A big THANK YOU!
I also upgraded from an old rancher 2.2 installation to 2.5.5 and upgraded to k8s v1.19.6 and expierienced RBAC errors in the calico-kube-controllers which prevented other services to start too.
Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "9432925e5ab168c63b37d973e3ebb77d4768dda0ff9019b46826828c2b7d5304" network for pod "memcached-vdqs7-0": networkPlugin cni failed to set up pod "memcached-vdqs7-0_memcached-pmlbw" network: error getting ClusterInformation: connection is unauthorized: clusterinformations.crd.projectcalico.org "default" is forbidden: User "system:node" cannot get resource "clusterinformations" in API group "crd.projectcalico.org" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "calico-node" not found, failed to clean up sandbox container "9432925e5ab168c63b37d973e3ebb77d4768dda0ff9019b46826828c2b7d5304" network for pod "memcached-vdqs7-0": networkPlugin cni failed to teardown pod "memcached-vdqs7-0_memcached-pmlbw" network: error getting ClusterInformation: connection is unauthorized: clusterinformations.crd.projectcalico.org "default" is forbidden: User "system:node" cannot get resource "clusterinformations" in API group "crd.projectcalico.org" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "calico-node" not found]
After trying the old comment from github (2) which did not help I finally found your comment.
Your last tip to apply the default from calico-node-rbac.yaml from https://docs.projectcalico.org/manifests/canal.yaml
through calling
kubectl auth reconcile -f /tmp/calico-node-rbac.yaml
did solve the problem for me.
Now I can deploy new Apps from catalog like memcached which was not possible.