diff --git a/README.md b/README.md index d73c0390b..3abf8b0a4 100644 --- a/README.md +++ b/README.md @@ -125,7 +125,7 @@ Note: Upstart/SysV init based OS types are not supported. - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.6 - [calico](https://github.com/projectcalico/calico) v3.15.2 - [canal](https://github.com/projectcalico/canal) (given calico/flannel versions) - - [cilium](https://github.com/cilium/cilium) v1.8.2 + - [cilium](https://github.com/cilium/cilium) v1.8.3 - [contiv](https://github.com/contiv/install) v1.2.1 - [flanneld](https://github.com/coreos/flannel) v0.12.0 - [kube-ovn](https://github.com/alauda/kube-ovn) v1.3.0 diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index 57713a973..214790392 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -79,7 +79,7 @@ cni_version: "v0.8.7" weave_version: 2.7.0 pod_infra_version: "3.2" contiv_version: 1.2.1 -cilium_version: "v1.8.2" +cilium_version: "v1.8.3" kube_ovn_version: "v1.3.0" kube_router_version: "v1.0.1" multus_version: "v3.6" diff --git a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 index a747f43e6..bf65a746d 100644 --- a/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-deploy.yml.j2 @@ -29,6 +29,18 @@ spec: io.cilium/app: operator name: cilium-operator spec: + # In HA mode, cilium-operator pods must not be scheduled on the same + # node as they will clash with each other. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: io.cilium/app + operator: In + values: + - operator + topologyKey: "kubernetes.io/hostname" containers: - args: - --debug=$(CILIUM_DEBUG) 
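Review bot: The `requiredDuringSchedulingIgnoredDuringExecution` rule added under `spec:` in cilium-deploy.yml.j2 is a hard constraint, and the comment above it does not say what happens when there are fewer eligible nodes than operator replicas. In that case the surplus replicas stay Pending, and a rolling update may stall if the update strategy (not visible in this hunk) creates the new pod before removing the old one. I would extend the comment with a line such as `# Needs at least as many schedulable nodes as replicas; extra replicas stay Pending.` The pod spec continues outside the hunk, so the replica count and update strategy should be checked against this rule.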
@@ -47,6 +59,11 @@ spec: fieldRef: apiVersion: v1 fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace - name: CILIUM_DEBUG valueFrom: configMapKeyRef: @@ -131,6 +148,8 @@ spec: serviceAccount: cilium-operator serviceAccountName: cilium-operator hostNetwork: true + tolerations: + - operator: Exists volumes: # To read the etcd config stored in config maps - configMap: diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 index bede48dce..07eb78fb9 100755 --- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 @@ -20,6 +20,16 @@ spec: labels: k8s-app: cilium spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: k8s-app + operator: In + values: + - cilium + topologyKey: kubernetes.io/hostname containers: - args: - --kvstore=etcd @@ -194,6 +204,10 @@ spec: name: bpf-maps - mountPath: /var/run/cilium name: cilium-run + resources: + requests: + cpu: 100m + memory: 100Mi priorityClassName: system-node-critical restartPolicy: Always serviceAccount: cilium
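Review bot: The `tolerations: - operator: Exists` entry added next to `hostNetwork: true` tolerates every taint with every effect, so the operator can be scheduled onto nodes that were tainted specifically to keep workloads off them, and it is not evicted by `NoExecute` taints. This pod runs on the host network with the `cilium-operator` service account, so the blanket toleration widens the set of nodes where that account's credentials can be mounted. If the intent is only to let the operator start before nodes are ready, say so in a comment such as `# Tolerate all taints so the operator can run before nodes are Ready`, or narrow the list to the taint keys that are actually needed. The pod spec starts outside the hunk.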
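Review bot: The anti-affinity block added under `spec:` in cilium-ds.yml.j2 has no comment, unlike the matching block in cilium-deploy.yml.j2, and its purpose is not obvious because a DaemonSet (which the file name suggests this is) already places one pod per node. Presumably it keeps a second pod labelled `k8s-app: cilium` off the same host; a line such as `# Prevent two cilium agent pods from sharing a node` above `affinity:` would record that. The `topologyKey` value is also unquoted here but quoted in the operator template, and using one form in both keeps the templates consistent.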
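Review bot: The `resources.requests` values added before `priorityClassName` (`cpu: 100m`, `memory: 100Mi`) are literals in a Jinja template, so operators cannot tune them from inventory without editing the template. The version strings changed in this same commit come from role defaults, and the requests could follow that pattern with these values as the defaults. The container this block belongs to starts outside the hunk, so a short comment naming it would help readers confirm which container receives the request.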