Unable to set up Calico Network Policy for multi-interface pod (Multus)


We have set up our K8s cluster in an OpenStack environment using stacks. Our requirement is to have multiple interfaces, so we are using Multus CNI, which in turn uses Calico CNI as the primary networking plugin.

Now, with this configuration, when I try to set up a NetworkPolicy based on a namespace, it works perfectly for the default eth0 interface, but the policy rules are not applied to the other interfaces created by Multus, i.e. net0, net1, etc. (mapped to eth1, eth2… inside the Pod).

I am testing with a basic deny all NetworkPolicy:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: development
spec:
  selector: all()
  types:
  - Ingress
  - Egress

When I test with a simple ICMP ping, the policy works for the default interface:

bash-4.2# ping
PING ( 56(84) bytes of data.
--- ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3076ms

But it doesn’t seem to work for additional interfaces in the same Pod

bash-4.2# ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.38 ms
64 bytes from icmp_seq=2 ttl=64 time=0.680 ms
64 bytes from icmp_seq=3 ttl=64 time=0.507 ms
--- ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.507/0.855/1.380/0.378 ms

Can anyone please suggest if anything is missing, or is this expected behaviour?