diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml
index 54c3deba4ebaa3998f664324865b96c42ea30af9..11d5d2f09a8d2f74188304616fc33477265025d7 100644
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -451,6 +451,7 @@
     - {name: calico, file: calico-ipamconfig.yml, type: ipam}
   when:
     - inventory_hostname in groups['kube_control_plane']
+    - calico_datastore == "kdd"
 
 - name: Calico | Create ipamconfig resources
   kube:
@@ -459,6 +460,7 @@
     state: "latest"
   when:
     - inventory_hostname == groups['kube_control_plane'][0]
+    - calico_datastore == "kdd"
 
 - include_tasks: peer_with_calico_rr.yml
   when:
diff --git a/roles/network_plugin/calico/templates/calico-cr.yml.j2 b/roles/network_plugin/calico/templates/calico-cr.yml.j2
index e309c04182706664ba0cfd6e3a77d783194a62ec..b911b8737f5d4165ba774b09fdf1f4de1ed58a8a 100644
--- a/roles/network_plugin/calico/templates/calico-cr.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-cr.yml.j2
@@ -157,6 +157,7 @@ rules:
       - daemonsets
     verbs:
       - get
+{% endif %}
   # Used for creating service account tokens to be used by the CNI plugin
   - apiGroups: [""]
     resources:
@@ -165,4 +166,3 @@ rules:
       - calico-node
     verbs:
       - create
-{% endif %}