diff --git a/images/base/files/usr/local/bin/entrypoint b/images/base/files/usr/local/bin/entrypoint
index da611a8307..171d31dabf 100755
--- a/images/base/files/usr/local/bin/entrypoint
+++ b/images/base/files/usr/local/bin/entrypoint
@@ -29,7 +29,12 @@ fi
 
 grep_allow_nomatch() {
   # grep exits 0 on match, 1 on no match, 2 on error
-  grep "$@" || [[ $? == 1 ]]
+  grep "$@"|| [[ $? == 1 ]]
+}
+
+# regex_escape_ip converts IP address string $1 to a regex-escaped literal
+regex_escape_ip(){
+  sed -e 's#\.#\\.#g' -e 's#\[#\\[#g' -e 's#\]#\\]#g' <<<"$1"
 }
 
 validate_userns() {
@@ -434,12 +439,13 @@ enable_network_magic(){
       fi
       if [[ "${old_ipv4}" != "${curr_ipv4}" ]]; then
         # kubernetes manifests are only present on control-plane nodes
-        sed -i "s#${old_ipv4}#${curr_ipv4}#" /etc/kubernetes/manifests/*.yaml || true
-        sed -i "s#${old_ipv4}#${curr_ipv4}#" /etc/kubernetes/controller-manager.conf || true
-        sed -i "s#${old_ipv4}#${curr_ipv4}#" /etc/kubernetes/scheduler.conf || true
-        sed -i "s#${old_ipv4}#${curr_ipv4}#" /kind/kubeadm.conf || true
+        sed_ipv4_command="s#$(regex_escape_ip "${old_ipv4}")#${curr_ipv4}#g"
+        sed -i "${sed_ipv4_command}" /etc/kubernetes/manifests/*.yaml || true
+        sed -i "${sed_ipv4_command}" /etc/kubernetes/controller-manager.conf || true
+        sed -i "${sed_ipv4_command}" /etc/kubernetes/scheduler.conf || true
+        sed -i "${sed_ipv4_command}" /kind/kubeadm.conf || true
         # this is no longer required with autodiscovery
-        sed -i "s#${old_ipv4}#${curr_ipv4}#" /var/lib/kubelet/kubeadm-flags.env || true
+        sed -i "${sed_ipv4_command}" /var/lib/kubelet/kubeadm-flags.env || true
         # certificate must match the new IP
         fix_certificate || true
       fi
@@ -459,13 +465,14 @@ enable_network_magic(){
         echo "ERROR: Have an old IPv6 address but no current IPv6 address (!)" >&2
       fi
       if [[ "${old_ipv6}" != "${curr_ipv6}" ]]; then
+        sed_ipv6_command="s#$(regex_escape_ip "${old_ipv6}")#${curr_ipv6}#g"
         # kubernetes manifests are only present on control-plane nodes
-        sed -i "s#${old_ipv6}#${curr_ipv6}#" /etc/kubernetes/manifests/*.yaml || true
-        sed -i "s#${old_ipv6}#${curr_ipv6}#" /etc/kubernetes/controller-manager.conf || true
-        sed -i "s#${old_ipv6}#${curr_ipv6}#" /etc/kubernetes/scheduler.conf || true
-        sed -i "s#${old_ipv6}#${curr_ipv6}#" /kind/kubeadm.conf || true
+        sed -i "${sed_ipv6_command}" /etc/kubernetes/manifests/*.yaml || true
+        sed -i "${sed_ipv6_command}" /etc/kubernetes/controller-manager.conf || true
+        sed -i "${sed_ipv6_command}" /etc/kubernetes/scheduler.conf || true
+        sed -i "${sed_ipv6_command}" /kind/kubeadm.conf || true
         # this is no longer required with autodiscovery
-        sed -i "s#${old_ipv6}#${curr_ipv6}#" /var/lib/kubelet/kubeadm-flags.env || true
+        sed -i "${sed_ipv6_command}" /var/lib/kubelet/kubeadm-flags.env || true
         # certificate must match the new IP
         fix_certificate || true
       fi