diff --git a/docs/calico.md b/docs/calico.md
index 954cce0c63357820a2820ea6876618383a695296..eefbcb6e22d01b6f7123e4a2b4d8198f13e9cc60 100644
--- a/docs/calico.md
+++ b/docs/calico.md
@@ -147,6 +147,16 @@ The inventory above will deploy the following topology assuming that calico's
 
+##### Optional : Define default endpoint to host action
+
+By default Calico blocks traffic from endpoints to the host itself by using an iptables DROP action. When using it in kubernetes the action has to be changed to RETURN (default in kargo) or ACCEPT (see https://github.com/projectcalico/felix/issues/660 and https://github.com/projectcalico/calicoctl/issues/1389). Otherwise all network packets from pods (with hostNetwork=False) to services endpoints (with hostNetwork=True) withing the same node are dropped.
+
+
+To re-define default action please set the following variable in your inventory:
+```
+calico_endpoint_to_host_action: "ACCEPT"
+```
+
 Cloud providers configuration
 =============================
diff --git a/roles/network_plugin/calico/templates/calico-node.service.j2 b/roles/network_plugin/calico/templates/calico-node.service.j2
index dfe8c4a3d26eb51491e9db152d033caa5880c4da..e84ceaba0d959a763c1d459a998d2e105d50fd21 100644
--- a/roles/network_plugin/calico/templates/calico-node.service.j2
+++ b/roles/network_plugin/calico/templates/calico-node.service.j2
@@ -12,6 +12,7 @@ ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
 -e IP=${CALICO_IP} \
 -e IP6=${CALICO_IP6} \
 -e CALICO_NETWORKING_BACKEND=${CALICO_NETWORKING_BACKEND} \
+ -e FELIX_DEFAULTENDPOINTTOHOSTACTION={{ calico_endpoint_to_host_action|default('RETURN') }} \
 -e AS=${CALICO_AS} \
 -e NO_DEFAULT_POOLS=${CALICO_NO_DEFAULT_POOLS} \
 -e CALICO_LIBNETWORK_ENABLED=${CALICO_LIBNETWORK_ENABLED} \
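Review bot: The new `-e FELIX_DEFAULTENDPOINTTOHOSTACTION=...` line in calico-node.service.j2 interpolates `calico_endpoint_to_host_action` unquoted and unvalidated into the `docker run` command, and since this knob decides whether workload traffic may reach the node's own network namespace, a mistyped or unexpected value should fail the play rather than be passed through to felix. Add a guard in the role's tasks before templating, e.g. `- assert: { that: calico_endpoint_to_host_action|default('RETURN') in ['ACCEPT', 'DROP', 'RETURN'] }`. The fallback is also hard-coded in the template via `default('RETURN')` while every neighbouring setting is read from `${CALICO_*}` variables; moving the default into the role's defaults file keeps the template consistent with its siblings and keeps the "default in kargo" statement in the docs tied to a single definition. A short template comment such as `{# endpoint-to-host action: RETURN (default), ACCEPT or DROP; see docs/calico.md #}` above the line would help operators reading the unit. The enclosing `ExecStart=` line continues past the end of the hunk.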