diff --git a/cluster/addons/calico-policy-controller/calico-clusterrole.yaml b/cluster/addons/calico-policy-controller/calico-clusterrole.yaml
index 11c4ba41c68..b3adead79a9 100644
--- a/cluster/addons/calico-policy-controller/calico-clusterrole.yaml
+++ b/cluster/addons/calico-policy-controller/calico-clusterrole.yaml
@@ -14,6 +14,12 @@ rules:
       - namespaces
     verbs:
       - get
+  # calico/node checks configmaps for cluster CIDR.
+  - apiGroups: [""]
+    resources:
+      - configmaps
+    verbs:
+      - get
   - apiGroups: [""]
     resources:
       - endpoints
@@ -55,7 +61,7 @@ rules:
     verbs:
       - patch
   # Calico monitors various CRDs for config.
-  # Note: Though we are not using ipam from calico, calico node still needs those permission
+  # Note: Though we are not using ipam from calico, calico node still needs those permissions
   #       to boot.
   - apiGroups: ["crd.projectcalico.org"]
     resources:
diff --git a/cluster/addons/calico-policy-controller/calico-node-daemonset.yaml b/cluster/addons/calico-policy-controller/calico-node-daemonset.yaml
index 66f0741ec0e..88d8cc1859f 100644
--- a/cluster/addons/calico-policy-controller/calico-node-daemonset.yaml
+++ b/cluster/addons/calico-policy-controller/calico-node-daemonset.yaml
@@ -27,7 +27,7 @@ spec:
       terminationGracePeriodSeconds: 0
       initContainers:
         - name: install-cni
-          image: gcr.io/projectcalico-org/cni:v3.8.4
+          image: gcr.io/projectcalico-org/cni:v3.15.2
           command: ["/install-cni.sh"]
           env:
             - name: CNI_CONF_NAME
@@ -78,7 +78,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: gcr.io/projectcalico-org/node:v3.8.4
+          image: gcr.io/projectcalico-org/node:v3.15.2
           env:
             - name: CALICO_MANAGE_CNI
               value: "true"
diff --git a/cluster/addons/calico-policy-controller/typha-deployment.yaml b/cluster/addons/calico-policy-controller/typha-deployment.yaml
index c63dc0f1b94..fda8f945af7 100644
--- a/cluster/addons/calico-policy-controller/typha-deployment.yaml
+++ b/cluster/addons/calico-policy-controller/typha-deployment.yaml
@@ -23,7 +23,7 @@ spec:
       hostNetwork: true
       serviceAccountName: calico
       containers:
-      - image: gcr.io/projectcalico-org/typha:v3.8.4
+      - image: gcr.io/projectcalico-org/typha:v3.15.2
         name: calico-typha
         ports:
         - containerPort: 5473