Add notes about Cilium's exclusive mode

Closes linkerd/linkerd2#11597

linkerd.io/content/2.15/features/cni.md

@@ -25,6 +25,13 @@ plugin, using _CNI chaining_. It handles only the Linkerd-specific
 configuration and does not replace the need for a CNI plugin.
 {{< /note >}}
 
+{{< note >}}
+If you're installing Linkerd's CNI on top of Cilium, make sure to install the
+latter with the option `cni.exclusive=false`, so Cilium doesn't take ownership
+over the CNI configurations directory, and allows other plugins to deploy their
+configurations there.
+{{< /note >}}
+
 ## Installation
 
 Usage of the Linkerd CNI plugin requires that the `linkerd-cni` DaemonSet be

linkerd.io/content/2.15/reference/cluster-configuration.md

@@ -78,6 +78,8 @@ gcloud compute firewall-rules describe gke-to-linkerd-control-plane
 
 ## Cilium
 
+### Turn Off Socket-Level Load Balancing
+
 Cilium can be configured to replace kube-proxy functionality through eBPF. When
 running in kube-proxy replacement mode, connections to a `ClusterIP` service
 will be established directly to the service's backend at the socket level (i.e.
@@ -97,6 +99,15 @@ pods](https://docs.cilium.io/en/v1.13/network/istio/#setup-cilium) through the
 CLI option `--config bpf-lb-sock-hostns-only=true`, or through the Helm value
 `socketLB.hostNamespaceOnly=true`.
 
+### Disable Exclusive Mode
+
+If you're using Cilium as your CNI and then want to install
+[linkerd-cni](../../features/cni/) on top of it, make sure you install Cilium
+with the option `cni.exclusive=false`. This avoids Cilium taking ownership over
+the CNI configurations directory. Other CNI plugins like linkerd-cni install
+themselves and operate in chain mode with the other deployed plugins by
+deploying their configuration into this directory.
+
 ## Lifecycle Hook Timeout
 
 Linkerd uses a `postStart` lifecycle hook for all control plane components, and