Task
Resolution: Unresolved
When an existing Istio Ambient deployment using the iptables backend is upgraded to the nftables backend, IstioCNI shouldn't switch to nftables silently. Doing so leaves stale iptables rules and IPsets on the host. If this happens along with the reconcileIptablesOnStartup setting, the pod network namespaces end up with both nftables rules and the old iptables rules. In both cases, the stale iptables rules can cause issues until the node is rebooted.
Acceptance Criteria:
Support safe upgrade from iptables to nftables for pods in ambient mode.