use init container for CNI setup

Instead of using a shell script as the entrypoint for the CNI image and
relying on that shell script to copy the CNI plugin binary to a host
volume, perform those steps using an initContainer and set the CNI
aws-k8s-agent binary to be the CNI image's CMD.

This has the benefit of not embedding setup steps in either a shell
script that needs to be copied into the target image /app directory nor
hard-coded into the aws-k8s-agent's main.go file (which was performing
the copy of the CNI plugin binary to a host volume).

See discussion in
aws#706 (comment)
for more details.

config/v1.5/aws-k8s-cni.yaml

@@ -80,9 +80,54 @@ spec:
       hostNetwork: true
       tolerations:
         - operator: Exists
-      containers:
+      # The AWS VPC CNI has a number of components. The first is the "CNI
+      # plugin", which is built as the /app/aws-cni binary from the source code
+      # in /plugins/routed-eni. This /app/aws-cni binary is executed by kubelet
+      # when a container networking command is fired (e.g. when a network is
+      # added or deleted from the host for a container). This binary must be
+      # copied, along with an associated configuration file, to a volume that
+      # is readable from the host (since kubelet will execute it). The
+      # initContainer here is responsible for ensuring the /app/aws-cni and its
+      # config file are in a location the kubelet can read. This setup used to
+      # be hard-coded into the second primary binary, the agent
+      # (/app/aws-k8s-agent) and was moved here to place all
+      # initialization/setup in a more appropriate place.
+      #
+      # See https://github.com/aws/amazon-vpc-cni-k8s/pull/706
+      initContainers:
+        - name: aws-node-init
         - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.5.3
           imagePullPolicy: Always
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+          env:
+            - name: AWS_VPC_K8S_CNI_VETHPREFIX
+              value: eni
+            - name: AWS_VPC_K8S_CNI_MTU
+              value: 9001
+          command:
+        - 'sh'
+        - '-c'
+        - 'cp /app/aws-cni /host/opt/cni/bin/;
+           chmod +x /host/opt/cni/bin/aws-cni;
+           cp /app/10-aws.conflist /host/etc/cni/net.d/10-aws.conflist;
+           sed -i s/__VETHPREFIX__/"${AWS_VPC_K8S_CNI_VETHPREFIX:-"eni"}"/g /app/10-aws.conflist;
+           sed -i s/__MTU__/"${AWS_VPC_ENI_MTU:-"9001"}"/g /app/10-aws.conflist;
+           cp /app/portmap /host/opt/cni/bin/;
+           chmod +x /host/opt/cni/bin/portmap;
+           cp /app/aws-cni-support.sh /host/opt/cni/bin/;
+
+           if [[ -f /host/etc/cni/net.d/aws.conf ]]; then
+             rm /host/etc/cni/net.d/aws.conf
+           fi;'
+      containers:
+        - image: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.5.3
+          imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 61678
               name: metrics

main.go

@@ -14,7 +14,6 @@
 package main
 
 import (
-	"io"
 	"os"
 
 	"github.com/aws/amazon-vpc-cni-k8s/pkg/utils/logger"
@@ -74,21 +73,6 @@ func _main() int {
 	// CNI introspection endpoints
 	go ipamContext.ServeIntrospection()
 
-	// Copy the CNI plugin and config. This will mark the node as Ready.
-	log.Info("Copying /app/aws-cni to /host/opt/cni/bin/aws-cni")
-	err = copyFileContents("/app/aws-cni", "/host/opt/cni/bin/aws-cni")
-	if err != nil {
-		log.Errorf("Failed to copy aws-cni: %v", err)
-		return 1
-	}
-
-	log.Info("Copying /app/10-aws.conflist to /host/etc/cni/net.d/10-aws.conflist")
-	err = copyFileContents("/app/10-aws.conflist", "/host/etc/cni/net.d/10-aws.conflist")
-	if err != nil {
-		log.Errorf("Failed to copy 10-aws.conflist: %v", err)
-		return 1
-	}
-
 	// Start the RPC listener
 	err = ipamContext.RunRPCHandler()
 	if err != nil {
@@ -97,39 +81,3 @@ func _main() int {
 	}
 	return 0
 }
-
-// copyFileContents copies a file
-func copyFileContents(src, dst string) error {
-	in, err := os.Open(src)
-	if err != nil {
-		return err
-	}
-	defer in.Close()
-	out, err := os.Create(dst)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		e := out.Close()
-		if err == nil {
-			err = e
-		}
-	}()
-	if _, err = io.Copy(out, in); err != nil {
-		return err
-	}
-	err = out.Sync()
-	if err != nil {
-		return err
-	}
-	si, err := os.Stat(src)
-	if err != nil {
-		return err
-	}
-	err = os.Chmod(dst, si.Mode())
-	if err != nil {
-		return err
-	}
-	log.Debugf("Copied file from %q to %q", src, dst)
-	return err
-}

scripts/dockerfiles/Dockerfile.release

@@ -30,7 +30,6 @@ COPY --from=builder /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-cni \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/portmap \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-k8s-agent  \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/grpc_health_probe \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/scripts/aws-cni-support.sh \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/scripts/install-aws.sh /app/
+    /go/src/github.com/aws/amazon-vpc-cni-k8s/scripts/aws-cni-support.sh /app/
 
-ENTRYPOINT /app/install-aws.sh
+CMD /app/aws-k8s-agent