diff --git a/kind/calico/custom-resources.yaml b/kind/calico/custom-resources.yaml
new file mode 100644
index 0000000..dbd4bf3
--- /dev/null
+++ b/kind/calico/custom-resources.yaml
@@ -0,0 +1,26 @@
+# This section includes base Calico installation configuration.
+# For more information, see: https://projectcalico.docs.tigera.io/master/reference/installation/api#operator.tigera.io/v1.Installation
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+  name: default
+spec:
+  # Configures Calico networking.
+  calicoNetwork:
+    # Note: The ipPools section cannot be modified post-install.
+    ipPools:
+    - blockSize: 26
+      cidr: 10.244.0.0/16
+      encapsulation: VXLANCrossSubnet
+      natOutgoing: Enabled
+      nodeSelector: all()
+
+---
+
+# This section configures the Calico API server.
+# For more information, see: https://projectcalico.docs.tigera.io/master/reference/installation/api#operator.tigera.io/v1.APIServer
+apiVersion: operator.tigera.io/v1
+kind: APIServer
+metadata:
+  name: default
+spec: {}
\ No newline at end of file
diff --git a/kind/quickstart.md b/kind/quickstart.md
index bf0a38f..f1062ee 100644
--- a/kind/quickstart.md
+++ b/kind/quickstart.md
@@ -20,8 +20,11 @@ export DEVBOX_INGRESS=nginx
 export OIDC_ISSUER_URL=https://keycloak.quadtreeworld.net/realms/master
 # use a mirror for dockerhub
 export DOCKERHUB_PROXY=https://docker-mirror.quadtreeworld.net
-# use canal (flannel + calico) instead of default CNI to test NetworkPolicies
+
+# Install custom CNI
+#export DISABLE_DEFAULT_CNI=true
 export USE_CANAL=1
+#export USE_CALICO=1
 
 # Delete cluster if exists
 kind delete clusters devbox
diff --git a/kind/quickstart.sh b/kind/quickstart.sh
index e671ad3..0b3e2fe 100644
--- a/kind/quickstart.sh
+++ b/kind/quickstart.sh
@@ -8,7 +8,8 @@ echo "-- kind/quickstart.sh"
 echo "---------------------------------------------"
 
 USE_CANAL=${USE_CANAL:-0}
-if [ "$USE_CANAL" != "0" ];
+USE_CALICO=${USE_CALICO:-0}
+if [ "$USE_CANAL" != "0" ] || [ "$USE_CALICO" != "0" ];
 then
     export DISABLE_DEFAULT_CNI=true
 fi
@@ -26,8 +27,27 @@ then
         --for=condition=ready pod \
         --selector=k8s-app=canal \
         --timeout=90s
+
 fi
 
+#---------------------------------------------------------------------------
+# Install calico
+# see https://docs.tigera.io/calico/latest/getting-started/kubernetes/quickstart#install-calico
+#---------------------------------------------------------------------------
+if [ "$USE_CALICO" != "0" ];
+then
+    kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/tigera-operator.yaml
+    # wait for tigera-operator
+    kubectl wait --namespace tigera-operator \
+        --for=condition=ready pod \
+        --selector=k8s-app=tigera-operator \
+        --timeout=90s
+
+    # install calico with consistent pod subnet
+    kubectl apply -f ${SCRIPT_DIR}/calico/custom-resources.yaml
+fi
+
+
 #----------------------------------------
 # Install metric-server
 #----------------------------------------