diff --git a/charts/cluster-addons/templates/cni-cilium.yaml b/charts/cluster-addons/templates/cni-cilium.yaml
index d903dbb..cf5c16c 100644
--- a/charts/cluster-addons/templates/cni-cilium.yaml
+++ b/charts/cluster-addons/templates/cni-cilium.yaml
@@ -2,6 +2,37 @@
 {{- include "cluster-addons.job.defaults" (list . "cni-cilium") }}
 installType: helm
 helm: {{ toYaml .Values.cni.cilium | nindent 2 }}
+{{- $kubeProxyReplacement := dig "kubeProxyReplacement" "probe" .Values.cni.cilium.release.values }}
+{{- if eq $kubeProxyReplacement "strict" }}
+{{- $hasServiceHost := hasKey .Values.cni.cilium.release.values "k8sServiceHost" }}
+{{- $hasServicePort := hasKey .Values.cni.cilium.release.values "k8sServicePort" }}
+{{- if or (and $hasServiceHost $hasServicePort) .Values.kubeconfigSecret.name }}
+{{- if not (and $hasServiceHost $hasServicePort) }}
+hooks:
+ {{/* Point Cilium at the Kubernetes server targetted by the kubeconfig file */}}
+ preInstall: |
+ SERVER="$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')"
+ SCHEME="$(echo "$SERVER" | cut -d':' -f1)"
+ ADDRESS="$(echo "$SERVER" | cut -d'/' -f3)"
+ HOST="$(echo "$ADDRESS" | cut -d':' -f1)"
+ if grep -q ":" <<< "$ADDRESS"; then
+ PORT="$(echo "$ADDRESS" | cut -d':' -f2)"
+ else
+ if [ "$SCHEME" = "http" ]; then
+ PORT=80
+ else
+ PORT=443
+ fi
+ fi
+
+ HELM_EXTRA_ARGS="--set k8sServiceHost=$HOST"
+ HELM_EXTRA_ARGS="$HELM_EXTRA_ARGS --set k8sServicePort=$PORT"
+ export HELM_EXTRA_ARGS
+{{- end }}
+{{- else }}
+{{- fail "k8sServiceHost and k8sServicePort must be specified when using a service account with kubeProxyReplacement=strict" }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{-
diff --git a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml
index 231eee5..2a7202e 100644
--- a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml
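Review bot: The host/port parsing in the new `preInstall` hook breaks on an IPv6 API server address such as `https://[fd00::1]:6443`: `grep -q ":"` matches the literal itself, so `cut -d':' -f1` / `-f2` hand Cilium a fragment of the address as `k8sServiceHost` and `PORT` becomes `[fd00`. It also never fails closed — if `kubectl config view` prints nothing, `HOST` is empty, `PORT` quietly defaults to 443, and the chart installs Cilium in strict mode pointed at no API server, which is exactly the kube-proxy-less chicken-and-egg the hook exists to avoid. Rewriting the parse with parameter expansion and a `case` over the bracketed form, plus an explicit abort on an empty `SERVER`, covers both; whether Cilium wants the bare IPv6 address or the bracketed one should be confirmed against the Cilium chart rather than taken from this sketch.
```yaml
  preInstall: |
    SERVER="$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')"
    [ -n "$SERVER" ] || { echo "cni-cilium: could not read the API server address from the kubeconfig" >&2; exit 1; }
    SCHEME="${SERVER%%:*}"
    ADDRESS="${SERVER#*://}"; ADDRESS="${ADDRESS%%/*}"
    # A bracketed IPv6 literal must not be split on ':'. Cilium appears to take
    # the bare address and re-add brackets itself - confirm against the chart.
    case "$ADDRESS" in
      \[*\]:*) HOST="${ADDRESS%%]:*}"; HOST="${HOST#\[}"; PORT="${ADDRESS##*]:}" ;;
      \[*\])   HOST="${ADDRESS#\[}"; HOST="${HOST%\]}"; PORT="" ;;
      *:*)     HOST="${ADDRESS%%:*}"; PORT="${ADDRESS##*:}" ;;
      *)       HOST="$ADDRESS"; PORT="" ;;
    esac
    if [ -z "$PORT" ]; then
      if [ "$SCHEME" = "http" ]; then PORT=80; else PORT=443; fi
    fi
    # … unchanged: HELM_EXTRA_ARGS assignment and export …
```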
+++ b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml
@@ -1,18 +1,32 @@
 {{/*
-Produces the spec for the controlplane kubeadmconfig object, with support for KubeProxyConfiguration.
+Produces the spec for the controlplane kubeadmconfig object, with support for KubeProxyConfiguration
+and the skipPhases flag of InitConfiguration.
 */}}
 {{- define "openstack-cluster.controlplane.kubeadmConfigSpec" -}}
-{{- $kubeadmConfigSpec := omit . "kubeProxyConfiguration" "files" "preKubeadmCommands" }}
+{{- $kubeadmConfigSpec := omit . "initConfiguration" "kubeProxyConfiguration" "files" "preKubeadmCommands" }}
+{{- $initConfiguration := omit (dig "initConfiguration" dict .) "skipPhases" }}
+{{- $skipPhases := dig "initConfiguration" "skipPhases" list . }}
 {{- $kubeProxyConfiguration := dig "kubeProxyConfiguration" dict . }}
 {{- $files := dig "files" list . }}
 {{- $preKubeadmCommands := dig "preKubeadmCommands" list . }}
 {{- with $kubeadmConfigSpec }}
 {{- toYaml . }}
 {{- end }}
+{{- with $initConfiguration }}
+initConfiguration: {{ toYaml $initConfiguration | nindent 2 }}
+{{- end }}
+{{- if or $files $skipPhases $kubeProxyConfiguration }}
 files:
 {{- range $files }}
 - {{ toYaml . | nindent 4 }}
 {{- end }}
+ {{- if $skipPhases }}
+ - path: /run/kubeadm/skip-phases.yaml
+ content: |
+ skipPhases: {{ toYaml $skipPhases | nindent 8 }}
+ owner: root:root
+ permissions: "0644"
+ {{- end }}
 {{- with $kubeProxyConfiguration }}
 - path: /run/kubeadm/kube-proxy-configuration.yaml
 content: |
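Review bot: The header comment now mentions skipPhases but nothing explains why the key is stripped from `initConfiguration` (`omit ... "skipPhases"`) and smuggled into `/run/kubeadm/kubeadm.yaml` through a written file instead of being rendered into the KubeadmControlPlane spec; presumably the CAPI bootstrap API version this chart targets does not accept `initConfiguration.skipPhases`, but that is an inference a maintainer should not have to make. Suggest a why-comment on the `$initConfiguration` line, e.g. `{{/* skipPhases is removed here and appended to kubeadm.yaml from preKubeadmCommands: the KubeadmConfigSpec API in use does not expose it directly (confirm against the pinned CAPI version) */}}`. It is also worth stating that `omit` on the `dig` result yields an empty map when a user supplies only `skipPhases`, which is the reason the `with $initConfiguration` guard is needed. The `define` and the `files:` list continue beyond this hunk.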
@@ -23,14 +37,25 @@ files:
 owner: root:root
 permissions: "0644"
 {{- end }}
+{{- end }}
+{{- if or $preKubeadmCommands $skipPhases $kubeProxyConfiguration }}
 preKubeadmCommands:
 {{- range $preKubeadmCommands }}
 - {{ . }}
 {{- end }}
+ {{- if $skipPhases }}
+ - cat /run/kubeadm/skip-phases.yaml >> /run/kubeadm/kubeadm.yaml
+ {{- end }}
 {{- if $kubeProxyConfiguration }}
 - cat /run/kubeadm/kube-proxy-configuration.yaml >> /run/kubeadm/kubeadm.yaml
 {{- end }}
 {{- end }}
+{{- end }}
+
+{{- $skipPhases := dig "kubeadmConfigSpec" "initConfiguration" "skipPhases" list .Values.controlPlane }}
+{{- if and $skipPhases (semverCompare "<1.22.0" .Values.global.kubernetesVersion) }}
+{{- fail "skipPhases is only supported for Kubernetes 1.22 and higher" }}
+{{- end }}
 ---
 apiVersion: controlplane.cluster.x-k8s.io/v1beta1
diff --git a/charts/openstack-cluster/values.yaml b/charts/openstack-cluster/values.yaml
index 2581859..24d1ab7 100644
--- a/charts/openstack-cluster/values.yaml
+++ b/charts/openstack-cluster/values.yaml
@@ -116,6 +116,9 @@ controlPlane:
 name: '{{ local_hostname }}'
 kubeletExtraArgs:
 cloud-provider: external
+ # In the default configuration, Cilium is the CNI and we want to use the kube-proxy replacement
+ skipPhases:
+ - addon/kube-proxy
 # As well as enabling an external cloud provider, we set the bind addresses for the
 # etcd metrics, controller-manager, scheduler and kube-proxy to 0.0.0.0 so that Prometheus
 # can reach them to collect metrics
@@ -246,6 +249,15 @@ addons:
 kubeconfigSecret:
 name: "{{ include \"openstack-cluster.componentName\" (list . \"kubeconfig\") }}"
 key: value
+ # Deploy Cilium with the kube-proxy replacement enabled
+ cni:
+ cilium:
+ release:
+ values:
+ kubeProxyReplacement: strict
+ bpf:
+ hostRouting: false
+ masquerade: true
 # By default, enable the OpenStack integrations
 openstack:
 enabled: true
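Review bot: Appending `skipPhases:` to `/run/kubeadm/kubeadm.yaml` with `cat >>` puts the key into whatever YAML document is last in that file, and this spec is also rendered for control-plane nodes that join an existing cluster, where the last document is a JoinConfiguration rather than an InitConfiguration. With the chart default of `addon/kube-proxy` that hands `kubeadm join` a phase name it does not have; as far as I recall kubeadm's phase runner rejects unknown names with "invalid phase name", which would break control-plane scale-out, so this wants a test with more than one control-plane replica before it merges. The new `cat` also relies on running before the kube-proxy-configuration append, which presumably opens a fresh document; the order is right but nothing says it is deliberate, so a comment such as `# must precede kube-proxy-configuration, which starts a new YAML document` on the added line would pin it. The `preKubeadmCommands` list and the enclosing define begin in the previous hunk.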
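Review bot: The new `skipPhases` default removes kube-proxy from every control plane unconditionally, but nothing ties it to the `kubeProxyReplacement: strict` setting further down in this file, so a deployment that switches CNI or relaxes the replacement mode inherits a cluster with no Service routing and no complaint from the chart. The comment should say the two settings move together, e.g. `# addons.cni.cilium.release.values.kubeProxyReplacement=strict relies on this; if you change the CNI or the replacement mode, remove this entry or Services will have no datapath`. A render-time check in the control-plane template that fails when `addon/kube-proxy` is skipped while the replacement is not `strict` would be stronger, if the addons values are reachable from there.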
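Review bot: `kubeProxyReplacement: strict` silently depends on the cni-cilium template's preInstall hook deriving `k8sServiceHost`/`k8sServicePort` from the `kubeconfigSecret` declared just above (or on both keys being set explicitly), and nothing here says so; anyone who replaces `release.values` wholesale or drops the secret will hit the template's `fail`, or a Cilium agent with no route to the API server. Suggest `# strict mode needs k8sServiceHost/k8sServicePort; the cni-cilium template derives them from kubeconfigSecret unless both are set here` above the key. The address it derives is whatever that kubeconfig's `server` field points at, so if that is an external endpoint every node's API traffic will take that path — worth confirming that is intended.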