# rke2
I tried to "migrate" an RKE2 v1.32.7 cluster from a default Cilium installation (as it is done from Rancher 2.12.2) to Cilium with kube-proxy replacement mode. I set all the variables mentioned in https://support.scc.suse.com/s/kb/How-to-disable-kube-proxy-on-a-Rancher-managed-rke2-cluster-with-Cilium?language=en_US in the Cilium add-on config and added `disable-kube-proxy: true` in the machineGlobalConfig of the cluster object.

After some time the Cilium pods were restarted and claimed that they were running in kube-proxy replacement mode. But the kube-proxy pods were still present (even though the disable option made it to /etc/rancher/rke2/config.yaml.d/50-rancher.yaml). The whole cluster seemed to continue to work, but it looked weird. Restarting rke2-server|agent didn't change anything. I removed the static manifests from all nodes to get rid of kube-proxy, but this made it even worse. It was just a test cluster, so I simply removed it later.

The question is: is this even supposed to work? I know that switching CNIs is not supported with RKE2, but changing some parameters of the same CNI should work. Am I wrong? Or is it, maybe, just a Rancher issue?

EDIT: I ran a few more tests (this time without Rancher, to prove the general function). tl;dr: It's working, but it looks like the sequence matters. First change `disable-kube-proxy` to false in the rke2 config somewhere. Then manually delete the kube-proxy manifest in /var/lib/rancher/rke2/server/manifests. Add the Cilium manifest there also. Then restart either rke2 server or agent. This will keep some kube-proxy iptables rules but should work in general. If you also want to get rid of those, reboot the server instead of restarting rke2. At least this was working for me. Is that OK? "Supported"?
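A node-level check for the two things the post observes (whether the `disable-kube-proxy` setting is actually in effect, and whether kube-proxy iptables chains are still loaded after a restart), as an added example that is not part of the original post. The function names, the sample files and the sample rules are constructed; it assumes a later config file overrides an earlier one and matches only a subset of kube-proxy's iptables-mode chain names.

```shell
#!/bin/sh
# Added example (not from the original post): verify a node after disabling kube-proxy.

# Print the effective disable-kube-proxy value across config files passed in
# load order (assumption: the last file that sets the key wins).
# Prints "unset" when no file sets it.
effective_disable_kube_proxy() {
  value="unset"
  for f in "$@"; do
    [ -r "$f" ] || continue
    line=$(grep -E '^disable-kube-proxy:' "$f" | tail -n 1)
    [ -n "$line" ] || continue
    value=$(printf '%s\n' "$line" \
      | sed -E 's/^[^:]+:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
      | tr -d "\"'")
  done
  printf '%s\n' "$value"
}

# Read iptables-save output on stdin and list chains that kube-proxy
# (iptables mode) creates. Subset of its chain names; chains owned by the
# kubelet or by Cilium are deliberately not matched.
stale_kube_proxy_chains() {
  grep -E '^:KUBE-(SERVICES|NODEPORTS|PROXY-CANARY|SVC-|SEP-)' \
    | sed -E 's/^:([^ ]+).*/\1/' | sort -u
}

# --- constructed sample input, not captured from a real node ---
demo=$(mktemp -d)
printf 'cni: cilium\n' > "$demo/config.yaml"
printf 'disable-kube-proxy: true  # from machineGlobalConfig\n' > "$demo/50-rancher.yaml"
SAMPLE_RULES=':PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-EXAMPLE000000001 - [0:0]
:KUBE-SEP-EXAMPLE000000001 - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:CILIUM_PRE_nat - [0:0]
-A PREROUTING -j KUBE-SERVICES'

echo "disable-kube-proxy = $(effective_disable_kube_proxy \
  "$demo/config.yaml" "$demo/50-rancher.yaml")"
echo "kube-proxy chains still loaded:"
printf '%s\n' "$SAMPLE_RULES" | stale_kube_proxy_chains
```

On a real node, pass the actual config files and pipe `iptables-save` into `stale_kube_proxy_chains`; a non-empty list after the change means old service NAT rules are still in the packet path alongside Cilium's.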