diff --git a/boot/rootlesskit.sh b/boot/rootlesskit.sh
index a187d78..2bff38d 100755
--- a/boot/rootlesskit.sh
+++ b/boot/rootlesskit.sh
@@ -13,7 +13,7 @@ rk_state_dir=$XDG_RUNTIME_DIR/usernetes/rootlesskit
 : ${U7S_ROOTLESSKIT_FLAGS=}
 : ${U7S_ROOTLESSKIT_PORTS=}
 : ${U7S_FLANNEL=}
-: ${U7S_CALICO=}
+: ${U7S_CALICO=0}
 
 : ${_U7S_CHILD=0}
 if [[ $_U7S_CHILD == 0 ]]; then
@@ -66,8 +66,9 @@ else
 
 	# Copy CNI config to /etc/cni/net.d (Likely to be hardcoded in CNI installers)
 	mkdir -p /etc/cni/net.d
-	# Disabled default cni because we are using calico
-	if [[ $U7S_CALICO != 1 ]]; then
+	
+	# Disable bridge cni when using calico
+	if [[ $U7S_CALICO == 0 ]]; then
 		cp -f $U7S_BASE_DIR/config/cni_net.d/* /etc/cni/net.d
 	fi
 	if [[ $U7S_FLANNEL == 1 ]]; then
diff --git a/install.sh b/install.sh
index 6ea746e..4fdde2f 100755
--- a/install.sh
+++ b/install.sh
@@ -429,6 +429,13 @@ EOF
 	fi
 fi
 
+# Need to enable calico before starting rootlesskit
+if [ "$cni" = "calico" ]; then
+	cat <<EOF >>${config_dir}/usernetes/env
+U7S_CALICO=1
+EOF
+fi
+
 ### Secret encryption
 if [ ! -f ${config_dir}/usernetes/master/secrets-encryption.yml ]; then
 	INFO "Enabling secrets encryption"
@@ -492,9 +499,6 @@ subjects:
     name: kubernetes
 EOF
 	if [ "$cni" = "calico" ]; then
-		cat <<EOF >>${config_dir}/usernetes/env
-U7S_CALICO=1
-EOF
 		INFO "Installing calico"
 		set -x
 		kubectl create -f ${base}/manifests/calico/tigera-operator.yml