Avoid use of github.com/pkg/errors functions that capture stack

We are not making use of the stack traces that these functions capture, so we should avoid using them as unnecessary overhead. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit bed1f668) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Avoid use of github.com/pkg/errors functions that capture stack
3cb6c2dc · Brad Davidson · Brad Davidson · ab09acdc · 3cb6c2dc · 3cb6c2dc
Commit 3cb6c2dc authored Mar 04, 2025 by Brad Davidson Committed by Brad Davidson Mar 07, 2025
70 changed files
--- a/cmd/k3s/main.go
+++ b/cmd/k3s/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"context"
+	"errors"
 	"io"
 	"io/fs"
 	"os"
@@ -20,7 +21,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/flock"
 	"github.com/k3s-io/k3s/pkg/untar"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/resolvehome"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/pflag"
@@ -207,7 +208,7 @@ func stageAndRunCLI(cli *cli.Context, cmd string, dataDir string, args []string)
 func stageAndRun(dataDir, cmd string, args []string, calledAsInternal bool) error {
 	dir, err := extract(dataDir)
 	if err != nil {
-		return errors.Wrap(err, "extracting data")
+		return pkgerrors.WithMessage(err, "extracting data")
 	}
 	logrus.Debugf("Asset dir %s", dir)

--- a/cmd/k3s/main_linux.go
+++ b/cmd/k3s/main_linux.go
@@ -7,14 +7,14 @@ import (
 	"os"
 	"syscall"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 )
 const programPostfix = ""
 func runExec(cmd string, args []string, calledAsInternal bool) (err error) {
 	if err := syscall.Exec(cmd, args, os.Environ()); err != nil {
-		return errors.Wrapf(err, "exec %s failed", cmd)
+		return pkgerrors.WithMessagef(err, "exec %s failed", cmd)
 	}
 	return nil
 }
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@@ -9,6 +9,7 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -32,7 +33,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/k3s-io/k3s/pkg/vpn"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	certutil "github.com/rancher/dynamiclistener/cert"
 	"github.com/rancher/wharfie/pkg/registries"
 	"github.com/rancher/wrangler/v3/pkg/slice"
@@ -247,7 +248,7 @@ func upgradeOldNodePasswordPath(oldNodePasswordFile, newNodePasswordFile string)
 func getKubeletServingCert(nodeName string, nodeIPs []net.IP, certFile, keyFile, nodePasswordFile string, info *clientaccess.Info) error {
 	csr, err := getCSRBytes(keyFile)
 	if err != nil {
-		return errors.Wrapf(err, "failed to create certificate request %s", certFile)
+		return pkgerrors.WithMessagef(err, "failed to create certificate request %s", certFile)
 	}
 	basename := filepath.Base(certFile)
@@ -261,11 +262,11 @@ func getKubeletServingCert(nodeName string, nodeIPs []net.IP, certFile, keyFile,
 	// must be used instead of the one we signed the CSR with.
 	certBytes, keyBytes := splitCertKeyPEM(body)
 	if err := os.WriteFile(certFile, certBytes, 0600); err != nil {
-		return errors.Wrapf(err, "failed to write cert %s", certFile)
+		return pkgerrors.WithMessagef(err, "failed to write cert %s", certFile)
 	}
 	if len(keyBytes) > 0 {
 		if err := os.WriteFile(keyFile, keyBytes, 0600); err != nil {
-			return errors.Wrapf(err, "failed to write key %s", keyFile)
+			return pkgerrors.WithMessagef(err, "failed to write key %s", keyFile)
 		}
 	}
 	return nil
@@ -279,7 +280,7 @@ func getHostFile(filename string, info *clientaccess.Info) error {
 		return err
 	}
 	if err := os.WriteFile(filename, fileBytes, 0600); err != nil {
-		return errors.Wrapf(err, "failed to write cert %s", filename)
+		return pkgerrors.WithMessagef(err, "failed to write cert %s", filename)
 	}
 	return nil
 }
@@ -291,7 +292,7 @@ func getHostFile(filename string, info *clientaccess.Info) error {
 func getClientCert(certFile, keyFile string, info *clientaccess.Info) error {
 	csr, err := getCSRBytes(keyFile)
 	if err != nil {
-		return errors.Wrapf(err, "failed to create certificate request %s", certFile)
+		return pkgerrors.WithMessagef(err, "failed to create certificate request %s", certFile)
 	}
 	basename := filepath.Base(certFile)
@@ -305,11 +306,11 @@ func getClientCert(certFile, keyFile string, info *clientaccess.Info) error {
 	// must be used instead of the one we signed the CSR with.
 	certBytes, keyBytes := splitCertKeyPEM(fileBytes)
 	if err := os.WriteFile(certFile, certBytes, 0600); err != nil {
-		return errors.Wrapf(err, "failed to write cert %s", certFile)
+		return pkgerrors.WithMessagef(err, "failed to write cert %s", certFile)
 	}
 	if len(keyBytes) > 0 {
 		if err := os.WriteFile(keyFile, keyBytes, 0600); err != nil {
-			return errors.Wrapf(err, "failed to write key %s", keyFile)
+			return pkgerrors.WithMessagef(err, "failed to write key %s", keyFile)
 		}
 	}
 	return nil
@@ -352,7 +353,7 @@ func splitCertKeyPEM(bytes []byte) (certPem []byte, keyPem []byte) {
 func getKubeletClientCert(certFile, keyFile, nodeName string, nodeIPs []net.IP, nodePasswordFile string, info *clientaccess.Info) error {
 	csr, err := getCSRBytes(keyFile)
 	if err != nil {
-		return errors.Wrapf(err, "failed to create certificate request %s", certFile)
+		return pkgerrors.WithMessagef(err, "failed to create certificate request %s", certFile)
 	}
 	basename := filepath.Base(certFile)
@@ -366,11 +367,11 @@ func getKubeletClientCert(certFile, keyFile, nodeName string, nodeIPs []net.IP, 
 	// must be used instead of the one we signed the CSR with.
 	certBytes, keyBytes := splitCertKeyPEM(body)
 	if err := os.WriteFile(certFile, certBytes, 0600); err != nil {
-		return errors.Wrapf(err, "failed to write cert %s", certFile)
+		return pkgerrors.WithMessagef(err, "failed to write cert %s", certFile)
 	}
 	if len(keyBytes) > 0 {
 		if err := os.WriteFile(keyFile, keyBytes, 0600); err != nil {
-			return errors.Wrapf(err, "failed to write key %s", keyFile)
+			return pkgerrors.WithMessagef(err, "failed to write key %s", keyFile)
 		}
 	}
 	return nil
@@ -437,13 +438,13 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	controlConfig, err := getConfig(info)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to retrieve configuration from server")
+		return nil, pkgerrors.WithMessage(err, "failed to retrieve configuration from server")
 	}
 	// If the supervisor and externally-facing apiserver are not on the same port, tell the proxy where to find the apiserver.
 	if controlConfig.SupervisorPort != controlConfig.HTTPSPort {
 		isIPv6 := utilsnet.IsIPv6(net.ParseIP(util.GetFirstValidIPString(envInfo.NodeIP)))
 		if err := proxy.SetAPIServerPort(controlConfig.HTTPSPort, isIPv6); err != nil {
-			return nil, errors.Wrapf(err, "failed to set apiserver port to %d", controlConfig.HTTPSPort)
+			return nil, pkgerrors.WithMessagef(err, "failed to set apiserver port to %d", controlConfig.HTTPSPort)
 		}
 	}
 	apiServerURL := proxy.APIServerURL()
@@ -452,7 +453,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	if controlConfig.FlannelBackend != config.FlannelBackendNone && len(envInfo.FlannelIface) > 0 {
 		flannelIface, err = net.InterfaceByName(envInfo.FlannelIface)
 		if err != nil {
-			return nil, errors.Wrapf(err, "unable to find interface %s", envInfo.FlannelIface)
+			return nil, pkgerrors.WithMessagef(err, "unable to find interface %s", envInfo.FlannelIface)
 		}
 	}
@@ -508,7 +509,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 				vpnIPs = append(vpnIPs, vpnInfo.IPv4Address)
 			}
 		} else {
-			return nil, errors.Errorf("address family mismatch when assigning VPN addresses to node: node=%v, VPN ipv4=%v ipv6=%v", nodeIPs, vpnInfo.IPv4Address, vpnInfo.IPv6Address)
+			return nil, fmt.Errorf("address family mismatch when assigning VPN addresses to node: node=%v, VPN ipv4=%v ipv6=%v", nodeIPs, vpnInfo.IPv4Address, vpnInfo.IPv6Address)
 		}
 		// Overwrite nodeip and flannel interface and throw a warning if user explicitly set those parameters
@@ -523,7 +524,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 			nodeIPs = vpnIPs
 			flannelIface, err = net.InterfaceByName(vpnInfo.VPNInterface)
 			if err != nil {
-				return nil, errors.Wrapf(err, "unable to find vpn interface: %s", vpnInfo.VPNInterface)
+				return nil, pkgerrors.WithMessagef(err, "unable to find vpn interface: %s", vpnInfo.VPNInterface)
 			}
 		}
 	}
@@ -558,12 +559,12 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	// Ask the server to sign our kubelet server cert.
 	if err := getKubeletServingCert(nodeName, nodeExternalAndInternalIPs, servingKubeletCert, servingKubeletKey, newNodePasswordFile, info); err != nil {
-		return nil, errors.Wrap(err, servingKubeletCert)
+		return nil, pkgerrors.WithMessage(err, servingKubeletCert)
 	}
 	// Ask the server to sign our kubelet client cert.
 	if err := getKubeletClientCert(clientKubeletCert, clientKubeletKey, nodeName, nodeIPs, newNodePasswordFile, info); err != nil {
-		return nil, errors.Wrap(err, clientKubeletCert)
+		return nil, pkgerrors.WithMessage(err, clientKubeletCert)
 	}
 	// Generate a kubeconfig for the kubelet.
@@ -577,7 +578,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	// Ask the server to sign our kube-proxy client cert.
 	if err := getClientCert(clientKubeProxyCert, clientKubeProxyKey, info); err != nil {
-		return nil, errors.Wrap(err, clientKubeProxyCert)
+		return nil, pkgerrors.WithMessage(err, clientKubeProxyCert)
 	}
 	// Generate a kubeconfig for kube-proxy.
@@ -591,7 +592,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	// Ask the server to sign our agent controller client cert.
 	if err := getClientCert(clientK3sControllerCert, clientK3sControllerKey, info); err != nil {
-		return nil, errors.Wrap(err, clientK3sControllerCert)
+		return nil, pkgerrors.WithMessage(err, clientK3sControllerCert)
 	}
 	// Generate a kubeconfig for the agent controller.
@@ -653,7 +654,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	} else {
 		listenAddress, _, _, err := util.GetDefaultAddresses(nodeIPs[0])
 		if err != nil {
-			return nil, errors.Wrap(err, "cannot configure IPv4/IPv6 node-ip")
+			return nil, pkgerrors.WithMessage(err, "cannot configure IPv4/IPv6 node-ip")
 		}
 		nodeConfig.AgentConfig.ListenAddress = listenAddress
 	}
@@ -684,7 +685,7 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N
 	if !nodeConfig.NoFlannel {
 		hostLocal, err := exec.LookPath("host-local")
 		if err != nil {
-			return nil, errors.Wrapf(err, "failed to find host-local")
+			return nil, pkgerrors.WithMessagef(err, "failed to find host-local")
 		}
 		if envInfo.FlannelConf == "" {
@@ -851,7 +852,7 @@ func getKubeProxyDisabled(ctx context.Context, node *config.Node, proxy proxy.Pr
 	controlConfig, err := getConfig(info)
 	if err != nil {
-		return false, errors.Wrap(err, "failed to retrieve configuration from server")
+		return false, pkgerrors.WithMessage(err, "failed to retrieve configuration from server")
 	}
 	return controlConfig.DisableKubeProxy, nil

--- a/pkg/agent/config/config_linux.go
+++ b/pkg/agent/config/config_linux.go
@@ -4,13 +4,14 @@
 package config
 import (
+	"errors"
 	"os"
 	"path/filepath"
 	"github.com/k3s-io/k3s/pkg/agent/containerd"
 	"github.com/k3s-io/k3s/pkg/cli/cmds"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -24,17 +25,17 @@ func applyContainerdOSSpecificConfig(nodeConfig *config.Node) error {
 	switch nodeConfig.AgentConfig.Snapshotter {
 	case "overlayfs":
 		if err := containerd.OverlaySupported(nodeConfig.Containerd.Root); err != nil {
-			return errors.Wrapf(err, "\"overlayfs\" snapshotter cannot be enabled for %q, try using \"fuse-overlayfs\" or \"native\"",
+			return pkgerrors.WithMessagef(err, "\"overlayfs\" snapshotter cannot be enabled for %q, try using \"fuse-overlayfs\" or \"native\"",
 				nodeConfig.Containerd.Root)
 		}
 	case "fuse-overlayfs":
 		if err := containerd.FuseoverlayfsSupported(nodeConfig.Containerd.Root); err != nil {
-			return errors.Wrapf(err, "\"fuse-overlayfs\" snapshotter cannot be enabled for %q, try using \"native\"",
+			return pkgerrors.WithMessagef(err, "\"fuse-overlayfs\" snapshotter cannot be enabled for %q, try using \"native\"",
 				nodeConfig.Containerd.Root)
 		}
 	case "stargz":
 		if err := containerd.StargzSupported(nodeConfig.Containerd.Root); err != nil {
-			return errors.Wrapf(err, "\"stargz\" snapshotter cannot be enabled for %q, try using \"overlayfs\" or \"native\"",
+			return pkgerrors.WithMessagef(err, "\"stargz\" snapshotter cannot be enabled for %q, try using \"overlayfs\" or \"native\"",
 				nodeConfig.Containerd.Root)
 		}
 		nodeConfig.AgentConfig.ImageServiceSocket = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock"

--- a/pkg/agent/config/config_windows.go
+++ b/pkg/agent/config/config_windows.go
@@ -8,7 +8,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/cli/cmds"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/permissions/pkg/access"
 	"github.com/rancher/permissions/pkg/acl"
 	"github.com/rancher/permissions/pkg/sid"
@@ -46,7 +46,7 @@ func configureACL(file string) error {
 		access.GrantSid(windows.GENERIC_ALL, sid.LocalSystem()),
 		access.GrantSid(windows.GENERIC_ALL, sid.BuiltinAdministrators()),
 	}...); err != nil {
-		return errors.Wrapf(err, "failed to configure Access Control List For %s", file)
+		return pkgerrors.WithMessagef(err, "failed to configure Access Control List For %s", file)
 	}
 	return nil

--- a/pkg/agent/containerd/config_linux.go
+++ b/pkg/agent/containerd/config_linux.go
@@ -4,6 +4,7 @@
 package containerd
 import (
+	"fmt"
 	"os"
 	containerd "github.com/containerd/containerd/v2/client"
@@ -16,7 +17,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/moby/sys/userns"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 	"k8s.io/cri-client/pkg/util"
@@ -78,7 +79,7 @@ func SetupContainerdConfig(cfg *config.Node) error {
 	// Verifies if the DefaultRuntime can be found
 	if _, ok := extraRuntimes[cfg.DefaultRuntime]; !ok && cfg.DefaultRuntime != "" {
-		return errors.Errorf("default runtime %s was not found", cfg.DefaultRuntime)
+		return fmt.Errorf("default runtime %s was not found", cfg.DefaultRuntime)
 	}
 	containerdConfig := templates.ContainerdConfig{
@@ -96,7 +97,7 @@ func SetupContainerdConfig(cfg *config.Node) error {
 	selEnabled, selConfigured, err := selinuxStatus()
 	if err != nil {
-		return errors.Wrap(err, "failed to detect selinux")
+		return pkgerrors.WithMessage(err, "failed to detect selinux")
 	}
 	switch {
 	case !cfg.SELinux && selEnabled:

--- a/pkg/agent/containerd/config_windows.go
+++ b/pkg/agent/containerd/config_windows.go
@@ -10,7 +10,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/agent/templates"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	util3 "github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/cri-client/pkg/util"
 )
@@ -68,13 +68,13 @@ func Client(address string) (*containerd.Client, error) {
 }
 func OverlaySupported(root string) error {
-	return errors.Wrapf(util3.ErrUnsupportedPlatform, "overlayfs is not supported")
+	return pkgerrors.WithMessagef(util3.ErrUnsupportedPlatform, "overlayfs is not supported")
 }
 func FuseoverlayfsSupported(root string) error {
-	return errors.Wrapf(util3.ErrUnsupportedPlatform, "fuse-overlayfs is not supported")
+	return pkgerrors.WithMessagef(util3.ErrUnsupportedPlatform, "fuse-overlayfs is not supported")
 }
 func StargzSupported(root string) error {
-	return errors.Wrapf(util3.ErrUnsupportedPlatform, "stargz is not supported")
+	return pkgerrors.WithMessagef(util3.ErrUnsupportedPlatform, "stargz is not supported")
 }
--- a/pkg/agent/containerd/containerd.go
+++ b/pkg/agent/containerd/containerd.go
@@ -3,6 +3,7 @@ package containerd
 import (
 	"bufio"
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -22,7 +23,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/natefinch/lumberjack"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wharfie/pkg/tarfile"
 	"github.com/rancher/wrangler/v3/pkg/merr"
 	"github.com/sirupsen/logrus"
@@ -145,12 +146,12 @@ func PreloadImages(ctx context.Context, cfg *config.Node) error {
 	// At startup all leases from k3s are cleared; we no longer use leases to lock content
 	if err := clearLeases(ctx, client); err != nil {
-		return errors.Wrap(err, "failed to clear leases")
+		return pkgerrors.WithMessage(err, "failed to clear leases")
 	}
 	// Clear the pinned labels on all images previously pinned by k3s
 	if err := clearLabels(ctx, client); err != nil {
-		return errors.Wrap(err, "failed to clear pinned labels")
+		return pkgerrors.WithMessage(err, "failed to clear pinned labels")
 	}
 	go watchImages(ctx, cfg)
@@ -207,7 +208,7 @@ func preloadFile(ctx context.Context, cfg *config.Node, client *containerd.Clien
 		logrus.Infof("Pulling images from %s", filePath)
 		images, err = prePullImages(ctx, client, imageClient, file)
 		if err != nil {
-			return errors.Wrap(err, "failed to pull images from "+filePath)
+			return pkgerrors.WithMessage(err, "failed to pull images from "+filePath)
 		}
 	} else {
 		opener, err := tarfile.GetOpener(filePath)
@@ -224,15 +225,15 @@ func preloadFile(ctx context.Context, cfg *config.Node, client *containerd.Clien
 		logrus.Infof("Importing images from %s", filePath)
 		images, err = client.Import(ctx, imageReader, containerd.WithAllPlatforms(true), containerd.WithSkipMissing())
 		if err != nil {
-			return errors.Wrap(err, "failed to import images from "+filePath)
+			return pkgerrors.WithMessage(err, "failed to import images from "+filePath)
 		}
 	}
 	if err := labelImages(ctx, client, images, filepath.Base(filePath)); err != nil {
-		return errors.Wrap(err, "failed to add pinned label to images")
+		return pkgerrors.WithMessage(err, "failed to add pinned label to images")
 	}
 	if err := retagImages(ctx, client, images, cfg.AgentConfig.AirgapExtraRegistry); err != nil {
-		return errors.Wrap(err, "failed to retag images")
+		return pkgerrors.WithMessage(err, "failed to retag images")
 	}
 	for _, image := range images {
@@ -271,7 +272,7 @@ func clearLabels(ctx context.Context, client *containerd.Client) error {
 		delete(image.Labels, k3sPinnedImageLabelKey)
 		delete(image.Labels, criPinnedImageLabelKey)
 		if _, err := imageService.Update(ctx, image, "labels"); err != nil {
-			errs = append(errs, errors.Wrap(err, "failed to delete labels from image "+image.Name))
+			errs = append(errs, pkgerrors.WithMessage(err, "failed to delete labels from image "+image.Name))
 		}
 	}
 	return merr.NewErrors(errs...)
@@ -296,7 +297,7 @@ func labelImages(ctx context.Context, client *containerd.Client, images []images
 		image.Labels[criPinnedImageLabelKey] = criPinnedImageLabelValue
 		updatedImage, err := imageService.Update(ctx, image, "labels")
 		if err != nil {
-			errs = append(errs, errors.Wrap(err, "failed to add labels to image "+image.Name))
+			errs = append(errs, pkgerrors.WithMessage(err, "failed to add labels to image "+image.Name))
 		} else {
 			images[i] = updatedImage
 		}
@@ -313,7 +314,7 @@ func retagImages(ctx context.Context, client *containerd.Client, images []images
 	for _, image := range images {
 		name, err := parseNamedTagged(image.Name)
 		if err != nil {
-			errs = append(errs, errors.Wrap(err, "failed to parse tags for image "+image.Name))
+			errs = append(errs, pkgerrors.WithMessage(err, "failed to parse tags for image "+image.Name))
 			continue
 		}
 		for _, registry := range registries {
@@ -325,15 +326,15 @@ func retagImages(ctx context.Context, client *containerd.Client, images []images
 			if _, err = imageService.Create(ctx, image); err != nil {
 				if errdefs.IsAlreadyExists(err) {
 					if err = imageService.Delete(ctx, image.Name); err != nil {
-						errs = append(errs, errors.Wrap(err, "failed to delete existing image "+image.Name))
+						errs = append(errs, pkgerrors.WithMessage(err, "failed to delete existing image "+image.Name))
 						continue
 					}
 					if _, err = imageService.Create(ctx, image); err != nil {
-						errs = append(errs, errors.Wrap(err, "failed to tag after deleting existing image "+image.Name))
+						errs = append(errs, pkgerrors.WithMessage(err, "failed to tag after deleting existing image "+image.Name))
 						continue
 					}
 				} else {
-					errs = append(errs, errors.Wrap(err, "failed to tag image "+image.Name))
+					errs = append(errs, pkgerrors.WithMessage(err, "failed to tag image "+image.Name))
 					continue
 				}
 			}

--- a/pkg/agent/containerd/watcher.go
+++ b/pkg/agent/containerd/watcher.go
@@ -13,7 +13,7 @@ import (
 	"github.com/fsnotify/fsnotify"
 	"github.com/k3s-io/k3s/pkg/agent/cri"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wharfie/pkg/tarfile"
 	"github.com/rancher/wrangler/v3/pkg/merr"
 	"github.com/sirupsen/logrus"
@@ -52,7 +52,7 @@ func isFileSupported(path string) bool {
 func (w *Watcher) HandleWatch(path string) error {
 	if err := w.watcher.Add(path); err != nil {
-		return errors.Wrap(err, fmt.Sprintf("failed to watch from %s directory: %v", path, err))
+		return pkgerrors.WithMessage(err, fmt.Sprintf("failed to watch from %s directory: %v", path, err))
 	}
 	return nil

--- a/pkg/agent/cridockerd/config_linux.go
+++ b/pkg/agent/cridockerd/config_linux.go
@@ -9,7 +9,7 @@ import (
 	"github.com/docker/docker/client"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 )
 const socketPrefix = "unix://"
@@ -25,11 +25,11 @@ func setupDockerCRIConfig(ctx context.Context, cfg *config.Node) error {
 	}
 	c, err := client.NewClientWithOpts(clientOpts...)
 	if err != nil {
-		return errors.Wrap(err, "failed to create docker client")
+		return pkgerrors.WithMessage(err, "failed to create docker client")
 	}
 	i, err := c.Info(ctx)
 	if err != nil {
-		return errors.Wrap(err, "failed to get docker runtime info")
+		return pkgerrors.WithMessage(err, "failed to get docker runtime info")
 	}
 	// note: this mutatation of the passed agent.Config is later used to set the
 	// kubelet's cgroup-driver flag. This may merit moving to somewhere else in order

--- a/pkg/agent/flannel/flannel.go
+++ b/pkg/agent/flannel/flannel.go
@@ -15,6 +15,7 @@
 package flannel
 import (
+	"errors"
 	"fmt"
 	"math/big"
 	"net"
@@ -28,7 +29,7 @@ import (
 	"github.com/flannel-io/flannel/pkg/subnet/kube"
 	"github.com/flannel-io/flannel/pkg/trafficmngr/iptables"
 	"github.com/joho/godotenv"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/context"
@@ -53,7 +54,7 @@ var (
 func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kubeConfigFile string, flannelIPv6Masq bool, netMode int) error {
 	extIface, err := LookupExtInterface(flannelIface, netMode)
 	if err != nil {
-		return errors.Wrap(err, "failed to find the interface")
+		return pkgerrors.WithMessage(err, "failed to find the interface")
 	}
 	sm, err := kube.NewSubnetManager(ctx,
@@ -63,12 +64,12 @@ func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kube
 		flannelConf,
 		false)
 	if err != nil {
-		return errors.Wrap(err, "failed to create the SubnetManager")
+		return pkgerrors.WithMessage(err, "failed to create the SubnetManager")
 	}
 	config, err := sm.GetNetworkConfig(ctx)
 	if err != nil {
-		return errors.Wrap(err, "failed to get the network config")
+		return pkgerrors.WithMessage(err, "failed to get the network config")
 	}
 	// Create a backend manager then use it to create the backend and register the network with it.
@@ -76,17 +77,17 @@ func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kube
 	be, err := bm.GetBackend(config.BackendType)
 	if err != nil {
-		return errors.Wrap(err, "failed to create the flannel backend")
+		return pkgerrors.WithMessage(err, "failed to create the flannel backend")
 	}
 	bn, err := be.RegisterNetwork(ctx, &sync.WaitGroup{}, config)
 	if err != nil {
-		return errors.Wrap(err, "failed to register flannel network")
+		return pkgerrors.WithMessage(err, "failed to register flannel network")
 	}
 	trafficMngr := &iptables.IPTablesManager{}
 	err = trafficMngr.Init(ctx, &sync.WaitGroup{})
 	if err != nil {
-		return errors.Wrap(err, "failed to initialize flannel ipTables manager")
+		return pkgerrors.WithMessage(err, "failed to initialize flannel ipTables manager")
 	}
 	if netMode == (ipv4+ipv6) || netMode == ipv4 {
@@ -108,7 +109,7 @@ func flannel(ctx context.Context, flannelIface *net.Interface, flannelConf, kube
 		err = trafficMngr.SetupAndEnsureMasqRules(ctx, config.Network, prevSubnet, prevNetwork, ip.IP6Net{}, prevIPv6Subnet, prevIPv6Network, bn.Lease(), 60)
 	}
 	if err != nil {
-		return errors.Wrap(err, "failed to setup masq rules")
+		return pkgerrors.WithMessage(err, "failed to setup masq rules")
 	}
 	//setup forward rules
@@ -136,11 +137,11 @@ func LookupExtInterface(iface *net.Interface, netMode int) (*backend.ExternalInt
 		logrus.Debug("No interface defined for flannel in the config. Fetching the default gateway interface")
 		if netMode == ipv4 || netMode == (ipv4+ipv6) {
 			if iface, err = ip.GetDefaultGatewayInterface(); err != nil {
-				return nil, errors.Wrap(err, "failed to get default interface")
+				return nil, pkgerrors.WithMessage(err, "failed to get default interface")
 			}
 		} else {
 			if iface, err = ip.GetDefaultV6GatewayInterface(); err != nil {
-				return nil, errors.Wrap(err, "failed to get default interface")
+				return nil, pkgerrors.WithMessage(err, "failed to get default interface")
 			}
 		}
 	}
@@ -150,14 +151,14 @@ func LookupExtInterface(iface *net.Interface, netMode int) (*backend.ExternalInt
 	case ipv4:
 		ifaceAddr, err = ip.GetInterfaceIP4Addrs(iface)
 		if err != nil {
-			return nil, errors.Wrap(err, "failed to find IPv4 address for interface")
+			return nil, pkgerrors.WithMessage(err, "failed to find IPv4 address for interface")
 		}
 		logrus.Infof("The interface %s with ipv4 address %s will be used by flannel", iface.Name, ifaceAddr[0])
 		ifacev6Addr = append(ifacev6Addr, nil)
 	case ipv6:
 		ifacev6Addr, err = ip.GetInterfaceIP6Addrs(iface)
 		if err != nil {
-			return nil, errors.Wrap(err, "failed to find IPv6 address for interface")
+			return nil, pkgerrors.WithMessage(err, "failed to find IPv6 address for interface")
 		}
 		logrus.Infof("The interface %s with ipv6 address %s will be used by flannel", iface.Name, ifacev6Addr[0])
 		ifaceAddr = append(ifaceAddr, nil)
@@ -264,7 +265,6 @@ func ReadCIDRsFromSubnetFile(path string, CIDRKey string) []ip.IP4Net {
 	return prevCIDRs
 }
 // ReadIP6CIDRFromSubnetFile reads the flannel subnet file and extracts the value of IPv6 network CIDRKey
 func ReadIP6CIDRFromSubnetFile(path string, CIDRKey string) ip.IP6Net {
 	prevCIDRs := ReadIP6CIDRsFromSubnetFile(path, CIDRKey)

--- a/pkg/agent/flannel/setup.go
+++ b/pkg/agent/flannel/setup.go
@@ -2,6 +2,7 @@ package flannel
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"os"
@@ -12,7 +13,7 @@ import (
 	agentutil "github.com/k3s-io/k3s/pkg/agent/util"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	authorizationv1 "k8s.io/api/authorization/v1"
 	v1 "k8s.io/api/core/v1"
@@ -74,11 +75,11 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 	// Compatibility code for AuthorizeNodeWithSelectors feature-gate.
 	// If the kubelet cannot list nodes, then wait for the k3s-controller RBAC to become ready, and use that kubeconfig instead.
 	if canListNodes, err := util.CheckRBAC(ctx, kubeConfig, resourceAttrs, ""); err != nil {
-		return errors.Wrap(err, "failed to check if RBAC allows node list")
+		return pkgerrors.WithMessage(err, "failed to check if RBAC allows node list")
 	} else if !canListNodes {
 		kubeConfig = nodeConfig.AgentConfig.KubeConfigK3sController
 		if err := util.WaitForRBACReady(ctx, kubeConfig, util.DefaultAPIServerReadyTimeout, resourceAttrs, ""); err != nil {
-			return errors.Wrap(err, "flannel failed to wait for RBAC")
+			return pkgerrors.WithMessage(err, "flannel failed to wait for RBAC")
 		}
 	}
@@ -88,12 +89,12 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 	}
 	if err := waitForPodCIDR(ctx, nodeConfig.AgentConfig.NodeName, coreClient.CoreV1().Nodes()); err != nil {
-		return errors.Wrap(err, "flannel failed to wait for PodCIDR assignment")
+		return pkgerrors.WithMessage(err, "flannel failed to wait for PodCIDR assignment")
 	}
 	netMode, err := findNetMode(nodeConfig.AgentConfig.ClusterCIDRs)
 	if err != nil {
-		return errors.Wrap(err, "failed to check netMode for flannel")
+		return pkgerrors.WithMessage(err, "failed to check netMode for flannel")
 	}
 	go func() {
 		err := flannel(ctx, nodeConfig.FlannelIface, nodeConfig.FlannelConfFile, kubeConfig, nodeConfig.FlannelIPv6Masq, netMode)
@@ -128,7 +129,7 @@ func waitForPodCIDR(ctx context.Context, nodeName string, nodes typedcorev1.Node
 	}
 	if _, err := toolswatch.UntilWithSync(ctx, lw, &v1.Node{}, nil, condition); err != nil {
-		return errors.Wrap(err, "failed to wait for PodCIDR assignment")
+		return pkgerrors.WithMessage(err, "failed to wait for PodCIDR assignment")
 	}
 	logrus.Info("Flannel found PodCIDR assigned for node " + nodeName)

--- a/pkg/agent/loadbalancer/httpproxy.go
+++ b/pkg/agent/loadbalancer/httpproxy.go
@@ -10,7 +10,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/version"
 	http_dialer "github.com/mwitkow/go-http-dialer"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/net/http/httpproxy"
 	"golang.org/x/net/proxy"
@@ -32,14 +32,14 @@ func SetHTTPProxy(address string) error {
 	serverURL, err := url.Parse(address)
 	if err != nil {
-		return errors.Wrapf(err, "failed to parse address %s", address)
+		return pkgerrors.WithMessagef(err, "failed to parse address %s", address)
 	}
 	// Call this directly instead of using the cached environment used by http.ProxyFromEnvironment to allow for testing
 	proxyFromEnvironment := httpproxy.FromEnvironment().ProxyFunc()
 	proxyURL, err := proxyFromEnvironment(serverURL)
 	if err != nil {
-		return errors.Wrapf(err, "failed to get proxy for address %s", address)
+		return pkgerrors.WithMessagef(err, "failed to get proxy for address %s", address)
 	}
 	if proxyURL == nil {
 		logrus.Debug(version.ProgramUpper + "_AGENT_HTTP_PROXY_ALLOWED is true but no proxy is configured for URL " + serverURL.String())
@@ -48,7 +48,7 @@ func SetHTTPProxy(address string) error {
 	dialer, err := proxyDialer(proxyURL, defaultDialer)
 	if err != nil {
-		return errors.Wrapf(err, "failed to create proxy dialer for %s", proxyURL)
+		return pkgerrors.WithMessagef(err, "failed to create proxy dialer for %s", proxyURL)
 	}
 	defaultDialer = dialer

--- a/pkg/agent/netpol/netpol.go
+++ b/pkg/agent/netpol/netpol.go
@@ -27,7 +27,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/metrics"
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	v1core "k8s.io/api/core/v1"
 	"k8s.io/client-go/informers"
@@ -86,7 +86,7 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 		}
 		return true, nil
 	}); err != nil {
-		return errors.Wrapf(err, "network policy controller failed to wait for %s taint to be removed from Node %s", cloudproviderapi.TaintExternalCloudProvider, nodeConfig.AgentConfig.NodeName)
+		return pkgerrors.WithMessagef(err, "network policy controller failed to wait for %s taint to be removed from Node %s", cloudproviderapi.TaintExternalCloudProvider, nodeConfig.AgentConfig.NodeName)
 	}
 	krConfig := options.NewKubeRouterConfig()
@@ -123,13 +123,13 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 	if nodeConfig.AgentConfig.EnableIPv4 {
 		iptHandler, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 		if err != nil {
-			return errors.Wrap(err, "failed to create iptables handler")
+			return pkgerrors.WithMessage(err, "failed to create iptables handler")
 		}
 		iptablesCmdHandlers[v1core.IPv4Protocol] = iptHandler
 		ipset, err := utils.NewIPSet(false)
 		if err != nil {
-			return errors.Wrap(err, "failed to create ipset handler")
+			return pkgerrors.WithMessage(err, "failed to create ipset handler")
 		}
 		ipSetHandlers[v1core.IPv4Protocol] = ipset
 	}
@@ -137,13 +137,13 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 	if nodeConfig.AgentConfig.EnableIPv6 {
 		ipt6Handler, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
 		if err != nil {
-			return errors.Wrap(err, "failed to create iptables handler")
+			return pkgerrors.WithMessage(err, "failed to create iptables handler")
 		}
 		iptablesCmdHandlers[v1core.IPv6Protocol] = ipt6Handler
 		ipset, err := utils.NewIPSet(true)
 		if err != nil {
-			return errors.Wrap(err, "failed to create ipset handler")
+			return pkgerrors.WithMessage(err, "failed to create ipset handler")
 		}
 		ipSetHandlers[v1core.IPv6Protocol] = ipset
 	}
@@ -172,7 +172,7 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
 	npc, err := netpol.NewNetworkPolicyController(client, krConfig, podInformer, npInformer, nsInformer, &sync.Mutex{},
 		iptablesCmdHandlers, ipSetHandlers)
 	if err != nil {
-		return errors.Wrap(err, "unable to initialize network policy controller")
+		return pkgerrors.WithMessage(err, "unable to initialize network policy controller")
 	}
 	podInformer.AddEventHandler(npc.PodEventHandler)

--- a/pkg/agent/proxy/apiproxy.go
+++ b/pkg/agent/proxy/apiproxy.go
@@ -10,7 +10,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/k3s-io/k3s/pkg/agent/loadbalancer"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 )
 type Proxy interface {
@@ -58,7 +58,7 @@ func NewSupervisorProxy(ctx context.Context, lbEnabled bool, dataDir, supervisor
 	u, err := url.Parse(p.initialSupervisorURL)
 	if err != nil {
-		return nil, errors.Wrapf(err, "failed to parse %s", p.initialSupervisorURL)
+		return nil, pkgerrors.WithMessagef(err, "failed to parse %s", p.initialSupervisorURL)
 	}
 	p.fallbackSupervisorAddress = u.Host
 	p.supervisorPort = u.Port()
@@ -140,7 +140,7 @@ func (p *proxy) SetAPIServerPort(port int, isIPv6 bool) error {
 	u, err := url.Parse(p.initialSupervisorURL)
 	if err != nil {
-		return errors.Wrapf(err, "failed to parse server URL %s", p.initialSupervisorURL)
+		return pkgerrors.WithMessagef(err, "failed to parse server URL %s", p.initialSupervisorURL)
 	}
 	p.apiServerPort = strconv.Itoa(port)
 	u.Host = sysnet.JoinHostPort(u.Hostname(), p.apiServerPort)

--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@@ -2,6 +2,7 @@ package agent
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"os"
@@ -34,7 +35,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/spegel"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -57,20 +58,20 @@ import (
 func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 	nodeConfig, err := config.Get(ctx, cfg, proxy)
 	if err != nil {
-		return errors.Wrap(err, "failed to retrieve agent configuration")
+		return pkgerrors.WithMessage(err, "failed to retrieve agent configuration")
 	}
 	dualCluster, err := utilsnet.IsDualStackCIDRs(nodeConfig.AgentConfig.ClusterCIDRs)
 	if err != nil {
-		return errors.Wrap(err, "failed to validate cluster-cidr")
+		return pkgerrors.WithMessage(err, "failed to validate cluster-cidr")
 	}
 	dualService, err := utilsnet.IsDualStackCIDRs(nodeConfig.AgentConfig.ServiceCIDRs)
 	if err != nil {
-		return errors.Wrap(err, "failed to validate service-cidr")
+		return pkgerrors.WithMessage(err, "failed to validate service-cidr")
 	}
 	dualNode, err := utilsnet.IsDualStackIPs(nodeConfig.AgentConfig.NodeIPs)
 	if err != nil {
-		return errors.Wrap(err, "failed to validate node-ip")
+		return pkgerrors.WithMessage(err, "failed to validate node-ip")
 	}
 	serviceIPv4 := utilsnet.IsIPv4CIDR(nodeConfig.AgentConfig.ServiceCIDR)
 	clusterIPv4 := utilsnet.IsIPv4CIDR(nodeConfig.AgentConfig.ClusterCIDR)
@@ -99,7 +100,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 	conntrackConfig, err := getConntrackConfig(nodeConfig)
 	if err != nil {
-		return errors.Wrap(err, "failed to validate kube-proxy conntrack configuration")
+		return pkgerrors.WithMessage(err, "failed to validate kube-proxy conntrack configuration")
 	}
 	syssetup.Configure(enableIPv6, conntrackConfig)
 	nodeConfig.AgentConfig.EnableIPv4 = enableIPv4
@@ -111,19 +112,19 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 		}
 		if err := spegel.DefaultRegistry.Start(ctx, nodeConfig); err != nil {
-			return errors.Wrap(err, "failed to start embedded registry")
+			return pkgerrors.WithMessage(err, "failed to start embedded registry")
 		}
 	}
 	if nodeConfig.SupervisorMetrics {
 		if err := metrics.DefaultMetrics.Start(ctx, nodeConfig); err != nil {
-			return errors.Wrap(err, "failed to serve metrics")
+			return pkgerrors.WithMessage(err, "failed to serve metrics")
 		}
 	}
 	if nodeConfig.EnablePProf {
 		if err := profile.DefaultProfiler.Start(ctx, nodeConfig); err != nil {
-			return errors.Wrap(err, "failed to serve pprof")
+			return pkgerrors.WithMessage(err, "failed to serve pprof")
 		}
 	}
@@ -174,7 +175,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 	}
 	if err := util.WaitForAPIServerReady(ctx, nodeConfig.AgentConfig.KubeConfigKubelet, util.DefaultAPIServerReadyTimeout); err != nil {
-		return errors.Wrap(err, "failed to wait for apiserver ready")
+		return pkgerrors.WithMessage(err, "failed to wait for apiserver ready")
 	}
 	// Use the kubelet kubeconfig to update annotations on the local node
@@ -267,7 +268,7 @@ func RunStandalone(ctx context.Context, cfg cmds.Agent) error {
 	nodeConfig, err := config.Get(ctx, cfg, proxy)
 	if err != nil {
-		return errors.Wrap(err, "failed to retrieve agent configuration")
+		return pkgerrors.WithMessage(err, "failed to retrieve agent configuration")
 	}
 	if err := executor.Bootstrap(ctx, nodeConfig, cfg); err != nil {
@@ -287,13 +288,13 @@ func RunStandalone(ctx context.Context, cfg cmds.Agent) error {
 	if nodeConfig.SupervisorMetrics {
 		if err := metrics.DefaultMetrics.Start(ctx, nodeConfig); err != nil {
-			return errors.Wrap(err, "failed to serve metrics")
+			return pkgerrors.WithMessage(err, "failed to serve metrics")
 		}
 	}
 	if nodeConfig.EnablePProf {
 		if err := profile.DefaultProfiler.Start(ctx, nodeConfig); err != nil {
-			return errors.Wrap(err, "failed to serve pprof")
+			return pkgerrors.WithMessage(err, "failed to serve pprof")
 		}
 	}
@@ -429,7 +430,7 @@ func configureNode(ctx context.Context, nodeConfig *daemonconfig.Node, nodes typ
 	}
 	if _, err := toolswatch.UntilWithSync(ctx, lw, &v1.Node{}, nil, condition); err != nil {
-		return errors.Wrap(err, "failed to configure node")
+		return pkgerrors.WithMessage(err, "failed to configure node")
 	}
 	return nil
 }

--- a/pkg/agent/util/file.go
+++ b/pkg/agent/util/file.go
 package util
 import (
+	"errors"
 	"os"
 	"path/filepath"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 )
 func WriteFile(name string, content string) error {
 	os.MkdirAll(filepath.Dir(name), 0755)
 	err := os.WriteFile(name, []byte(content), 0644)
 	if err != nil {
-		return errors.Wrapf(err, "writing %s", name)
+		return pkgerrors.WithMessagef(err, "writing %s", name)
 	}
 	return nil
 }
@@ -22,11 +23,11 @@ func CopyFile(sourceFile string, destinationFile string, ignoreNotExist bool) er
 	if errors.Is(err, os.ErrNotExist) && ignoreNotExist {
 		return nil
 	} else if err != nil {
-		return errors.Wrapf(err, "copying %s to %s", sourceFile, destinationFile)
+		return pkgerrors.WithMessagef(err, "copying %s to %s", sourceFile, destinationFile)
 	}
 	err = os.WriteFile(destinationFile, input, 0644)
 	if err != nil {
-		return errors.Wrapf(err, "copying %s to %s", sourceFile, destinationFile)
+		return pkgerrors.WithMessagef(err, "copying %s to %s", sourceFile, destinationFile)
 	}
 	return nil
 }
--- a/pkg/bootstrap/bootstrap.go
+++ b/pkg/bootstrap/bootstrap.go
@@ -8,7 +8,7 @@ import (
 	"time"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -71,13 +71,13 @@ func WriteToDiskFromStorage(files PathsDataformat, bootstrap *config.ControlRunt
 		}
 		if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
-			return errors.Wrapf(err, "failed to mkdir %s", filepath.Dir(path))
+			return pkgerrors.WithMessagef(err, "failed to mkdir %s", filepath.Dir(path))
 		}
 		if err := os.WriteFile(path, bsf.Content, 0600); err != nil {
-			return errors.Wrapf(err, "failed to write to %s", path)
+			return pkgerrors.WithMessagef(err, "failed to write to %s", path)
 		}
 		if err := os.Chtimes(path, bsf.Timestamp, bsf.Timestamp); err != nil {
-			return errors.Wrapf(err, "failed to update modified time on %s", path)
+			return pkgerrors.WithMessagef(err, "failed to update modified time on %s", path)
 		}
 	}

--- a/pkg/cli/agent/agent.go
+++ b/pkg/cli/agent/agent.go
@@ -21,7 +21,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util/permissions"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/k3s-io/k3s/pkg/vpn"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/signals"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -48,7 +48,7 @@ func Run(ctx *cli.Context) error {
 	if !cmds.AgentConfig.Rootless {
 		if err := permissions.IsPrivileged(); err != nil {
-			return errors.Wrap(err, "agent requires additional privilege if not run with --rootless")
+			return pkgerrors.WithMessage(err, "agent requires additional privilege if not run with --rootless")
 		}
 	}

--- a/pkg/cli/cert/cert.go
+++ b/pkg/cli/cert/cert.go
@@ -2,6 +2,7 @@ package cert
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -21,7 +22,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util/services"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/otiai10/copy"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	certutil "github.com/rancher/dynamiclistener/cert"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -302,7 +303,7 @@ func rotateCA(app *cli.Context, cfg *cmds.Server, sync *cmds.CertRotateCA) error
 	url := fmt.Sprintf("/v1-%s/cert/cacerts?force=%t", version.Program, sync.Force)
 	if err = info.Put(url, buf.Bytes()); err != nil {
-		return errors.Wrap(err, "see server log for details")
+		return pkgerrors.WithMessage(err, "see server log for details")
 	}
 	fmt.Println("certificates saved to datastore")

--- a/pkg/cli/cmds/init_linux.go
+++ b/pkg/cli/cmds/init_linux.go
@@ -6,7 +6,7 @@ import (
 	"os"
 	"github.com/moby/sys/userns"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rootless-containers/rootlesskit/pkg/parent/cgrouputil"
 )
@@ -17,7 +17,7 @@ func EvacuateCgroup2() error {
 		// The root cgroup has to be empty to enable subtree_control, so evacuate it by placing
 		// ourselves in the init cgroup.
 		if err := cgrouputil.EvacuateCgroup2("init"); err != nil {
-			return errors.Wrap(err, "failed to evacuate root cgroup")
+			return pkgerrors.WithMessage(err, "failed to evacuate root cgroup")
 		}
 	}
 	return nil

--- a/pkg/cli/cmds/log_linux.go
+++ b/pkg/cli/cmds/log_linux.go
@@ -14,7 +14,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/proctitle"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/natefinch/lumberjack"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"golang.org/x/sys/unix"
 )
@@ -46,7 +46,7 @@ func forkIfLoggingOrReaping() error {
 		pwd, err := os.Getwd()
 		if err != nil {
-			return errors.Wrap(err, "failed to get working directory")
+			return pkgerrors.WithMessage(err, "failed to get working directory")
 		}
 		if enableReaping {

--- a/pkg/cli/etcdsnapshot/etcd_snapshot.go
+++ b/pkg/cli/etcdsnapshot/etcd_snapshot.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -21,7 +22,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/proctitle"
 	"github.com/k3s-io/k3s/pkg/server"
 	util2 "github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -92,7 +93,7 @@ func wrapServerError(err error) error {
 		// since the operation may have actualy succeeded despite the client timing out the request.
 		return err
 	}
-	return errors.Wrap(err, "see server log for details")
+	return pkgerrors.WithMessage(err, "see server log for details")
 }
 // Save triggers an on-demand etcd snapshot operation

--- a/pkg/cli/secretsencrypt/secrets_encrypt.go
+++ b/pkg/cli/secretsencrypt/secrets_encrypt.go
@@ -17,7 +17,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/server"
 	"github.com/k3s-io/k3s/pkg/server/handlers"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/urfave/cli"
 	"k8s.io/utils/ptr"
 )
@@ -44,7 +44,7 @@ func commandPrep(cfg *cmds.Server) (*clientaccess.Info, error) {
 }
 func wrapServerError(err error) error {
-	return errors.Wrap(err, "see server log for details")
+	return pkgerrors.WithMessage(err, "see server log for details")
 }
 func Enable(app *cli.Context) error {

--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@@ -2,6 +2,7 @@ package server
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"os"
@@ -29,7 +30,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util/permissions"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/k3s-io/k3s/pkg/vpn"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/signals"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
@@ -75,7 +76,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	if !cfg.DisableAgent && !cfg.Rootless {
 		if err := permissions.IsPrivileged(); err != nil {
-			return errors.Wrap(err, "server requires additional privilege when not run with --rootless and/or --disable-agent")
+			return pkgerrors.WithMessage(err, "server requires additional privilege when not run with --rootless and/or --disable-agent")
 		}
 	}
@@ -327,7 +328,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	for _, cidr := range util.SplitStringSlice(cmds.ServerConfig.ClusterCIDR) {
 		_, parsed, err := net.ParseCIDR(cidr)
 		if err != nil {
-			return errors.Wrapf(err, "invalid cluster-cidr %s", cidr)
+			return pkgerrors.WithMessagef(err, "invalid cluster-cidr %s", cidr)
 		}
 		serverConfig.ControlConfig.ClusterIPRanges = append(serverConfig.ControlConfig.ClusterIPRanges, parsed)
 	}
@@ -342,7 +343,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	for _, cidr := range util.SplitStringSlice(cmds.ServerConfig.ServiceCIDR) {
 		_, parsed, err := net.ParseCIDR(cidr)
 		if err != nil {
-			return errors.Wrapf(err, "invalid service-cidr %s", cidr)
+			return pkgerrors.WithMessagef(err, "invalid service-cidr %s", cidr)
 		}
 		serverConfig.ControlConfig.ServiceIPRanges = append(serverConfig.ControlConfig.ServiceIPRanges, parsed)
 	}
@@ -352,7 +353,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	serverConfig.ControlConfig.ServiceNodePortRange, err = utilnet.ParsePortRange(cfg.ServiceNodePortRange)
 	if err != nil {
-		return errors.Wrapf(err, "invalid port range %s", cfg.ServiceNodePortRange)
+		return pkgerrors.WithMessagef(err, "invalid port range %s", cfg.ServiceNodePortRange)
 	}
 	// the apiserver service does not yet support dual-stack operation
@@ -370,7 +371,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 		for _, svcCIDR := range serverConfig.ControlConfig.ServiceIPRanges {
 			clusterDNS, err := utilsnet.GetIndexedIP(svcCIDR, 10)
 			if err != nil {
-				return errors.Wrap(err, "cannot configure default cluster-dns address")
+				return pkgerrors.WithMessage(err, "cannot configure default cluster-dns address")
 			}
 			serverConfig.ControlConfig.ClusterDNSs = append(serverConfig.ControlConfig.ClusterDNSs, clusterDNS)
 		}
@@ -420,7 +421,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	serverConfig.ControlConfig.MinTLSVersion = tlsMinVersionArg
 	serverConfig.ControlConfig.TLSMinVersion, err = kubeapiserverflag.TLSVersion(tlsMinVersionArg)
 	if err != nil {
-		return errors.Wrap(err, "invalid tls-min-version")
+		return pkgerrors.WithMessage(err, "invalid tls-min-version")
 	}
 	serverConfig.StartupHooks = append(serverConfig.StartupHooks, cfg.StartupHooks...)
@@ -450,7 +451,7 @@ func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomCont
 	serverConfig.ControlConfig.CipherSuites = tlsCipherSuites
 	serverConfig.ControlConfig.TLSCipherSuites, err = kubeapiserverflag.TLSCipherSuites(tlsCipherSuites)
 	if err != nil {
-		return errors.Wrap(err, "invalid tls-cipher-suites")
+		return pkgerrors.WithMessage(err, "invalid tls-cipher-suites")
 	}
 	// If performing a cluster reset, make sure control-plane components are

--- a/pkg/cli/token/token.go
+++ b/pkg/cli/token/token.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -19,7 +20,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/server/handlers"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/urfave/cli"
 	"gopkg.in/yaml.v2"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -121,7 +122,7 @@ func delete(app *cli.Context, cfg *cmds.Token) error {
 		}
 		secretName := bootstraputil.BootstrapTokenSecretName(token)
 		if err := client.CoreV1().Secrets(metav1.NamespaceSystem).Delete(context.TODO(), secretName, metav1.DeleteOptions{}); err != nil {
-			return errors.Wrapf(err, "failed to delete bootstrap token %q", err)
+			return pkgerrors.WithMessagef(err, "failed to delete bootstrap token %q", err)
 		}
 		fmt.Printf("bootstrap token %q deleted\n", token)
@@ -218,7 +219,7 @@ func list(app *cli.Context, cfg *cmds.Token) error {
 	secrets, err := client.CoreV1().Secrets(metav1.NamespaceSystem).List(context.TODO(), listOptions)
 	if err != nil {
-		return errors.Wrapf(err, "failed to list bootstrap tokens")
+		return pkgerrors.WithMessagef(err, "failed to list bootstrap tokens")
 	}
 	tokens := make([]*kubeadm.BootstrapToken, len(secrets.Items))

--- a/pkg/clientaccess/kubeconfig.go
+++ b/pkg/clientaccess/kubeconfig.go
@@ -3,7 +3,7 @@ package clientaccess
 import (
 	"os"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 )
@@ -12,17 +12,17 @@ import (
 func WriteClientKubeConfig(destFile, url, serverCAFile, clientCertFile, clientKeyFile string) error {
 	serverCA, err := os.ReadFile(serverCAFile)
 	if err != nil {
-		return errors.Wrapf(err, "failed to read %s", serverCAFile)
+		return pkgerrors.WithMessagef(err, "failed to read %s", serverCAFile)
 	}
 	clientCert, err := os.ReadFile(clientCertFile)
 	if err != nil {
-		return errors.Wrapf(err, "failed to read %s", clientCertFile)
+		return pkgerrors.WithMessagef(err, "failed to read %s", clientCertFile)
 	}
 	clientKey, err := os.ReadFile(clientKeyFile)
 	if err != nil {
-		return errors.Wrapf(err, "failed to read %s", clientKeyFile)
+		return pkgerrors.WithMessagef(err, "failed to read %s", clientKeyFile)
 	}
 	config := clientcmdapi.NewConfig()

--- a/pkg/clientaccess/token.go
+++ b/pkg/clientaccess/token.go
@@ -7,6 +7,7 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -16,7 +17,7 @@ import (
 	"time"
 	"github.com/k3s-io/k3s/pkg/kubeadm"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	certutil "github.com/rancher/dynamiclistener/cert"
 	"github.com/sirupsen/logrus"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -364,7 +365,7 @@ func (i *Info) Post(path string, body []byte, options ...any) ([]byte, error) {
 func (i *Info) setServer(server string) error {
 	url, err := url.Parse(server)
 	if err != nil {
-		return errors.Wrapf(err, "Invalid server url, failed to parse: %s", server)
+		return pkgerrors.WithMessagef(err, "Invalid server url, failed to parse: %s", server)
 	}
 	if url.Scheme != "https" {
@@ -424,7 +425,7 @@ func getCACerts(u url.URL) ([]byte, error) {
 	// Download the CA bundle using a client that does not validate certs.
 	cacerts, err := get(url, insecureClient, "", "", "")
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get CA certs")
+		return nil, pkgerrors.WithMessage(err, "failed to get CA certs")
 	}
 	// Request the CA bundle again, validating that the CA bundle can be loaded
@@ -432,7 +433,7 @@ func getCACerts(u url.URL) ([]byte, error) {
 	// get an empty CA bundle. or if the dynamiclistener cert is incorrectly signed.
 	_, err = get(url, GetHTTPClient(cacerts, "", ""), "", "", "")
 	if err != nil {
-		return nil, errors.Wrap(err, "CA cert validation failed")
+		return nil, pkgerrors.WithMessage(err, "CA cert validation failed")
 	}
 	return cacerts, nil

--- a/pkg/cloudprovider/instances.go
+++ b/pkg/cloudprovider/instances.go
@@ -2,22 +2,22 @@ package cloudprovider
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	cloudprovider "k8s.io/cloud-provider"
 )
 var (
-	InternalIPKey = version.Program + ".io/internal-ip"
+	InternalIPKey  = version.Program + ".io/internal-ip"
-	ExternalIPKey = version.Program + ".io/external-ip"
+	ExternalIPKey  = version.Program + ".io/external-ip"
 	InternalDNSKey = version.Program + ".io/internal-dns"
 	ExternalDNSKey = version.Program + ".io/external-dns"
-	HostnameKey   = version.Program + ".io/hostname"
+	HostnameKey    = version.Program + ".io/hostname"
 )
 var _ cloudprovider.InstancesV2 = &k3s{}

--- a/pkg/cluster/bootstrap.go
+++ b/pkg/cluster/bootstrap.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -25,7 +26,7 @@ import (
 	"github.com/k3s-io/kine/pkg/client"
 	"github.com/k3s-io/kine/pkg/endpoint"
 	"github.com/otiai10/copy"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -34,7 +35,7 @@ import (
 // ControlRuntimeBootstrap struct, either via HTTP or from the datastore.
 func (c *Cluster) Bootstrap(ctx context.Context, clusterReset bool) error {
 	if err := c.assignManagedDriver(ctx); err != nil {
-		return errors.Wrap(err, "failed to set datastore driver")
+		return pkgerrors.WithMessage(err, "failed to set datastore driver")
 	}
 	// Check if we need to bootstrap, and whether or not the managed database has already
@@ -43,7 +44,7 @@ func (c *Cluster) Bootstrap(ctx context.Context, clusterReset bool) error {
 	// This also sets c.clientAccessInfo if c.config.JoinURL and c.config.Token are set.
 	shouldBootstrap, isInitialized, err := c.shouldBootstrapLoad(ctx)
 	if err != nil {
-		return errors.Wrap(err, "failed to check if bootstrap data has been initialized")
+		return pkgerrors.WithMessage(err, "failed to check if bootstrap data has been initialized")
 	}
 	if c.managedDB != nil {
@@ -51,7 +52,7 @@ func (c *Cluster) Bootstrap(ctx context.Context, clusterReset bool) error {
 			// secondary server with etcd disabled, start the etcd proxy so that we can attempt to use it
 			// when reconciling.
 			if err := c.startEtcdProxy(ctx); err != nil {
-				return errors.Wrap(err, "failed to start etcd proxy")
+				return pkgerrors.WithMessage(err, "failed to start etcd proxy")
 			}
 		} else if isInitialized && !clusterReset {
 			// For secondary servers with etcd, first attempt to connect and reconcile using the join URL.
@@ -123,7 +124,7 @@ func (c *Cluster) shouldBootstrapLoad(ctx context.Context) (bool, bool, error) {
 			// the hash in the token. The password isn't actually checked until later when actually bootstrapping.
 			info, err := clientaccess.ParseAndValidateToken(c.config.JoinURL, c.config.Token, opts...)
 			if err != nil {
-				return false, false, errors.Wrap(err, "failed to validate token")
+				return false, false, pkgerrors.WithMessage(err, "failed to validate token")
 			}
 			c.clientAccessInfo = info
@@ -333,7 +334,7 @@ func (c *Cluster) ReconcileBootstrapData(ctx context.Context, buf io.ReadSeeker,
 		updated, newer, err := isNewerFile(path, fileData)
 		if err != nil {
-			return errors.Wrapf(err, "failed to get update status of %s", pathKey)
+			return pkgerrors.WithMessagef(err, "failed to get update status of %s", pathKey)
 		}
 		if newer {
 			newerOnDisk = append(newerOnDisk, path)
@@ -350,10 +351,10 @@ func (c *Cluster) ReconcileBootstrapData(ctx context.Context, buf io.ReadSeeker,
 		logrus.Infof("Cluster reset: backing up certificates directory to " + tlsBackupDir)
 		if _, err := os.Stat(serverTLSDir); err != nil {
-			return errors.Wrap(err, "cluster reset failed to stat server TLS dir")
+			return pkgerrors.WithMessage(err, "cluster reset failed to stat server TLS dir")
 		}
 		if err := copy.Copy(serverTLSDir, tlsBackupDir); err != nil {
-			return errors.Wrap(err, "cluster reset failed to back up server TLS dir")
+			return pkgerrors.WithMessage(err, "cluster reset failed to back up server TLS dir")
 		}
 	} else if len(newerOnDisk) > 0 {
 		logrus.Fatal(strings.Join(newerOnDisk, ", ") + " newer than datastore and could cause a cluster outage. Remove the file(s) from disk and restart to be recreated from datastore.")
@@ -376,13 +377,13 @@ func isNewerFile(path string, file bootstrap.File) (updated bool, newerOnDisk bo
 			logrus.Warn(path + " doesn't exist. continuing...")
 			return true, false, nil
 		}
-		return false, false, errors.Wrapf(err, "reconcile failed to open")
+		return false, false, pkgerrors.WithMessagef(err, "reconcile failed to open")
 	}
 	defer f.Close()
 	data, err := io.ReadAll(f)
 	if err != nil {
-		return false, false, errors.Wrapf(err, "reconcile failed to read")
+		return false, false, pkgerrors.WithMessagef(err, "reconcile failed to read")
 	}
 	if bytes.Equal(file.Content, data) {
@@ -391,7 +392,7 @@ func isNewerFile(path string, file bootstrap.File) (updated bool, newerOnDisk bo
 	info, err := f.Stat()
 	if err != nil {
-		return false, false, errors.Wrapf(err, "reconcile failed to stat")
+		return false, false, pkgerrors.WithMessagef(err, "reconcile failed to stat")
 	}
 	if info.ModTime().Unix()-file.Timestamp.Unix() >= systemTimeSkew {
@@ -452,7 +453,7 @@ func (c *Cluster) bootstrap(ctx context.Context) error {
 	if c.managedDB != nil {
 		// Try to compare local config against the server we're joining.
 		if err := c.compareConfig(); err != nil {
-			return errors.Wrap(err, "failed to validate server configuration")
+			return pkgerrors.WithMessage(err, "failed to validate server configuration")
 		}
 		// Try to bootstrap from the datastore using the local etcd proxy.
 		if data, err := c.getBootstrapData(ctx, c.clientAccessInfo.Password); err != nil {

--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -12,7 +12,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/etcd"
 	"github.com/k3s-io/kine/pkg/endpoint"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/util/wait"
 	utilsnet "k8s.io/utils/net"
@@ -35,7 +35,7 @@ type Cluster struct {
 func (c *Cluster) Start(ctx context.Context) (<-chan struct{}, error) {
 	// Set up the dynamiclistener and http request handlers
 	if err := c.initClusterAndHTTPS(ctx); err != nil {
-		return nil, errors.Wrap(err, "init cluster datastore and https")
+		return nil, pkgerrors.WithMessage(err, "init cluster datastore and https")
 	}
 	if c.config.DisableETCD {
@@ -46,7 +46,7 @@ func (c *Cluster) Start(ctx context.Context) (<-chan struct{}, error) {
 	// start managed database (if necessary)
 	if err := c.start(ctx); err != nil {
-		return nil, errors.Wrap(err, "start managed database")
+		return nil, pkgerrors.WithMessage(err, "start managed database")
 	}
 	// get the wait channel for testing managed database readiness
@@ -121,7 +121,7 @@ func (c *Cluster) startEtcdProxy(ctx context.Context) error {
 		for i, c := range clientURLs {
 			u, err := url.Parse(c)
 			if err != nil {
-				return errors.Wrap(err, "failed to parse etcd ClientURL")
+				return pkgerrors.WithMessage(err, "failed to parse etcd ClientURL")
 			}
 			clientURLs[i] = u.Host
 		}
@@ -162,7 +162,7 @@ func (c *Cluster) startStorage(ctx context.Context, bootstrap bool) error {
 	// start listening on the kine socket as an etcd endpoint, or return the external etcd endpoints
 	etcdConfig, err := endpoint.Listen(ctx, c.config.Datastore)
 	if err != nil {
-		return errors.Wrap(err, "creating storage endpoint")
+		return pkgerrors.WithMessage(err, "creating storage endpoint")
 	}
 	// Persist the returned etcd configuration. We decide if we're doing leader election for embedded controllers

--- a/pkg/cluster/managed.go
+++ b/pkg/cluster/managed.go
@@ -5,14 +5,13 @@ package cluster
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"time"
-	"github.com/pkg/errors"
 	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/cluster/managed"
 	"github.com/k3s-io/k3s/pkg/etcd"

--- a/pkg/containerd/utility_windows.go
+++ b/pkg/containerd/utility_windows.go
@@ -5,17 +5,17 @@ package containerd
 import (
 	util2 "github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 )
 func OverlaySupported(root string) error {
-	return errors.Wrapf(util2.ErrUnsupportedPlatform, "overlayfs is not supported")
+	return pkgerrors.WithMessagef(util2.ErrUnsupportedPlatform, "overlayfs is not supported")
 }
 func FuseoverlayfsSupported(root string) error {
-	return errors.Wrapf(util2.ErrUnsupportedPlatform, "fuse-overlayfs is not supported")
+	return pkgerrors.WithMessagef(util2.ErrUnsupportedPlatform, "fuse-overlayfs is not supported")
 }
 func StargzSupported(root string) error {
-	return errors.Wrapf(util2.ErrUnsupportedPlatform, "stargz is not supported")
+	return pkgerrors.WithMessagef(util2.ErrUnsupportedPlatform, "stargz is not supported")
 }
--- a/pkg/daemons/agent/agent.go
+++ b/pkg/daemons/agent/agent.go
@@ -10,6 +10,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/agent/proxy"
 	daemonconfig "github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/daemons/executor"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/component-base/logs"
 	logsapi "k8s.io/component-base/logs/api/v1"
@@ -24,7 +25,7 @@ func Agent(ctx context.Context, nodeConfig *daemonconfig.Node, proxy proxy.Proxy
 	defer logs.FlushLogs()
 	if err := startKubelet(ctx, &nodeConfig.AgentConfig); err != nil {
-		return err
+		return pkgerrors.WithMessage(err, "failed to start kubelet")
 	}
 	go func() {

--- a/pkg/daemons/control/proxy/proxy.go
+++ b/pkg/daemons/control/proxy/proxy.go
 package proxy
 import (
+	"errors"
 	"io"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -43,12 +44,12 @@ func (p *proxy) pipe(src, dst io.ReadWriter) {
 	for {
 		n, err := src.Read(buff)
 		if err != nil {
-			p.err(errors.Wrap(err, "read failed"))
+			p.err(pkgerrors.WithMessage(err, "read failed"))
 			return
 		}
 		_, err = dst.Write(buff[:n])
 		if err != nil {
-			p.err(errors.Wrap(err, "write failed"))
+			p.err(pkgerrors.WithMessage(err, "write failed"))
 			return
 		}
 	}

--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@@ -2,6 +2,7 @@ package control
 import (
 	"context"
+	"errors"
 	"math/rand"
 	"os"
 	"path/filepath"
@@ -16,7 +17,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/executor"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	authorizationv1 "k8s.io/api/authorization/v1"
 	v1 "k8s.io/api/core/v1"
@@ -40,12 +41,12 @@ func Server(ctx context.Context, cfg *config.Control) error {
 	logsapi.ReapplyHandling = logsapi.ReapplyHandlingIgnoreUnchanged
 	if err := prepare(ctx, cfg); err != nil {
-		return errors.Wrap(err, "preparing server")
+		return pkgerrors.WithMessage(err, "preparing server")
 	}
 	tunnel, err := setupTunnel(ctx, cfg)
 	if err != nil {
-		return errors.Wrap(err, "setup tunnel server")
+		return pkgerrors.WithMessage(err, "setup tunnel server")
 	}
 	cfg.Runtime.Tunnel = tunnel
@@ -307,15 +308,15 @@ func prepare(ctx context.Context, config *config.Control) error {
 	cluster := cluster.New(config)
 	if err := cluster.Bootstrap(ctx, config.ClusterReset); err != nil {
-		return errors.Wrap(err, "failed to bootstrap cluster data")
+		return pkgerrors.WithMessage(err, "failed to bootstrap cluster data")
 	}
 	if err := deps.GenServerDeps(config); err != nil {
-		return errors.Wrap(err, "failed to generate server dependencies")
+		return pkgerrors.WithMessage(err, "failed to generate server dependencies")
 	}
 	if ready, err := cluster.Start(ctx); err != nil {
-		return errors.Wrap(err, "failed to start cluster")
+		return pkgerrors.WithMessage(err, "failed to start cluster")
 	} else {
 		config.Runtime.ETCDReady = ready
 	}
@@ -514,7 +515,7 @@ func waitForUntaintedNode(ctx context.Context, kubeConfig string) error {
 	}
 	if _, err := toolswatch.UntilWithSync(ctx, lw, &v1.Node{}, nil, condition); err != nil {
-		return errors.Wrap(err, "failed to wait for untainted node")
+		return pkgerrors.WithMessage(err, "failed to wait for untainted node")
 	}
 	return nil
 }

--- a/pkg/daemons/control/tunnel.go
+++ b/pkg/daemons/control/tunnel.go
@@ -3,6 +3,7 @@ package control
 import (
 	"bufio"
 	"context"
+	"errors"
 	"io"
 	"net"
 	"net/http"
@@ -15,7 +16,6 @@ import (
 	"github.com/k3s-io/k3s/pkg/nodeconfig"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
 	"github.com/rancher/remotedialer"
 	"github.com/sirupsen/logrus"
 	"github.com/yl2chen/cidranger"

--- a/pkg/daemons/executor/embed.go
+++ b/pkg/daemons/executor/embed.go
@@ -5,6 +5,7 @@ package executor
 import (
 	"context"
+	"errors"
 	"flag"
 	"net/http"
 	"os"
@@ -18,7 +19,6 @@ import (
 	daemonconfig "github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	cloudprovider "k8s.io/cloud-provider"

--- a/pkg/datadir/datadir.go
+++ b/pkg/datadir/datadir.go
@@ -5,7 +5,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util/permissions"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/resolvehome"
 )
@@ -31,7 +31,7 @@ func LocalHome(dataDir string, forceLocal bool) (string, error) {
 	dataDir, err := resolvehome.Resolve(dataDir)
 	if err != nil {
-		return "", errors.Wrapf(err, "resolving %s", dataDir)
+		return "", pkgerrors.WithMessagef(err, "resolving %s", dataDir)
 	}
 	return filepath.Abs(dataDir)

--- a/pkg/deploy/controller.go
+++ b/pkg/deploy/controller.go
@@ -15,11 +15,11 @@ import (
 	"sync"
 	"time"
-	"github.com/k3s-io/k3s/pkg/agent/util"
 	apisv1 "github.com/k3s-io/api/k3s.cattle.io/v1"
 	controllersv1 "github.com/k3s-io/api/pkg/generated/controllers/k3s.cattle.io/v1"
+	"github.com/k3s-io/k3s/pkg/agent/util"
 	pkgutil "github.com/k3s-io/k3s/pkg/util"
-	errors2 "github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/apply"
 	"github.com/rancher/wrangler/v3/pkg/kv"
 	"github.com/rancher/wrangler/v3/pkg/merr"
@@ -165,7 +165,7 @@ func (w *watcher) listFilesIn(base string, force bool) error {
 		// Disabled files are not just skipped, but actively deleted from the filesystem
 		if shouldDisableFile(base, path, w.disables) {
 			if err := w.delete(path); err != nil {
-				errs = append(errs, errors2.Wrapf(err, "failed to delete %s", path))
+				errs = append(errs, pkgerrors.WithMessagef(err, "failed to delete %s", path))
 			}
 			continue
 		}
@@ -178,7 +178,7 @@ func (w *watcher) listFilesIn(base string, force bool) error {
 			continue
 		}
 		if err := w.deploy(path, !force); err != nil {
-			errs = append(errs, errors2.Wrapf(err, "failed to process %s", path))
+			errs = append(errs, pkgerrors.WithMessagef(err, "failed to process %s", path))
 		} else {
 			w.modTime[path] = modTime
 		}

--- a/pkg/deploy/stage.go
+++ b/pkg/deploy/stage.go
@@ -8,7 +8,7 @@ import (
 	"path/filepath"
 	"strings"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -38,7 +38,7 @@ staging:
 		os.MkdirAll(filepath.Dir(p), 0700)
 		logrus.Info("Writing manifest: ", p)
 		if err := os.WriteFile(p, content, 0600); err != nil {
-			return errors.Wrapf(err, "failed to write to %s", name)
+			return pkgerrors.WithMessagef(err, "failed to write to %s", name)
 		}
 	}

--- a/pkg/etcd/etcd.go
+++ b/pkg/etcd/etcd.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io/fs"
 	"net"
@@ -33,7 +34,7 @@ import (
 	"github.com/k3s-io/kine/pkg/client"
 	endpoint2 "github.com/k3s-io/kine/pkg/endpoint"
 	cp "github.com/otiai10/copy"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	certutil "github.com/rancher/dynamiclistener/cert"
 	controllerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
 	"github.com/rancher/wrangler/v3/pkg/start"
@@ -215,7 +216,7 @@ func (e *ETCD) Test(ctx context.Context) error {
 	status, err := e.status(ctx)
 	if err != nil {
-		return errors.Wrap(err, "failed to get etcd status")
+		return pkgerrors.WithMessage(err, "failed to get etcd status")
 	} else if status.IsLearner {
 		return errors.New("this server has not yet been promoted from learner to voting member")
 	} else if status.Leader == 0 {
@@ -229,19 +230,19 @@ func (e *ETCD) Test(ctx context.Context) error {
 	// defrag this node to reclaim freed space from compacted revisions
 	if err := e.defragment(ctx); err != nil {
-		return errors.Wrap(err, "failed to defragment etcd database")
+		return pkgerrors.WithMessage(err, "failed to defragment etcd database")
 	}
 	// clear alarms on this node
 	if err := e.clearAlarms(ctx, status.Header.MemberId); err != nil {
-		return errors.Wrap(err, "failed to disarm etcd alarms")
+		return pkgerrors.WithMessage(err, "failed to disarm etcd alarms")
 	}
 	// refresh status - note that errors may remain on other nodes, but this
 	// should not prevent us from continuing with startup.
 	status, err = e.status(ctx)
 	if err != nil {
-		return errors.Wrap(err, "failed to get etcd status")
+		return pkgerrors.WithMessage(err, "failed to get etcd status")
 	}
 	logrus.Infof("Datastore using %d of %d bytes after defragment", status.DbSizeInUse, status.DbSize)
@@ -334,7 +335,7 @@ func (e *ETCD) IsInitialized() (bool, error) {
 	} else if os.IsNotExist(err) {
 		return false, nil
 	} else {
-		return false, errors.Wrap(err, "invalid state for wal directory "+dir)
+		return false, pkgerrors.WithMessage(err, "invalid state for wal directory "+dir)
 	}
 }
@@ -410,16 +411,16 @@ func (e *ETCD) Reset(ctx context.Context, rebootstrap func() error) error {
 				if errors.Is(err, s3.ErrNoConfigSecret) {
 					return errors.New("cannot use S3 config secret when restoring snapshot; configuration must be set in CLI or config file")
 				} else {
-					return errors.Wrap(err, "failed to initialize S3 client")
+					return pkgerrors.WithMessage(err, "failed to initialize S3 client")
 				}
 			}
 			dir, err := snapshotDir(e.config, true)
 			if err != nil {
-				return errors.Wrap(err, "failed to get the snapshot dir")
+				return pkgerrors.WithMessage(err, "failed to get the snapshot dir")
 			}
 			path, err := s3client.Download(ctx, e.config.ClusterResetRestorePath, dir)
 			if err != nil {
-				return errors.Wrap(err, "failed to download snapshot from S3")
+				return pkgerrors.WithMessage(err, "failed to download snapshot from S3")
 			}
 			e.config.ClusterResetRestorePath = path
 			logrus.Infof("S3 download complete for %s", e.config.ClusterResetRestorePath)
@@ -452,7 +453,7 @@ func (e *ETCD) Reset(ctx context.Context, rebootstrap func() error) error {
 func (e *ETCD) Start(ctx context.Context, clientAccessInfo *clientaccess.Info) error {
 	isInitialized, err := e.IsInitialized()
 	if err != nil {
-		return errors.Wrapf(err, "failed to check for initialized etcd datastore")
+		return pkgerrors.WithMessagef(err, "failed to check for initialized etcd datastore")
 	}
 	if err := e.startClient(ctx); err != nil {
@@ -652,7 +653,7 @@ func (e *ETCD) Register(handler http.Handler) (http.Handler, error) {
 			// ensure client is started, as etcd startup may not have handled this if this is a control-plane-only node
 			if e.client == nil {
 				if err := e.startClient(ctx); err != nil {
-					panic(errors.Wrap(err, "failed to start etcd client"))
+					panic(pkgerrors.WithMessage(err, "failed to start etcd client"))
 				}
 			}
@@ -663,7 +664,7 @@ func (e *ETCD) Register(handler http.Handler) (http.Handler, error) {
 			// Re-run informer factory startup after core and leader-elected controllers have started.
 			// Additional caches may need to start for the newly added OnChange/OnRemove callbacks.
 			if err := start.All(ctx, 5, e.config.Runtime.K3s, e.config.Runtime.Core); err != nil {
-				panic(errors.Wrap(err, "failed to start wrangler controllers"))
+				panic(pkgerrors.WithMessage(err, "failed to start wrangler controllers"))
 			}
 		}
 	}
@@ -738,7 +739,7 @@ func (e *ETCD) infoHandler() http.Handler {
 		members, err := e.client.MemberList(ctx)
 		if err != nil {
-			util.SendError(errors.Wrap(err, "failed to get etcd MemberList"), rw, req, http.StatusInternalServerError)
+			util.SendError(pkgerrors.WithMessage(err, "failed to get etcd MemberList"), rw, req, http.StatusInternalServerError)
 			return
 		}
@@ -1321,7 +1322,7 @@ func (e *ETCD) trackLearnerProgress(ctx context.Context, progress *learnerProgre
 func (e *ETCD) getETCDStatus(ctx context.Context, url string) (*clientv3.StatusResponse, error) {
 	resp, err := e.client.Status(ctx, url)
 	if err != nil {
-		return resp, errors.Wrap(err, "failed to check etcd member status")
+		return resp, pkgerrors.WithMessage(err, "failed to check etcd member status")
 	}
 	if len(resp.Errors) != 0 {
 		return resp, errors.New("etcd member has status errors: " + strings.Join(resp.Errors, ","))
@@ -1554,7 +1555,7 @@ func (e *ETCD) Restore(ctx context.Context) error {
 	if strings.HasSuffix(e.config.ClusterResetRestorePath, snapshot.CompressedExtension) {
 		dir, err := snapshotDir(e.config, true)
 		if err != nil {
-			return errors.Wrap(err, "failed to get the snapshot dir")
+			return pkgerrors.WithMessage(err, "failed to get the snapshot dir")
 		}
 		decompressSnapshot, err := e.decompressSnapshot(dir, e.config.ClusterResetRestorePath)

--- a/pkg/etcd/member_controller.go
+++ b/pkg/etcd/member_controller.go
@@ -2,12 +2,12 @@ package etcd
 import (
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
 	controllerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
 	"github.com/sirupsen/logrus"
 	"go.etcd.io/etcd/api/v3/v3rpc/rpctypes"

--- a/pkg/etcd/s3/s3.go
+++ b/pkg/etcd/s3/s3.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -26,7 +27,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/generated/controllers/core"
 	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
@@ -99,13 +100,13 @@ func Start(ctx context.Context, config *config.Control) (*Controller, error) {
 				// cluster id hack: see https://groups.google.com/forum/#!msg/kubernetes-sig-architecture/mVGobfD4TpY/nkdbkX1iBwAJ
 				ns, err := c.core.V1().Namespace().Get(metav1.NamespaceSystem, metav1.GetOptions{})
 				if err != nil {
-					return false, errors.Wrap(err, "failed to set S3 snapshot cluster ID")
+					return false, pkgerrors.WithMessage(err, "failed to set S3 snapshot cluster ID")
 				}
 				c.clusterID = string(ns.UID)
 				tokenHash, err := util.GetTokenHash(config)
 				if err != nil {
-					return false, errors.Wrap(err, "failed to set S3 snapshot server token hash")
+					return false, pkgerrors.WithMessage(err, "failed to set S3 snapshot server token hash")
 				}
 				c.tokenHash = tokenHash
@@ -137,7 +138,7 @@ func (c *Controller) GetClient(ctx context.Context, etcdS3 *config.EtcdS3) (*Cli
 		if isDefault {
 			e, err := c.getConfigFromSecret(etcdS3.ConfigSecret)
 			if err != nil {
-				return nil, errors.Wrapf(err, "failed to get config from etcd-s3-config-secret %q", etcdS3.ConfigSecret)
+				return nil, pkgerrors.WithMessagef(err, "failed to get config from etcd-s3-config-secret %q", etcdS3.ConfigSecret)
 			}
 			logrus.Infof("Using etcd s3 configuration from etcd-s3-config-secret %q", etcdS3.ConfigSecret)
 			etcdS3 = e
@@ -196,7 +197,7 @@ func (c *Controller) GetClient(ctx context.Context, etcdS3 *config.EtcdS3) (*Cli
 		if etcdS3.Proxy != "none" {
 			u, err = url.Parse(etcdS3.Proxy)
 			if err != nil {
-				return nil, errors.Wrap(err, "failed to parse etcd-s3-proxy value as URL")
+				return nil, pkgerrors.WithMessage(err, "failed to parse etcd-s3-proxy value as URL")
 			}
 			if u.Scheme == "" || u.Host == "" {
 				return nil, fmt.Errorf("proxy URL must include scheme and host")
@@ -219,7 +220,7 @@ func (c *Controller) GetClient(ctx context.Context, etcdS3 *config.EtcdS3) (*Cli
 	})
 	if _, err := creds.Get(); err != nil {
-		return nil, errors.Wrap(err, "failed to get credentials")
+		return nil, pkgerrors.WithMessage(err, "failed to get credentials")
 	}
 	opt := minio.Options{
@@ -241,7 +242,7 @@ func (c *Controller) GetClient(ctx context.Context, etcdS3 *config.EtcdS3) (*Cli
 	exists, err := mc.BucketExists(ctx, etcdS3.Bucket)
 	if err != nil {
-		return nil, errors.Wrapf(err, "failed to test for existence of bucket %s", etcdS3.Bucket)
+		return nil, pkgerrors.WithMessagef(err, "failed to test for existence of bucket %s", etcdS3.Bucket)
 	}
 	if !exists {
 		return nil, fmt.Errorf("bucket %s does not exist", etcdS3.Bucket)

--- a/pkg/etcd/snapshot.go
+++ b/pkg/etcd/snapshot.go
@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"math/rand"
@@ -25,7 +26,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/metrics"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/robfig/cron/v3"
 	"github.com/sirupsen/logrus"
 	snapshotv3 "go.etcd.io/etcd/client/v3/snapshot"
@@ -227,7 +228,7 @@ func (e *ETCD) snapshot(ctx context.Context) (_ *managed.SnapshotResult, rerr er
 	endpoints := getEndpoints(e.config)
 	status, err := e.client.Status(ctx, endpoints[0])
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to check etcd status for snapshot")
+		return nil, pkgerrors.WithMessage(err, "failed to check etcd status for snapshot")
 	}
 	if status.IsLearner {
@@ -237,17 +238,17 @@ func (e *ETCD) snapshot(ctx context.Context) (_ *managed.SnapshotResult, rerr er
 	snapshotDir, err := snapshotDir(e.config, true)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get etcd-snapshot-dir")
+		return nil, pkgerrors.WithMessage(err, "failed to get etcd-snapshot-dir")
 	}
 	cfg, err := getClientConfig(ctx, e.config)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get config for etcd snapshot")
+		return nil, pkgerrors.WithMessage(err, "failed to get config for etcd snapshot")
 	}
 	tokenHash, err := util.GetTokenHash(e.config)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get server token hash for etcd snapshot")
+		return nil, pkgerrors.WithMessage(err, "failed to get server token hash for etcd snapshot")
 	}
 	nodeName := os.Getenv("NODE_NAME")
@@ -277,7 +278,7 @@ func (e *ETCD) snapshot(ctx context.Context) (_ *managed.SnapshotResult, rerr er
 		}
 		logrus.Errorf("Failed to take etcd snapshot: %v", err)
 		if err := e.addSnapshotData(*sf); err != nil {
-			return nil, errors.Wrap(err, "failed to sync ETCDSnapshotFile")
+			return nil, pkgerrors.WithMessage(err, "failed to sync ETCDSnapshotFile")
 		}
 	}
@@ -293,7 +294,7 @@ func (e *ETCD) snapshot(ctx context.Context) (_ *managed.SnapshotResult, rerr er
 			}
 			if err != nil {
-				return nil, errors.Wrap(err, "failed to compress snapshot")
+				return nil, pkgerrors.WithMessage(err, "failed to compress snapshot")
 			}
 			snapshotPath = zipPath
 			logrus.Info("Compressed snapshot: " + snapshotPath)
@@ -301,7 +302,7 @@ func (e *ETCD) snapshot(ctx context.Context) (_ *managed.SnapshotResult, rerr er
 		f, err := os.Stat(snapshotPath)
 		if err != nil {
-			return nil, errors.Wrap(err, "unable to retrieve snapshot information from local snapshot")
+			return nil, pkgerrors.WithMessage(err, "unable to retrieve snapshot information from local snapshot")
 		}
 		sf = &snapshot.File{
@@ -343,7 +344,7 @@ func (e *ETCD) snapshot(ctx context.Context) (_ *managed.SnapshotResult, rerr er
 				logrus.Warnf("Unable to initialize S3 client: %v", err)
 				if !errors.Is(err, s3.ErrNoConfigSecret) {
 					metrics.ObserveWithStatus(snapshotSaveS3Count, s3Start, err)
-					err = errors.Wrap(err, "failed to initialize S3 client")
+					err = pkgerrors.WithMessage(err, "failed to initialize S3 client")
 					sf = &snapshot.File{
 						Name:     f.Name(),
 						NodeName: "s3",
@@ -398,7 +399,7 @@ func (e *ETCD) listLocalSnapshots() (map[string]snapshot.File, error) {
 	snapshots := make(map[string]snapshot.File)
 	snapshotDir, err := snapshotDir(e.config, true)
 	if err != nil {
-		return snapshots, errors.Wrap(err, "failed to get etcd-snapshot-dir")
+		return snapshots, pkgerrors.WithMessage(err, "failed to get etcd-snapshot-dir")
 	}
 	if err := filepath.Walk(snapshotDir, func(path string, file os.FileInfo, err error) error {
@@ -466,7 +467,7 @@ func (e *ETCD) getS3Client(ctx context.Context) (*s3.Client, error) {
 func (e *ETCD) PruneSnapshots(ctx context.Context) (*managed.SnapshotResult, error) {
 	snapshotDir, err := snapshotDir(e.config, false)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get etcd-snapshot-dir")
+		return nil, pkgerrors.WithMessage(err, "failed to get etcd-snapshot-dir")
 	}
 	res := &managed.SnapshotResult{}
@@ -504,7 +505,7 @@ func (e *ETCD) ListSnapshots(ctx context.Context) (*k3s.ETCDSnapshotFileList, er
 		if s3client, err := e.getS3Client(ctx); err != nil {
 			logrus.Warnf("Unable to initialize S3 client: %v", err)
 			if !errors.Is(err, s3.ErrNoConfigSecret) {
-				return nil, errors.Wrap(err, "failed to initialize S3 client")
+				return nil, pkgerrors.WithMessage(err, "failed to initialize S3 client")
 			}
 		} else {
 			sfs, err := s3client.ListSnapshots(ctx)
@@ -538,7 +539,7 @@ func (e *ETCD) ListSnapshots(ctx context.Context) (*k3s.ETCDSnapshotFileList, er
 func (e *ETCD) DeleteSnapshots(ctx context.Context, snapshots []string) (*managed.SnapshotResult, error) {
 	snapshotDir, err := snapshotDir(e.config, false)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get etcd-snapshot-dir")
+		return nil, pkgerrors.WithMessage(err, "failed to get etcd-snapshot-dir")
 	}
 	var s3client *s3.Client
@@ -547,7 +548,7 @@ func (e *ETCD) DeleteSnapshots(ctx context.Context, snapshots []string) (*manage
 		if err != nil {
 			logrus.Warnf("Unable to initialize S3 client: %v", err)
 			if !errors.Is(err, s3.ErrNoConfigSecret) {
-				return nil, errors.Wrap(err, "failed to initialize S3 client")
+				return nil, pkgerrors.WithMessage(err, "failed to initialize S3 client")
 			}
 		}
 	}
@@ -711,7 +712,7 @@ func (e *ETCD) reconcileSnapshotData(ctx context.Context, res *managed.SnapshotR
 			logrus.Warnf("Unable to initialize S3 client: %v", err)
 			if !errors.Is(err, s3.ErrNoConfigSecret) {
 				metrics.ObserveWithStatus(snapshotReconcileS3Count, s3Start, err)
-				return errors.Wrap(err, "failed to initialize S3 client")
+				return pkgerrors.WithMessage(err, "failed to initialize S3 client")
 			}
 		} else {
 			s3Snapshots, err := s3client.ListSnapshots(ctx)

--- a/pkg/etcd/snapshot_controller.go
+++ b/pkg/etcd/snapshot_controller.go
@@ -2,6 +2,7 @@ package etcd
 import (
 	"context"
+	"errors"
 	"os"
 	"sort"
 	"strconv"
@@ -10,11 +11,11 @@ import (
 	apisv1 "github.com/k3s-io/api/k3s.cattle.io/v1"
 	k3s "github.com/k3s-io/api/k3s.cattle.io/v1"
-	"github.com/k3s-io/k3s/pkg/etcd/snapshot"
 	controllersv1 "github.com/k3s-io/api/pkg/generated/controllers/k3s.cattle.io/v1"
+	"github.com/k3s-io/k3s/pkg/etcd/snapshot"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	controllerv1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/equality"
@@ -90,14 +91,14 @@ func (e *etcdSnapshotHandler) sync(key string, esf *apisv1.ETCDSnapshotFile) (*a
 	sfKey := sf.GenerateConfigMapKey()
 	m, err := sf.Marshal()
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to marshal snapshot ConfigMap data")
+		return nil, pkgerrors.WithMessage(err, "failed to marshal snapshot ConfigMap data")
 	}
 	marshalledSnapshot := string(m)
 	snapshotConfigMap, err := e.configmaps.Get(metav1.NamespaceSystem, snapshotConfigMapName, metav1.GetOptions{})
 	if err != nil {
 		if !apierrors.IsNotFound(err) {
-			return nil, errors.Wrap(err, "failed to get snapshot ConfigMap")
+			return nil, pkgerrors.WithMessage(err, "failed to get snapshot ConfigMap")
 		}
 		snapshotConfigMap = &v1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{
@@ -142,7 +143,7 @@ func (e *etcdSnapshotHandler) sync(key string, esf *apisv1.ETCDSnapshotFile) (*a
 	}
 	if err != nil {
-		err = errors.Wrap(err, "failed to sync snapshot to ConfigMap")
+		err = pkgerrors.WithMessage(err, "failed to sync snapshot to ConfigMap")
 	}
 	return nil, err
@@ -157,14 +158,14 @@ func (e *etcdSnapshotHandler) onRemove(key string, esf *apisv1.ETCDSnapshotFile)
 		if apierrors.IsNotFound(err) {
 			return nil, nil
 		}
-		return nil, errors.Wrap(err, "failed to get snapshot ConfigMap")
+		return nil, pkgerrors.WithMessage(err, "failed to get snapshot ConfigMap")
 	}
 	sfKey := generateETCDSnapshotFileConfigMapKey(*esf)
 	if _, ok := snapshotConfigMap.Data[sfKey]; ok {
 		delete(snapshotConfigMap.Data, sfKey)
 		if _, err := e.configmaps.Update(snapshotConfigMap); err != nil {
-			return nil, errors.Wrap(err, "failed to remove snapshot from ConfigMap")
+			return nil, pkgerrors.WithMessage(err, "failed to remove snapshot from ConfigMap")
 		}
 	}
 	e.etcd.emitEvent(esf)
@@ -243,7 +244,7 @@ func (e *etcdSnapshotHandler) reconcile() error {
 	snapshotConfigMap, err := e.configmaps.Get(metav1.NamespaceSystem, snapshotConfigMapName, metav1.GetOptions{})
 	if err != nil {
 		if !apierrors.IsNotFound(err) {
-			return errors.Wrap(err, "failed to get snapshot ConfigMap")
+			return pkgerrors.WithMessage(err, "failed to get snapshot ConfigMap")
 		}
 		snapshotConfigMap = &v1.ConfigMap{
 			ObjectMeta: metav1.ObjectMeta{

--- a/pkg/etcd/snapshot_handler.go
+++ b/pkg/etcd/snapshot_handler.go
@@ -11,7 +11,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/cluster/managed"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -70,7 +70,7 @@ func (e *ETCD) snapshotHandler() http.Handler {
 func (e *ETCD) handleList(rw http.ResponseWriter, req *http.Request) error {
 	if e.config.EtcdS3 != nil {
 		if _, err := e.getS3Client(req.Context()); err != nil {
-			err = errors.Wrap(err, "failed to initialize S3 client")
+			err = pkgerrors.WithMessage(err, "failed to initialize S3 client")
 			util.SendError(err, rw, req, http.StatusBadRequest)
 			return nil
 		}
@@ -87,7 +87,7 @@ func (e *ETCD) handleList(rw http.ResponseWriter, req *http.Request) error {
 func (e *ETCD) handleSave(rw http.ResponseWriter, req *http.Request) error {
 	if e.config.EtcdS3 != nil {
 		if _, err := e.getS3Client(req.Context()); err != nil {
-			err = errors.Wrap(err, "failed to initialize S3 client")
+			err = pkgerrors.WithMessage(err, "failed to initialize S3 client")
 			util.SendError(err, rw, req, http.StatusBadRequest)
 			return nil
 		}
@@ -104,7 +104,7 @@ func (e *ETCD) handleSave(rw http.ResponseWriter, req *http.Request) error {
 func (e *ETCD) handlePrune(rw http.ResponseWriter, req *http.Request) error {
 	if e.config.EtcdS3 != nil {
 		if _, err := e.getS3Client(req.Context()); err != nil {
-			err = errors.Wrap(err, "failed to initialize S3 client")
+			err = pkgerrors.WithMessage(err, "failed to initialize S3 client")
 			util.SendError(err, rw, req, http.StatusBadRequest)
 			return nil
 		}
@@ -121,7 +121,7 @@ func (e *ETCD) handlePrune(rw http.ResponseWriter, req *http.Request) error {
 func (e *ETCD) handleDelete(rw http.ResponseWriter, req *http.Request, snapshots []string) error {
 	if e.config.EtcdS3 != nil {
 		if _, err := e.getS3Client(req.Context()); err != nil {
-			err = errors.Wrap(err, "failed to initialize S3 client")
+			err = pkgerrors.WithMessage(err, "failed to initialize S3 client")
 			util.SendError(err, rw, req, http.StatusBadRequest)
 			return nil
 		}

--- a/pkg/kubeadm/token.go
+++ b/pkg/kubeadm/token.go
 package kubeadm
 import (
+	"errors"
 	"github.com/k3s-io/k3s/pkg/cli/cmds"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
 	"github.com/urfave/cli"
 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
 	bootstraputil "k8s.io/cluster-bootstrap/token/util"

--- a/pkg/kubeadm/utils.go
+++ b/pkg/kubeadm/utils.go
 package kubeadm
 import (
+	"fmt"
 	"sort"
 	"strings"
 	"time"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	bootstrapapi "k8s.io/cluster-bootstrap/token/api"
@@ -32,7 +33,7 @@ func (bts BootstrapTokenString) String() string {
 func NewBootstrapTokenString(token string) (*BootstrapTokenString, error) {
 	substrs := bootstraputil.BootstrapTokenRegexp.FindStringSubmatch(token)
 	if len(substrs) != 3 {
-		return nil, errors.Errorf("the bootstrap token %q was not of the form %q", token, bootstrapapi.BootstrapTokenPattern)
+		return nil, fmt.Errorf("the bootstrap token %q was not of the form %q", token, bootstrapapi.BootstrapTokenPattern)
 	}
 	return &BootstrapTokenString{ID: substrs[1], Secret: substrs[2]}, nil
@@ -100,24 +101,24 @@ func BootstrapTokenFromSecret(secret *v1.Secret) (*BootstrapToken, error) {
 	// Get the Token ID field from the Secret data
 	tokenID := bootstrapsecretutil.GetData(secret, bootstrapapi.BootstrapTokenIDKey)
 	if len(tokenID) == 0 {
-		return nil, errors.Errorf("bootstrap Token Secret has no token-id data: %s", secret.Name)
+		return nil, fmt.Errorf("bootstrap Token Secret has no token-id data: %s", secret.Name)
 	}
 	// Enforce the right naming convention
 	if secret.Name != bootstraputil.BootstrapTokenSecretName(tokenID) {
-		return nil, errors.Errorf("bootstrap token name is not of the form '%s(token-id)'. Actual: %q. Expected: %q",
+		return nil, fmt.Errorf("bootstrap token name is not of the form '%s(token-id)'. Actual: %q. Expected: %q",
 			bootstrapapi.BootstrapTokenSecretPrefix, secret.Name, bootstraputil.BootstrapTokenSecretName(tokenID))
 	}
 	tokenSecret := bootstrapsecretutil.GetData(secret, bootstrapapi.BootstrapTokenSecretKey)
 	if len(tokenSecret) == 0 {
-		return nil, errors.Errorf("bootstrap Token Secret has no token-secret data: %s", secret.Name)
+		return nil, fmt.Errorf("bootstrap Token Secret has no token-secret data: %s", secret.Name)
 	}
 	// Create the BootstrapTokenString object based on the ID and Secret
 	bts, err := NewBootstrapTokenStringFromIDAndSecret(tokenID, tokenSecret)
 	if err != nil {
-		return nil, errors.Wrap(err, "bootstrap Token Secret is invalid and couldn't be parsed")
+		return nil, pkgerrors.WithMessage(err, "bootstrap Token Secret is invalid and couldn't be parsed")
 	}
 	// Get the description (if any) from the Secret
@@ -130,7 +131,7 @@ func BootstrapTokenFromSecret(secret *v1.Secret) (*BootstrapToken, error) {
 	if len(secretExpiration) > 0 {
 		expTime, err := time.Parse(time.RFC3339, secretExpiration)
 		if err != nil {
-			return nil, errors.Wrapf(err, "can't parse expiration time of bootstrap token %q", secret.Name)
+			return nil, pkgerrors.WithMessagef(err, "can't parse expiration time of bootstrap token %q", secret.Name)
 		}
 		expires = &metav1.Time{Time: expTime}
 	}

--- a/pkg/node/controller.go
+++ b/pkg/node/controller.go
@@ -8,7 +8,7 @@ import (
 	"strings"
 	"github.com/k3s-io/k3s/pkg/nodepassword"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	coreclient "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
 	"github.com/sirupsen/logrus"
 	core "k8s.io/api/core/v1"
@@ -72,7 +72,7 @@ func (h *handler) updateHosts(node *core.Node, removed bool) (*core.Node, error)
 	}
 	if removed {
 		if err := h.removeNodePassword(nodeName); err != nil {
-			logrus.Warn(errors.Wrap(err, "Unable to remove node password"))
+			logrus.Warn(pkgerrors.WithMessage(err, "Unable to remove node password"))
 		}
 	}
 	if h.modCoreDNS {
@@ -99,7 +99,7 @@ func (h *handler) updateCoreDNSConfigMap(nodeName, hostName, nodeIPv4, nodeIPv6 
 	configMap, err := h.configMaps.Get("kube-system", "coredns", metav1.GetOptions{})
 	if err != nil || configMap == nil {
-		logrus.Warn(errors.Wrap(err, "Unable to fetch coredns config map"))
+		logrus.Warn(pkgerrors.WithMessage(err, "Unable to fetch coredns config map"))
 		return nil
 	}

--- a/pkg/nodeconfig/nodeconfig.go
+++ b/pkg/nodeconfig/nodeconfig.go
@@ -11,7 +11,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/configfilearg"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 )
@@ -45,7 +45,7 @@ func getNodeArgs() (string, error) {
 	}
 	nodeArgs, err := json.Marshal(nodeArgsList)
 	if err != nil {
-		return "", errors.Wrap(err, "Failed to retrieve argument list for node")
+		return "", pkgerrors.WithMessage(err, "Failed to retrieve argument list for node")
 	}
 	return string(nodeArgs), nil
 }
@@ -65,7 +65,7 @@ func getNodeEnv() (string, error) {
 	}
 	k3sEnvJSON, err := json.Marshal(k3sEnv)
 	if err != nil {
-		return "", errors.Wrap(err, "Failed to retrieve environment map for node")
+		return "", pkgerrors.WithMessage(err, "Failed to retrieve environment map for node")
 	}
 	return string(k3sEnvJSON), nil
 }

--- a/pkg/nodepassword/nodepassword.go
+++ b/pkg/nodepassword/nodepassword.go
 package nodepassword
 import (
+	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -9,7 +10,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/authenticator/hash"
 	"github.com/k3s-io/k3s/pkg/passwd"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	coreclient "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
 	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
@@ -122,7 +123,7 @@ func MigrateFile(secretClient coreclient.SecretController, nodeClient coreclient
 	for _, nodeName := range nodeNames {
 		if pass, ok := passwd.Pass(nodeName); ok {
 			if err := Ensure(secretClient, nodeName, pass); err != nil {
-				logrus.Warn(errors.Wrapf(err, "error migrating node password entry for node '%s'", nodeName))
+				logrus.Warn(pkgerrors.WithMessagef(err, "error migrating node password entry for node '%s'", nodeName))
 			} else {
 				ensured++
 			}

--- a/pkg/nodepassword/validate.go
+++ b/pkg/nodepassword/validate.go
@@ -2,6 +2,7 @@ package nodepassword
 import (
 	"context"
+	"errors"
 	"net/http"
 	"os"
 	"path"
@@ -13,7 +14,7 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	coreclient "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
@@ -149,16 +150,16 @@ func verifyLocalPassword(ctx context.Context, control *config.Control, mu *sync.
 	passBytes, err := os.ReadFile(nodePasswordFile)
 	if err != nil {
-		return "", http.StatusInternalServerError, errors.Wrap(err, "unable to read node password file")
+		return "", http.StatusInternalServerError, pkgerrors.WithMessage(err, "unable to read node password file")
 	}
 	passHash, err := Hasher.CreateHash(strings.TrimSpace(string(passBytes)))
 	if err != nil {
-		return "", http.StatusInternalServerError, errors.Wrap(err, "unable to hash node password file")
+		return "", http.StatusInternalServerError, pkgerrors.WithMessage(err, "unable to hash node password file")
 	}
 	if err := Hasher.VerifyHash(passHash, node.Password); err != nil {
-		return "", http.StatusForbidden, errors.Wrap(err, "unable to verify local node password")
+		return "", http.StatusForbidden, pkgerrors.WithMessage(err, "unable to verify local node password")
 	}
 	mu.Lock()
@@ -193,7 +194,7 @@ func verifyRemotePassword(ctx context.Context, control *config.Control, mu *sync
 func verifyNode(ctx context.Context, nodeClient coreclient.NodeController, node *nodeInfo) error {
 	if nodeName, isNodeAuth := identifier.NodeIdentity(node.User); isNodeAuth {
 		if _, err := nodeClient.Cache().Get(nodeName); err != nil {
-			return errors.Wrap(err, "unable to verify node identity")
+			return pkgerrors.WithMessage(err, "unable to verify node identity")
 		}
 	}
 	return nil

--- a/pkg/rootless/mounts.go
+++ b/pkg/rootless/mounts.go
@@ -10,7 +10,7 @@ import (
 	"path/filepath"
 	"strings"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 )
@@ -41,7 +41,7 @@ func setupMounts(stateDir string) error {
 	for _, v := range mountMap {
 		if err := setupMount(v[0], v[1]); err != nil {
-			return errors.Wrapf(err, "failed to setup mount %s => %s", v[0], v[1])
+			return pkgerrors.WithMessagef(err, "failed to setup mount %s => %s", v[0], v[1])
 		}
 	}
@@ -75,16 +75,16 @@ func setupMount(target, dir string) error {
 	}
 	if err := os.MkdirAll(toCreate, 0700); err != nil {
-		return errors.Wrapf(err, "failed to create directory %s", toCreate)
+		return pkgerrors.WithMessagef(err, "failed to create directory %s", toCreate)
 	}
 	logrus.Debug("Mounting none ", toCreate, " tmpfs")
 	if err := unix.Mount("none", toCreate, "tmpfs", 0, ""); err != nil {
-		return errors.Wrapf(err, "failed to mount tmpfs to %s", toCreate)
+		return pkgerrors.WithMessagef(err, "failed to mount tmpfs to %s", toCreate)
 	}
 	if err := os.MkdirAll(target, 0700); err != nil {
-		return errors.Wrapf(err, "failed to create directory %s", target)
+		return pkgerrors.WithMessagef(err, "failed to create directory %s", target)
 	}
 	if dir == "" {
@@ -92,7 +92,7 @@ func setupMount(target, dir string) error {
 	}
 	if err := os.MkdirAll(dir, 0700); err != nil {
-		return errors.Wrapf(err, "failed to create directory %s", dir)
+		return pkgerrors.WithMessagef(err, "failed to create directory %s", dir)
 	}
 	logrus.Debug("Mounting ", dir, target, " none bind")

--- a/pkg/rootless/rootless.go
+++ b/pkg/rootless/rootless.go
@@ -4,6 +4,8 @@
 package rootless
 import (
+	"errors"
+	"fmt"
 	"net"
 	"os"
 	"os/exec"
@@ -12,7 +14,7 @@ import (
 	"strings"
 	"github.com/opencontainers/runc/libcontainer/cgroups"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rootless-containers/rootlesskit/pkg/child"
 	"github.com/rootless-containers/rootlesskit/pkg/copyup/tmpfssymlink"
 	"github.com/rootless-containers/rootlesskit/pkg/network/slirp4netns"
@@ -97,7 +99,7 @@ func validateSysctl() error {
 	for key, expectedValue := range expected {
 		if actualValue, err := readSysctl(key); err == nil {
 			if expectedValue != actualValue {
-				return errors.Errorf("expected sysctl value %q to be %q, got %q; try adding \"%s=%s\" to /etc/sysctl.conf and running `sudo sysctl --system`",
+				return fmt.Errorf("expected sysctl value %q to be %q, got %q; try adding \"%s=%s\" to /etc/sysctl.conf and running `sudo sysctl --system`",
 					key, expectedValue, actualValue, key, expectedValue)
 			}
 		}
@@ -123,14 +125,14 @@ func parseCIDR(s string) (*net.IPNet, error) {
 		return nil, err
 	}
 	if !ip.Equal(ipnet.IP) {
-		return nil, errors.Errorf("cidr must be like 10.0.2.0/24, not like 10.0.2.100/24")
+		return nil, errors.New("host identifier bits must not be set in CIDR prefix")
 	}
 	return ipnet, nil
 }
 func createParentOpt(driver portDriver, stateDir string, enableIPv6 bool) (*parent.Opt, error) {
 	if err := os.MkdirAll(stateDir, 0755); err != nil {
-		return nil, errors.Wrapf(err, "failed to mkdir %s", stateDir)
+		return nil, pkgerrors.WithMessagef(err, "failed to mkdir %s", stateDir)
 	}
 	driver.SetStateDir(stateDir)

--- a/pkg/server/auth/auth.go
+++ b/pkg/server/auth/auth.go
 package auth
 import (
+	"errors"
 	"net"
 	"net/http"
 	"github.com/gorilla/mux"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"k8s.io/apiserver/pkg/endpoints/request"
 )

--- a/pkg/server/context.go
+++ b/pkg/server/context.go
@@ -9,7 +9,7 @@ import (
 	"github.com/k3s-io/api/pkg/generated/controllers/k3s.cattle.io"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/crd"
 	"github.com/rancher/wrangler/v3/pkg/generated/controllers/apps"
 	"github.com/rancher/wrangler/v3/pkg/generated/controllers/batch"
@@ -57,7 +57,7 @@ func NewContext(ctx context.Context, config *Config, forServer bool) (*Context, 
 	if forServer {
 		recorder = util.BuildControllerEventRecorder(k8s, version.Program+"-supervisor", metav1.NamespaceAll)
 		if err := registerCrds(ctx, config, restConfig); err != nil {
-			return nil, errors.Wrap(err, "failed to register CRDs")
+			return nil, pkgerrors.WithMessage(err, "failed to register CRDs")
 		}
 	}

--- a/pkg/server/handlers/cert.go
+++ b/pkg/server/handlers/cert.go
@@ -6,6 +6,7 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"io/fs"
@@ -21,7 +22,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/control/deps"
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	certutil "github.com/rancher/dynamiclistener/cert"
 	"github.com/rancher/wrangler/v3/pkg/merr"
 	"github.com/sirupsen/logrus"
@@ -76,12 +77,12 @@ func caCertReplace(control *config.Control, buf io.ReadCloser, force bool) error
 	}
 	if err := defaultBootstrap(control, tmpControl); err != nil {
-		return errors.Wrap(err, "failed to set default bootstrap values")
+		return pkgerrors.WithMessage(err, "failed to set default bootstrap values")
 	}
 	if err := validateBootstrap(control, tmpControl); err != nil {
 		if !force {
-			return errors.Wrap(err, "failed to validate new CA certificates and keys")
+			return pkgerrors.WithMessage(err, "failed to validate new CA certificates and keys")
 		}
 		logrus.Warnf("Save of CA certificates and keys forced, ignoring validation errors: %v", err)
 	}
@@ -102,7 +103,7 @@ func defaultBootstrap(oldControl, newControl *config.Control) error {
 		newVal := newMeta.FieldByName(field.Name)
 		info, err := os.Stat(newVal.String())
 		if err != nil && !errors.Is(err, fs.ErrNotExist) {
-			errs = append(errs, errors.Wrap(err, field.Name))
+			errs = append(errs, pkgerrors.WithMessage(err, field.Name))
 			continue
 		}
@@ -140,19 +141,19 @@ func validateBootstrap(oldControl, newControl *config.Control) error {
 		// Check CA chain consistency and cert/key agreement
 		if strings.HasSuffix(field.Name, "CA") {
 			if err := validateCA(oldVal.String(), newVal.String()); err != nil {
-				errs = append(errs, errors.Wrap(err, field.Name))
+				errs = append(errs, pkgerrors.WithMessage(err, field.Name))
 			}
 			newKeyVal := newMeta.FieldByName(field.Name + "Key")
 			oldKeyVal := oldMeta.FieldByName(field.Name + "Key")
 			if err := validateCAKey(oldVal.String(), oldKeyVal.String(), newVal.String(), newKeyVal.String()); err != nil {
-				errs = append(errs, errors.Wrap(err, field.Name+"Key"))
+				errs = append(errs, pkgerrors.WithMessage(err, field.Name+"Key"))
 			}
 		}
 		// Check signing key rotation
 		if field.Name == "ServiceKey" {
 			if err := validateServiceKey(oldVal.String(), newVal.String()); err != nil {
-				errs = append(errs, errors.Wrap(err, field.Name))
+				errs = append(errs, pkgerrors.WithMessage(err, field.Name))
 			}
 		}
 	}
@@ -204,7 +205,7 @@ func validateCA(oldCAPath, newCAPath string) error {
 	// Verify the first cert in the bundle, using the combined roots and intermediates
 	_, err = newCerts[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
 	if err != nil {
-		err = errors.Wrap(err, "new CA cert cannot be verified using old CA chain")
+		err = pkgerrors.WithMessage(err, "new CA cert cannot be verified using old CA chain")
 	}
 	return err
 }
@@ -218,7 +219,7 @@ func validateCAKey(oldCAPath, oldCAKeyPath, newCAPath, newCAKeyPath string) erro
 	_, err := tls.LoadX509KeyPair(newCAPath, newCAKeyPath)
 	if err != nil {
-		err = errors.Wrap(err, "new CA cert and key cannot be loaded as X590KeyPair")
+		err = pkgerrors.WithMessage(err, "new CA cert and key cannot be loaded as X590KeyPair")
 	}
 	return err
 }

--- a/pkg/server/handlers/handlers.go
+++ b/pkg/server/handlers/handlers.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -19,7 +20,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/etcd"
 	"github.com/k3s-io/k3s/pkg/nodepassword"
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	certutil "github.com/rancher/dynamiclistener/cert"
 	"github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -133,7 +134,7 @@ func File(fileName ...string) http.Handler {
 		for _, f := range fileName {
 			bytes, err := os.ReadFile(f)
 			if err != nil {
-				util.SendError(errors.Wrapf(err, "failed to read %s", f), resp, req, http.StatusInternalServerError)
+				util.SendError(pkgerrors.WithMessagef(err, "failed to read %s", f), resp, req, http.StatusInternalServerError)
 				return
 			}
 			resp.Write(bytes)
@@ -164,7 +165,7 @@ func APIServers(control *config.Control) http.Handler {
 		endpoints := collectAddresses(ctx)
 		resp.Header().Set("content-type", "application/json")
 		if err := json.NewEncoder(resp).Encode(endpoints); err != nil {
-			util.SendError(errors.Wrap(err, "failed to encode apiserver endpoints"), resp, req, http.StatusInternalServerError)
+			util.SendError(pkgerrors.WithMessage(err, "failed to encode apiserver endpoints"), resp, req, http.StatusInternalServerError)
 		}
 	})
 }
@@ -178,7 +179,7 @@ func Config(control *config.Control, cfg *cmds.Server) http.Handler {
 		control.DisableKubeProxy = cfg.DisableKubeProxy
 		resp.Header().Set("content-type", "application/json")
 		if err := json.NewEncoder(resp).Encode(control); err != nil {
-			util.SendError(errors.Wrap(err, "failed to encode agent config"), resp, req, http.StatusInternalServerError)
+			util.SendError(pkgerrors.WithMessage(err, "failed to encode agent config"), resp, req, http.StatusInternalServerError)
 		}
 	})
 }

--- a/pkg/server/handlers/secrets-encrypt.go
+++ b/pkg/server/handlers/secrets-encrypt.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -17,7 +18,6 @@ import (
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/k3s-io/k3s/pkg/secretsencrypt"
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/generated/controllers/core"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"

--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -28,7 +28,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/util/permissions"
 	"github.com/k3s-io/k3s/pkg/version"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/apply"
 	v1 "github.com/rancher/wrangler/v3/pkg/generated/controllers/core/v1"
 	"github.com/rancher/wrangler/v3/pkg/leader"
@@ -54,7 +54,7 @@ func StartServer(ctx context.Context, config *Config, cfg *cmds.Server) error {
 	}
 	if err := control.Server(ctx, &config.ControlConfig); err != nil {
-		return errors.Wrap(err, "starting kubernetes")
+		return pkgerrors.WithMessage(err, "starting kubernetes")
 	}
 	wg := &sync.WaitGroup{}
@@ -71,7 +71,7 @@ func StartServer(ctx context.Context, config *Config, cfg *cmds.Server) error {
 	}
 	for _, hook := range config.StartupHooks {
 		if err := hook(ctx, wg, shArgs); err != nil {
-			return errors.Wrap(err, "startup hook")
+			return pkgerrors.WithMessage(err, "startup hook")
 		}
 	}
 	go startOnAPIServerReady(ctx, config)
@@ -99,12 +99,12 @@ func runControllers(ctx context.Context, config *Config) error {
 	sc, err := NewContext(ctx, config, true)
 	if err != nil {
-		return errors.Wrap(err, "failed to create new server context")
+		return pkgerrors.WithMessage(err, "failed to create new server context")
 	}
 	controlConfig.Runtime.StartupHooksWg.Wait()
 	if err := stageFiles(ctx, sc, controlConfig); err != nil {
-		return errors.Wrap(err, "failed to stage files")
+		return pkgerrors.WithMessage(err, "failed to stage files")
 	}
 	// run migration before we set controlConfig.Runtime.Core
@@ -112,7 +112,7 @@ func runControllers(ctx context.Context, config *Config) error {
 		sc.Core.Core().V1().Secret(),
 		sc.Core.Core().V1().Node(),
 		controlConfig.Runtime.NodePasswdFile); err != nil {
-		logrus.Warn(errors.Wrap(err, "error migrating node-password file"))
+		logrus.Warn(pkgerrors.WithMessage(err, "error migrating node-password file"))
 	}
 	controlConfig.Runtime.K8s = sc.K8s
 	controlConfig.Runtime.K3s = sc.K3s
@@ -125,12 +125,12 @@ func runControllers(ctx context.Context, config *Config) error {
 	for _, controller := range config.Controllers {
 		if err := controller(ctx, sc); err != nil {
-			return errors.Wrapf(err, "failed to start %s controller", util.GetFunctionName(controller))
+			return pkgerrors.WithMessagef(err, "failed to start %s controller", util.GetFunctionName(controller))
 		}
 	}
 	if err := sc.Start(ctx); err != nil {
-		return errors.Wrap(err, "failed to start wranger controllers")
+		return pkgerrors.WithMessage(err, "failed to start wranger controllers")
 	}
 	if !controlConfig.DisableAPIServer {
@@ -164,14 +164,14 @@ func apiserverControllers(ctx context.Context, sc *Context, config *Config) {
 	}
 	for _, controller := range config.LeaderControllers {
 		if err := controller(ctx, sc); err != nil {
-			panic(errors.Wrapf(err, "failed to start %s leader controller", util.GetFunctionName(controller)))
+			panic(pkgerrors.WithMessagef(err, "failed to start %s leader controller", util.GetFunctionName(controller)))
 		}
 	}
 	// Re-run informer factory startup after core and leader-elected controllers have started.
 	// Additional caches may need to start for the newly added OnChange/OnRemove callbacks.
 	if err := sc.Start(ctx); err != nil {
-		panic(errors.Wrap(err, "failed to start wranger controllers"))
+		panic(pkgerrors.WithMessage(err, "failed to start wranger controllers"))
 	}
 }
@@ -478,11 +478,11 @@ func setupDataDirAndChdir(config *config.Control) error {
 	dataDir := config.DataDir
 	if err := os.MkdirAll(dataDir, 0700); err != nil {
-		return errors.Wrapf(err, "can not mkdir %s", dataDir)
+		return pkgerrors.WithMessagef(err, "can not mkdir %s", dataDir)
 	}
 	if err := os.Chdir(dataDir); err != nil {
-		return errors.Wrapf(err, "can not chdir %s", dataDir)
+		return pkgerrors.WithMessagef(err, "can not chdir %s", dataDir)
 	}
 	return nil

--- a/pkg/spegel/bootstrap.go
+++ b/pkg/spegel/bootstrap.go
@@ -3,6 +3,7 @@ package spegel
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"os"
 	"path/filepath"
 	"strings"
@@ -13,7 +14,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util"
 	"github.com/k3s-io/k3s/pkg/version"
 	"github.com/libp2p/go-libp2p/core/peer"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/merr"
 	"github.com/sirupsen/logrus"
 	"github.com/spegel-org/spegel/pkg/routing"
@@ -81,14 +82,14 @@ func (c *agentBootstrapper) Run(ctx context.Context, id string) error {
 		withCert := clientaccess.WithClientCertificate(c.clientCert, c.clientKey)
 		info, err := clientaccess.ParseAndValidateToken(c.server, c.token, withCert)
 		if err != nil {
-			return errors.Wrap(err, "failed to validate join token")
+			return pkgerrors.WithMessage(err, "failed to validate join token")
 		}
 		c.info = info
 	}
 	client, err := util.GetClientSet(c.kubeConfig)
 	if err != nil {
-		return errors.Wrap(err, "failed to create kubernetes client")
+		return pkgerrors.WithMessage(err, "failed to create kubernetes client")
 	}
 	nodes := client.CoreV1().Nodes()

--- a/pkg/spegel/spegel.go
+++ b/pkg/spegel/spegel.go
@@ -3,6 +3,7 @@ package spegel
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"net"
@@ -30,7 +31,7 @@ import (
 	"github.com/libp2p/go-libp2p"
 	"github.com/libp2p/go-libp2p/core/crypto"
 	"github.com/libp2p/go-libp2p/p2p/host/peerstore/pstoreds"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"github.com/spegel-org/spegel/pkg/metrics"
 	"github.com/spegel-org/spegel/pkg/oci"
@@ -141,33 +142,33 @@ func (c *Config) Start(ctx context.Context, nodeConfig *config.Node) error {
 	ociOpts := []oci.Option{oci.WithContentPath(filepath.Join(nodeConfig.Containerd.Root, "io.containerd.content.v1.content"))}
 	ociClient, err := oci.NewContainerd(nodeConfig.Containerd.Address, registryNamespace, nodeConfig.Containerd.Registry, urls, ociOpts...)
 	if err != nil {
-		return errors.Wrap(err, "failed to create OCI client")
+		return pkgerrors.WithMessage(err, "failed to create OCI client")
 	}
 	// create or load persistent private key
 	keyFile := filepath.Join(nodeConfig.Containerd.Opt, "peer.key")
 	keyBytes, _, err := cert.LoadOrGenerateKeyFile(keyFile, false)
 	if err != nil {
-		return errors.Wrap(err, "failed to load or generate p2p private key")
+		return pkgerrors.WithMessage(err, "failed to load or generate p2p private key")
 	}
 	privKey, err := cert.ParsePrivateKeyPEM(keyBytes)
 	if err != nil {
-		return errors.Wrap(err, "failed to parse p2p private key")
+		return pkgerrors.WithMessage(err, "failed to parse p2p private key")
 	}
 	p2pKey, _, err := crypto.KeyPairFromStdKey(privKey)
 	if err != nil {
-		return errors.Wrap(err, "failed to convert p2p private key")
+		return pkgerrors.WithMessage(err, "failed to convert p2p private key")
 	}
 	// create a peerstore to allow persisting nodes across restarts
 	peerFile := filepath.Join(nodeConfig.Containerd.Opt, "peerstore.db")
 	ds, err := leveldb.NewDatastore(peerFile, nil)
 	if err != nil {
-		return errors.Wrap(err, "failed to create peerstore datastore")
+		return pkgerrors.WithMessage(err, "failed to create peerstore datastore")
 	}
 	ps, err := pstoreds.NewPeerstore(ctx, ds, pstoreds.DefaultOpts())
 	if err != nil {
-		return errors.Wrap(err, "failed to create peerstore")
+		return pkgerrors.WithMessage(err, "failed to create peerstore")
 	}
 	// get latest tag configuration override
@@ -198,13 +199,13 @@ func (c *Config) Start(ctx context.Context, nodeConfig *config.Node) error {
 	}
 	router, err := routing.NewP2PRouter(ctx, routerAddr, c.Bootstrapper, c.RegistryPort, opts...)
 	if err != nil {
-		return errors.Wrap(err, "failed to create P2P router")
+		return pkgerrors.WithMessage(err, "failed to create P2P router")
 	}
 	go router.Run(ctx)
 	caCert, err := os.ReadFile(c.ServerCAFile)
 	if err != nil {
-		return errors.Wrap(err, "failed to read server CA")
+		return pkgerrors.WithMessage(err, "failed to read server CA")
 	}
 	client := clientaccess.GetHTTPClient(caCert, c.ClientCertFile, c.ClientKeyFile)
 	metrics.Register()
@@ -219,7 +220,7 @@ func (c *Config) Start(ctx context.Context, nodeConfig *config.Node) error {
 	reg := registry.NewRegistry(ociClient, router, registryOpts...)
 	regSvr, err := reg.Server(":" + c.RegistryPort)
 	if err != nil {
-		return errors.Wrap(err, "failed to create embedded registry server")
+		return pkgerrors.WithMessage(err, "failed to create embedded registry server")
 	}
 	// Track images available in containerd and publish via p2p router

--- a/pkg/static/stage.go
+++ b/pkg/static/stage.go
@@ -6,7 +6,7 @@ import (
 	"os"
 	"path/filepath"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -20,7 +20,7 @@ func Stage(dataDir string) error {
 		logrus.Info("Writing static file: ", p)
 		os.MkdirAll(filepath.Dir(p), 0700)
 		if err := os.WriteFile(p, content, 0600); err != nil {
-			return errors.Wrapf(err, "failed to write to %s", name)
+			return pkgerrors.WithMessagef(err, "failed to write to %s", name)
 		}
 	}

--- a/pkg/util/api.go
+++ b/pkg/util/api.go
@@ -2,6 +2,7 @@ package util
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
@@ -9,7 +10,7 @@ import (
 	"strconv"
 	"time"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/rancher/wrangler/v3/pkg/merr"
 	"github.com/rancher/wrangler/v3/pkg/schemes"
 	"github.com/sirupsen/logrus"
@@ -83,7 +84,7 @@ func WaitForAPIServerReady(ctx context.Context, kubeconfigPath string, timeout t
 		healthStatus := 0
 		result := restClient.Get().AbsPath("/readyz").Do(ctx).StatusCode(&healthStatus)
 		if rerr := result.Error(); rerr != nil {
-			lastErr = errors.Wrap(rerr, "failed to get apiserver /readyz status")
+			lastErr = pkgerrors.WithMessage(rerr, "failed to get apiserver /readyz status")
 			return false, nil
 		}
 		if healthStatus != http.StatusOK {

--- a/pkg/util/apierrors.go
+++ b/pkg/util/apierrors.go
@@ -2,12 +2,12 @@ package util
 import (
 	"crypto/rand"
+	"errors"
 	"fmt"
 	"math/big"
 	"net/http"
 	"github.com/k3s-io/api/pkg/generated/clientset/versioned/scheme"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

--- a/pkg/util/file.go
+++ b/pkg/util/file.go
 package util
 import (
+	"errors"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -8,7 +9,6 @@ import (
 	"strings"
 	"time"
-	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )

--- a/pkg/util/permissions/permissions_windows.go
+++ b/pkg/util/permissions/permissions_windows.go
@@ -6,7 +6,7 @@ package permissions
 import (
 	"fmt"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"golang.org/x/sys/windows"
 )
@@ -27,7 +27,7 @@ func IsPrivileged() error {
 		0, 0, 0, 0, 0, 0,
 		&sid)
 	if err != nil {
-		return errors.Wrap(err, "failed to create Windows SID")
+		return pkgerrors.WithMessage(err, "failed to create Windows SID")
 	}
 	defer windows.FreeSid(sid)
@@ -36,7 +36,7 @@ func IsPrivileged() error {
 	member, err := token.IsMember(sid)
 	if err != nil {
-		return errors.Wrap(err, "failed to check group membership")
+		return pkgerrors.WithMessage(err, "failed to check group membership")
 	}
 	if !member {

--- a/pkg/util/token.go
+++ b/pkg/util/token.go
@@ -5,12 +5,12 @@ import (
 	cryptorand "crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"os"
 	"path/filepath"
 	"github.com/k3s-io/k3s/pkg/clientaccess"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
-	"github.com/pkg/errors"
 )
 func Random(size int) (string, error) {

--- a/pkg/vpn/vpn.go
+++ b/pkg/vpn/vpn.go
@@ -2,6 +2,7 @@ package vpn
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net"
 	"net/url"
@@ -9,7 +10,7 @@ import (
 	"github.com/k3s-io/k3s/pkg/util"
-	"github.com/pkg/errors"
+	pkgerrors "github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -60,7 +61,7 @@ func StartVPN(vpnAuthConfigFile string) error {
 		logrus.Debugf("Flags passed to tailscale up: %v", args)
 		output, err := util.ExecCommand("tailscale", args)
 		if err != nil {
-			return errors.Wrap(err, "tailscale up failed: "+output)
+			return pkgerrors.WithMessage(err, "tailscale up failed: "+output)
 		}
 		logrus.Debugf("Output from tailscale up: %v", output)
 		return nil