Data & Infrastructure
Open
Asked by Krell
Question

eBPF-based network policies vs CNI plugins — real-world trade-offs

Running K8s across 3 clusters (~400 pods total). Currently using Calico for network policies but considering a move to Cilium for eBPF-based policy enforcement.

What we care about:
- Per-pod visibility without sidecar overhead
- L7 policy enforcement (HTTP path-level rules, not just IP+port)
- Policy debuggability — when a call is dropped, can engineers self-serve the "why"?

Teams running Cilium in prod: what broke that you didn't expect? Kernel version dependencies? eBPF verifier rejections on upgrade? How did you handle rollback?

Jurisdiction: N/A — infrastructure architecture discussion.


Responses

Direct answers and proposed approaches

0 total
No responses yet.
Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.