diff --git a/pkg/agent/flannel/setup.go b/pkg/agent/flannel/setup.go
index 2ca80607ba5..27c9b0148a5 100644
--- a/pkg/agent/flannel/setup.go
+++ b/pkg/agent/flannel/setup.go
@@ -242,7 +242,7 @@ func createFlannelConf(nodeConfig *config.Node) error {
 			routes = append(routes, "$IPV6SUBNET")
 		}
 		if len(routes) == 0 {
-			return fmt.Errorf("incorrect netMode for flannel tailscale backend")
+			return errors.New("incorrect netMode for flannel tailscale backend")
 		}
 		advertisedRoutes, err := vpn.GetAdvertisedRoutes()
 		if err == nil && advertisedRoutes != nil {
diff --git a/pkg/agent/flannel/setup_test.go b/pkg/agent/flannel/setup_test.go
index 4a5375b8224..2e1cef697ae 100644
--- a/pkg/agent/flannel/setup_test.go
+++ b/pkg/agent/flannel/setup_test.go
@@ -79,7 +79,7 @@ func Test_createFlannelConf(t *testing.T) {
 			}
 			data, err := os.ReadFile("test_file")
 			if err != nil {
-				t.Errorf("Something went wrong when reading the flannel config file")
+				t.Error("Something went wrong when reading the flannel config file")
 			}
 			for _, config := range tt.wantConfig {
 				isExist, _ := regexp.Match(config, data)
diff --git a/pkg/agent/loadbalancer/loadbalancer_test.go b/pkg/agent/loadbalancer/loadbalancer_test.go
index 7de442e192a..21310578266 100644
--- a/pkg/agent/loadbalancer/loadbalancer_test.go
+++ b/pkg/agent/loadbalancer/loadbalancer_test.go
@@ -84,7 +84,7 @@ func (s *testServer) echo(conn net.Conn) {
 }
 
 func ping(conn net.Conn) (string, error) {
-	fmt.Fprintf(conn, "ping\n")
+	fmt.Fprint(conn, "ping\n")
 	result, err := bufio.NewReader(conn).ReadString('\n')
 	if err != nil {
 		return "", err
diff --git a/pkg/agent/run.go b/pkg/agent/run.go
index 39290301db6..4c0347b20a1 100644
--- a/pkg/agent/run.go
+++ b/pkg/agent/run.go
@@ -93,7 +93,7 @@ func run(ctx context.Context, cfg cmds.Agent, proxy proxy.Proxy) error {
 
 	// dualStack or IPv6 are not supported on Windows node
 	if (goruntime.GOOS == "windows") && enableIPv6 {
-		return fmt.Errorf("dual-stack or IPv6 are not supported on Windows node")
+		return errors.New("dual-stack or IPv6 are not supported on Windows node")
 	}
 
 	conntrackConfig, err := getConntrackConfig(nodeConfig)
diff --git a/pkg/authenticator/passwordfile/passwordfile_test.go b/pkg/authenticator/passwordfile/passwordfile_test.go
index ff65da69c1a..633c1c2d52a 100644
--- a/pkg/authenticator/passwordfile/passwordfile_test.go
+++ b/pkg/authenticator/passwordfile/passwordfile_test.go
@@ -134,13 +134,13 @@ password2,user2,uid2
 password3,user3
 password4
 `); err == nil {
-		t.Fatalf("unexpected non error")
+		t.Fatal("unexpected non error")
 	}
 }
 
 func Test_UnitInsufficientColumnsPasswordFile(t *testing.T) {
 	if _, err := newWithContents(t, "password4\n"); err == nil {
-		t.Fatalf("unexpected non error")
+		t.Fatal("unexpected non error")
 	}
 }
 
diff --git a/pkg/cli/agent/agent.go b/pkg/cli/agent/agent.go
index 83d3aa0c085..7fd2ef06a3a 100644
--- a/pkg/cli/agent/agent.go
+++ b/pkg/cli/agent/agent.go
@@ -3,7 +3,7 @@ package agent
 import (
 	"context"
 	"crypto/tls"
-	"fmt"
+	"errors"
 	"os"
 	"path/filepath"
 	"sync"
@@ -82,11 +82,11 @@ func Run(clx *cli.Context) (rerr error) {
 	_, err := tls.LoadX509KeyPair(clientKubeletCert, clientKubeletKey)
 
 	if err != nil && cmds.AgentConfig.Token == "" {
-		return fmt.Errorf("--token is required")
+		return errors.New("--token is required")
 	}
 
 	if cmds.AgentConfig.ServerURL == "" {
-		return fmt.Errorf("--server is required")
+		return errors.New("--server is required")
 	}
 
 	if cmds.AgentConfig.FlannelIface != "" && len(cmds.AgentConfig.NodeIP.Value()) == 0 {
diff --git a/pkg/cli/cert/cert.go b/pkg/cli/cert/cert.go
index f74edcff9ec..8e2a840ce5a 100644
--- a/pkg/cli/cert/cert.go
+++ b/pkg/cli/cert/cert.go
@@ -133,8 +133,8 @@ func (f *TableFormatter) Format(certInfo *CertificateInfo) error {
 	now := certInfo.ReferenceTime
 	defer w.Flush()
 
-	fmt.Fprintf(w, "\nFILENAME\tSUBJECT\tUSAGES\tEXPIRES\tRESIDUAL TIME\tSTATUS\n")
-	fmt.Fprintf(w, "--------\t-------\t------\t-------\t-------------\t------\n")
+	fmt.Fprint(w, "\nFILENAME\tSUBJECT\tUSAGES\tEXPIRES\tRESIDUAL TIME\tSTATUS\n")
+	fmt.Fprint(w, "--------\t-------\t------\t-------\t-------------\t------\n")
 
 	for _, cert := range certInfo.Certificates {
 		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n",
diff --git a/pkg/cli/secretsencrypt/secrets_encrypt.go b/pkg/cli/secretsencrypt/secrets_encrypt.go
index d3b611cfec6..bdc2a96ec66 100644
--- a/pkg/cli/secretsencrypt/secrets_encrypt.go
+++ b/pkg/cli/secretsencrypt/secrets_encrypt.go
@@ -132,9 +132,9 @@ func Status(app *cli.Context) error {
 
 	var tabBuffer bytes.Buffer
 	w := tabwriter.NewWriter(&tabBuffer, 0, 0, 2, ' ', 0)
-	fmt.Fprintf(w, "\n")
-	fmt.Fprintf(w, "Active\tKey Type\tName\n")
-	fmt.Fprintf(w, "------\t--------\t----\n")
+	fmt.Fprint(w, "\n")
+	fmt.Fprint(w, "Active\tKey Type\tName\n")
+	fmt.Fprint(w, "------\t--------\t----\n")
 	if status.ActiveKey != "" {
 		ak := strings.Split(status.ActiveKey, " ")
 		fmt.Fprintf(w, " *\t%s\t%s\n", ak[0], ak[1])
diff --git a/pkg/cloudprovider/cloudprovider.go b/pkg/cloudprovider/cloudprovider.go
index 5900b9ac854..54ec3134bd9 100644
--- a/pkg/cloudprovider/cloudprovider.go
+++ b/pkg/cloudprovider/cloudprovider.go
@@ -2,7 +2,7 @@ package cloudprovider
 
 import (
 	"encoding/json"
-	"fmt"
+	"errors"
 	"io"
 
 	"github.com/k3s-io/k3s/pkg/util"
@@ -74,7 +74,7 @@ func init() {
 		}
 
 		if !k.LBEnabled && !k.NodeEnabled {
-			return nil, fmt.Errorf("all cloud-provider functionality disabled by config")
+			return nil, errors.New("all cloud-provider functionality disabled by config")
 		}
 
 		return &k, err
diff --git a/pkg/cloudprovider/servicelb.go b/pkg/cloudprovider/servicelb.go
index 3109254e7ab..18a5d96f610 100644
--- a/pkg/cloudprovider/servicelb.go
+++ b/pkg/cloudprovider/servicelb.go
@@ -3,6 +3,7 @@ package cloudprovider
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"sort"
 	"strconv"
@@ -734,11 +735,11 @@ func validateToleration(toleration *core.Toleration) error {
 	}
 
 	if toleration.Key == "" && toleration.Operator != core.TolerationOpExists {
-		return fmt.Errorf("toleration with empty key must have operator 'Exists'")
+		return errors.New("toleration with empty key must have operator 'Exists'")
 	}
 
 	if toleration.Operator == core.TolerationOpExists && toleration.Value != "" {
-		return fmt.Errorf("toleration with operator 'Exists' must have an empty value")
+		return errors.New("toleration with operator 'Exists' must have an empty value")
 	}
 
 	return nil
diff --git a/pkg/cluster/encrypt.go b/pkg/cluster/encrypt.go
index b39fdc15137..75ed6f26392 100644
--- a/pkg/cluster/encrypt.go
+++ b/pkg/cluster/encrypt.go
@@ -6,7 +6,7 @@ import (
 	"crypto/rand"
 	"crypto/sha1"
 	"encoding/base64"
-	"fmt"
+	"errors"
 	"io"
 	"strings"
 
@@ -54,7 +54,7 @@ func encrypt(passphrase string, plaintext []byte) ([]byte, error) {
 func decrypt(passphrase string, ciphertext []byte) ([]byte, error) {
 	parts := strings.SplitN(string(ciphertext), ":", 2)
 	if len(parts) != 2 {
-		return nil, fmt.Errorf("invalid cipher text, not : delimited")
+		return nil, errors.New("invalid cipher text, not : delimited")
 	}
 
 	clearKey := pbkdf2.Key([]byte(passphrase), []byte(parts[0]), 4096, 32, sha1.New)
diff --git a/pkg/cluster/https.go b/pkg/cluster/https.go
index df5446b98a7..332a2e8b066 100644
--- a/pkg/cluster/https.go
+++ b/pkg/cluster/https.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"errors"
-	"fmt"
 	"io"
 	"log"
 	"net"
@@ -105,7 +104,7 @@ func (c *Cluster) initClusterAndHTTPS(ctx context.Context) error {
 		if c.config.Runtime.Handler != nil {
 			c.config.Runtime.Handler.ServeHTTP(rw, req)
 		} else {
-			util.SendError(fmt.Errorf("starting"), rw, req, http.StatusServiceUnavailable)
+			util.SendError(errors.New("starting"), rw, req, http.StatusServiceUnavailable)
 		}
 	})
 
diff --git a/pkg/etcd/etcd.go b/pkg/etcd/etcd.go
index c65512f45b2..570a527f3c8 100644
--- a/pkg/etcd/etcd.go
+++ b/pkg/etcd/etcd.go
@@ -758,7 +758,7 @@ func (e *ETCD) handler(next http.Handler) http.Handler {
 func (e *ETCD) infoHandler() http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		if req.Method != http.MethodGet {
-			util.SendError(fmt.Errorf("method not allowed"), rw, req, http.StatusMethodNotAllowed)
+			util.SendError(errors.New("method not allowed"), rw, req, http.StatusMethodNotAllowed)
 			return
 		}
 
diff --git a/pkg/etcd/s3/s3.go b/pkg/etcd/s3/s3.go
index 94a174a5934..e659b226dee 100644
--- a/pkg/etcd/s3/s3.go
+++ b/pkg/etcd/s3/s3.go
@@ -200,7 +200,7 @@ func (c *Controller) GetClient(ctx context.Context, etcdS3 *config.EtcdS3) (*Cli
 				return nil, pkgerrors.WithMessage(err, "failed to parse etcd-s3-proxy value as URL")
 			}
 			if u.Scheme == "" || u.Host == "" {
-				return nil, fmt.Errorf("proxy URL must include scheme and host")
+				return nil, errors.New("proxy URL must include scheme and host")
 			}
 		}
 		tr.Proxy = http.ProxyURL(u)
diff --git a/pkg/etcd/snapshot_handler.go b/pkg/etcd/snapshot_handler.go
index 5d591d9832c..1d156bcdcde 100644
--- a/pkg/etcd/snapshot_handler.go
+++ b/pkg/etcd/snapshot_handler.go
@@ -3,7 +3,7 @@ package etcd
 import (
 	"context"
 	"encoding/json"
-	"fmt"
+	"errors"
 	"io"
 	"net/http"
 
@@ -136,7 +136,7 @@ func (e *ETCD) handleDelete(rw http.ResponseWriter, req *http.Request, snapshots
 }
 
 func (e *ETCD) handleInvalid(rw http.ResponseWriter, req *http.Request) error {
-	util.SendErrorWithID(fmt.Errorf("invalid snapshot operation"), "etcd-snapshot", rw, req, http.StatusBadRequest)
+	util.SendErrorWithID(errors.New("invalid snapshot operation"), "etcd-snapshot", rw, req, http.StatusBadRequest)
 	return nil
 }
 
diff --git a/pkg/nodepassword/nodepassword_test.go b/pkg/nodepassword/nodepassword_test.go
index 2c803a0897a..57606aafbac 100644
--- a/pkg/nodepassword/nodepassword_test.go
+++ b/pkg/nodepassword/nodepassword_test.go
@@ -23,9 +23,9 @@ func Test_UnitAsserts(t *testing.T) {
 }
 
 func Test_PasswordError(t *testing.T) {
-	err := &passwordError{node: "test", err: fmt.Errorf("inner error")}
+	err := &passwordError{node: "test", err: errors.New("inner error")}
 	assertEqual(t, errors.Is(err, ErrVerifyFailed), true)
-	assertEqual(t, errors.Is(err, fmt.Errorf("different error")), false)
+	assertEqual(t, errors.Is(err, errors.New("different error")), false)
 	assertNotEqual(t, errors.Unwrap(err), nil)
 }
 
diff --git a/pkg/secretsencrypt/config.go b/pkg/secretsencrypt/config.go
index 436e635bb29..c129fb75432 100644
--- a/pkg/secretsencrypt/config.go
+++ b/pkg/secretsencrypt/config.go
@@ -6,6 +6,7 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"time"
@@ -92,7 +93,7 @@ func GetEncryptionKeys(runtime *config.ControlRuntime) (*EncryptionKeys, error)
 			currentKeys.SBKeys = append(currentKeys.SBKeys, p.Secretbox.Keys...)
 		}
 		if p.AESGCM != nil || p.KMS != nil {
-			return nil, fmt.Errorf("unsupported encryption keys found")
+			return nil, errors.New("unsupported encryption keys found")
 		}
 	}
 	return currentKeys, nil
@@ -333,7 +334,7 @@ func GetEncryptionConfigMetrics(runtime *config.ControlRuntime, initialMetrics b
 
 		unixUpdateTime = int64(tsMetric.GetMetric()[0].GetGauge().GetValue())
 		if time.Now().Unix() < unixUpdateTime {
-			return true, fmt.Errorf("encryption reload time is incorrectly ahead of current time")
+			return true, errors.New("encryption reload time is incorrectly ahead of current time")
 		}
 
 		for _, totalMetric := range totalMetrics.GetMetric() {
diff --git a/pkg/server/handlers/cert.go b/pkg/server/handlers/cert.go
index e1cd6be1e11..82e748e32f3 100644
--- a/pkg/server/handlers/cert.go
+++ b/pkg/server/handlers/cert.go
@@ -33,7 +33,7 @@ import (
 func CACertReplace(control *config.Control) http.HandlerFunc {
 	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 		if req.Method != http.MethodPut {
-			util.SendError(fmt.Errorf("method not allowed"), resp, req, http.StatusMethodNotAllowed)
+			util.SendError(errors.New("method not allowed"), resp, req, http.StatusMethodNotAllowed)
 			return
 		}
 		force, _ := strconv.ParseBool(req.FormValue("force"))
diff --git a/pkg/server/handlers/secrets-encrypt.go b/pkg/server/handlers/secrets-encrypt.go
index eadaa2da625..2cca9819c22 100644
--- a/pkg/server/handlers/secrets-encrypt.go
+++ b/pkg/server/handlers/secrets-encrypt.go
@@ -177,7 +177,7 @@ func encryptionEnable(ctx context.Context, control *config.Control, enable bool)
 		logrus.Infoln("Secrets encryption already enabled")
 		return nil
 	} else {
-		return fmt.Errorf("unable to enable/disable secrets encryption, unknown configuration")
+		return errors.New("unable to enable/disable secrets encryption, unknown configuration")
 	}
 	if err := cluster.Save(ctx, control, true); err != nil {
 		return err
@@ -188,7 +188,7 @@ func encryptionEnable(ctx context.Context, control *config.Control, enable bool)
 func EncryptionConfig(ctx context.Context, control *config.Control) http.Handler {
 	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 		if req.Method != http.MethodPut {
-			util.SendError(fmt.Errorf("method not allowed"), resp, req, http.StatusMethodNotAllowed)
+			util.SendError(errors.New("method not allowed"), resp, req, http.StatusMethodNotAllowed)
 			return
 		}
 
@@ -237,7 +237,7 @@ func encryptionPrepare(ctx context.Context, control *config.Control, force bool)
 		return err
 	}
 	if control.EncryptProvider == secretsencrypt.SecretBoxProvider {
-		return fmt.Errorf("prepare does not support secretbox key type, use rotate-keys instead")
+		return errors.New("prepare does not support secretbox key type, use rotate-keys instead")
 	}
 
 	curKeys, err := secretsencrypt.GetEncryptionKeys(control.Runtime)
@@ -265,7 +265,7 @@ func encryptionRotate(ctx context.Context, control *config.Control, force bool)
 		return err
 	}
 	if control.EncryptProvider == secretsencrypt.SecretBoxProvider {
-		return fmt.Errorf("rotate does not support secretbox key type, use rotate-keys instead")
+		return errors.New("rotate does not support secretbox key type, use rotate-keys instead")
 	}
 
 	curKeys, err := secretsencrypt.GetEncryptionKeys(control.Runtime)
@@ -301,7 +301,7 @@ func encryptionReencrypt(ctx context.Context, control *config.Control, force boo
 		return err
 	}
 	if control.EncryptProvider == secretsencrypt.SecretBoxProvider {
-		return fmt.Errorf("reencrypt does not support secretbox key type, use rotate-keys instead")
+		return errors.New("reencrypt does not support secretbox key type, use rotate-keys instead")
 	}
 
 	// Set the reencrypt-active annotation so other nodes know we are in the process of reencrypting.
diff --git a/pkg/server/handlers/token.go b/pkg/server/handlers/token.go
index fd782d2b475..8203351f7a7 100644
--- a/pkg/server/handlers/token.go
+++ b/pkg/server/handlers/token.go
@@ -3,7 +3,7 @@ package handlers
 import (
 	"context"
 	"encoding/json"
-	"fmt"
+	"errors"
 	"io"
 	"net/http"
 	"os"
@@ -35,7 +35,7 @@ func getServerTokenRequest(req *http.Request) (TokenRotateRequest, error) {
 func TokenRequest(ctx context.Context, control *config.Control) http.Handler {
 	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
 		if req.Method != http.MethodPut {
-			util.SendError(fmt.Errorf("method not allowed"), resp, req, http.StatusMethodNotAllowed)
+			util.SendError(errors.New("method not allowed"), resp, req, http.StatusMethodNotAllowed)
 			return
 		}
 		var err error
@@ -73,7 +73,7 @@ func tokenRotate(ctx context.Context, control *config.Control, newToken string)
 
 	oldToken, found := passwd.Pass("server")
 	if !found {
-		return fmt.Errorf("server token not found")
+		return errors.New("server token not found")
 	}
 	if newToken == "" {
 		newToken, err = util.Random(16)
diff --git a/pkg/util/net.go b/pkg/util/net.go
index e6a0a7b537c..4123493537e 100644
--- a/pkg/util/net.go
+++ b/pkg/util/net.go
@@ -396,9 +396,9 @@ func (ml *multiListener) Accept() (net.Conn, error) {
 		if ok {
 			return res.conn, res.err
 		}
-		return nil, fmt.Errorf("connection channel closed")
+		return nil, errors.New("connection channel closed")
 	case <-ml.closing:
-		return nil, fmt.Errorf("listener closed")
+		return nil, errors.New("listener closed")
 	}
 }
 
diff --git a/pkg/util/permissions/permissions_others.go b/pkg/util/permissions/permissions_others.go
index e2d1ab1d4cb..e25605ea746 100644
--- a/pkg/util/permissions/permissions_others.go
+++ b/pkg/util/permissions/permissions_others.go
@@ -3,7 +3,7 @@
 package permissions
 
 import (
-	"fmt"
+	"errors"
 	"os"
 )
 
@@ -11,7 +11,7 @@ import (
 // Ref: https://github.com/kubernetes/kubernetes/pull/96616
 func IsPrivileged() error {
 	if os.Getuid() != 0 {
-		return fmt.Errorf("not running as root")
+		return errors.New("not running as root")
 	}
 	return nil
 }
diff --git a/pkg/util/permissions/permissions_windows.go b/pkg/util/permissions/permissions_windows.go
index 03df43aba7d..0b4a9109198 100644
--- a/pkg/util/permissions/permissions_windows.go
+++ b/pkg/util/permissions/permissions_windows.go
@@ -3,7 +3,7 @@
 package permissions
 
 import (
-	"fmt"
+	"errors"
 
 	pkgerrors "github.com/pkg/errors"
 	"golang.org/x/sys/windows"
@@ -39,7 +39,7 @@ func IsPrivileged() error {
 	}
 
 	if !member {
-		return fmt.Errorf("not running as member of BUILTIN\\Administrators group")
+		return errors.New("not running as member of BUILTIN\\Administrators group")
 	}
 
 	return nil