🔷 L7 Observability: Hubble gives per-flow HTTP, DNS and gRPC visibility (method, path, status code, DNS query and answer) once an L7 or DNS rule routes the flow through Cilium's per-node proxy. Felix exposes aggregate Prometheus counters such as felix_cluster_num_policies; nothing in that path ever sees the request.
🔷 L7 Identity Policy: "This service can call /api/v1/users but not /admin", written as an HTTP rule in a CiliumNetworkPolicy and enforced by the node-level Envoy that Cilium runs, with no sidecar injected into the pod.
🔷 Service Mesh Question: Do you even need Istio? Cilium covers node-to-node transparent encryption (WireGuard or IPsec), Hubble observability and L7 policy without sidecars. Note what that is not: WireGuard encrypts the wire, it does not give each workload an mTLS identity. Cilium's SPIFFE-based mutual authentication and its Envoy/Gateway API traffic management are newer than Istio's and should be evaluated against your requirements before you drop the mesh.
🔷 Cloud Default: GKE Dataplane V2 and AKS "Azure CNI Powered by Cilium" are built on Cilium, and EKS Anywhere ships Cilium as its default CNI. Managed EKS still defaults to the Amazon VPC CNI, so "EKS greenfield" means choosing Cilium yourself.
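Added example, not from the original post: the rule in the L7 Identity Policy bullet, written first as a Calico NetworkPolicy (which can only scope by selector and TCP port) and then as a CiliumNetworkPolicy with an HTTP rule. The namespace shop, the labels app=frontend / app=backend and port 8080 are assumptions for illustration.

```yaml
# Added example (not from the original post). Namespace, labels, port and
# paths are assumptions; the two documents target the same frontend->backend flow.
---
# Calico: can only say "frontend may reach backend on TCP/8080".
# Nothing in this policy can tell GET /api/v1/users apart from GET /admin.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-to-backend
  namespace: shop
spec:
  selector: app == 'backend'
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports:
          - 8080
---
# Cilium: same L3/L4 scope, plus an HTTP allow-list. Only GET /api/v1/users
# from frontend passes; any other request on 8080 (including /admin) is
# answered with 403 by Cilium's per-node proxy, not forwarded to the pod.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-to-backend-l7
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/api/v1/users"
```

Apply with kubectl apply -f. With the Cilium version in place, a GET /admin from frontend returns 403 and shows up in hubble observe --protocol http as a DROPPED http-request carrying the method and path; the Calico version can only report that TCP/8080 was allowed.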
WHERE CALICO/FELIX STILL WINS
⚓ BGP Routing: Calico's BIRD-based BGP (node-to-node mesh, route reflectors, per-rack ToR peering, per-peer passwords and AS overrides) has years of production use; Cilium's BGP Control Plane exists but is newer. If you already peer with physical routers on-prem, Calico is the safer call.
⚓ Windows Nodes: Calico multi-dataplane supports Windows HNS — Cilium eBPF is Linux-only
⚓ Hybrid VM/K8s: calico-node also runs on non-cluster hosts, so VMs and bare-metal boxes on the same network get the same HostEndpoint policy model as pods.
⚓ GitOps Recovery: both CNIs store policy as CRDs, so git revert rolls either one back. The difference is what you inspect when the revert is not enough: Felix leaves iptables/ipset state that iptables-save and ipset list show in full, while Cilium's enforcement state lives in eBPF maps you read with cilium bpf policy get, cilium monitor or bpftool. The first is simpler to reason about for most on-call engineers.
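Added example, not from the original post: the BGP peering the bullet above refers to, as Calico resources. It turns off the node-to-node mesh and peers the nodes of one rack with that rack's top-of-rack router. The AS numbers, the router IP 10.10.1.1 and the rack label are assumptions.

```yaml
# Added example (not from the original post). AS numbers, peer IP and the
# rack label are assumptions; adjust to your fabric.
---
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false   # the ToRs carry routes between racks; no full mesh
  asNumber: 64512                # default AS for nodes that do not override it
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: rack1-tor
spec:
  nodeSelector: rack == 'rack1'  # only nodes labelled rack=rack1 peer with this ToR
  peerIP: 10.10.1.1              # the ToR's loopback or SVI address
  asNumber: 65001                # the ToR's AS (eBGP); use 64512 for iBGP
```

Apply with calicoctl apply -f and run calicoctl node status on a node in the rack: the peer should show Established and the pod CIDR of that node should appear in the ToR's routing table. A Cilium cluster would express the same intent with a CiliumBGPPeeringPolicy (or the newer CiliumBGPClusterConfig), which is the less battle-tested of the two.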
⚖ HONEST VERDICT — L3 LAW FLOOR
"The DP-CDNET-037 pattern is production-grade, well-structured, and correct for Calico clusters. But if you were designing a new cluster today with no legacy constraints, the equivalent document for Cilium + CiliumNetworkPolicy + Hubble would score higher on nearly every STE-6 axis."
FEP (paradigm switching): Cilium eBPF-native = better. Felix multi-dataplane = more compatible. FOF (emergence): Cilium L7 visibility unlocks emergent network intelligence. Felix L3/L4 = governance, not art. The tradeoff: eBPF maps are harder to debug than iptables chains; git revert works the same for both. Pick your environment honestly.
DP-CDNET-037: γ₁ ✅ HOLDS (Calico env)
CHALLENGER-001: FILED · MDSMS ✅
BOTH LAWS VALID · ENV DETERMINES WHICH
CHALLENGER-002 · OPEN
eBPF-native without any CNI? XDP? DPDK? Another GOAT fires. LSOS judges. MDSMS stores. The law keeps evolving.