diff --git a/control_planes.tf b/control_planes.tf
index 927becf..f925cfe 100644
--- a/control_planes.tf
+++ b/control_planes.tf
@@ -49,19 +49,17 @@ resource "null_resource" "control_planes" {
 token = random_password.k3s_token.result
 disable-cloud-controller = true
 disable = local.disable_extras
+ flannel-iface = "eth1"
 kubelet-arg = "cloud-provider=external"
 node-ip = module.control_planes[count.index].private_ipv4_address
 advertise-address = module.control_planes[count.index].private_ipv4_address
 node-taint = var.allow_scheduling_on_control_plane ? [] : ["node-role.kubernetes.io/master:NoSchedule"]
 node-label = var.automatically_upgrade_k3s ? ["k3s_upgrade=true"] : []
+ disable-network-policy = var.cni_plugin == "calico" ? true : var.disable_network_policy
 },
- var.cni_plugin == "flannel" ? {
- flannel-iface = "eth1"
- } : {},
 var.cni_plugin == "calico" ? {
- flannel-backend = "none",
- disable-network-policy = true,
- kube-controller-manager-arg = "flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins/nodeagent~uds",
+ flannel-backend = "none"
+ kube-controller-manager-arg = "flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins/nodeagent~uds"
 } : {}))
 destination = "/tmp/config.yaml"
 }
diff --git a/init.tf b/init.tf
index b2700e0..6656380 100644
--- a/init.tf
+++ b/init.tf
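Review bot: The calico override `var.cni_plugin == "calico" ? true : var.disable_network_policy` is written out here and again in the `first_control_plane` hunk of init.tf, so the two server configs can drift if only one copy is edited later. `local.disable_extras` shows a locals block is already in use; define `disable_network_policy = var.cni_plugin == "calico" || var.disable_network_policy` there once and set `disable-network-policy = local.disable_network_policy` in both resources. Separately, `flannel-iface = "eth1"` is now emitted for calico as well, next to `flannel-backend = "none"`; if k3s ignores the key in that case, a one-line comment saying so would save the next reader the question. The resource body starts above this hunk, so the surrounding `merge(...)` call is only partly visible.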
@@ -14,19 +14,17 @@ resource "null_resource" "first_control_plane" { cluster-init = true disable-cloud-controller = true disable = local.disable_extras + flannel-iface = "eth1" kubelet-arg = "cloud-provider=external" node-ip = module.control_planes[0].private_ipv4_address advertise-address = module.control_planes[0].private_ipv4_address node-taint = var.allow_scheduling_on_control_plane ? [] : ["node-role.kubernetes.io/master:NoSchedule"] node-label = var.automatically_upgrade_k3s ? ["k3s_upgrade=true"] : [] + disable-network-policy = var.cni_plugin == "calico" ? true : var.disable_network_policy }, - var.cni_plugin == "flannel" ? { - flannel-iface = "eth1" - } : {}, var.cni_plugin == "calico" ? { - flannel-backend = "none", - disable-network-policy = true, - kube-controller-manager-arg = "flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins/nodeagent~uds", + flannel-backend = "none" + kube-controller-manager-arg = "flex-volume-plugin-dir=/var/lib/kubelet/volumeplugins/nodeagent~uds" } : {})) destination = "/tmp/config.yaml" } diff --git a/terraform.tfvars.example b/terraform.tfvars.example index 95edd22..4b053ac 100644 --- a/terraform.tfvars.example +++ b/terraform.tfvars.example @@ -101,3 +101,7 @@ load_balancer_type = "lb11" # If you want to configure a different CNI for k3s, use this flag # possible values: flannel (Default), calico # cni_plugin = "flannel" + +# If you want to disable the k3s default network policy controller, use this flag +# Calico overrides this value to true automatically +# disable_network_policy = false diff --git a/variables.tf b/variables.tf index b023b6d..3775930 100644 --- a/variables.tf +++ b/variables.tf @@ -145,6 +145,12 @@ variable "traefik_additional_options" { } +variable "disable_network_policy" { + type = bool + default = false + description = "Disable k3s default network policy controller (default false, automatically true for calico)" +} + variable "cni_plugin" { type = string default = "flannel"
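Review bot: The description of `disable_network_policy` in variables.tf names the switch but not its consequence. With `cni_plugin = "flannel"` the embedded k3s controller appears to be the only component enforcing NetworkPolicy resources, so setting the variable to true leaves policies accepted by the API server but with no effect on traffic. I would spell that out, for example `description = "Disable the k3s embedded network policy controller. With flannel nothing else enforces NetworkPolicy resources, so they will have no effect. Forced to true for calico, which enforces policies itself."`. The same caveat belongs in the comment added to terraform.tfvars.example, since that is where most users will flip the flag.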