This message was deleted.

In

/etc/rancher/rke2/config.yaml.d/50-rancher.yaml

I do see

disable-kube-proxy: true

you’d need to restart the servers first, then the agents. That should have been done for you when you modified the cluster config via Rancher though.

Servers as in rke2-server? and agents as in rke2-agent? Not the hosts, and rancher-system-agent? I did try manually restarting rke2-server and rancher-system-agent, as well as rebooting nodes, but no luck. kube-proxy always comes back and adds the iptables rules.

that doesn’t sound right. What version of RKE2 are you using? Can you provide the output of

kubectl get node -o yaml | grep node-args

?

v1.30.3+rke2r1

and rancher v2.9

<http://rke2.io/node-args|rke2.io/node-args>: '["server","--agent-token","********","--cluster-cidr","10.64.0.0/16","--cluster-dns","10.65.0.10","--cni","cilium","--disable","rke2-ingress-nginx","--disable","rke2-cilium","--disable-kube-proxy","true","--etcd-expose-metrics","true","--etcd-snapshot-retention","5","--etcd-snapshot-schedule-cron","0
      <http://rke2.io/node-args|rke2.io/node-args>: '["server","--agent-token","********","--cluster-cidr","10.64.0.0/16","--cluster-dns","10.65.0.10","--cni","cilium","--disable","rke2-ingress-nginx","--disable","rke2-cilium","--disable-kube-proxy","true","--etcd-expose-metrics","true","--etcd-snapshot-retention","5","--etcd-snapshot-schedule-cron","0
      <http://rke2.io/node-args|rke2.io/node-args>: '["server","--agent-token","********","--cluster-cidr","10.64.0.0/16","--cluster-dns","10.65.0.10","--cni","cilium","--disable","rke2-ingress-nginx","--disable","rke2-cilium","--disable-kube-proxy","true","--etcd-expose-metrics","true","--etcd-snapshot-retention","5","--etcd-snapshot-schedule-cron","0

That should work… you could try deleting the kube-proxy static pod manifest from /var/lib/rancher/rke2/agent/pod-manifests/ but that shouldn’t be necessary if you start with --disable-kube-proxy

This seems to be working. Thanks!