diff --git a/metropolis/node/build/genosrelease/main.go b/metropolis/node/build/genosrelease/main.go
index ad6e3e2..adb8202 100644
--- a/metropolis/node/build/genosrelease/main.go
+++ b/metropolis/node/build/genosrelease/main.go
@@ -23,7 +23,6 @@
 import (
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -40,7 +39,7 @@
 
 func main() {
 	flag.Parse()
-	statusFileContent, err := ioutil.ReadFile(*flagStatusFile)
+	statusFileContent, err := os.ReadFile(*flagStatusFile)
 	if err != nil {
 		fmt.Printf("Failed to open bazel workspace status file: %v\n", err)
 		os.Exit(1)
@@ -73,7 +72,7 @@
 		fmt.Printf("Failed to encode os-release file: %v\n", err)
 		os.Exit(1)
 	}
-	if err := ioutil.WriteFile(*flagOutFile, []byte(osReleaseContent), 0644); err != nil {
+	if err := os.WriteFile(*flagOutFile, []byte(osReleaseContent), 0644); err != nil {
 		fmt.Printf("Failed to write os-release file: %v\n", err)
 		os.Exit(1)
 	}
diff --git a/metropolis/node/build/mkerofs/main.go b/metropolis/node/build/mkerofs/main.go
index ea89d67..d4e9d4d 100644
--- a/metropolis/node/build/mkerofs/main.go
+++ b/metropolis/node/build/mkerofs/main.go
@@ -22,7 +22,6 @@
 import (
 	"flag"
 	"io"
-	"io/ioutil"
 	"log"
 	"os"
 	"path"
@@ -132,7 +131,7 @@
 
 func main() {
 	flag.Parse()
-	specRaw, err := ioutil.ReadFile(*specPath)
+	specRaw, err := os.ReadFile(*specPath)
 	if err != nil {
 		log.Fatalf("failed to open spec: %v", err)
 	}
diff --git a/metropolis/node/build/mkimage/osimage/osimage.go b/metropolis/node/build/mkimage/osimage/osimage.go
index 4ad2d5f..2f000a6 100644
--- a/metropolis/node/build/mkimage/osimage/osimage.go
+++ b/metropolis/node/build/mkimage/osimage/osimage.go
@@ -21,7 +21,6 @@
 import (
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 
 	diskfs "github.com/diskfs/go-diskfs"
@@ -58,7 +57,7 @@
 	// If this is streamed (e.g. using io.Copy) it exposes a bug in diskfs, so
 	// do it in one go.
 	// TODO(mateusz@monogon.tech): Investigate the bug.
-	data, err := ioutil.ReadAll(src)
+	data, err := io.ReadAll(src)
 	if err != nil {
 		return fmt.Errorf("while reading %q: %w", src, err)
 	}
diff --git a/metropolis/node/core/cluster/cluster.go b/metropolis/node/core/cluster/cluster.go
index aa293b0..60d7e15 100644
--- a/metropolis/node/core/cluster/cluster.go
+++ b/metropolis/node/core/cluster/cluster.go
@@ -29,7 +29,7 @@
 	"context"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"sync"
 
 	"google.golang.org/protobuf/proto"
@@ -129,7 +129,7 @@
 }
 
 func (m *Manager) nodeParamsFWCFG(ctx context.Context) (*apb.NodeParameters, error) {
-	bytes, err := ioutil.ReadFile("/sys/firmware/qemu_fw_cfg/by_name/dev.monogon.metropolis/parameters.pb/raw")
+	bytes, err := os.ReadFile("/sys/firmware/qemu_fw_cfg/by_name/dev.monogon.metropolis/parameters.pb/raw")
 	if err != nil {
 		return nil, fmt.Errorf("could not read firmware enrolment file: %w", err)
 	}
diff --git a/metropolis/node/core/consensus/consensus_test.go b/metropolis/node/core/consensus/consensus_test.go
index 105b8eb..16d6f76 100644
--- a/metropolis/node/core/consensus/consensus_test.go
+++ b/metropolis/node/core/consensus/consensus_test.go
@@ -20,7 +20,6 @@
 	"bytes"
 	"context"
 	"crypto/x509"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -44,7 +43,7 @@
 	// Force usage of /tmp as temp directory root, otherwsie TMPDIR from Bazel
 	// returns a path long enough that socket binds in the localstorage fail
 	// (as socket names are limited to 108 characters).
-	tmp, err := ioutil.TempDir("/tmp", "metropolis-consensus-test")
+	tmp, err := os.MkdirTemp("/tmp", "metropolis-consensus-test")
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/metropolis/node/core/curator/curator_test.go b/metropolis/node/core/curator/curator_test.go
index 5ce0077..5529e5d 100644
--- a/metropolis/node/core/curator/curator_test.go
+++ b/metropolis/node/core/curator/curator_test.go
@@ -3,7 +3,6 @@
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -79,7 +78,7 @@
 
 	// Create ephemeral directory for curator and place it into /tmp.
 	dir := localstorage.EphemeralCuratorDirectory{}
-	tmp, err := ioutil.TempDir("/tmp", "curator-test-*")
+	tmp, err := os.MkdirTemp("/tmp", "curator-test-*")
 	if err != nil {
 		t.Fatalf("TempDir: %v", err)
 	}
diff --git a/metropolis/node/core/curator/listener_test.go b/metropolis/node/core/curator/listener_test.go
index fad7e92..7c1744e 100644
--- a/metropolis/node/core/curator/listener_test.go
+++ b/metropolis/node/core/curator/listener_test.go
@@ -3,7 +3,7 @@
 import (
 	"context"
 	"errors"
-	"io/ioutil"
+	"os"
 	"testing"
 
 	"google.golang.org/grpc/codes"
@@ -29,7 +29,7 @@
 	// Force usage of /tmp as temp directory root, otherwsie TMPDIR from Bazel
 	// returns a path long enough that socket binds in the localstorage fail
 	// (as socket names are limited to 108 characters).
-	tmp, err := ioutil.TempDir("/tmp", "curator-test-*")
+	tmp, err := os.MkdirTemp("/tmp", "curator-test-*")
 	if err != nil {
 		t.Fatalf("TempDir: %v", err)
 	}
diff --git a/metropolis/node/core/debug_service.go b/metropolis/node/core/debug_service.go
index 814da9a..48a4c9b 100644
--- a/metropolis/node/core/debug_service.go
+++ b/metropolis/node/core/debug_service.go
@@ -20,7 +20,6 @@
 	"bufio"
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"regexp"
 	"strings"
@@ -215,7 +214,7 @@
 	if !safeTracingPropertyNamesRe.MatchString(name) {
 		return fmt.Errorf("disallowed tracing property name received: \"%v\"", name)
 	}
-	return ioutil.WriteFile("/sys/kernel/tracing/"+name, []byte(value+"\n"), 0)
+	return os.WriteFile("/sys/kernel/tracing/"+name, []byte(value+"\n"), 0)
 }
 
 func (s *debugService) Trace(req *apb.TraceRequest, srv apb.NodeDebugService_TraceServer) error {
diff --git a/metropolis/node/core/localstorage/crypt/blockdev.go b/metropolis/node/core/localstorage/crypt/blockdev.go
index 6ea1b49..dde2fd9 100644
--- a/metropolis/node/core/localstorage/crypt/blockdev.go
+++ b/metropolis/node/core/localstorage/crypt/blockdev.go
@@ -19,7 +19,6 @@
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -51,7 +50,7 @@
 // to ESPDevicePath and NodeDataCryptPath respectively. This doesn't fail if it
 // doesn't find the partitions, only if something goes catastrophically wrong.
 func MakeBlockDevices(ctx context.Context) error {
-	blockdevNames, err := ioutil.ReadDir("/sys/class/block")
+	blockdevNames, err := os.ReadDir("/sys/class/block")
 	if err != nil {
 		return fmt.Errorf("failed to read sysfs block class: %w", err)
 	}
diff --git a/metropolis/node/core/localstorage/declarative/placement_local.go b/metropolis/node/core/localstorage/declarative/placement_local.go
index 43921cd..f12f654 100644
--- a/metropolis/node/core/localstorage/declarative/placement_local.go
+++ b/metropolis/node/core/localstorage/declarative/placement_local.go
@@ -18,7 +18,6 @@
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"sync"
 
@@ -58,7 +57,7 @@
 }
 
 func (f *FSPlacement) Read() ([]byte, error) {
-	return ioutil.ReadFile(f.FullPath())
+	return os.ReadFile(f.FullPath())
 }
 
 // Write performs an atomic file write, via a temporary file.
@@ -69,7 +68,7 @@
 	// TODO(q3k): ensure that these do not collide with an existing sibling file, or generate this suffix randomly.
 	tmp := f.FullPath() + ".__metropolis_tmp"
 	defer os.Remove(tmp)
-	if err := ioutil.WriteFile(tmp, d, mode); err != nil {
+	if err := os.WriteFile(tmp, d, mode); err != nil {
 		return fmt.Errorf("temporary file write failed: %w", err)
 	}
 
diff --git a/metropolis/node/core/localstorage/storage.go b/metropolis/node/core/localstorage/storage.go
index 1e06967..d067438 100644
--- a/metropolis/node/core/localstorage/storage.go
+++ b/metropolis/node/core/localstorage/storage.go
@@ -53,7 +53,7 @@
 	// Ephemeral data, used by runtime, stored in tmpfs. Things like sockets,
 	// temporary config files, etc.
 	Ephemeral EphemeralDirectory `dir:"ephemeral"`
-	// FHS-standard /tmp directory, used by ioutil.TempFile.
+	// FHS-standard /tmp directory, used by os.MkdirTemp.
 	Tmp TmpDirectory `dir:"tmp"`
 	// FHS-standard /run directory. Used by various services.
 	Run RunDirectory `dir:"run"`
diff --git a/metropolis/node/core/mounts.go b/metropolis/node/core/mounts.go
index bb98462..a54331d 100644
--- a/metropolis/node/core/mounts.go
+++ b/metropolis/node/core/mounts.go
@@ -18,7 +18,6 @@
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -57,7 +56,7 @@
 	if err := unix.Mount("tmpfs", "/sys/fs/cgroup", "tmpfs", unix.MS_NOEXEC|unix.MS_NOSUID|unix.MS_NODEV, ""); err != nil {
 		panic(err)
 	}
-	cgroupsRaw, err := ioutil.ReadFile("/proc/cgroups")
+	cgroupsRaw, err := os.ReadFile("/proc/cgroups")
 	if err != nil {
 		panic(err)
 	}
diff --git a/metropolis/node/kubernetes/containerd/main.go b/metropolis/node/kubernetes/containerd/main.go
index c3dd4a0..b5e2cf0 100644
--- a/metropolis/node/kubernetes/containerd/main.go
+++ b/metropolis/node/kubernetes/containerd/main.go
@@ -20,7 +20,6 @@
 	"context"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -108,7 +107,7 @@
 		return fmt.Errorf("failed to connect to containerd: %w", err)
 	}
 	logger := supervisor.Logger(ctx)
-	preseedNamespaceDirs, err := ioutil.ReadDir(preseedNamespacesDir)
+	preseedNamespaceDirs, err := os.ReadDir(preseedNamespacesDir)
 	if err != nil {
 		return fmt.Errorf("failed to open preseed dir: %w", err)
 	}
@@ -118,7 +117,7 @@
 			continue
 		}
 		namespace := dir.Name()
-		images, err := ioutil.ReadDir(filepath.Join(preseedNamespacesDir, namespace))
+		images, err := os.ReadDir(filepath.Join(preseedNamespacesDir, namespace))
 		if err != nil {
 			return fmt.Errorf("failed to list namespace preseed directory for ns \"%v\": %w", namespace, err)
 		}
diff --git a/metropolis/node/kubernetes/plugins/kvmdevice/kvmdevice.go b/metropolis/node/kubernetes/plugins/kvmdevice/kvmdevice.go
index ed47f74..c9a6a79 100644
--- a/metropolis/node/kubernetes/plugins/kvmdevice/kvmdevice.go
+++ b/metropolis/node/kubernetes/plugins/kvmdevice/kvmdevice.go
@@ -27,7 +27,6 @@
 	"bytes"
 	"context"
 	"fmt"
-	"io/ioutil"
 	"net"
 	"os"
 	"strconv"
@@ -136,7 +135,7 @@
 func (k *Plugin) Run(ctx context.Context) error {
 	k.logger = supervisor.Logger(ctx)
 
-	l1tfStatus, err := ioutil.ReadFile("/sys/devices/system/cpu/vulnerabilities/l1tf")
+	l1tfStatus, err := os.ReadFile("/sys/devices/system/cpu/vulnerabilities/l1tf")
 	if err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("failed to query for CPU vulnerabilities: %v", err)
 	}
@@ -148,7 +147,7 @@
 		return nil
 	}
 
-	kvmDevRaw, err := ioutil.ReadFile("/sys/devices/virtual/misc/kvm/dev")
+	kvmDevRaw, err := os.ReadFile("/sys/devices/virtual/misc/kvm/dev")
 	if err != nil {
 		k.logger.Warning("KVM is not available. Check firmware settings and CPU.")
 		supervisor.Signal(ctx, supervisor.SignalHealthy)
diff --git a/metropolis/node/kubernetes/provisioner.go b/metropolis/node/kubernetes/provisioner.go
index 42edf77..7288c84 100644
--- a/metropolis/node/kubernetes/provisioner.go
+++ b/metropolis/node/kubernetes/provisioner.go
@@ -20,7 +20,6 @@
 	"context"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 
@@ -276,7 +275,7 @@
 		if err := os.Mkdir(volumePath, 0644); err != nil && !os.IsExist(err) {
 			return fmt.Errorf("failed to create volume directory: %w", err)
 		}
-		files, err := ioutil.ReadDir(volumePath)
+		files, err := os.ReadDir(volumePath)
 		if err != nil {
 			return fmt.Errorf("failed to list files in newly-created volume: %w", err)
 		}