fix multicluster tests

Author: fealebenpae

scripts/dev/setup_kind_cluster.sh

@@ -212,6 +212,33 @@ function kind_install_calico() {
   echo "waiting for calico-kube-controllers to roll out"
   kubectl rollout status --kubeconfig "${kubeconfig_path}" \
     --namespace kube-system deployment/calico-kube-controllers --timeout=300s
+
+  # Allow traffic from the Docker bridge network so that Calico acts purely as
+  # a CNI plugin without acting as a network firewall. The kind Docker network
+  # is always 172.18.0.0/16 (hardcoded in docker_create_kind_network). MetalLB
+  # LoadBalancer traffic from other kind clusters arrives on eth0 sourced from
+  # that range and is not marked by a Calico interface, so without this policy
+  # Felix's cali-FORWARD chain drops it, breaking cross-cluster MongoDB
+  # replica-set formation.
+  kubectl apply --kubeconfig "${kubeconfig_path}" -f - <<EOF
+apiVersion: crd.projectcalico.org/v1
+kind: GlobalNetworkPolicy
+metadata:
+  name: allow-docker-bridge-traffic
+spec:
+  order: 1000
+  selector: all()
+  ingress:
+  - action: Allow
+    source:
+      nets:
+      - 172.18.0.0/16
+  egress:
+  - action: Allow
+    destination:
+      nets:
+      - 172.18.0.0/16
+EOF
 }
 
 function kind_install_metallb() {