diff --git a/nova/templates/bin/_fake-iptables.sh.tpl b/nova/templates/bin/_fake-iptables.sh.tpl
new file mode 100644
index 0000000000..02fa8718e9
--- /dev/null
+++ b/nova/templates/bin/_fake-iptables.sh.tpl
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+exit 0
diff --git a/nova/templates/configmap-bin.yaml b/nova/templates/configmap-bin.yaml
index ff6469fb57..312da9c130 100644
--- a/nova/templates/configmap-bin.yaml
+++ b/nova/templates/configmap-bin.yaml
@@ -47,3 +47,5 @@ data:
 {{ tuple "bin/_nova-consoleauth.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
 nova-scheduler.sh: |
 {{ tuple "bin/_nova-scheduler.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
+ fake-iptables.sh: |
+{{ tuple "bin/_fake-iptables.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
diff --git a/nova/templates/deployment-api-metadata.yaml b/nova/templates/deployment-api-metadata.yaml
index 98bc525c08..6b67a87052 100644
--- a/nova/templates/deployment-api-metadata.yaml
+++ b/nova/templates/deployment-api-metadata.yaml
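Review bot: In `nova/templates/bin/_fake-iptables.sh.tpl` the only statement is `exit 0`, and nothing in the file says it is a deliberate stand-in for iptables, iptables-save and iptables-restore. Every call reports success while no rule is read or written, so a caller that depends on a rule it believes it installed, or on a ruleset printed by `iptables-save`, gets no error to act on. I would add a header comment such as `# No-op stand-in mounted over iptables, iptables-save and iptables-restore in nova-api-metadata so the container can run without NET_ADMIN; no firewall rules are applied.` and, if the caller tolerates stderr output, `echo "fake-iptables: ignoring $0 $*" >&2` before `exit 0` so skipped calls show up in the pod log.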
@@ -56,12 +56,6 @@ spec:
 memory: {{ .Values.resources.nova_api_metadata.limits.memory | quote }}
 cpu: {{ .Values.resources.nova_api_metadata.limits.cpu | quote }}
 {{- end }}
- # NOTE(portdirect): NET_ADMIN is needed as the api-metadata service
- # expects to run some iptables commands, even when neutron is used.
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
 command:
 - /tmp/nova-api-metadata.sh
 - start
@@ -81,6 +75,18 @@ spec:
 mountPath: /tmp/nova-api-metadata.sh
 subPath: nova-api-metadata.sh
 readOnly: true
+ - name: nova-bin
+ mountPath: /sbin/iptables
+ subPath: fake-iptables.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /sbin/iptables-restore
+ subPath: fake-iptables.sh
+ readOnly: true
+ - name: nova-bin
+ mountPath: /sbin/iptables-save
+ subPath: fake-iptables.sh
+ readOnly: true
 - name: nova-etc
 mountPath: /etc/nova/nova.conf
 subPath: nova.conf
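Review bot: The three added `nova-bin` mounts overlay `/sbin/iptables`, `/sbin/iptables-restore` and `/sbin/iptables-save` with the stub, but nothing next to them says why, while the earlier hunk deletes the NOTE that explained why NET_ADMIN was granted. A replacement comment above the first mount would keep that reasoning with the config, for example `# NOTE: iptables is replaced by a no-op script so this container can run without NET_ADMIN.` The overlay also only works if the image resolves these tools at exactly `/sbin/...` and the `nova-bin` volume is mounted with an executable mode; neither is visible here, and if either does not hold the service would presumably fail on the real binary or on a non-executable stub instead. The `volumeMounts` list starts and ends outside the hunk.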