Simplify binary installation, fix review comments

Since init container is required to always run, let binary installation
for external plugins happen in init container. This simplifies the main
container entrypoint and the dockerfile for each image.

cmd/aws-vpc-cni-init/main.go

@@ -82,7 +82,7 @@ func configureSystemParams(sysctlUtil sysctl.Interface, primaryIF string) error
 	// Enable or disable TCP early demux based on environment variable
 	// Note that older kernels may not support tcp_early_demux, so we must first check that it exists.
 	entry = "net/ipv4/tcp_early_demux"
-	if _, err := sysctlUtil.Get(entry); err != nil {
+	if _, err := sysctlUtil.Get(entry); err == nil {
 		disableIPv4EarlyDemux := getEnv(envDisableIPv4TcpEarlyDemux, "false")
 		if disableIPv4EarlyDemux == "true" {
 			err = sysctlUtil.Set(entry, 0)
@@ -140,7 +140,7 @@ func main() {
 
 func _main() int {
 	log.Debug("Started Initialization")
-	pluginBins := []string{"loopback", "portmap", "bandwidth", "aws-cni-support.sh"}
+	pluginBins := []string{"loopback", "portmap", "bandwidth", "host-local", "aws-cni-support.sh"}
 	var err error
 	for _, plugin := range pluginBins {
 		if _, err = os.Stat(plugin); err != nil {

cmd/aws-vpc-cni/main.go

@@ -61,6 +61,7 @@ const (
 	defaultAgentLogPath          = "aws-k8s-agent.log"
 	defaultVethPrefix            = "eni"
 	defaultMTU                   = "9001"
+	defaultEnablePodEni          = "false"
 	defaultPodSGEnforcingMode    = "strict"
 	defaultPluginLogFile         = "/var/log/aws-routed-eni/plugin.log"
 	defaultEgressV4PluginLogFile = "/var/log/aws-routed-eni/egress-v4-plugin.log"
@@ -75,11 +76,11 @@ const (
 	envHostCniConfDirPath    = "HOST_CNI_CONFDIR_PATH"
 	envVethPrefix            = "AWS_VPC_K8S_CNI_VETHPREFIX"
 	envEniMTU                = "AWS_VPC_ENI_MTU"
+	envEnablePodEni          = "ENABLE_POD_ENI"
 	envPodSGEnforcingMode    = "POD_SECURITY_GROUP_ENFORCING_MODE"
 	envPluginLogFile         = "AWS_VPC_K8S_PLUGIN_LOG_FILE"
 	envPluginLogLevel        = "AWS_VPC_K8S_PLUGIN_LOG_LEVEL"
 	envEgressV4PluginLogFile = "AWS_VPC_K8S_EGRESS_V4_PLUGIN_LOG_FILE"
-	envConfRPFfilter         = "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER"
 	envEnPrefixDelegation    = "ENABLE_PREFIX_DELEGATION"
 	envWarmIPTarget          = "WARM_IP_TARGET"
 	envMinIPTarget           = "MINIMUM_IP_TARGET"
@@ -288,6 +289,7 @@ func validateEnvVars() bool {
 		return false
 	}
 
+	// Validate that veth prefix is less than or equal to four characters and not in reserved set: (eth, lo, vlan)
 	vethPrefix := getEnv(envVethPrefix, defaultVethPrefix)
 	if len(vethPrefix) > 4 {
 		log.Errorf("AWS_VPC_K8S_CNI_VETHPREFIX cannot be longer than 4 characters")
@@ -299,17 +301,22 @@ func validateEnvVars() bool {
 		return false
 	}
 
-	podSGEnforcingMode := getEnv(envPodSGEnforcingMode, defaultPodSGEnforcingMode)
-	if podSGEnforcingMode != "strict" && podSGEnforcingMode != "standard" {
-		log.Errorf("%s must be set to either 'strict' or 'standard'", envPodSGEnforcingMode)
-		return false
+	// When ENABLE_POD_ENI is set, validate security group enforcing mode
+	enablePodEni := getEnv(envEnablePodEni, defaultEnablePodEni)
+	if enablePodEni == "true" {
+		podSGEnforcingMode := getEnv(envPodSGEnforcingMode, defaultPodSGEnforcingMode)
+		if podSGEnforcingMode != "strict" && podSGEnforcingMode != "standard" {
+			log.Errorf("%s must be set to either 'strict' or 'standard'", envPodSGEnforcingMode)
+			return false
+		}
 	}
 
 	prefixDelegationEn := getEnv(envEnPrefixDelegation, "false")
 	warmIPTarget := getEnv(envWarmIPTarget, "0")
 	warmPrefixTarget := getEnv(envWarmPrefixTarget, "0")
 	minimumIPTarget := getEnv(envMinIPTarget, "0")
 
+	// Note that these string values should probably be cast to integers, but the comparison for values greater than 0 works either way
 	if (prefixDelegationEn == "true") && (warmIPTarget <= "0" && warmPrefixTarget <= "0" && minimumIPTarget <= "0") {
 		log.Errorf("Setting WARM_PREFIX_TARGET = 0 is not supported while WARM_IP_TARGET/MINIMUM_IP_TARGET is not set. Please configure either one of the WARM_{PREFIX/IP}_TARGET or MINIMUM_IP_TARGET env variables")
 		return false
@@ -327,20 +334,8 @@ func _main() int {
 		return 1
 	}
 
-	hostCNIBinPath := getEnv(envHostCniBinPath, defaultHostCNIBinPath)
-	configureRPFfilter := getEnv(envConfRPFfilter, "true")
-	if configureRPFfilter != "false" {
-		log.Infof("Copying CNI plugin binaries ... ")
-		pluginBins := []string{"loopback", "portmap", "bandwidth", "aws-cni-support.sh"}
-		err := cp.InstallBinaries(pluginBins, hostCNIBinPath)
-		if err != nil {
-			log.WithError(err).Errorf("Failed to install binaries")
-			return 1
-		}
-	}
-
-	log.Infof("Install CNI binaries..")
 	pluginBins := []string{"aws-cni", "egress-v4-cni"}
+	hostCNIBinPath := getEnv(envHostCniBinPath, defaultHostCNIBinPath)
 	err := cp.InstallBinaries(pluginBins, hostCNIBinPath)
 	if err != nil {
 		log.WithError(err).Errorf("Failed to install CNI binaries")
@@ -379,26 +374,17 @@ func _main() int {
 	log.Infof("Copying config file... ")
 	err = generateJSON(defaultAWSconflistFile, tmpAWSconflistFile)
 	if err != nil {
-		log.WithError(err).Errorf("Failed to update 10-awsconflist")
+		log.WithError(err).Errorf("Failed to generate 10-awsconflist")
 		return 1
 	}
 
 	err = cp.CopyFile(tmpAWSconflistFile, defaultHostCNIConfDirPath+awsConflistFile)
 	if err != nil {
-		log.WithError(err).Errorf("Failed to update 10-awsconflist")
+		log.WithError(err).Errorf("Failed to copy 10-awsconflist")
 		return 1
 	}
 	log.Infof("Successfully copied CNI plugin binary and config file.")
 
-	awsConfFile := defaultHostCNIConfDirPath + "/aws.conf"
-	if _, err := os.Stat(awsConfFile); err == nil {
-		err = os.Remove(awsConfFile)
-		if err != nil {
-			log.WithError(err).Errorf("Failed to delete file %s", awsConfFile)
-			return 1
-		}
-	}
-
 	err = ipamdDaemon.Wait()
 	if err != nil {
 		log.WithError(err).Errorf("Failed to wait for IPAM daemon to complete")

scripts/dockerfiles/Dockerfile.init

@@ -26,6 +26,7 @@ COPY --from=builder \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/loopback \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/portmap \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/bandwidth \
+    /go/src/github.com/aws/amazon-vpc-cni-k8s/host-local \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-cni-support.sh \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-vpc-cni-init /init/
 

scripts/dockerfiles/Dockerfile.release

@@ -12,8 +12,6 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 COPY Makefile ./
-RUN make plugins && make debug-script
-
 COPY . ./
 RUN make build-aws-vpc-cni && make build-linux
 
@@ -24,12 +22,7 @@ WORKDIR /app
 
 COPY --from=builder /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-cni \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/misc/10-aws.conflist \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/loopback \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/portmap \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/bandwidth \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/host-local \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-cni-support.sh \
-    /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-k8s-agent  \
+    /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-k8s-agent \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/grpc-health-probe \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/egress-v4-cni \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-vpc-cni /app/