diff --git a/docs/cilium.md b/docs/cilium.md
new file mode 100644
index 0000000000000000000000000000000000000000..ea4294a94c8e87e1a7c4cd8db9921992ae7dc705
--- /dev/null
+++ b/docs/cilium.md
@@ -0,0 +1,13 @@
+# Cilium
+
+## Kube-proxy replacement with Cilium
+
+Cilium can run without kube-proxy by setting `cilium_kube_proxy_replacement`
+to `strict`.
+
+Without kube-proxy, cilium needs to know the address of the kube-apiserver
+and this must be set globally for all cilium components (agents and operators).
+Hence, in this configuration in Kubespray, Cilium will always contact
+the external loadbalancer (even from a node in the control plane)
+and if there is no external load balancer It will ignore any local load
+balancer deployed by Kubespray and **only contacts the first master**.
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index 5b7e5cd123c92dd0b97b5803fede9744bae848c2..e30575f0c2d0f71801c2715489aba4174c078eb6 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -448,6 +448,12 @@ loadbalancer_apiserver_localhost: "{{ loadbalancer_apiserver is not defined }}"
loadbalancer_apiserver_type: "nginx"
# applied if only external loadbalancer_apiserver is defined, otherwise ignored
apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
+kube_apiserver_global_endpoint: |-
+ {% if loadbalancer_apiserver is defined -%}
+ https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
+ {%- else -%}
+ https://{{ first_kube_master }}:{{ kube_apiserver_port }}
+ {%- endif %}
kube_apiserver_endpoint: |-
{% if loadbalancer_apiserver is defined -%}
https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
diff --git a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
index 18fdad7bc5adc0b6fcb8ee3a8c59160296d3b26e..bf89286e2c2bb15402a5cc65c7167fa27dec191b 100644
--- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
@@ -84,6 +84,12 @@ spec:
key: AWS_DEFAULT_REGION
name: cilium-aws
optional: true
+{% if cilium_kube_proxy_replacement == 'strict' %}
+ - name: KUBERNETES_SERVICE_HOST
+ value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
+ - name: KUBERNETES_SERVICE_PORT
+ value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
+{% endif %}
image: "{{ cilium_operator_image_repo }}:{{ cilium_operator_image_tag }}"
imagePullPolicy: {{ k8s_image_pull_policy }}
name: cilium-operator
diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
index 9393c6f377f739cf147e9ba3052adf21a858285e..dbf26ab0f1d7a35daff1497704ba3bed1dfb764d 100755
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@@ -43,6 +43,12 @@ spec:
fieldPath: metadata.namespace
- name: CILIUM_CLUSTERMESH_CONFIG
value: /var/lib/cilium/clustermesh/
+{% if cilium_kube_proxy_replacement == 'strict' %}
+ - name: KUBERNETES_SERVICE_HOST
+ value: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
+ - name: KUBERNETES_SERVICE_PORT
+ value: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
+{% endif %}
image: "{{cilium_image_repo}}:{{cilium_image_tag}}"
imagePullPolicy: {{ k8s_image_pull_policy }}
resources:
diff --git a/tests/files/packet_debian10-cilium-svc-proxy.yml b/tests/files/packet_debian10-cilium-svc-proxy.yml
index eb163332c97505539c1a36c3ed095b1b15cf7f2e..9565a6ab6362693b2dfdc1101fd4dd2b2dd6e068 100644
--- a/tests/files/packet_debian10-cilium-svc-proxy.yml
+++ b/tests/files/packet_debian10-cilium-svc-proxy.yml
@@ -1,7 +1,7 @@
---
# Instance settings
cloud_image: debian-10
-mode: separate
+mode: ha
# Kubespray settings
kube_network_plugin: cilium