diff --git a/bootstrap/cluster/main.tf b/bootstrap/cluster/main.tf
index 224c79a..e900e66 100644
--- a/bootstrap/cluster/main.tf
+++ b/bootstrap/cluster/main.tf
@@ -21,6 +21,7 @@ resource "null_resource" "kubeadm_control_plane" {
     kubeconfig_owner        = var.kubeconfig_owner
     registry_endpoint       = var.registry_endpoint
     registry_config_version = "7"
+    cni_plugins_version     = "2"
     node_dns_servers        = join(" ", var.node_dns_servers)
     persistent_volume_dirs  = join(",", var.persistent_volume_dirs)
   }
@@ -204,9 +205,11 @@ install_cni_plugins() {
   local plugin
 
   sudo mkdir -p /opt/cni/bin
+  sudo find /opt/cni/bin -maxdepth 1 -type f ! -perm -111 -delete
+  sudo find /opt/cni/bin -maxdepth 1 -type l ! -exec test -x {} \; -delete
   if [ -d /usr/lib/cni ]; then
     for plugin in /usr/lib/cni/*; do
-      [ -f "$plugin" ] || continue
+      [ -f "$plugin" ] && [ -x "$plugin" ] || continue
       sudo ln -sf "$plugin" "/opt/cni/bin/$(basename "$plugin")"
     done
   fi
@@ -343,6 +346,7 @@ resource "null_resource" "kubeadm_worker" {
     ssh_key_path                         = each.value.ssh_key_path
     registry_endpoint                    = var.registry_endpoint
     registry_config_version              = "7"
+    cni_plugins_version                  = "2"
     node_dns_servers                     = join(" ", var.node_dns_servers)
     persistent_volume_dirs               = join(",", var.persistent_volume_dirs)
     tailscale_nodeport_version           = "3"
@@ -543,9 +547,11 @@ install_cni_plugins() {
   local plugin
 
   sudo mkdir -p /opt/cni/bin
+  sudo find /opt/cni/bin -maxdepth 1 -type f ! -perm -111 -delete
+  sudo find /opt/cni/bin -maxdepth 1 -type l ! -exec test -x {} \; -delete
   if [ -d /usr/lib/cni ]; then
     for plugin in /usr/lib/cni/*; do
-      [ -f "$plugin" ] || continue
+      [ -f "$plugin" ] && [ -x "$plugin" ] || continue
       sudo ln -sf "$plugin" "/opt/cni/bin/$(basename "$plugin")"
     done
   fi