diff --git a/roles/network_plugin/calico/tasks/install.yml b/roles/network_plugin/calico/tasks/install.yml
index 7959773c9ff..d27710aac9a 100644
--- a/roles/network_plugin/calico/tasks/install.yml
+++ b/roles/network_plugin/calico/tasks/install.yml
@@ -370,6 +370,21 @@
 - inventory_hostname in groups['kube_control_plane']
 - typha_enabled and calico_datastore == "kdd"
 
+- name: Calico | get calico apiserver caBundle
+ command: "{{ bin_dir }}/kubectl get secret -n calico-apiserver calico-apiserver-certs -o jsonpath='{.data.apiserver\\.crt}'"
+ changed_when: false
+ register: calico_apiserver_cabundle
+ when:
+ - inventory_hostname == groups['kube_control_plane'][0]
+ - calico_apiserver_enabled and calico_datastore == "kdd"
+
+- name: Calico | set calico apiserver caBundle fact
+ set_fact:
+ calico_apiserver_cabundle: "{{ calico_apiserver_cabundle.stdout }}"
+ when:
+ - inventory_hostname == groups['kube_control_plane'][0]
+ - calico_apiserver_enabled and calico_datastore == "kdd"
+
 - name: Calico | Create calico manifests for apiserver
 template:
 src: "{{ item.file }}.j2"
diff --git a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2 b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
index facb7dfd87a..6a7710952e3 100644
--- a/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
+++ b/roles/network_plugin/calico/templates/calico-apiserver.yml.j2
@@ -118,6 +118,7 @@ metadata:
 spec:
 group: projectcalico.org
 groupPriorityMinimum: 1500
+ caBundle: {{ calico_apiserver_cabundle }}
 service:
 name: calico-api
 namespace: calico-apiserver
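Review bot: The registered kubectl output is handed to the APIService caBundle with no check that it is non-empty: in the `get calico apiserver caBundle` task, `kubectl get secret ... -o jsonpath` can (depending on kubectl version) exit 0 with empty stdout when the `apiserver.crt` key is absent from `calico-apiserver-certs`, and the following `set_fact` would then pass an empty bundle into the template, which the Kubernetes APIService documentation describes as falling back to the kube-apiserver's system trust roots, so the self-signed calico-apiserver cert fails verification with an opaque discovery error rather than a clear task failure. Add `failed_when: calico_apiserver_cabundle.stdout | length == 0` to that task so the misconfiguration surfaces at its source. The two tasks also register and then `set_fact` the same name `calico_apiserver_cabundle`, relying on the later assignment shadowing the registered result dict; registering as `calico_apiserver_certs_secret` and setting the fact from `calico_apiserver_certs_secret.stdout` keeps them distinct. Both tasks are restricted to `groups['kube_control_plane'][0]`; the `when` of the `Create calico manifests for apiserver` task that consumes the fact is outside this hunk, so whether the variable is defined on every host that renders the template cannot be confirmed here.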
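Review bot: `caBundle: {{ calico_apiserver_cabundle }}` inserts the templated value unquoted, so an empty expansion renders as a bare `caBundle:` (a YAML null) that the manifest tooling may accept silently; `caBundle: "{{ calico_apiserver_cabundle }}"` follows the usual quote-every-Jinja-scalar convention and makes an empty value visible as `""`. The line is also worth a comment, since it is the trust anchor the aggregation layer uses to validate calico-apiserver's serving certificate: `{# base64 of apiserver.crt from the calico-apiserver-certs Secret; the kube-apiserver aggregator verifies the calico-apiserver TLS cert against it, so re-render this manifest whenever that Secret is regenerated #}`. The value is produced by the new get/set_fact tasks in install.yml, which run only on the first control-plane host; any other host rendering this template would hit an undefined variable unless the template task is restricted the same way, which cannot be seen from this hunk.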