diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
index 3677ec660a8b6cf7a089d1f7b4cbd1251ecf123d..0e8abfcfb17c79e97b9a83a8aae8d95da5cd76c9 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
@@ -52,6 +52,7 @@ rules:
   - apiGroups: ["crd.projectcalico.org"]
     resources:
       - ippools
+      - ipreservations
     verbs:
       - list
   - apiGroups: ["crd.projectcalico.org"]
diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2
index 5a3d9286f00cf89560c6b788069a1226c90d88df..826f441005301cecb0b082eadf6f1525167025c7 100644
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -83,6 +83,7 @@ rules:
       - globalbgpconfigs
       - bgpconfigurations
       - ippools
+      - ipreservations
       - ipamblocks
       - globalnetworkpolicies
       - globalnetworksets
@@ -91,6 +92,7 @@ rules:
       - clusterinformations
       - hostendpoints
       - blockaffinities
+      - caliconodestatuses
     verbs:
       - get
       - list
@@ -104,6 +106,12 @@ rules:
     verbs:
       - create
       - update
+  # Calico must update some CRDs.
+  - apiGroups: [ "crd.projectcalico.org" ]
+    resources:
+      - caliconodestatuses
+    verbs:
+      - update
   # Calico stores some configuration information on the node.
   - apiGroups: [""]
     resources:
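Review bot: The comment on the added rule, `# Calico must update some CRDs.`, does not say which resource or why, although the rule grants `update` on exactly one resource, `caliconodestatuses`. Something like `# calico-node writes node status back to CalicoNodeStatus resources.` (wording to be confirmed against the Calico documentation) would let a later RBAC audit check that the grant is still needed. The line `apiGroups: [ "crd.projectcalico.org" ]` also pads the brackets, unlike `apiGroups: [""]` in the next rule; `apiGroups: ["crd.projectcalico.org"]` would match the rest of the file. The rules list starts and continues outside the hunk.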
diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2
index 21833e827e0d8bc64ae1cb26f28973aac2e34b0d..e0f2cf62d6faa82fab2126225740eb52e153e93f 100644
--- a/roles/network_plugin/calico/templates/calico-node.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node.yml.j2
@@ -72,6 +72,11 @@ spec:
         - name: install-cni
           image: {{ calico_cni_image_repo }}:{{ calico_cni_image_tag }}
           command: ["/opt/cni/bin/install"]
+          envFrom:
+          - configMapRef:
+              # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
+              name: kubernetes-services-endpoint
+              optional: true
           env:
             # Name of the CNI config file to create.
             - name: CNI_CONF_NAME
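Review bot: The `envFrom` added to install-cni lets a ConfigMap named `kubernetes-services-endpoint` replace KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT, and because of `optional: true` a ConfigMap that appears later is picked up silently at the next pod start. Anyone allowed to create or edit ConfigMaps in the DaemonSet's namespace can therefore change which API server address the CNI installer uses, so the comment should record that, e.g. `# Security: write access to this ConfigMap redirects the API endpoint; restrict it to cluster admins.`. The visible hunks add the reference only to install-cni. If the calico-node container is meant to honour the same override it needs its own `envFrom`, which cannot be confirmed from here. The item is also written flush (`- configMapRef:` directly under `envFrom:`) while the `env:` list just below indents its items.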
@@ -214,11 +219,6 @@ spec:
 #            # Configure the IP Pool from which Pod IPs will be chosen.
 #            - name: CALICO_IPV4POOL_CIDR
 #              value: "{{ calico_pool_cidr | default(kube_pods_subnet) }}"
-{% if calico_veth_mtu is defined %}
-# Set MTU for the Wireguard tunnel device.
-            - name: FELIX_WIREGUARDMTU
-              value: "{{ calico_veth_mtu }}"
-{% endif %}
             - name: CALICO_IPV4POOL_IPIP
               value: "{{ calico_ipv4pool_ipip }}"
             - name: FELIX_IPV6SUPPORT
@@ -234,8 +234,15 @@ spec:
               value: "{{ calico_usage_reporting }}"
             # Set MTU for tunnel device used if ipip is enabled
 {% if calico_mtu is defined %}
+            # Set MTU for tunnel device used if ipip is enabled
             - name: FELIX_IPINIPMTU
               value: "{{ calico_veth_mtu | default(calico_mtu) }}"
+            # Set MTU for the VXLAN tunnel device.
+            - name: FELIX_VXLANMTU
+              value: "{{ calico_veth_mtu | default(calico_mtu) }}"
+            # Set MTU for the Wireguard tunnel device.
+            - name: FELIX_WIREGUARDMTU
+              value: "{{ calico_veth_mtu | default(calico_mtu) }}"
 {% endif %}
             - name: FELIX_CHAININSERTMODE
               value: "{{ calico_felix_chaininsertmode }}"
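Review bot: FELIX_WIREGUARDMTU is now emitted only inside `{% if calico_mtu is defined %}`, whereas the block removed in the previous hunk set it whenever `calico_veth_mtu` was defined. An inventory that defines only `calico_veth_mtu` therefore stops getting a WireGuard MTU. `{% if calico_mtu is defined or calico_veth_mtu is defined %}` should keep that case working, provided the undefined `default(calico_mtu)` argument is tolerated when `calico_veth_mtu` is set. All three tunnel devices also receive the same value although IP-in-IP, VXLAN and WireGuard add different encapsulation overhead, so the variable's documentation should tell operators to size it for the largest overhead in use. The comment added on the first `+` line repeats the context comment directly above the `{% if %}` and will render twice; one of them can go.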
@@ -270,6 +277,12 @@ spec:
                 fieldRef:
                   fieldPath: status.hostIP
 {% endif %}
+            # Disable file logging so `kubectl logs` works.
+            - name: CALICO_DISABLE_FILE_LOGGING
+              value: "true"
+            # Set Felix endpoint to host default action to ACCEPT.
+            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+              value: "ACCEPT"
             - name: NODENAME
               valueFrom:
                 fieldRef:
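Review bot: `FELIX_DEFAULTENDPOINTTOHOSTACTION` is hard-coded to `"ACCEPT"`, which lets workload-to-host traffic through once endpoint egress policy has been evaluated, and an operator cannot tighten it without editing the template. `FELIX_CHAININSERTMODE` in the hunk above takes its value from `calico_felix_chaininsertmode`. Doing the same here with a role variable whose default is `ACCEPT` keeps current behaviour while making the choice visible in inventory. The added comment only restates the setting, and something like `# ACCEPT lets pods reach services on the node itself after egress policy; Felix's own default is DROP.` would tell a reader what is being relaxed. The env list starts and continues outside the hunk.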
@@ -295,6 +308,14 @@ spec:
             requests:
               cpu: {{ calico_node_cpu_requests }}
               memory: {{ calico_node_memory_requests }}
+{% if calico_version is version('v3.21.0', '>=') %}
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                - /bin/calico-node
+                - -shutdown
+{% endif %}
           livenessProbe:
             exec:
               command:
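Review bot: The `preStop` block carries no explanation for the `calico_version is version('v3.21.0', '>=')` gate, while the `caliconodestatuses` RBAC added in calico-cr.yml.j2 is not gated at all. A reader cannot tell which parts of this commit depend on the Calico release. A Jinja comment above the `{% if %}`, such as `{# calico-node -shutdown is presumably only available from v3.21.0; confirm against release notes #}`, would record the reason without rendering into the manifest. The comparison also appears to rely on `calico_version` always carrying the `v` prefix, which is worth stating where the variable is documented. The `command:` items are written flush with their key, so check that this matches the list style used in the probes below, which continue outside the hunk.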
@@ -336,8 +357,10 @@ spec:
             - name: xtables-lock
               mountPath: /run/xtables.lock
               readOnly: false
+            # For maintaining CNI plugin API credentials.
             - mountPath: /host/etc/cni/net.d
               name: cni-net-dir
+              readOnly: false
 {% if typha_secure %}
             - name: typha-client
               mountPath: /etc/typha-client
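Review bot: `readOnly: false` is already the default for a volumeMount, so the added line only documents intent: calico-node keeps a writable mount of the host's CNI configuration directory at `/host/etc/cni/net.d`. The new comment says API credentials are maintained there, which makes that host directory security-sensitive, yet it does not say what is written or who may read it. A fuller comment such as `# calico-node refreshes the CNI plugin's API credentials in this host directory; keep it readable by root only.` would help (file details presumed, confirm against the role). The volumeMounts list starts and continues outside the hunk.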