The eBPF-based kube-proxy replacement can coexist with the original `kube-proxy`. eBPF handles traffic earlier in the network stack, before it reaches the netfilter layer where `kube-proxy` rules are applied. See the Cilium kube-proxy-hybrid-modes for more information.
The `kube-proxy-healthz` is a simple health check utility designed to replace the default `kube-proxy` binary in RKE1 (Rancher Kubernetes Engine) clusters. The `kube-proxy` container in RKE1 is hardcoded and cannot be disabled. If the `kube-proxy` container does not report health, it is restarted, and the node is marked as `NotReady`. This utility allows running the RKE1 cluster without the default `kube-proxy` by providing a health check that mimics the behavior of `kube-proxy`.
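To make concrete what "mimics the behavior of `kube-proxy`" has to cover, here is an added Go example (not the `kube-proxy-healthz` project's own code, whose implementation is not shown on this page) of a handler that reproduces the status codes and JSON body of kube-proxy's healthz endpoint. The `:10256` port is kube-proxy's default healthz port; the `healthy` hook, the `now` parameter and the `NewHealthzHandler` name are this example's own assumptions.

```go
// Added example, not the kube-proxy-healthz project's own code. It shows the
// shape of the response kube-proxy's healthz server returns, which is what a
// stand-in binary has to reproduce for RKE1's health check to keep the
// container running. Assumptions: :10256 is kube-proxy's default
// --healthz-bind-address port; the healthy() hook is hypothetical.
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"time"
)

// healthzResponse carries the two fields kube-proxy writes to /healthz.
type healthzResponse struct {
	LastUpdated string `json:"lastUpdated"`
	CurrentTime string `json:"currentTime"`
}

// NewHealthzHandler answers 200 while healthy() is true and 503 otherwise,
// always with a kube-proxy-style JSON body. A nil healthy hook means "always
// healthy", i.e. a pure stand-in; wiring it to a probe of the replacement
// dataplane (assumption, e.g. a Cilium agent check) keeps the node's
// NotReady signal meaningful instead of unconditionally green. now is
// injectable so tests can pin the timestamps.
func NewHealthzHandler(healthy func() bool, now func() time.Time) http.Handler {
	if healthy == nil {
		healthy = func() bool { return true }
	}
	if now == nil {
		now = time.Now
	}
	started := now() // stands in for kube-proxy's "last sync" time
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		current := now()
		last := started
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		if healthy() {
			// kube-proxy reports lastUpdated == currentTime when healthy.
			last = current
			w.WriteHeader(http.StatusOK)
		} else {
			w.WriteHeader(http.StatusServiceUnavailable)
		}
		_ = json.NewEncoder(w).Encode(healthzResponse{
			LastUpdated: last.Format(time.RFC3339),
			CurrentTime: current.Format(time.RFC3339),
		})
	})
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/healthz", NewHealthzHandler(nil, nil))
	srv := &http.Server{
		Addr:              ":10256", // kube-proxy's default healthz port
		Handler:           mux,
		ReadHeaderTimeout: 5 * time.Second,
	}
	log.Println("serving /healthz on", srv.Addr)
	log.Fatal(srv.ListenAndServe())
}
```

Run it and query `curl -s http://127.0.0.1:10256/healthz`: a 200 with the JSON body is what a kube-proxy-style health probe expects. The `healthy` hook is where you decide how much the stand-in should vouch for. An unconditional `true` keeps the container up regardless of dataplane state, so a node whose eBPF dataplane is broken would still look `Ready`; returning the replacement's own health there preserves the `NotReady` signal.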
There is an issue with `kube-apiserver` high availability (HA) that has been addressed in Cilium Issue #37601 and documented in kubernetes-api-server-high-availability. However, in Rancher-managed clusters, there is the `nginx-proxy` on every node managed by the Rancher agent. The Kubernetes API is always accessible at `127.0.0.1:6443`.
- Ensure kube-proxy replacement (e.g. Cilium) is deployed on all nodes.
- Build the `kube-proxy-healthz` binary using the provided Makefile.
- Deploy the `kube-proxy-healthz` binary to all RKE1 nodes where `kube-proxy` is running.
- Bind mount the `kube-proxy-healthz` binary into the `kube-proxy` container to replace the default binary:

  ```yaml
  kubeproxy:
    extra_binds:
      - '/usr/local/bin/kube-proxy-healthz:/usr/local/bin/kube-proxy'
  ```

- Restart the nodes to ensure that the old kube-proxy iptables rules are cleared. Alternatively, use the `kube-proxy --cleanup` command.
See the Rancher Terraform provider `rke_config.services.kubeproxy.extra_binds` resource for documentation.
- RKE Issue #1432.
- RKE Cluster BuildRKEConfigNodePlan.
- Kubernetes kube-proxy healthz HTTP server.