Comment 3 for bug 1962599

George Kraft (cynerva) wrote :

While troubleshooting this, we observed that ICMP packets going from the pod -> kubernetes-worker made it through the iptables PREROUTING chains, where the packet was ultimately accepted, but then the packet never went to INPUT. It looked like something in the kernel outside of iptables was filtering the packets. This only occurred with packets from the container sent to the kubernetes-worker unit's bondM interface; the container had no issues pinging kubernetes-worker IPs attached to other interfaces.

With Flannel, traffic from the worker to the pod uses the source IP belonging to the cni0 interface instead of the default interface. I suspect that is why the issue only occurs with Calico.

I'm marking this as Incomplete for now because we are unable to reproduce. We will need more information to find the underlying issue.