diff --git a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
index dabc7a3f55fe19b044d92d07e0a27119c24ef73f..3af74c74accaf6bfdd39d43e26fe4294618167c5 100644
--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -1,4 +1,4 @@
-# Policy to ensure the API server isn't cut off. Can be modified, but ensure 
+# Policy to ensure the API server isn't cut off. Can be modified, but ensure
 # that the main API server is always able to reach the Calico API server.
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
@@ -94,6 +94,8 @@ spec:
       tolerations:
       - effect: NoSchedule
         key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
       volumes:
       - name: calico-apiserver-certs
         secret:
@@ -104,8 +106,8 @@ spec:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: calico-apiserver 
-  namespace: calico-apiserver 
+  name: calico-apiserver
+  namespace: calico-apiserver
 
 ---
 
diff --git a/roles/network_plugin/canal/templates/canal-calico-kube-controllers.yml.j2 b/roles/network_plugin/canal/templates/canal-calico-kube-controllers.yml.j2
index 1417022a82f9a9a834acb9905fdd0300efbd03a5..a77a5f6620a468bff7603ce8103cdecab7ae4818 100644
--- a/roles/network_plugin/canal/templates/canal-calico-kube-controllers.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-calico-kube-controllers.yml.j2
@@ -31,6 +31,8 @@ spec:
           operator: Exists
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
       serviceAccountName: calico-kube-controllers
       priorityClassName: system-cluster-critical
       # The controllers must run in the host network namespace so that