diff --git a/resources/calico/cluster-role.yaml b/resources/calico/cluster-role.yaml
index 4906921..750d677 100644
--- a/resources/calico/cluster-role.yaml
+++ b/resources/calico/cluster-role.yaml
@@ -57,6 +57,14 @@ rules:
       - pods/status
     verbs:
       - patch
+  # Used for creating service account tokens to be used by the CNI plugin
+  - apiGroups: [""]
+    resources:
+      - serviceaccounts/token
+    resourceNames:
+      - calico-node
+    verbs:
+      - create
   # Calico monitors its CRDs
   - apiGroups: ["crd.projectcalico.org"]
     resources:
diff --git a/variables.tf b/variables.tf
index 1b33c41..106f98e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -60,8 +60,8 @@ variable "container_images" {
   description = "Container images to use"
 
   default = {
-    calico                  = "quay.io/calico/node:v3.23.1"
-    calico_cni              = "quay.io/calico/cni:v3.23.1"
+    calico                  = "quay.io/calico/node:v3.23.3"
+    calico_cni              = "quay.io/calico/cni:v3.23.3"
     cilium_agent            = "quay.io/cilium/cilium:v1.11.7"
     cilium_operator         = "quay.io/cilium/operator-generic:v1.11.7"
     coredns                 = "k8s.gcr.io/coredns/coredns:v1.8.6"