From ae6f08eefd08ad62f3838bf7fab7b936fc515600 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <liggitt@google.com>
Date: Tue, 27 Jan 2026 10:49:34 -0500
Subject: [PATCH] Remove kube proxy daemonset from cluster

---
 cluster/addons/kube-proxy/OWNERS              | 12 ---
 cluster/addons/kube-proxy/kube-proxy-ds.yaml  | 74 -------------------
 .../addons/kube-proxy/kube-proxy-rbac.yaml    | 22 ------
 cluster/gce/config-default.sh                 | 11 ---
 cluster/gce/config-test.sh                    | 11 ---
 cluster/gce/gci/configure-helper.sh           | 20 +----
 cluster/gce/manifests/kube-proxy.manifest     |  2 -
 cluster/gce/util.sh                           |  6 --
 8 files changed, 2 insertions(+), 156 deletions(-)
 delete mode 100644 cluster/addons/kube-proxy/OWNERS
 delete mode 100644 cluster/addons/kube-proxy/kube-proxy-ds.yaml
 delete mode 100644 cluster/addons/kube-proxy/kube-proxy-rbac.yaml

diff --git a/cluster/addons/kube-proxy/OWNERS b/cluster/addons/kube-proxy/OWNERS
deleted file mode 100644
index 92644a5a03a..00000000000
--- a/cluster/addons/kube-proxy/OWNERS
+++ /dev/null
@@ -1,12 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-approvers:
-  - bowei
-  - freehan
-  - mrhohn
-reviewers:
-  - bowei
-  - freehan
-  - mrhohn
-emeritus_approvers:
-  - jingax10
diff --git a/cluster/addons/kube-proxy/kube-proxy-ds.yaml b/cluster/addons/kube-proxy/kube-proxy-ds.yaml
deleted file mode 100644
index 75ea9043c48..00000000000
--- a/cluster/addons/kube-proxy/kube-proxy-ds.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-# Please keep kube-proxy configuration in-sync with:
-# cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
-
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    k8s-app: kube-proxy
-    addonmanager.kubernetes.io/mode: Reconcile
-  name: kube-proxy
-  namespace: kube-system
-spec:
-  selector:
-    matchLabels:
-      k8s-app: kube-proxy
-  updateStrategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxUnavailable: 10%
-  template:
-    metadata:
-      labels:
-        k8s-app: kube-proxy
-    spec:
-      priorityClassName: system-node-critical
-      hostNetwork: true
-      nodeSelector:
-        kubernetes.io/os: linux
-        node.kubernetes.io/kube-proxy-ds-ready: "true"
-      tolerations:
-      - operator: "Exists"
-        effect: "NoExecute"
-      - operator: "Exists"
-        effect: "NoSchedule"
-      containers:
-      - name: kube-proxy
-        image: {{pillar['kube_docker_registry']}}/kube-proxy-{{pillar['host_arch']}}:{{pillar['kube-proxy_docker_tag']}}
-        resources:
-          requests:
-            cpu: {{ cpurequest }}
-            memory: {{ memoryrequest }}
-        command:
-        - /bin/sh
-        - -c
-        - kube-proxy {{cluster_cidr}} --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
-        env:
-        - name: KUBERNETES_SERVICE_HOST
-          value: {{kubernetes_service_host_env_value}}
-        {{kube_cache_mutation_detector_env_name}}
-          {{kube_cache_mutation_detector_env_value}}
-        securityContext:
-          privileged: true
-        volumeMounts:
-        - mountPath: /var/log
-          name: varlog
-          readOnly: false
-        - mountPath: /run/xtables.lock
-          name: xtables-lock
-          readOnly: false
-        - mountPath: /lib/modules
-          name: lib-modules
-          readOnly: true
-      volumes:
-      - name: varlog
-        hostPath:
-          path: /var/log
-      - name: xtables-lock
-        hostPath:
-          path: /run/xtables.lock
-          type: FileOrCreate
-      - name: lib-modules
-        hostPath:
-          path: /lib/modules
-      serviceAccountName: kube-proxy
diff --git a/cluster/addons/kube-proxy/kube-proxy-rbac.yaml b/cluster/addons/kube-proxy/kube-proxy-rbac.yaml
deleted file mode 100644
index 0758fd025f0..00000000000
--- a/cluster/addons/kube-proxy/kube-proxy-rbac.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kube-proxy
-  namespace: kube-system
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: system:kube-proxy
-  labels:
-    addonmanager.kubernetes.io/mode: Reconcile
-subjects:
-  - kind: ServiceAccount
-    name: kube-proxy
-    namespace: kube-system
-roleRef:
-  kind: ClusterRole
-  name: system:node-proxier
-  apiGroup: rbac.authorization.k8s.io
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 8b987700b85..c742e9b1671 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -469,17 +469,6 @@ PROMETHEUS_TO_SD_ENDPOINT="${PROMETHEUS_TO_SD_ENDPOINT:-https://monitoring.googl
 PROMETHEUS_TO_SD_PREFIX="${PROMETHEUS_TO_SD_PREFIX:-custom.googleapis.com}"
 ENABLE_PROMETHEUS_TO_SD="${ENABLE_PROMETHEUS_TO_SD:-false}"
 
-# TODO(#51292): Make kube-proxy Daemonset default and remove the configuration here.
-# Optional: [Experiment Only] Run kube-proxy as a DaemonSet if set to true, run as static pods otherwise.
-KUBE_PROXY_DAEMONSET="${KUBE_PROXY_DAEMONSET:-false}" # true, false
-
-# Control whether the startup scripts manage the lifecycle of kube-proxy
-# When true, the startup scripts do not enable kube-proxy either as a daemonset addon or as a static pod
-# regardless of the value of KUBE_PROXY_DAEMONSET.
-# When false, the value of KUBE_PROXY_DAEMONSET controls whether kube-proxy comes up as a static pod or
-# as an addon daemonset.
-KUBE_PROXY_DISABLE="${KUBE_PROXY_DISABLE:-false}" # true, false
-
 # Will be passed into the kube-proxy via `--detect-local-mode`
 DETECT_LOCAL_MODE="${DETECT_LOCAL_MODE:-}"
 
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index d48a312c59a..e9c40081155 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -522,17 +522,6 @@ PROMETHEUS_TO_SD_ENDPOINT=${PROMETHEUS_TO_SD_ENDPOINT:-https://monitoring.google
 PROMETHEUS_TO_SD_PREFIX=${PROMETHEUS_TO_SD_PREFIX:-custom.googleapis.com}
 ENABLE_PROMETHEUS_TO_SD=${ENABLE_PROMETHEUS_TO_SD:-true}
 
-# TODO(#51292): Make kube-proxy Daemonset default and remove the configuration here.
-# Optional: [Experiment Only] Run kube-proxy as a DaemonSet if set to true, run as static pods otherwise.
-KUBE_PROXY_DAEMONSET=${KUBE_PROXY_DAEMONSET:-false} # true, false
-
-# Control whether the startup scripts manage the lifecycle of kube-proxy
-# When true, the startup scripts do not enable kube-proxy either as a daemonset addon or as a static pod
-# regardless of the value of KUBE_PROXY_DAEMONSET.
-# When false, the value of KUBE_PROXY_DAEMONSET controls whether kube-proxy comes up as a static pod or
-# as an addon daemonset.
-KUBE_PROXY_DISABLE="${KUBE_PROXY_DISABLE:-false}" # true, false
-
 # Optional: Change the kube-proxy implementation. Choices are [iptables, ipvs, nftables].
 KUBE_PROXY_MODE=${KUBE_PROXY_MODE:-iptables}
 
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 67df1482d9f..4c78dfb6f9d 100755
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -2170,7 +2170,6 @@ function update-legacy-addon-node-labels() {
     sleep 5
   done
   update-node-label "beta.kubernetes.io/metadata-proxy-ready=true,cloud.google.com/metadata-proxy-ready!=true" "cloud.google.com/metadata-proxy-ready=true"
-  update-node-label "beta.kubernetes.io/kube-proxy-ds-ready=true,node.kubernetes.io/kube-proxy-ds-ready!=true" "node.kubernetes.io/kube-proxy-ds-ready=true"
   update-node-label "beta.kubernetes.io/masq-agent-ds-ready=true,node.kubernetes.io/masq-agent-ds-ready!=true" "node.kubernetes.io/masq-agent-ds-ready=true"
 }
 
@@ -2893,17 +2892,6 @@ function start-kube-addons {
   fi
 
   # Set up manifests of other addons.
-  if [[ "${KUBE_PROXY_DAEMONSET:-}" == "true" ]] && [[ "${KUBE_PROXY_DISABLE:-}" != "true" ]]; then
-    if [ -n "${CUSTOM_KUBE_PROXY_YAML:-}" ]; then
-      # Replace with custom GKE kube proxy.
-      cat > "$src_dir/kube-proxy/kube-proxy-ds.yaml" <<EOF
-$CUSTOM_KUBE_PROXY_YAML
-EOF
-      update-daemon-set-prometheus-to-sd-parameters "$src_dir/kube-proxy/kube-proxy-ds.yaml"
-    fi
-    prepare-kube-proxy-manifest-variables "$src_dir/kube-proxy/kube-proxy-ds.yaml"
-    setup-addon-manifests "addons" "kube-proxy"
-  fi
   if [[ "${ENABLE_CLUSTER_LOGGING:-}" == "true" ]] &&
      [[ "${LOGGING_DESTINATION:-}" == "gcp" ]]; then
     if [[ "${ENABLE_METADATA_AGENT:-}" == "stackdriver" ]]; then
@@ -3626,9 +3614,7 @@ function main() {
   else
     log-wrap 'CreateNodePKI' create-node-pki
     log-wrap 'CreateKubeletKubeconfig' create-kubelet-kubeconfig "${KUBERNETES_MASTER_NAME}"
-    if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]] && [[ "${KUBE_PROXY_DISABLE:-}" != "true" ]]; then
-      log-wrap 'CreateKubeproxyUserKubeconfig' create-kubeproxy-user-kubeconfig
-    fi
+    log-wrap 'CreateKubeproxyUserKubeconfig' create-kubeproxy-user-kubeconfig
     if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then
       if [[ -n "${NODE_PROBLEM_DETECTOR_TOKEN:-}" ]]; then
         log-wrap 'CreateNodeProblemDetectorKubeconfig' create-node-problem-detector-kubeconfig "${KUBERNETES_MASTER_NAME}"
@@ -3692,9 +3678,7 @@ function main() {
     log-wrap 'StartLBController' start-lb-controller
     log-wrap 'UpdateLegacyAddonNodeLabels' update-legacy-addon-node-labels &
   else
-    if [[ "${KUBE_PROXY_DAEMONSET:-}" != "true" ]] && [[ "${KUBE_PROXY_DISABLE:-}" != "true" ]]; then
-      log-wrap 'StartKubeProxy' start-kube-proxy
-    fi
+    log-wrap 'StartKubeProxy' start-kube-proxy
     if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then
       log-wrap 'StartNodeProblemDetector' start-node-problem-detector
     fi
diff --git a/cluster/gce/manifests/kube-proxy.manifest b/cluster/gce/manifests/kube-proxy.manifest
index ede540b5a79..82e4310cdde 100644
--- a/cluster/gce/manifests/kube-proxy.manifest
+++ b/cluster/gce/manifests/kube-proxy.manifest
@@ -1,5 +1,3 @@
-# Please keep kube-proxy configuration in-sync with:
-# cluster/addons/kube-proxy/kube-proxy-ds.yaml
 apiVersion: v1
 kind: Pod
 metadata:
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index cbc361b0c7f..3434a546c60 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -627,11 +627,6 @@ function write-windows-node-env {
 function build-linux-node-labels {
   local node_type=$1
   local node_labels=""
-  if [[ "${KUBE_PROXY_DAEMONSET:-}" == "true" && "${node_type}" != "master" ]]; then
-    # Add kube-proxy daemonset label to node to avoid situation during cluster
-    # upgrade/downgrade when there are two instances of kube-proxy running on a node.
-    node_labels="node.kubernetes.io/kube-proxy-ds-ready=true"
-  fi
   if [[ -n "${NODE_LABELS:-}" ]]; then
     node_labels="${node_labels:+${node_labels},}${NODE_LABELS}"
   fi
@@ -1153,7 +1148,6 @@ LOCAL_DNS_IP: $(yaml-quote "${LOCAL_DNS_IP:-}")
 DNS_DOMAIN: $(yaml-quote "${DNS_DOMAIN:-}")
 DNS_MEMORY_LIMIT: $(yaml-quote "${DNS_MEMORY_LIMIT:-}")
 ENABLE_DNS_HORIZONTAL_AUTOSCALER: $(yaml-quote "${ENABLE_DNS_HORIZONTAL_AUTOSCALER:-false}")
-KUBE_PROXY_DAEMONSET: $(yaml-quote "${KUBE_PROXY_DAEMONSET:-false}")
 KUBE_PROXY_TOKEN: $(yaml-quote "${KUBE_PROXY_TOKEN:-}")
 KUBE_PROXY_MODE: $(yaml-quote "${KUBE_PROXY_MODE:-iptables}")
 DETECT_LOCAL_MODE: $(yaml-quote "${DETECT_LOCAL_MODE:-}")