diff --git a/pkg/kubelet/container_bridge.go b/pkg/kubelet/container_bridge.go
index dc5259979c1..ad6895b6579 100644
--- a/pkg/kubelet/container_bridge.go
+++ b/pkg/kubelet/container_bridge.go
@@ -24,11 +24,13 @@ import (
 	"os/exec"
 	"regexp"
 
+	"syscall"
+
 	"github.com/golang/glog"
+	"github.com/vishvananda/netlink"
 	"k8s.io/kubernetes/pkg/util"
 	"k8s.io/kubernetes/pkg/util/iptables"
 	"k8s.io/kubernetes/pkg/util/procfs"
-	"syscall"
 )
 
 var cidrRegexp = regexp.MustCompile(`inet ([0-9a-fA-F.:]*/[0-9]*)`)
@@ -103,7 +105,12 @@ func ensureCbr0(wantCIDR *net.IPNet, promiscuous, babysitDaemons bool) error {
 	if promiscuous {
 		// Checking if the bridge is in promiscuous mode is as expensive and more brittle than
 		// simply setting the flag every time.
-		if err := exec.Command("ip", "link", "set", "cbr0", "promisc", "on").Run(); err != nil {
+		link, err := netlink.LinkByName("cbr0")
+		if err != nil {
+			glog.Error(err)
+			return err
+		}
+		if err := netlink.SetPromiscOn(link); err != nil {
 			glog.Error(err)
 			return err
 		}
diff --git a/pkg/kubelet/network/kubenet/kubenet_linux.go b/pkg/kubelet/network/kubenet/kubenet_linux.go
index a1c86e8dcea..5b7275a8477 100644
--- a/pkg/kubelet/network/kubenet/kubenet_linux.go
+++ b/pkg/kubelet/network/kubenet/kubenet_linux.go
@@ -21,7 +21,6 @@ package kubenet
 import (
 	"fmt"
 	"net"
-	"strings"
 	"sync"
 	"syscall"
 	"time"
@@ -319,11 +318,13 @@ func (plugin *kubenetNetworkPlugin) setup(namespace string, name string, id kube
 
 	// Put the container bridge into promiscuous mode to force it to accept hairpin packets.
 	// TODO: Remove this once the kernel bug (#20096) is fixed.
-	// TODO: check and set promiscuous mode with netlink once vishvananda/netlink supports it
 	if plugin.hairpinMode == componentconfig.PromiscuousBridge {
-		output, err := plugin.execer.Command("ip", "link", "show", "dev", BridgeName).CombinedOutput()
-		if err != nil || strings.Index(string(output), "PROMISC") < 0 {
-			_, err := plugin.execer.Command("ip", "link", "set", BridgeName, "promisc", "on").CombinedOutput()
+		link, err := netlink.LinkByName(BridgeName)
+		if err != nil {
+			return err
+		}
+		if link.Attrs().Promisc != 1 {
+			err := netlink.SetPromiscOn(link)
 			if err != nil {
 				return fmt.Errorf("Error setting promiscuous mode on %s: %v", BridgeName, err)
 			}