iptables wrapper entrypoint isn't executable

The iptables wrapper entrypoint isn't executable and therefore we get a complaint from kube-proxy that it cannot be found on $PATH:

Error checking iptables version, assuming version at least 1.4.11: executable file not found in $PATH
...
...
E0821 12:17:29.629224       1 proxier.go:1876] Failed to execute iptables-save, syncing all rules: executable file not found in $PATH
E0821 12:17:29.629266       1 proxier.go:1876] Failed to execute iptables-save, syncing all rules: executable file not found in $PATH
E0821 12:17:29.629311       1 proxier.go:1842] Failed to ensure that nat chain KUBE-SERVICES exists: error creating chain "KUBE-SERVICES": executable file not found in $PATH:
E0821 12:17:29.694680       1 proxier.go:1562] Failed to execute iptables-restore: executable file not found in $PATH ()

From within the container we have:

update-alternatives --list

...
ip6tables               auto    /usr/sbin/iptables-wrapper
iptables                auto    /usr/sbin/iptables-wrapper

but its not executable:

-rw-r--r--. 1 root root 1682 Jul 31 17:50 /usr/sbin/iptables-wrapper

if i manually intervene and add execute permissions, now i can run iptables and it will get to the wrapper.