Comment 3 for bug 1870590

George Kraft (cynerva) wrote:

> Networking to metrics server does not work on master and another worker host. Not sure if it should be that way, i.e. hosts not supposed to reach pod networks directly.

It should not be that way. All master and worker hosts should be able to reach the metrics server, either by Service IP or Pod IP.

Your `ip r l` output looks normal and correct to me, for both the masters and workers.

> Not sure what means blackhole (need more RTFM :D)

Me neither, lol. But I see the same blackhole route on a test cluster where I can reach the metrics-server pod just fine, so I'm not too suspicious of it.

Can you run `sysctl net.ipv4.ip_forward` on your workers and make sure it is set to 1?

How are your KVM instances networked together? Is it possible that Calico traffic is being filtered by a firewall? On AWS, for example, they filter any traffic where the packet's Destination IP does not match where the packet is actually being sent. That kind of filtering causes problems for Calico, which works by routing packets to pods directly through the host worker via routing table entries.

If you don't have a specific need for Calico to use direct routing, then you could try configuring Calico to use IP-in-IP encapsulation by setting the calico charm's ipip option to 'Always'. That can bypass these sorts of issues sometimes.
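The comment above rests on how Calico routes pod traffic between hosts, so the following added example (not part of the original comment or of the Calico charm) classifies the BIRD-installed routes in `ip route` output, lists the peer hosts reached by direct routing, and checks the forwarding sysctl value. The routing table is a constructed sample, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the routes Calico's BIRD daemon installs, from `ip route` text.

# Constructed sample (not from the bug report): one worker's routing table.
SAMPLE_ROUTES='default via 192.168.122.1 dev ens3 proto dhcp
blackhole 10.1.40.0/26 proto bird
10.1.40.5 dev cali1a2b3c4d5e6 scope link
10.1.77.0/26 via 192.168.122.12 dev ens3 proto bird
10.1.90.0/26 via 192.168.122.13 dev tunl0 proto bird onlink
192.168.122.0/24 dev ens3 proto kernel scope link src 192.168.122.11'

# stdin: `ip route` output. stdout: "<class> <cidr> <next-hop>" per BIRD route.
#   local-block: this host's own pod address block (blackhole catches unused IPs)
#   direct:      remote block reached unencapsulated via a peer host
#   ipip:        remote block reached through the IP-in-IP tunnel device
classify_calico_routes() {
    awk '
    !/proto bird/ { next }
    $1 == "blackhole" { print "local-block", $2, "-"; next }
    {
        dev = "-"; via = "-"
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "via") via = $(i + 1)
        }
        if (dev ~ /^tunl/)   print "ipip", $1, via
        else if (via != "-") print "direct", $1, via
        else                 print "other", $1, dev
    }'
}

# Peer hosts that receive packets whose destination IP is a pod IP, not their own.
# These are the flows a destination-address filter between hosts would drop.
direct_peers() {
    classify_calico_routes | awk '$1 == "direct" { print $3 }' | sort -u
}

# $1: the number printed by `sysctl -n net.ipv4.ip_forward`
forwarding_enabled() {
    [ "$1" = "1" ]
}

printf '%s\n' "$SAMPLE_ROUTES" | classify_calico_routes
# On a real worker: ip route | classify_calico_routes
#   forwarding_enabled "$(sysctl -n net.ipv4.ip_forward)" || echo "forwarding off"
```

If every remote block shows up as `direct`, any filtering between the hosts has to allow packets addressed to pod IPs; with IP-in-IP enabled the same blocks appear as `ipip` instead.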