fix: skip kube-proxy-only tasks when kube_proxy_remove is true (#13228)

* fix: skip kube-proxy-only tasks when kube_proxy_remove is true

Signed-off-by: Sumit Solanki <sumit.solanki@ibm.com>

* refactor: use  where defaults already define the var

Signed-off-by: Sumit Solanki <sumit.solanki@ibm.com>

---------

Signed-off-by: Sumit Solanki <sumit.solanki@ibm.com>
Sumit Solanki
2026-05-07 18:31:20 +05:30
committed by GitHub
parent 09e9c43570
commit e97333dbf8
6 changed files with 17 additions and 3 deletions


@@ -3,7 +3,8 @@
fail:
msg: "MetalLB require kube_proxy_strict_arp = true, see https://github.com/danderson/metallb/issues/153#issuecomment-518651132"
when:
- "kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp"
- kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
- not kube_proxy_remove
- name: Kubernetes Apps | Check that the deprecated 'matallb_auto_assign' variable is not used anymore
fail:
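Review bot: The added `- not kube_proxy_remove` condition negates the raw variable, so a value that arrives as a string (for example `-e kube_proxy_remove=false`, or an INI `:vars` entry) is a non-empty string whose negation is false, and this strict-ARP preflight would be skipped silently even though kube-proxy is still deployed. Casting keeps the guard from failing open: `- not (kube_proxy_remove | bool)`. The same bare negation is added in the kube-vip check, the three kernel-module tasks, the nftables kernel-version assert, and as `"{{ not kube_proxy_remove }}"` in the two `pkgs` entries, where `"{{ not (kube_proxy_remove | bool) }}"` would apply. The task's `- name:` line sits above the hunk.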


@@ -4,6 +4,7 @@
msg: "kube-vip require kube_proxy_strict_arp = true, see https://github.com/kube-vip/kube-vip/blob/main/docs/kubernetes/arp/index.md"
when:
- kube_proxy_mode == 'ipvs' and not kube_proxy_strict_arp
- not kube_proxy_remove
- kube_vip_arp_enabled
- name: Kube-vip | Check mutually exclusive BGP source settings


@@ -114,7 +114,9 @@
state: present
persistent: present
loop: "{{ kube_proxy_ipvs_modules }}"
when: kube_proxy_mode == 'ipvs'
when:
- kube_proxy_mode == 'ipvs'
- not kube_proxy_remove
tags:
- kube-proxy
@@ -130,6 +132,7 @@
- nf_conntrack_ipv4
when:
- kube_proxy_mode == 'ipvs'
- not kube_proxy_remove
- modprobe_conntrack_module is not defined or modprobe_conntrack_module is ansible.builtin.failed # loop until first success
tags:
- kube-proxy
@@ -139,7 +142,9 @@
name: "nf_tables"
state: present
persistent: present
when: kube_proxy_mode == 'nftables'
when:
- kube_proxy_mode == 'nftables'
- not kube_proxy_remove
tags:
- kube-proxy
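Review bot: These three module tasks are now skipped when `kube_proxy_remove` is true, but nothing in the visible hunks reverts what an earlier run persisted with `state: present` / `persistent: present`, so a node converted from kube-proxy to a replacement would presumably keep loading the IPVS, conntrack or `nf_tables` modules at boot. If that is intended, a comment above the first new `when:` would say so, e.g. `# Skipped (not reverted) when kube_proxy_remove is true; modules persisted by earlier runs stay configured until removed by hand.` The same applies to the `ipvsadm` and `nftables` entries in the `pkgs` map, which stop being selected but are not shown being uninstalled. Each task begins above its hunk, so the module invocation itself is not visible here.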


@@ -73,6 +73,7 @@
that: ansible_kernel.split('-')[0] is version('5.13', '>=')
when:
- kube_proxy_mode == 'nftables'
- not kube_proxy_remove
- not ignore_assert_errors
- name: Stop if bad hostname


@@ -33,6 +33,10 @@ kube_version_min_required: "{{ (kubelet_checksums['amd64'] | dict2items)[-1].key
## Kube Proxy mode One of ['ipvs', 'iptables', 'nftables']
kube_proxy_mode: ipvs
# When true, kubeadm skips the kube-proxy addon (for example Cilium kube-proxy replacement).
# Node and package tasks that exist only for kube-proxy also honor this (IPVS/nftables modules, ipvsadm, strict_arp checks).
kube_proxy_remove: false
# Debugging option for the kubeadm config validate command
# Set to false only for development and testing scenarios where validation is expected to fail (pre-release Kubernetes versions, etc.)
kubeadm_config_validate_enabled: true


@@ -65,6 +65,7 @@ pkgs:
- "{{ ping_access_ip }}"
ipvsadm:
- "{{ kube_proxy_mode == 'ipvs' }}"
- "{{ not kube_proxy_remove }}"
- "{{ 'k8s_cluster' in group_names }}"
libseccomp:
- "{{ ansible_os_family == 'RedHat' }}"
@@ -80,6 +81,7 @@ pkgs:
- "{{ ansible_distribution_major_version == '12' }}"
nftables:
- "{{ kube_proxy_mode == 'nftables' }}"
- "{{ not kube_proxy_remove }}"
- "{{ 'k8s_cluster' in group_names }}"
nss:
- "{{ ansible_os_family == 'RedHat' }}"