diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
index 35e4959bb9a42945277707237d41a4ebb8134015..bd15082f0891f44dafec779a35fa5f3d8a582a68 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -21,9 +21,10 @@ spec:
     spec:
       nodeSelector:
         {{ calico_policy_controller_deployment_nodeselector }}
-      hostNetwork: true
       serviceAccountName: calico-kube-controllers
       tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
         - key: node-role.kubernetes.io/control-plane