cilium · tklauser · May 17, 2021 · May 17, 2021
diff --git a/Documentation/gettingstarted/kubeproxy-free.rst b/Documentation/gettingstarted/kubeproxy-free.rst
@@ -40,17 +40,6 @@ installation of the ``kube-proxy`` add-on:
 
       kubeadm init --skip-phases=addon/kube-proxy
 
-For existing installations with ``kube-proxy`` running as a DaemonSet, remove it
-by using the following commands:
-
-.. code:: bash
-
-      kubectl -n kube-system delete ds kube-proxy
-      # Delete the configmap as well to avoid kube-proxy being reinstalled during a kubeadm upgrade (works only for K8s 1.19 and newer)
-      kubectl -n kube-system delete cm kube-proxy
-      # Run on each node:
-      iptables-restore <(iptables-save | grep -v KUBE)
-
 Afterwards, join worker nodes by specifying the control-plane node IP address and
 the token returned by ``kubeadm init``:
 
@@ -68,6 +57,19 @@ the token returned by ``kubeadm init``:
     each node has an ``InternalIP`` which is assigned to a device with the same
     name on each node.
 
+For existing installations with ``kube-proxy`` running as a DaemonSet, remove it
+by using the following commands below. **Careful:** Be aware that this will break
+existing service connections. It will also stop service related traffic until the
+Cilium replacement has been installed:
+
+.. code:: bash
+
+      kubectl -n kube-system delete ds kube-proxy
+      # Delete the configmap as well to avoid kube-proxy being reinstalled during a kubeadm upgrade (works only for K8s 1.19 and newer)
+      kubectl -n kube-system delete cm kube-proxy
+      # Run on each node:
+      iptables-restore <(iptables-save | grep -v KUBE)
+
 .. include:: k8s-install-download-release.rst
 
 Next, generate the required YAML files and deploy them. **Important:** Replace
@@ -1004,7 +1006,16 @@ Cilium's eBPF kube-proxy replacement can be configured in several modes, i.e. it
 replace kube-proxy entirely or it can co-exist with kube-proxy on the system if the
 underlying Linux kernel requirements do not support a full kube-proxy replacement.
 
-This section therefore elaborates on the various ``kubeProxyReplacement`` options:
+**Careful:** When deploying the eBPF kube-proxy replacement under co-existence with
+kube-proxy on the system, be aware that both mechanisms operate independent of each
+other. Meaning, if the eBPF kube-proxy replacement is added or removed on an already
+*running* cluster in order to delegate operation from respectively back to kube-proxy,
+then it must be expected that existing connections will break since, for example,
+both NAT tables are not aware of each other. If deployed in co-existence on a newly
+spawned up node/cluster which does not yet serve user traffic, then this is not an
+issue.
+
+This section elaborates on the various ``kubeProxyReplacement`` options:
 
 - ``kubeProxyReplacement=strict``: This option expects a kube-proxy-free
   Kubernetes setup where Cilium is expected to fully replace all kube-proxy