diff --git a/README.md b/README.md
index 8e9abd7953eb6d94f067b848469f7fd14ed30a83..aee4bc66b68cf8c0291f563aa49c97475f3ab0b9 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [cri-o](http://cri-o.io/) v1.17 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
 - Network Plugin
   - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.5
-  - [calico](https://github.com/projectcalico/calico) v3.13.2
+  - [calico](https://github.com/projectcalico/calico) v3.13.3
   - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
   - [cilium](https://github.com/cilium/cilium) v1.7.3
   - [contiv](https://github.com/contiv/install) v1.2.1
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 146efd9d392159f77b312dae778c51e8af82f065..2d583bce5313b5bd0c6afa78e0c977a638c6615b 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -68,11 +68,11 @@ alauda_image_repo: "index.alauda.cn"
 
 # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
 # after migration to container download
-calico_version: "v3.13.2"
-calico_ctl_version: "v3.13.2"
-calico_cni_version: "v3.13.2"
-calico_policy_version: "v3.13.2"
-calico_typha_version: "v3.13.2"
+calico_version: "v3.13.3"
+calico_ctl_version: "v3.13.3"
+calico_cni_version: "v3.13.3"
+calico_policy_version: "v3.13.3"
+calico_typha_version: "v3.13.3"
 typha_enabled: false
 
 flannel_version: "v0.12.0"
@@ -420,26 +420,17 @@ cni_binary_checksums:
   amd64: bd682ffcf701e8f83283cdff7281aad0c83b02a56084d6e601216210732833f9
 calicoctl_binary_checksums:
   arm:
+    v3.13.3: 0
     v3.13.2: 0
     v3.11.1: 0
-    v3.7.3: 0
-    v3.6.1: 0
-    v3.5.4: 0
-    v3.4.4: 0
   amd64:
+    v3.13.3: 570539d436df51bb349bb1a8c6b200a3a6f20803a9d391aa2c5cf19a70a083d4
     v3.13.2: 5b0361e8935e450b1b39147d5690f75474a0ab7eb5936d65fa21a5eb8bcf66d7
     v3.11.1: 045fdbfdb30789194c499ba17c8eac6d1704fe20d05e3c10027eb570767386db
-    v3.7.3: 932f68e893e80e95e10f064f1e7745e438d456f41a6ff12d11bb16ca0cab735c
-    v3.6.1: 3b01336de37550e020343d62a38c96c4605d33a3ed7ddba2fe38bc172a5b42b5
-    v3.5.4: 197194b838cc2a9a7455c2ebd5505a5e24f8f3d994eb75c17f5dd568944100b8
-    v3.4.4: 93bd084e053cf1bf3b7fef369677bd6767c30fe7135e2c7e044e31693422ef61
   arm64:
+    v3.13.3: 0c47acd6d200ba1f8348b389cd7a54771542158fef657afc633a30ddad97e272
     v3.13.2: 7936ad0a5a40a1d50e3b9a555c101d1372bc424a98e4480e6471afd3abf92451
     v3.11.1: 770e0fce9acf1927726d64a885f8350d44a3fcbf248017d0aceec58bd41fa1b8
-    v3.7.3: 7cfaab25c287f7ef93b2682d060b55bf39f76b668540de50376b5ed174209832
-    v3.6.1: 60fbaeb257061647bdf12b5ede7a0d4298a5ee216f6472e5a92bb14ef5c2a5d3
-    v3.5.4: a4481178665658658a73e4ceca9a1dff5cccded4179615c91d1c3e49fd96f237
-    v3.4.4: ff35d9e8b5c00e9fe47d05e8f5123ec98fd641370f8cd93f4fbb3d913da77ab6
 
 etcd_binary_checksum: "{{ etcd_binary_checksums[image_arch] }}"
 cni_binary_checksum: "{{ cni_binary_checksums[image_arch] }}"
diff --git a/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2 b/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2
index 1a797eaa1679104526f089a3ec8295ca5d6dec32..477a01dea97926fec89d10f52d5c2f508c2cbaa5 100644
--- a/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2
@@ -5,79 +5,34 @@ metadata:
   name: calico
   namespace: kube-system
 rules:
-  - apiGroups: [""]
-    resources:
-      - namespaces
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups: [""]
-    resources:
-      - pods/status
-    verbs:
-      - update
   - apiGroups: [""]
     resources:
       - pods
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups: [""]
-    resources:
       - nodes
+      - namespaces
+      - configmaps
     verbs:
       - get
-      - list
-      - update
-      - watch
-  - apiGroups: ["extensions"]
-    resources:
-      - thirdpartyresources
-    verbs:
-      - create
-      - get
-      - list
-      - watch
-  - apiGroups: ["extensions"]
+  - apiGroups: [""]
     resources:
-      - networkpolicies
+      - endpoints
+      - services
     verbs:
-      - get
-      - list
       - watch
-  - apiGroups: ["projectcalico.org"]
-    resources:
-      - globalbgppeers
-    verbs:
-      - get
       - list
-  - apiGroups: ["projectcalico.org"]
-    resources:
-      - globalconfigs
-      - globalbgpconfigs
-    verbs:
-      - create
-      - get
-      - list
-      - update
-      - watch
-  - apiGroups: ["projectcalico.org"]
+  - apiGroups: [""]
     resources:
-      - ippools
+      - nodes/status
     verbs:
-      - create
-      - get
-      - list
-      - update
-      - watch
-  - apiGroups: ["alpha.projectcalico.org"]
+      - patch
+  - apiGroups:
+    - policy
+    resourceNames:
+    - privileged
     resources:
-      - systemnetworkpolicies
+    - podsecuritypolicies
     verbs:
-      - get
-      - list
+    - use
   - apiGroups:
     - policy
     resourceNames: