I wonder about the difference between kube-proxy and CNI.
Does Calico also use iptables to set policies? In this case, the role overlaps with the kube-proxy, what's the difference between the two?
Why is kube-proxy disabled for Calico eBPF mode? Since kube-proxy uses iptables, do you disable kube-proxy that uses iptables to use eBPF?
If I disable kube-proxy, will the existing iptables policies be removed?
Thank you.
Calico defaults to using iptables to set network policies. Calico iptables chains/rules sit alongside and integrate with the kube-proxy rules (when kube-proxy is in iptables mode).
The BPF code Calico implements intercepts the packets before the kube-proxy iptables rules are able to. You don't have to disable kube-proxy, but there is no reason to run kube-proxy (and the overhead of it managing iptables rules) once Calico can communicate directly with the kube-apiserver service and manage Kubernetes services via BPF.
If kube-proxy is not running, it will not add any k8s iptables rules. If you have been left with rules after kube-proxy is shut down, a manual iptables flush `iptables --flush` or a reload of your base iptables config will do. Otherwise a `kube-proxy --cleanup`.
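Before cleaning up, it helps to see which chains belong to which component, since a blanket flush does not distinguish between them. The script below is an added example, not part of the original answer: it summarises `iptables-save` output per table and owner, assuming kube-proxy chains carry the `KUBE-` prefix and Calico chains the `cali-` prefix. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Summarise chain ownership in `iptables-save` output read from stdin.
# Assumption: KUBE-* chains are Kubernetes-managed, cali-* chains are Calico's.
chain_owners() {
    awk '
        function owner(c) {
            if (c ~ /^KUBE-/) return "kube"
            if (c ~ /^cali-/) return "calico"
            return "other"
        }
        /^\*/  { table = substr($1, 2); next }                    # "*nat", "*filter"
        /^:/   { chains[table " " owner(substr($1, 2))]++; next } # chain declaration
        /^-A / { rules[table " " owner($2)]++; next }             # rule appended to a chain
        END {
            for (k in chains) printf "%s chains=%d rules=%d\n", k, chains[k], rules[k]
        }
    ' | sort
}

# Constructed sample in iptables-save format (not taken from a real node).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-EXAMPLE000000001 - [0:0]
:KUBE-SEP-EXAMPLE000000001 - [0:0]
:cali-PREROUTING - [0:0]
-A PREROUTING -j cali-PREROUTING
-A PREROUTING -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp --dport 53 -j KUBE-SVC-EXAMPLE000000001
-A KUBE-SVC-EXAMPLE000000001 -j KUBE-SEP-EXAMPLE000000001
-A KUBE-SEP-EXAMPLE000000001 -p tcp -j DNAT --to-destination 192.0.2.10:53
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:cali-FORWARD - [0:0]
:KUBE-FORWARD - [0:0]
-A FORWARD -j cali-FORWARD
-A FORWARD -j KUBE-FORWARD
-A cali-FORWARD -j ACCEPT
COMMIT
EOF
}

sample_ruleset | chain_owners
```

On a node, pipe the real ruleset in with `iptables-save | chain_owners`; any remaining `kube` rows after kube-proxy has stopped are the leftovers the answer refers to.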