docs, gsg: minor edits to kpr guide and note on hybrid use

b2d2d69 ("docs: Add how to remove kube-proxy from existing clusters") added the howto for removing kube-proxy right into the middle of the kubeadm setup given right afterwards we talk about kubeadm join. Detangle this to make it more clear that both don't have anything to do with each other. Also add a warning to removing kube-proxy that this is disruptive. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
cilium · May 17, 2021 · 107fb8f · 107fb8f
1 parent 5d5f5d2
commit 107fb8f
Showing 1 changed file with 23 additions and 12 deletions.
diff --git a/Documentation/gettingstarted/kubeproxy-free.rst b/Documentation/gettingstarted/kubeproxy-free.rst
@@ -40,17 +40,6 @@ installation of the ``kube-proxy`` add-on:
 
       kubeadm init --skip-phases=addon/kube-proxy
 
-For existing installations with ``kube-proxy`` running as a DaemonSet, remove it
-by using the following commands:
-
-.. code:: bash
-
-      kubectl -n kube-system delete ds kube-proxy
-      # Delete the configmap as well to avoid kube-proxy being reinstalled during a kubeadm upgrade (works only for K8s 1.19 and newer)
-      kubectl -n kube-system delete cm kube-proxy
-      # Run on each node:
-      iptables-restore <(iptables-save | grep -v KUBE)
-
 Afterwards, join worker nodes by specifying the control-plane node IP address and
 the token returned by ``kubeadm init``:
 
@@ -68,6 +57,19 @@ the token returned by ``kubeadm init``:
     each node has an ``InternalIP`` which is assigned to a device with the same
     name on each node.
 
+For existing installations with ``kube-proxy`` running as a DaemonSet, remove it
+by using the following commands below. **Careful:** Be aware that this will break
+existing service connections. It will also stop service related traffic until the
+Cilium replacement has been installed:
+
+.. code:: bash
+
+      kubectl -n kube-system delete ds kube-proxy
+      # Delete the configmap as well to avoid kube-proxy being reinstalled during a kubeadm upgrade (works only for K8s 1.19 and newer)
+      kubectl -n kube-system delete cm kube-proxy
+      # Run on each node:
+      iptables-restore <(iptables-save | grep -v KUBE)
+
 .. include:: k8s-install-download-release.rst
 
 Next, generate the required YAML files and deploy them. **Important:** Replace
@@ -1004,7 +1006,16 @@ Cilium's eBPF kube-proxy replacement can be configured in several modes, i.e. it
 replace kube-proxy entirely or it can co-exist with kube-proxy on the system if the
 underlying Linux kernel requirements do not support a full kube-proxy replacement.
 
-This section therefore elaborates on the various ``kubeProxyReplacement`` options:
+**Careful:** When deploying the eBPF kube-proxy replacement under co-existence with
+kube-proxy on the system, be aware that both mechanisms operate independent of each
+other. Meaning, if the eBPF kube-proxy replacement is added or removed on an already
+*running* cluster in order to delegate operation from respectively back to kube-proxy,
+then it must be expected that existing connections will break since, for example,
+both NAT tables are not aware of each other. If deployed in co-existence on a newly
+spawned up node/cluster which does not yet serve user traffic, then this is not an
+issue.
+
+This section elaborates on the various ``kubeProxyReplacement`` options:
 
 - ``kubeProxyReplacement=strict``: This option expects a kube-proxy-free
   Kubernetes setup where Cilium is expected to fully replace all kube-proxy