |
+                  /usr/bin/cp /iptables-wrapper /sbin/ -rv
+                  /usr/bin/cp /_sbin/* /sbin/ -rv
+                  /usr/bin/cp /relocate/sbin/* /sbin/ -rv
+                  /sbin/iptables --version
+                  /usr/bin/rm /sbin/iptables-wrapper -v
+              image: deckhouse.io/deckhouse/ce@sha256:iptables123
+              name: iptables-wrapper-init
+              resources:
+                requests:
+                    ephemeral-storage: 60Mi
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                    add:
+                        - NET_ADMIN
+                        - NET_RAW
+                    drop:
+                        - ALL
+                readOnlyRootFilesystem: true
+                runAsGroup: 0
+                runAsNonRoot: false
+                runAsUser: 0
+              volumeMounts:
+                - mountPath: /sbin
+                  name: sbin
+                - mountPath: /run/xtables.lock
+                  name: xtables-lock