diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml
index f8482fb1a..7caf6dcd9 100644
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -23,3 +23,7 @@ flannel_memory_limit: 500M
 flannel_cpu_limit: 200m
 flannel_memory_requests: 256M
 flannel_cpu_requests: 100m
+calicoctl_memory_limit: 170M
+calicoctl_cpu_limit: 100m
+calicoctl_memory_requests: 70M
+calicoctl_cpu_requests: 50m
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index 3d3b19bdc..dcfb5e118 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -59,3 +59,12 @@
 delay: "{{ retry_stagger | random + 3 }}"
 changed_when: false
 tags: [hyperkube, upgrade]
+
+- name: Canal | Install calicoctl container script
+ template:
+ src: calicoctl-container.j2
+ dest: "{{ bin_dir }}/calicoctl"
+ mode: 0755
+ owner: root
+ group: root
+ changed_when: false
diff --git a/roles/network_plugin/canal/templates/calicoctl-container.j2 b/roles/network_plugin/canal/templates/calicoctl-container.j2
new file mode 100644
index 000000000..df11a85ef
--- /dev/null
+++ b/roles/network_plugin/canal/templates/calicoctl-container.j2
@@ -0,0 +1,14 @@
+#!/bin/bash
+{{ docker_bin_dir }}/docker run -i --privileged --rm \
+--net=host --pid=host \
+-e ETCD_ENDPOINTS={{ etcd_access_endpoint }} \
+-e ETCD_CA_CERT_FILE={{ canal_cert_dir }}/ca_cert.crt \
+-e ETCD_CERT_FILE={{ canal_cert_dir }}/cert.crt \
+-e ETCD_KEY_FILE={{ canal_cert_dir }}/key.pem \
+-v {{ docker_bin_dir }}/docker:{{ docker_bin_dir }}/docker \
+-v /var/run/docker.sock:/var/run/docker.sock \
+-v /var/run/calico:/var/run/calico \
+-v {{ canal_cert_dir }}:{{ calico_cert_dir }}:ro \
+--memory={{ calicoctl_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calicoctl_cpu_limit|regex_replace('m', '') }} \
+{{ calicoctl_image_repo }}:{{ calicoctl_image_tag}} \
+$@
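Review bot: `calicoctl_memory_requests` and `calicoctl_cpu_requests` are added in the defaults hunk but nothing in this commit reads them; the new calicoctl-container.j2 only uses `calicoctl_memory_limit` and `calicoctl_cpu_limit`. Either drop the two request defaults or add a comment saying where they are consumed. The template also passes the CPU value to `--cpu-shares`, which is a relative weight rather than a cap, so a comment such as `# passed to docker --cpu-shares (relative weight, not a hard limit)` above `calicoctl_cpu_limit` would keep it from being misread.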
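Review bot: `changed_when: false` on the new template task in tasks/main.yml means a rewritten `{{ bin_dir }}/calicoctl` is never reported as changed, which hides drift in a root-owned wrapper that starts a privileged container; dropping that line lets the template module report its real state. `mode: 0755` is an unquoted octal literal and is safer written as `mode: "0755"` so the value does not depend on YAML integer parsing. The new task also has no `tags:` while the preceding task carries `tags: [hyperkube, upgrade]`; if that is deliberate, a short comment would say so.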
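Review bot: The certificate mount and the ETCD_*_FILE variables in calicoctl-container.j2 disagree: the three `-e ETCD_*_FILE` lines point at `{{ canal_cert_dir }}/...`, but the `-v` line mounts that directory at `{{ calico_cert_dir }}` inside the container, so unless both variables resolve to the same path (neither is defined in this diff) calicoctl will not find its etcd TLS files; `-v {{ canal_cert_dir }}:{{ canal_cert_dir }}:ro` keeps them consistent. The final `$@` is unquoted, so arguments containing spaces or glob characters are re-split by the shell; it should be `"$@"`. The wrapper also combines `--privileged`, `--net=host --pid=host` and the Docker socket with an image referenced by a mutable tag, so whatever that tag resolves to runs with full control of the host. A header comment stating which of those grants calicoctl actually needs, and an image reference pinned by digest, would make that exposure explicit and reviewable.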