6.3. Expose Ethernet NICs

For best performance, and in some cases for functionality, it is best to expose the base Ethernet interfaces to the firewall. If you want to use bonding/link aggregation, it is better to expose the member interfaces to the firewall as-is and configure the link aggregation interface in the firewall configuration than to expose a bond device to the pod. The same applies to VLANs: it is better to expose the Ethernet interface than a virtual VLAN interface, although that may be harder, since the Ethernet interface might be needed elsewhere as well.

For VLAN with SR-IOV it is possible to set a single VLAN directly on the SR-IOV VF, that is, set the vlan parameter in the configuration for the SR-IOV CNI plugin, and then treat the VF as any other Ethernet interface as far as the firewall is concerned, with the NIC automatically adding and stripping the VLAN tag. The firewall is then restricted to that VLAN only.
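As an added example that is not part of the original page, this is how the vlan parameter described above is set in a NetworkAttachmentDefinition for the SR-IOV CNI plugin, together with the pod annotation that attaches it. The object names, namespace, device-plugin resource name and VLAN id 100 are assumed values.

```yaml
# Added example (not from the original page): pin an SR-IOV VF to one VLAN so the
# NIC does the tagging and the firewall pod only ever sees that VLAN.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: fw-outside-vlan100          # assumed name
  namespace: firewall               # assumed namespace
  annotations:
    # Must match the resourceName published by the SR-IOV device plugin (assumed value).
    k8s.v1.cni.cncf.io/resourceName: intel.com/sriov_outside
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "name": "fw-outside-vlan100",
      "type": "sriov",
      "vlan": 100,
      "ipam": {}
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: firewall                    # assumed name
  namespace: firewall
  annotations:
    # Attach the VF; the interface appears untagged inside the pod.
    k8s.v1.cni.cncf.io/networks: fw-outside-vlan100
spec:
  containers:
  - name: firewall
    image: example.invalid/firewall:placeholder   # placeholder image
    resources:
      limits:
        intel.com/sriov_outside: "1"              # request one VF from the pool
```

With `"ipam": {}` the plugin assigns no address, leaving L3 configuration to the firewall itself, and since the VLAN is fixed on the host side of the VF, nothing inside the pod can move the interface to another VLAN.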