diff --git a/README.md b/README.md
index 68b1c7d356c866a2c495e322b873459b06ff0b69..e87b1a64f78d1c910de32649bb0c2ef9b4966f70 100644
--- a/README.md
+++ b/README.md
@@ -168,7 +168,7 @@ Note: Upstart/SysV init based OS types are not supported.
- [cri-o](http://cri-o.io/) v1.27 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
- Network Plugin
- [cni-plugins](https://github.com/containernetworking/plugins) v1.2.0
- - [calico](https://github.com/projectcalico/calico) v3.25.2
+ - [calico](https://github.com/projectcalico/calico) v3.26.1
- [cilium](https://github.com/cilium/cilium) v1.13.4
- [flannel](https://github.com/flannel-io/flannel) v0.22.0
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.11.5
diff --git a/roles/download/defaults/main/main.yml b/roles/download/defaults/main/main.yml
index 2211162839e49e4cc9004a399fe0e74ad38baab6..64f3d767fbf0818f448377d63892eedc53983a1d 100644
--- a/roles/download/defaults/main/main.yml
+++ b/roles/download/defaults/main/main.yml
@@ -100,7 +100,7 @@ github_image_repo: "ghcr.io"
# TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
# after migration to container download
-calico_version: "v3.25.2"
+calico_version: "v3.26.1"
calico_ctl_version: "{{ calico_version }}"
calico_cni_version: "{{ calico_version }}"
calico_flexvol_version: "{{ calico_version }}"
diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2
index 2e379a364b85f093ac1e5afc1cf7e70c7352933d..d00c9e9a72fedc56bc1d5bb697203b3fe546e77b 100644
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -1,6 +1,39 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: calico-cni-plugin
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ - namespaces
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - pods/status
+ verbs:
+ - patch
+ - apiGroups: ["crd.projectcalico.org"]
+ resources:
+ - blockaffinities
+ - ipamblocks
+ - ipamhandles
+ - clusterinformations
+ - ippools
+ - ipreservations
+ - ipamconfigs
+ verbs:
+ - get
+ - list
+ - create
+ - update
+ - delete
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: calico-node
namespace: kube-system
@@ -78,6 +111,7 @@ rules:
- globalfelixconfigs
- felixconfigurations
- bgppeers
+ - bgpfilters
- globalbgpconfigs
- bgpconfigurations
- ippools
@@ -164,6 +198,6 @@ rules:
resources:
- serviceaccounts/token
resourceNames:
- - calico-node
+ - calico-cni-plugin
verbs:
- create
diff --git a/roles/network_plugin/calico/templates/calico-crb.yml.j2 b/roles/network_plugin/calico/templates/calico-crb.yml.j2
index f747bfd18171a0bd9d89ee78e87c5c92b0b050e9..add99ba5253a70186c3f7c86be01429d369855b9 100644
--- a/roles/network_plugin/calico/templates/calico-crb.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-crb.yml.j2
@@ -11,3 +11,18 @@ subjects:
- kind: ServiceAccount
name: calico-node
namespace: kube-system
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-cni-plugin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-cni-plugin
+subjects:
+- kind: ServiceAccount
+ name: calico-cni-plugin
+ namespace: kube-system
diff --git a/roles/network_plugin/calico/templates/calico-node-sa.yml.j2 b/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
index ea721b3f3d8f28c28205e85f55add543116c0051..07433039bdd8b9ee99c425e04dd320c20fab7e11 100644
--- a/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-node-sa.yml.j2
@@ -4,3 +4,10 @@ kind: ServiceAccount
metadata:
name: calico-node
namespace: kube-system
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-cni-plugin
+ namespace: kube-system