diff --git a/docs/calico.md b/docs/calico.md
index 433d4ce1b27aab58ffbe9425a396a026bd092c5a..937cc05d39a59e345bd1002303c6aec8b42aa0dd 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -376,12 +376,7 @@ Calico node, typha and kube-controllers need to be able to talk to the kubernete
 
 Kubespray sets up the `kubernetes-services-endpoint` configmap based on the contents of the `loadbalancer_apiserver` inventory variable documented in [HA Mode](/docs/ha-mode.md).
 
-If no external loadbalancer is used, Calico eBPF can also use the localhost loadbalancer option. In this case Calico Automatic Host Endpoints need to be enabled to allow services like `coredns` and `metrics-server` to communicate with the kubernetes host endpoint. See [this blog post](https://www.projectcalico.org/securing-kubernetes-nodes-with-calico-automatic-host-endpoints/) on enabling automatic host endpoints.
-
-```yaml
-loadbalancer_apiserver_localhost: true
-use_localhost_as_kubeapi_loadbalancer: true
-```
+If no external loadbalancer is used, Calico eBPF can also use the localhost loadbalancer option. We are able to do so only if you use the same port for the localhost apiserver loadbalancer and the kube-apiserver. In this case Calico Automatic Host Endpoints need to be enabled to allow services like `coredns` and `metrics-server` to communicate with the kubernetes host endpoint. See [this blog post](https://www.projectcalico.org/securing-kubernetes-nodes-with-calico-automatic-host-endpoints/) on enabling automatic host endpoints.
 
 ### Tunneled versus Direct Server Return
 
diff --git a/docs/cilium.md b/docs/cilium.md
index 033ea6a292237eb48db94d2ceea55919c6ece392..4141e383e602e6927d913b877a78f736de12aa83 100644
--- a/docs/cilium.md
+++ b/docs/cilium.md
@@ -6,11 +6,9 @@ Cilium can run without kube-proxy by setting `cilium_kube_proxy_replacement`
 to `strict`.
 
 Without kube-proxy, cilium needs to know the address of the kube-apiserver
-and this must be set globally for all cilium components (agents and operators).
-Hence, in this configuration in Kubespray, Cilium will always contact
-the external loadbalancer (even from a node in the control plane)
-and if there is no external load balancer It will ignore any local load
-balancer deployed by Kubespray and **only contacts the first master**.
+and this must be set globally for all Cilium components (agents and operators).
+We can only use the localhost apiserver loadbalancer in this mode
+whenever it uses the same port as the kube-apiserver (by default it does).
 
 ## Cilium Operator
 
diff --git a/inventory/sample/group_vars/all/all.yml b/inventory/sample/group_vars/all/all.yml
index b9639a8a8dfa98f67bc30873db8a4594c5ba9eb6..d8a13dead5f1a41eb3f4f1c2e9f2ece8476f8ec9 100644
--- a/inventory/sample/group_vars/all/all.yml
+++ b/inventory/sample/group_vars/all/all.yml
@@ -21,11 +21,6 @@ bin_dir: /usr/local/bin
 # valid options are "nginx" or "haproxy"
 # loadbalancer_apiserver_type: nginx  # valid values "nginx" or "haproxy"
 
-## If the cilium is going to be used in strict mode, we can use the
-## localhost connection and not use the external LB. If this parameter is
-## not specified, the first node to connect to kubeapi will be used.
-# use_localhost_as_kubeapi_loadbalancer: true
-
 ## Local loadbalancer should use this port
 ## And must be set port 6443
 loadbalancer_apiserver_port: 6443
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index e691ad1630fb752de5b068d43b0cea74d06e353d..f569e6d71fd74ea749547a1007ca6ac243f50ade 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -551,8 +551,8 @@ apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
 kube_apiserver_global_endpoint: |-
   {% if loadbalancer_apiserver is defined -%}
       https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
-  {%- elif use_localhost_as_kubeapi_loadbalancer|default(False)|bool -%}
-      https://127.0.0.1:{{ kube_apiserver_port }}
+  {%- elif loadbalancer_apiserver_localhost and (loadbalancer_apiserver_port is not defined or loadbalancer_apiserver_port == kube_apiserver_port) -%}
+      https://localhost:{{ kube_apiserver_port }}
   {%- else -%}
       https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
   {%- endif %}
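Review bot: The port check in the new `elif` is type-sensitive: `loadbalancer_apiserver_port == kube_apiserver_port` is false when one side is a string (for example a value passed as `-e key=value`) and the other an integer. The template then silently falls through to `first_kube_control_plane_address`, which pins every consumer of this endpoint to a single control-plane node. Casting both sides avoids that: `loadbalancer_apiserver_port | int == kube_apiserver_port | int`. The same branch changes the host from `127.0.0.1` to `localhost`, so clients now depend on name resolution on the node (possibly `::1` on dual-stack hosts) and on `localhost` being in the apiserver certificate SANs; neither is visible in this hunk, so confirm both or keep the literal `127.0.0.1`. Because `use_localhost_as_kubeapi_loadbalancer` is dropped without a deprecation check, an inventory that still sets it with a differing local loadbalancer port changes endpoint without any warning.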
diff --git a/roles/network_plugin/calico/templates/kubernetes-services-endpoint.yml.j2 b/roles/network_plugin/calico/templates/kubernetes-services-endpoint.yml.j2
index 7ececd4f5a5b36e63fd0203faf4c8dde51c729e8..f1e81776edb6033fde00513376a504938a36ace0 100644
--- a/roles/network_plugin/calico/templates/kubernetes-services-endpoint.yml.j2
+++ b/roles/network_plugin/calico/templates/kubernetes-services-endpoint.yml.j2
@@ -6,14 +6,6 @@ metadata:
   name: kubernetes-services-endpoint
 data:
 {% if calico_bpf_enabled %}
-{% if loadbalancer_apiserver is defined %}
-  KUBERNETES_SERVICE_HOST: "{{ apiserver_loadbalancer_domain_name }}"
-  KUBERNETES_SERVICE_PORT: "{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}"
-{%- elif use_localhost_as_kubeapi_loadbalancer|default(False)|bool %}
-  KUBERNETES_SERVICE_HOST: "127.0.0.1"
-  KUBERNETES_SERVICE_PORT: "{{ kube_apiserver_port }}"
-{%- else %}
-  KUBERNETES_SERVICE_HOST: "{{ first_kube_control_plane_address }}"
-  KUBERNETES_SERVICE_PORT: "{{ kube_apiserver_port }}"
-{%- endif %}
+  KUBERNETES_SERVICE_HOST: "{{ kube_apiserver_global_endpoint | urlsplit('hostname') }}"
+  KUBERNETES_SERVICE_PORT: "{{ kube_apiserver_global_endpoint | urlsplit('port') }}"
 {% endif %}
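Review bot: `KUBERNETES_SERVICE_PORT` now depends on `kube_apiserver_global_endpoint` always carrying an explicit port. The three branches in the defaults do include one, but `urlsplit('port')` has nothing to return for an inventory override such as `https://lb.example.com` (constructed example). The ConfigMap would then hand calico-node, typha and kube-controllers an empty or `None` port. A fallback keeps the value usable: `KUBERNETES_SERVICE_PORT: "{{ kube_apiserver_global_endpoint | urlsplit('port') | default(kube_apiserver_port, true) }}"`. A short comment above the two lines saying the endpoint must be a full `https://host:port` URL would also help; the ConfigMap manifest itself starts above this hunk.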
diff --git a/tests/files/packet_almalinux8-calico-ha-ebpf.yml b/tests/files/packet_almalinux8-calico-ha-ebpf.yml
index ee443f1d06865f8ede92e6daabd24bbfaca72225..e4f4bb658332fd70772dba417281054b81e5732a 100644
--- a/tests/files/packet_almalinux8-calico-ha-ebpf.yml
+++ b/tests/files/packet_almalinux8-calico-ha-ebpf.yml
@@ -7,5 +7,4 @@ vm_memory: 3072Mi
 # Kubespray settings
 calico_bpf_enabled: true
 loadbalancer_apiserver_localhost: true
-use_localhost_as_kubeapi_loadbalancer: true
 auto_renew_certificates: true