Skip to content

Document bpfKubeProxyHealthzPort conflict when kube-proxy cannot be disabled #2575

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tomastigera wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Document bpfKubeProxyHealthzPort conflict when kube-proxy cannot be disabled #2575

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
42bd256
Document MKE VXLAN port conflict for eBPF dataplane
tomastigera Mar 6, 2026
730ec85
Address PR review feedback for MKE VXLAN port docs
tomastigera Mar 6, 2026
53bf550
Document bpfKubeProxyHealthzPort conflict with Kubernetes kube-proxy
tomastigera Mar 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions calico-enterprise/operations/ebpf/enabling-ebpf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,6 +185,38 @@ kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyIptable

If both `kube-proxy` and `BPFKubeProxyIptablesCleanupEnabled` is enabled then `kube-proxy` will write its iptables rules and Felix will try to clean them up resulting in iptables flapping between the two.

You should also set `bpfKubeProxyHealthzPort` to `0` to disable the health check server in $[prodname]'s BPF kube-proxy replacement, which by default binds to port 10256 and would conflict with the Kubernetes `kube-proxy` already running on the node. The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation.

```bash
kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyHealthzPort": 0}}'
Comment on lines +188 to +191
Copy link

Copilot AI Mar 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This states that bpfKubeProxyHealthzPort: 0 disables the embedded health check server, but the generated Felix config reference (calico-enterprise/_includes/components/FelixConfig/config-params.json) currently documents this parameter only as an integer port and does not mention 0 as a disable value. Please add a version/feature gate note (and link) for when 0 is supported, or change the guidance to selecting an unused port (as in the versioned docs).

Suggested change
You should also set `bpfKubeProxyHealthzPort` to `0` to disable the health check server in $[prodname]'s BPF kube-proxy replacement, which by default binds to port 10256 and would conflict with the Kubernetes `kube-proxy` already running on the node. The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation.
```bash
kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyHealthzPort": 0}}'
You should also set `bpfKubeProxyHealthzPort` to an unused port to avoid conflicts with the health check server in $[prodname]'s BPF kube-proxy replacement, which by default binds to port 10256 and would conflict with the Kubernetes `kube-proxy` already running on the node. The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation; the new port value is only to avoid the conflict. For example:
```bash
kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyHealthzPort": 11256}}'

Copilot uses AI. Check for mistakes.
Copy link
Collaborator

@ctauchen ctauchen Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tomastigera Is this valid?

```

### MKE: Change the VXLAN port before enabling eBPF
Copy link
Collaborator

@ctauchen ctauchen Mar 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this PR includes changes from the other PR #2574 . Can you separate them?


:::caution

MKE uses Docker Swarm overlay networking, which creates VXLAN devices on UDP port 4789 inside Docker network namespaces.
When $[prodname] switches to eBPF mode on kernels where BTF is available (typically v5.8+), Felix creates the `vxlan.calico` device in
flow mode, which acts as a catch-all on its UDP port. The kernel rejects this when another VXLAN device (Docker Swarm's)
already holds the same port, causing `vxlan.calico` to stay DOWN with `address already in use` errors.

**You must change the VXLAN port before enabling eBPF on MKE clusters:**

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
```

Wait for all calico-node pods to recreate the VXLAN device on the new port, then verify on each node:

```bash
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico
```

Confirm the device shows `dstport 4790` (or your chosen port) and is UP before proceeding.
Ensure that the chosen UDP port is allowed by your underlying network between all nodes.

:::

### Enable eBPF mode

To enable eBPF mode, change the `spec.calicoNetwork.linuxDataplane` parameter in the operator's `Installation`
Expand Down
15 changes: 15 additions & 0 deletions calico-enterprise/operations/ebpf/install.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,21 @@ can do that by setting `--kube-proxy-mode=disabled` and `--kube-default-drop-mas

More details can be found in [the MKE documentation](https://docs.mirantis.com/mke/current/install/predeployment/configure-networking/cluster-service-networking-options.html)

:::caution VXLAN port conflict

MKE's Docker Swarm overlay networking uses UDP port 4789 for its own VXLAN devices. In eBPF mode, when BTF is available on the node (typically kernel v5.8+),
$[prodname] creates the `vxlan.calico` device in flow mode, which conflicts with Docker Swarm's use of the same port.
You must change the VXLAN port before enabling eBPF:

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
```
Comment on lines +178 to +186
Copy link

Copilot AI Mar 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This VXLAN port patch is in the pre-install portion of the guide, before Tigera Operator / Calico CRDs are installed. kubectl patch felixconfiguration default ... can fail if the FelixConfiguration CRD or the default resource doesn't exist yet. Consider moving this to after Calico installation (or instruct users to apply a FelixConfiguration manifest during install) but before enabling eBPF.

Copilot uses AI. Check for mistakes.

Ensure the chosen UDP port is allowed by your underlying network between all nodes.
See [Troubleshoot eBPF mode](troubleshoot-ebpf.mdx#mke-vxlan-device-down) for more details.

:::

</TabItem>

</Tabs>
Expand Down
49 changes: 49 additions & 0 deletions calico-enterprise/operations/ebpf/troubleshoot-ebpf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -396,6 +396,55 @@ e2e` command. The command resets the profiling data after dumping it.

```

## MKE: VXLAN device DOWN

On MKE clusters, after enabling eBPF mode, the `vxlan.calico` device may stay DOWN with Felix logs showing:

```
Failed to set tunnel device up error=address already in use
```

This happens because MKE's Docker Swarm overlay networking creates VXLAN devices on UDP port 4789 inside Docker network namespaces (`/run/docker/netns/`). In eBPF mode, when BTF is available on the node (typically kernel v5.8+), Felix creates `vxlan.calico` in flow mode (`external`), which acts as a catch-all on its UDP port. The kernel rejects this because Docker Swarm's VXLAN device already holds port 4789.

In iptables mode this conflict doesn't occur because Calico's VXLAN device binds with a specific VNI (4096), which can coexist with Docker Swarm's VXLAN on the same port.

**Diagnosis:**

```bash
# Confirm the VXLAN device is DOWN
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico

# Check what holds port 4789 (shows a kernel-owned socket with no process name)
kubectl exec -n calico-system <calico-node-pod> -- ss -ulnp sport = :4789

# Find Docker Swarm VXLAN devices in Docker network namespaces (run on the node via SSH)
for ns in /run/docker/netns/*; do
echo "=== $(basename "$ns") ==="
nsenter --net="$ns" ip -d link show type vxlan 2>/dev/null
done
```

**Fix:** Change Calico's VXLAN port to avoid the conflict:

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
```

Felix will recreate `vxlan.calico` on the new port within seconds. Verify on each node:

```bash
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico
# Should show: vxlan external ... dstport 4790 ... state UP
```

Ensure the chosen UDP port is allowed by your underlying network between all nodes.

:::tip

For MKE clusters, set the VXLAN port **before** enabling eBPF mode to avoid any disruption.

:::

## Debug high CPU usage

If you notice `$[noderunning]` using high CPU:
Expand Down
32 changes: 32 additions & 0 deletions calico-enterprise_versioned_docs/version-3.23-1/operations/ebpf/enabling-ebpf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,6 +185,38 @@ kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyIptable

If both `kube-proxy` and `BPFKubeProxyIptablesCleanupEnabled` is enabled then `kube-proxy` will write its iptables rules and Felix will try to clean them up resulting in iptables flapping between the two.

You should also change `bpfKubeProxyHealthzPort` to an unused port to avoid conflicting with the Kubernetes `kube-proxy`'s default health check port (10256). The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation. Changing the health check port of the Kubernetes `kube-proxy` is typically not possible on managed platforms such as AKS. Choose a port that is not already in use on your nodes (for example, 10258; note that 10257 may be used by containerd).
Copy link

Copilot AI Mar 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The note "10257 may be used by containerd" is likely wrong (10257 is commonly reserved by kube-controller-manager). Please update/remove this example to avoid recommending a potentially in-use port; consider advising users to check node listeners and/or note the typical Kubernetes reserved ports (10257/10259).

Suggested change
You should also change `bpfKubeProxyHealthzPort` to an unused port to avoid conflicting with the Kubernetes `kube-proxy`'s default health check port (10256). The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation. Changing the health check port of the Kubernetes `kube-proxy` is typically not possible on managed platforms such as AKS. Choose a port that is not already in use on your nodes (for example, 10258; note that 10257 may be used by containerd).
You should also change `bpfKubeProxyHealthzPort` to an unused port to avoid conflicting with the Kubernetes `kube-proxy`'s default health check port (10256). The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation. Changing the health check port of the Kubernetes `kube-proxy` is typically not possible on managed platforms such as AKS. Choose a port that is not already in use on your nodes (for example, 10258), avoid typical Kubernetes reserved ports such as 10257 and 10259, and verify port availability by checking which ports are currently in use on your nodes.

Copilot uses AI. Check for mistakes.

```bash
kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyHealthzPort": 10258}}'
```

### MKE: Change the VXLAN port before enabling eBPF

:::caution

MKE uses Docker Swarm overlay networking, which creates VXLAN devices on UDP port 4789 inside Docker network namespaces.
When $[prodname] switches to eBPF mode on kernels where BTF is available (typically v5.8+), Felix creates the `vxlan.calico` device in
flow mode, which acts as a catch-all on its UDP port. The kernel rejects this when another VXLAN device (Docker Swarm's)
already holds the same port, causing `vxlan.calico` to stay DOWN with `address already in use` errors.

**You must change the VXLAN port before enabling eBPF on MKE clusters:**

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
```

Wait for all calico-node pods to recreate the VXLAN device on the new port, then verify on each node:

```bash
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico
```

Confirm the device shows `dstport 4790` (or your chosen port) and is UP before proceeding.
Ensure that the chosen UDP port is allowed by your underlying network between all nodes.

:::

### Enable eBPF mode

To enable eBPF mode, change the `spec.calicoNetwork.linuxDataplane` parameter in the operator's `Installation`
Expand Down
15 changes: 15 additions & 0 deletions calico-enterprise_versioned_docs/version-3.23-1/operations/ebpf/install.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,21 @@ can do that by setting `--kube-proxy-mode=disabled` and `--kube-default-drop-mas

More details can be found in [the MKE documentation](https://docs.mirantis.com/mke/current/install/predeployment/configure-networking/cluster-service-networking-options.html)

:::caution VXLAN port conflict

MKE's Docker Swarm overlay networking uses UDP port 4789 for its own VXLAN devices. In eBPF mode, when BTF is available on the node (typically kernel v5.8+),
$[prodname] creates the `vxlan.calico` device in flow mode, which conflicts with Docker Swarm's use of the same port.
You must change the VXLAN port before enabling eBPF:

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
Comment on lines +182 to +185
Copy link

Copilot AI Mar 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This VXLAN port patch is introduced before the guide installs the Tigera Operator / Calico CRDs. If the FelixConfiguration CRD or the default resource is not present yet, kubectl patch felixconfiguration ... will fail. Please move this instruction to a point after Calico CRDs/resources are installed (but still before enabling eBPF), or have users apply a FelixConfiguration manifest as part of the install.

Suggested change
You must change the VXLAN port before enabling eBPF:
```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
You must configure $[prodname] to use a different VXLAN port after installing the Tigera Operator and Calico CRDs, but before enabling eBPF. For example:
```bash
cat <<EOF | kubectl apply -f -
apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
name: default
spec:
vxlanPort: 4790
EOF

Copilot uses AI. Check for mistakes.
```

Ensure the chosen UDP port is allowed by your underlying network between all nodes.
See [Troubleshoot eBPF mode](troubleshoot-ebpf.mdx#mke-vxlan-device-down) for more details.

:::

</TabItem>

</Tabs>
Expand Down
49 changes: 49 additions & 0 deletions ...-enterprise_versioned_docs/version-3.23-1/operations/ebpf/troubleshoot-ebpf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -396,6 +396,55 @@ e2e` command. The command resets the profiling data after dumping it.

```

## MKE: VXLAN device DOWN

On MKE clusters, after enabling eBPF mode, the `vxlan.calico` device may stay DOWN with Felix logs showing:

```
Failed to set tunnel device up error=address already in use
```

This happens because MKE's Docker Swarm overlay networking creates VXLAN devices on UDP port 4789 inside Docker network namespaces (`/run/docker/netns/`). In eBPF mode, when BTF is available on the node (typically kernel v5.8+), Felix creates `vxlan.calico` in flow mode (`external`), which acts as a catch-all on its UDP port. The kernel rejects this because Docker Swarm's VXLAN device already holds port 4789.

In iptables mode this conflict doesn't occur because Calico's VXLAN device binds with a specific VNI (4096), which can coexist with Docker Swarm's VXLAN on the same port.

**Diagnosis:**

```bash
# Confirm the VXLAN device is DOWN
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico

# Check what holds port 4789 (shows a kernel-owned socket with no process name)
kubectl exec -n calico-system <calico-node-pod> -- ss -ulnp sport = :4789

# Find Docker Swarm VXLAN devices in Docker network namespaces (run on the node via SSH)
for ns in /run/docker/netns/*; do
echo "=== $(basename "$ns") ==="
nsenter --net="$ns" ip -d link show type vxlan 2>/dev/null
done
```

**Fix:** Change Calico's VXLAN port to avoid the conflict:

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
```

Felix will recreate `vxlan.calico` on the new port within seconds. Verify on each node:

```bash
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico
# Should show: vxlan external ... dstport 4790 ... state UP
```

Ensure the chosen UDP port is allowed by your underlying network between all nodes.

:::tip

For MKE clusters, set the VXLAN port **before** enabling eBPF mode to avoid any disruption.

:::

## Debug high CPU usage

If you notice `$[noderunning]` using high CPU:
Expand Down
32 changes: 32 additions & 0 deletions calico/operations/ebpf/enabling-ebpf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -326,6 +326,38 @@ kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyIptable

If both `kube-proxy` and `BPFKubeProxyIptablesCleanupEnabled` is enabled then `kube-proxy` will write its iptables rules and Felix will try to clean them up resulting in iptables flapping between the two.

You should also set `bpfKubeProxyHealthzPort` to `0` to disable the health check server in $[prodname]'s BPF kube-proxy replacement, which by default binds to port 10256 and would conflict with the Kubernetes `kube-proxy` already running on the node. The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation.

```
kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyHealthzPort": 0}}'
```
Comment on lines +329 to +333
Copy link

Copilot AI Mar 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This claims that setting bpfKubeProxyHealthzPort to 0 disables Felix's embedded health check server. However, the generated Felix configuration reference (calico/_includes/components/FelixConfig/config-params.json) documents this field only as an integer port (default 10256) and does not mention 0 having special meaning. Please either (a) add a version/feature availability note and link to the release that implements 0=disabled, or (b) keep the guidance consistent with released docs by choosing an unused port instead of 0.

Copilot uses AI. Check for mistakes.

### MKE: Change the VXLAN port before enabling eBPF

:::caution

MKE uses Docker Swarm overlay networking, which creates VXLAN devices on UDP port 4789 inside Docker network namespaces.
When $[prodname] switches to eBPF mode on kernels where BTF is available (typically v5.8+), Felix creates the `vxlan.calico` device in
flow mode, which acts as a catch-all on its UDP port. The kernel rejects this when another VXLAN device (Docker Swarm's)
already holds the same port, causing `vxlan.calico` to stay DOWN with `address already in use` errors.

**You must change the VXLAN port before enabling eBPF on MKE clusters:**

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
```

Wait for all calico-node pods to recreate the VXLAN device on the new port, then verify on each node:

```bash
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico
```

Confirm the device shows `dstport 4790` (or your chosen port) and is UP before proceeding.
Ensure that the chosen UDP port is allowed by your underlying network between all nodes.

:::

### Enable eBPF mode

**The next step depends on whether you installed $[prodname] using the operator, or a manifest:**
Expand Down
15 changes: 15 additions & 0 deletions calico/operations/ebpf/install.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,21 @@ can do that by setting `--kube-proxy-mode=disabled` and `--kube-default-drop-mas

More details can be found in [the MKE documentation](https://docs.mirantis.com/mke/current/install/predeployment/configure-networking/cluster-service-networking-options.html)

:::caution VXLAN port conflict

MKE's Docker Swarm overlay networking uses UDP port 4789 for its own VXLAN devices. In eBPF mode, when BTF is available on the node (typically kernel v5.8+),
$[prodname] creates the `vxlan.calico` device in flow mode, which conflicts with Docker Swarm's use of the same port.
You must change the VXLAN port before enabling eBPF:

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
```
Comment on lines +206 to +214
Copy link

Copilot AI Mar 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The VXLAN port patch command appears in the "Create a suitable cluster" section, before the guide installs the Tigera Operator / Calico CRDs. At this point, the FelixConfiguration CRD (and the default resource) may not exist yet, so kubectl patch felixconfiguration default ... will fail. Consider moving this step to after Calico is installed (or instruct users to add/apply a FelixConfiguration manifest alongside custom-resources.yaml) but still before switching to eBPF mode.

Copilot uses AI. Check for mistakes.

Ensure the chosen UDP port is allowed by your underlying network between all nodes.
See [Troubleshoot eBPF mode](troubleshoot-ebpf.mdx#mke-vxlan-device-down) for more details.

:::

</TabItem>

</Tabs>
Expand Down
49 changes: 49 additions & 0 deletions calico/operations/ebpf/troubleshoot-ebpf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -396,6 +396,55 @@ e2e` command. The command resets the profiling data after dumping it.

```

## MKE: VXLAN device DOWN

On MKE clusters, after enabling eBPF mode, the `vxlan.calico` device may stay DOWN with Felix logs showing:

```
Failed to set tunnel device up error=address already in use
```

This happens because MKE's Docker Swarm overlay networking creates VXLAN devices on UDP port 4789 inside Docker network namespaces (`/run/docker/netns/`). In eBPF mode, when BTF is available on the node (typically kernel v5.8+), Felix creates `vxlan.calico` in flow mode (`external`), which acts as a catch-all on its UDP port. The kernel rejects this because Docker Swarm's VXLAN device already holds port 4789.

In iptables mode this conflict doesn't occur because Calico's VXLAN device binds with a specific VNI (4096), which can coexist with Docker Swarm's VXLAN on the same port.

**Diagnosis:**

```bash
# Confirm the VXLAN device is DOWN
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico

# Check what holds port 4789 (shows a kernel-owned socket with no process name)
kubectl exec -n calico-system <calico-node-pod> -- ss -ulnp sport = :4789

# Find Docker Swarm VXLAN devices in Docker network namespaces (run on the node via SSH)
for ns in /run/docker/netns/*; do
echo "=== $(basename "$ns") ==="
nsenter --net="$ns" ip -d link show type vxlan 2>/dev/null
done
```

**Fix:** Change Calico's VXLAN port to avoid the conflict:

```bash
kubectl patch felixconfiguration default --type merge -p '{"spec":{"vxlanPort":4790}}'
```

Felix will recreate `vxlan.calico` on the new port within seconds. Verify on each node:

```bash
kubectl exec -n calico-system <calico-node-pod> -- ip -d link show vxlan.calico
# Should show: vxlan external ... dstport 4790 ... state UP
```

Ensure the chosen UDP port is allowed by your underlying network between all nodes.

:::tip

For MKE clusters, set the VXLAN port **before** enabling eBPF mode to avoid any disruption.

:::

## Debug high CPU usage

If you notice `$[noderunning]` using high CPU:
Expand Down
6 changes: 6 additions & 0 deletions calico_versioned_docs/version-3.30/operations/ebpf/enabling-ebpf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -318,6 +318,12 @@ kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyIptable

If both `kube-proxy` and `BPFKubeProxyIptablesCleanupEnabled` is enabled then `kube-proxy` will write its iptables rules and Felix will try to clean them up resulting in iptables flapping between the two.

You should also change `bpfKubeProxyHealthzPort` to an unused port to avoid conflicting with the Kubernetes `kube-proxy`'s default health check port (10256). The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation. Changing the health check port of the Kubernetes `kube-proxy` is typically not possible on managed platforms such as AKS. Choose a port that is not already in use on your nodes (for example, 10258; note that 10257 may be used by containerd).
Copy link

Copilot AI Mar 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The note "10257 may be used by containerd" is likely inaccurate and could mislead users picking a port. Port 10257 is commonly used by the Kubernetes controller-manager (secure port), not containerd. Suggest removing the containerd reference and either avoid naming specific ports beyond 10256, or mention the typical Kubernetes component reservations (10257/10259) and instruct users to verify with ss/netstat on their nodes.

Suggested change
You should also change `bpfKubeProxyHealthzPort` to an unused port to avoid conflicting with the Kubernetes `kube-proxy`'s default health check port (10256). The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation. Changing the health check port of the Kubernetes `kube-proxy` is typically not possible on managed platforms such as AKS. Choose a port that is not already in use on your nodes (for example, 10258; note that 10257 may be used by containerd).
You should also change `bpfKubeProxyHealthzPort` to an unused port to avoid conflicting with the Kubernetes `kube-proxy`'s default health check port (10256). The Kubernetes `kube-proxy` can serve the health check equally well, so there is no degradation. Changing the health check port of the Kubernetes `kube-proxy` is typically not possible on managed platforms such as AKS. Choose a port that is not already in use on your nodes (for example, 10258); note that other Kubernetes control plane components commonly use ports such as 10257 and 10259, so verify an unused port on your nodes with tools like `ss` or `netstat` before selecting one.

Copilot uses AI. Check for mistakes.

```
kubectl patch felixconfiguration default --patch='{"spec": {"bpfKubeProxyHealthzPort": 10258}}'
```

### Enable eBPF mode

**The next step depends on whether you installed $[prodname] using the operator, or a manifest:**
Expand Down
Loading
Loading