Switching CNIs

[hown3d]

How to categorize this topic?

/area networking
/kind enhancement
/label teamsize/medium

What is the topic about?:
Currently it is not possible to switch CNIs in gardener since it is marked as immutable in the shoot spec.
While it makes total sense to have that footgun locked behind closed doors as it is possible to encounter downtime in your cluster, it might be worthwhile to experiment with.

With both CNIs in native routing mode, a router controller from your cloud controller manager running and some migration code in gardener, it should be possible to achieve such a switch without downtime.
For reference:

• Switching your CNI — Simone Sciarrati & Federico Hernandez at Container Days 2023

There are a lot of blogs and docs about doing Cilium migrations with overlay networking, but I think it's the most easiest to focus on native routing as it should be the easiest.

• https://cilium.io/blog/2023/09/07/db-schenker-migration-to-cilium/
• https://cilium.io/blog/2020/10/06/skybet-cilium-migration/
• https://docs.cilium.io/en/stable/installation/k8s-install-migration/

Special notes for your reviewer:
At STACKIT Kubernetes Engine we currently run Calico for all clusters in our environment but want to offer Cilium as well which we would like to run our ManagedSeeds with as well.
Because we cannot change our existing seeds to Cilium, we would need to do Control plane migrations, which causes downtime for our customers.