Comment 2 for bug 1986704

George Kraft (cynerva) wrote :

From the crashdump, Calico CNI is getting a Forbidden response trying to talk to the Kubernetes API. From kubelet:

Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "e61f7be828eb2f62bfef34c9388cb592311becf8a8eb84fe2fd6594ab1217228": Get "https://10.5.0.157:6443/api/v1/namespaces/ingress-nginx-kubernetes-worker": Forbidden

It looks like your containerd charm is configured with:

http_proxy: http://squid.internal:3128
https_proxy: http://squid.internal:3128
no_proxy: <blank>

The Calico CNI plugin inherits HTTP proxy variables from containerd. When it tries to reach the Kubernetes API at 10.5.0.157, the request gets sent to the HTTP proxy, which refuses to proxy the request and replies with 403 Forbidden.

I recommend setting the containerd charm's no_proxy config to:

127.0.0.1,localhost,::1,10.5.0.0/16

to ensure that traffic to the 10.5.0.0/16 network does not go through the HTTP proxy. Can you give that a try and let us know if it works?
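
Added example (not part of the comment above, and not Calico or containerd code): a simplified model of how a Go HTTP client decides whether a destination matches no_proxy, run against the API server address and the two no_proxy values from this bug. The function name bypassesProxy is hypothetical, and only exact IPs, CIDR prefixes and hostname suffixes are modelled.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// bypassesProxy reports whether a request to host skips the HTTP proxy under
// the given no_proxy value. Simplified model (an assumption of this example):
// ports and the "*" wildcard are not handled.
func bypassesProxy(host, noProxy string) bool {
	host = strings.ToLower(strings.Trim(host, "[]"))
	addr, addrErr := netip.ParseAddr(host)
	for _, entry := range strings.Split(noProxy, ",") {
		entry = strings.ToLower(strings.TrimSpace(entry))
		if entry == "" {
			continue // a blank no_proxy exempts nothing
		}
		if addrErr == nil { // destination is an IP literal
			if p, err := netip.ParsePrefix(entry); err == nil && p.Contains(addr) {
				return true // CIDR entry such as 10.5.0.0/16
			}
			if a, err := netip.ParseAddr(entry); err == nil && a == addr {
				return true // exact IP entry such as 127.0.0.1 or ::1
			}
			continue
		}
		entry = strings.TrimPrefix(entry, ".")
		if host == entry || strings.HasSuffix(host, "."+entry) {
			return true // hostname or domain-suffix entry
		}
	}
	return false
}

func main() {
	const apiServer = "10.5.0.157" // Kubernetes API address from the kubelet log
	for _, np := range []string{"", "127.0.0.1,localhost,::1,10.5.0.0/16"} {
		fmt.Printf("no_proxy=%q bypass=%v\n", np, bypassesProxy(apiServer, np))
	}
}
```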