diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml
index f8482fb1a..60adff59f 100644
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -14,6 +14,9 @@ canal_log_level: "info"
 canal_cert_dir: /etc/canal/certs
 etcd_cert_dir: /etc/ssl/etcd/ssl
+# Canal Network Policy directory
+canal_policy_dir: /etc/kubernetes/policy
+
 # Limits for apps
 calico_node_memory_limit: 500M
 calico_node_cpu_limit: 200m
@@ -23,3 +26,8 @@ flannel_memory_limit: 500M
 flannel_cpu_limit: 200m
 flannel_memory_requests: 256M
 flannel_cpu_requests: 100m
+calicoctl_memory_limit: 170M
+calicoctl_cpu_limit: 100m
+calicoctl_memory_requests: 70M
+calicoctl_cpu_requests: 50m
+
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index 3d3b19bdc..7ccbcdf2e 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -59,3 +59,17 @@
   delay: "{{ retry_stagger | random + 3 }}"
   changed_when: false
   tags: [hyperkube, upgrade]
+
+- name: Canal | Install calicoctl container script
+  template:
+    src: calicoctl-container.j2
+    dest: "{{ bin_dir }}/calicoctl"
+    mode: 0755
+    owner: root
+    group: root
+  changed_when: false
+
+- name: Canal | Create network policy directory
+  file:
+    path: "{{ canal_policy_dir }}"
+    state: directory
diff --git a/roles/network_plugin/canal/templates/calicoctl-container.j2 b/roles/network_plugin/canal/templates/calicoctl-container.j2
new file mode 100644
index 000000000..d65d88d46
--- /dev/null
+++ b/roles/network_plugin/canal/templates/calicoctl-container.j2
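Review bot: The second defaults hunk ends with an added empty line after `calicoctl_cpu_requests: 50m`, so the file now finishes with a blank line rather than a single trailing newline; drop that last `+` line. The four `calicoctl_*` values follow the existing `flannel_*` naming and unit style, so there is nothing else to raise in the two defaults hunks.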
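Review bot: The `Canal | Create network policy directory` task creates `{{ canal_policy_dir }}` with whatever owner and mode the current umask yields, while the template task directly above pins `owner`, `group` and `mode`; since this directory is mounted into the calicoctl container by the new template (`-v {{ canal_policy_dir }}:{{ canal_policy_dir }}:ro`) and presumably holds policy input, pin it the same way, e.g. `owner: root`, `group: root`, `mode: "0755"`. On the template task, `mode: 0755` is an unquoted YAML 1.1 octal; Ansible accepts it, but `mode: "0755"` is the form ansible-lint expects and avoids the integer conversion. The `changed_when: false` on the template task hides real changes to `{{ bin_dir }}/calicoctl` in play output; it appears to mirror the hyperkube copy task above (whose start lies outside the hunk), where it suppresses a command's change report, and is not needed for a template. The three context lines at the top of the hunk belong to that earlier task.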
@@ -0,0 +1,15 @@
+#!/bin/bash
+{{ docker_bin_dir }}/docker run -i --privileged --rm \
+--net=host --pid=host \
+-e ETCD_ENDPOINTS={{ etcd_access_endpoint }} \
+-e ETCD_CA_CERT_FILE={{ canal_cert_dir }}/ca_cert.crt \
+-e ETCD_CERT_FILE={{ canal_cert_dir }}/cert.crt \
+-e ETCD_KEY_FILE={{ canal_cert_dir }}/key.pem \
+-v {{ docker_bin_dir }}/docker:{{ docker_bin_dir }}/docker \
+-v /var/run/docker.sock:/var/run/docker.sock \
+-v /var/run/calico:/var/run/calico \
+-v {{ canal_cert_dir }}:{{ canal_cert_dir }}:ro \
+-v {{ canal_policy_dir }}:{{ canal_policy_dir }}:ro \
+--memory={{ calicoctl_memory_limit|regex_replace('Mi', 'M') }} --cpu-shares={{ calicoctl_cpu_limit|regex_replace('m', '') }} \
+{{ calicoctl_image_repo }}:{{ calicoctl_image_tag}} \
+$@
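Review bot: `$@` on the last line is unquoted, so any argument containing whitespace or glob characters is re-split and expanded by the wrapper's shell before it reaches calicoctl; write it as `"$@"`. The container runs with `--privileged`, `--pid=host`, `--net=host` and the docker socket and binary mounted, which makes this wrapper equivalent to root on the host; if those flags exist only so calicoctl can drive docker itself (the socket and binary mounts suggest that), a one-line comment in the template stating why would help future reviewers keep the surface minimal, otherwise they should be dropped. The cert and policy directories are correctly mounted `:ro`. Minor: `{{ calicoctl_image_tag}}` lacks the space before `}}` used everywhere else in the file.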