diff --git a/README.md b/README.md
index 396e168e699c88237436bbe42bfd2c5cfe8395a2..d7dfe438501496818adb1133598d6a2dc8cab734 100644
--- a/README.md
+++ b/README.md
@@ -124,7 +124,7 @@ Note: Upstart/SysV init based OS types are not supported.
   - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.6
   - [calico](https://github.com/projectcalico/calico) v3.14.1
   - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
-  - [cilium](https://github.com/cilium/cilium) v1.7.4
+  - [cilium](https://github.com/cilium/cilium) v1.8.0
   - [contiv](https://github.com/contiv/install) v1.2.1
   - [flanneld](https://github.com/coreos/flannel) v0.12.0
   - [kube-ovn](https://github.com/alauda/kube-ovn) v1.2.0
diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml
index 62aa6b0d037187823232c9e9ad692025e7c1f791..f5d1cadde5299b5b25e78ff1b5f9388ae5e2e594 100644
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -79,7 +79,7 @@ cni_version: "v0.8.6"
 weave_version: 2.6.4
 pod_infra_version: "3.2"
 contiv_version: 1.2.1
-cilium_version: "v1.7.4"
+cilium_version: "v1.8.0"
 kube_ovn_version: "v1.2.0"
 kube_router_version: "v0.4.0"
 multus_version: "v3.4.2"
diff --git a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2 b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
index 2b16f1f8664271e9860eb818f0dc99e03013ef83..1fbf26235d5bd4521a0208bc443da29696fa3e9e 100644
--- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
@@ -26,10 +26,12 @@ rules:
 - apiGroups:
   - ""
   resources:
+{% if cilium_version | regex_replace('v') is version('1.8', '<') %}
   # to automatically read from k8s and import the node's pod CIDR to cilium's
   # etcd so all nodes know how to reach another pod running in in a different
   # node.
   - nodes
+{% endif %}
   # to perform the translation of a CNP that contains `ToGroup` to its endpoints
   - services
   - endpoints
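Review bot: Dropping `nodes` from this rule for cilium_version >= 1.8 (the new `{% if %}` around the resource) should be checked against the upstream 1.8 agent ClusterRole, which as far as I recall still grants the agent `nodes` get/list/watch (plus update and `nodes/status` patch for CRD-backed node discovery); if the remainder of this rule, which ends outside the hunk, does not re-add it under a 1.8+ branch, the agent may lose Node read access after the upgrade. Separately, `regex_replace('v')` strips every `v` in the string rather than only the leading prefix; `cilium_version | regex_replace('^v', '')` states the intent and keeps `version()` comparing a clean numeric string. A comment above the guard, e.g. `# cilium >= 1.8: nodes access moved out of this rule; keep in sync with upstream cilium-agent ClusterRole`, would record why the version branch exists.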
@@ -59,6 +61,14 @@ rules:
 {% endif %}
   verbs:
   - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
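Review bot: The new `customresourcedefinitions` rule grants only get/list/watch, which is the right least-privilege default, but whether that is enough for 1.8 depends on whether the agent still registers Cilium's CRDs itself at startup — upstream's 1.8 agent ClusterRole, as far as I recall, also carries `create` and `update` on this resource, so verify against the release; otherwise the agent fails CRD registration with a 403 and crash-loops. If read-only is intentional (CRDs pre-created by the operator or by the role), say so on the rule, e.g. `# read-only: CRDs are registered by cilium-operator, not by the agent`. The rule directly above (outside this change) still uses `verbs: ['*']`; not this commit's doing, but the new rule shows the shape that one should take when it is revisited.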
diff --git a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
index d379477ec35147274473e8aecff47057748be38a..18fdad7bc5adc0b6fcb8ee3a8c59160296d3b26e 100644
--- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2
@@ -92,7 +92,7 @@ spec:
 {% if cilium_enable_ipv4 %}
               host: 127.0.0.1
 {% else %}
-              host: host: '[::1]'
+              host: '::1'
 {% endif %}
               path: /healthz
               port: 9234
diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
index 43a96821fa81a37fa28bca25d2c185fe2fcd1eed..dd8e1b9100c3730b4ae300278bc65df5dbaaae1f 100755
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@@ -59,11 +59,14 @@ spec:
               command:
               - /cni-uninstall.sh
         livenessProbe:
-          exec:
-            command:
-            - cilium
-            - status
-            - --brief
+          httpGet:
+            host: '127.0.0.1'
+            path: /healthz
+            port: 9876
+            scheme: HTTP
+            httpHeaders:
+            - name: "brief"
+              value: "true"
           failureThreshold: 10
           # The initial delay for the liveness probe is intentionally large to
           # avoid an endless kill & restart cycle if in the event that the initial
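Review bot: The new liveness `httpGet` hardcodes `host: '127.0.0.1'`, while the operator probe in cilium-deploy.yml.j2 in this same change switches between `127.0.0.1` and `'::1'` on `cilium_enable_ipv4`; on an IPv6-only deployment this probe only passes if the agent's health server still binds the IPv4 loopback, which the hunk does not show. Wrapping `host:` in the same Jinja switch keeps the two templates consistent and avoids a kill/restart loop on such clusters. Because the pod is `hostNetwork: true`, port 9876 is the agent's health API on the host loopback; a comment such as `# agent health API on host loopback (hostNetwork); unauthenticated HTTP is acceptable only while it stays bound to loopback — verify` would document why `scheme: HTTP` is fine here. The containers block continues outside the hunk.

```yaml
          httpGet:
{% if cilium_enable_ipv4 %}
            host: '127.0.0.1'
{% else %}
            host: '::1'
{% endif %}
            path: /healthz
            # … unchanged: port, scheme, httpHeaders …
```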
@@ -81,11 +84,14 @@ spec:
           protocol: TCP
 {% endif %}
         readinessProbe:
-          exec:
-            command:
-            - cilium
-            - status
-            - --brief
+          httpGet:
+            host: '127.0.0.1'
+            path: /healthz
+            port: 9876
+            scheme: HTTP
+            httpHeaders:
+            - name: "brief"
+              value: "true"
           failureThreshold: 3
           initialDelaySeconds: 5
           periodSeconds: 30
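Review bot: Quoting in the new readiness `httpGet` block is mixed — `host: '127.0.0.1'` is single-quoted while `name: "brief"` / `value: "true"` are double-quoted — and the liveness probe above repeats the same block verbatim; pick single quotes throughout (`name: 'brief'`, `value: 'true'`) so the two probes differ only in their thresholds. Keeping `value` quoted is correct, since an unquoted `true` would be parsed as a YAML boolean and rejected as a header value. The same hardcoded `127.0.0.1` caveat applies here as to the liveness probe: on an IPv6-only cluster it should follow `cilium_enable_ipv4`, as cilium-deploy.yml.j2 already does.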
@@ -131,6 +137,8 @@ spec:
         - mountPath: /lib/modules
           name: lib-modules
           readOnly: true
+        - mountPath: /run/xtables.lock
+          name: xtables-lock
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       hostPID: false
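Review bot: The new `/run/xtables.lock` mount is deliberately writable (the lock is taken with flock), but unlike the `lib-modules` mount above it carries neither `readOnly` nor an explanation at the mount site, and the rationale lives only on the volume definition further down; a one-line comment here, `# writable on purpose: shared iptables lock, see xtables-lock volume`, keeps the intent visible where a reviewer audits hostPath mounts. The pod already runs `hostNetwork: true` with `hostPID: false`, so this does not widen the host surface beyond the lock file itself, assuming the volume stays `FileOrCreate` on that exact path.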
@@ -138,7 +146,7 @@ spec:
       - command:
         - /init-container.sh
         env:
-        - name: CLEAN_CILIUM_STATE
+        - name: CILIUM_ALL_STATE
           valueFrom:
             configMapKeyRef:
               key: clean-cilium-state
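Review bot: Renaming the env var to `CILIUM_ALL_STATE` changes what `/init-container.sh` is fed while keeping the ConfigMap key `clean-cilium-state`; that matches upstream 1.8, where the init script, as far as I recall, reads `CILIUM_ALL_STATE` and also `CILIUM_BPF_STATE` (from a `clean-cilium-bpf-state` key), so check whether a second env entry needs wiring here or the BPF-only cleanup knob is silently unavailable. The `configMapKeyRef` continues past the hunk; if it does not already set `optional: true`, consider it, since a missing key otherwise prevents the init container from starting at all. A comment above the entry, e.g. `# cilium >= 1.8 init script expects CILIUM_ALL_STATE (was CLEAN_CILIUM_STATE)`, would explain the rename to the next upgrader.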
@@ -214,6 +222,11 @@ spec:
       - hostPath:
           path: /lib/modules
         name: lib-modules
+        # To access iptables concurrently with other processes (e.g. kube-proxy)
+      - hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate
+        name: xtables-lock
         # To read the etcd config stored in config maps
       - configMap:
           defaultMode: 420
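Review bot: `type: FileOrCreate` on the new `xtables-lock` hostPath makes the kubelet create `/run/xtables.lock` on the host when it is absent, so a node that has never run kube-proxy or iptables gets a kubelet-owned file; that is the upstream pattern and acceptable, but if a PodSecurityPolicy with `allowedHostPaths` governs this DaemonSet (not visible in this hunk), the new path must be listed there without `readOnly: true` or the pods will be rejected at admission after the upgrade. It is worth extending the existing comment to capture that expectation: `# To access iptables concurrently with other processes (e.g. kube-proxy); created by the kubelet if missing, must be allowed read-write by any PSP applied to this DaemonSet`.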