If you deploy a control plane with CNI enabled and then a control plane with CNI disabled, the operator deletes the ClusterRole and ClusterRoleBinding used by the CNI plugin. The plugin then can't retrieve the Pod data from the API server and doesn't configure iptables for the pod.

Similarly, if you deploy multiple control planes with CNI, only one of them will work properly, as only one of the istio CNI plugins will have the proper permission to retrieve the pod object from the API server.