Cache the pause container as a localhost image

awslabs · Oct 8, 2024 · 41f0520 · 41f0520
1 parent 093058d
commit 41f0520
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 13 deletions.
diff --git a/nodeadm/cmd/nodeadm/init/init.go b/nodeadm/cmd/nodeadm/init/init.go
@@ -11,7 +11,6 @@ import (
 	"k8s.io/utils/strings/slices"
 
 	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/api"
-	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/aws/ecr"
 	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/aws/imds"
 	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/cli"
 	"github.com/awslabs/amazon-eks-ami/nodeadm/internal/configprovider"
@@ -164,12 +163,8 @@ func enrichConfig(log *zap.Logger, cfg *api.NodeConfig) error {
 	cfg.Status.Instance = *instanceDetails
 	log.Info("Instance details populated", zap.Reflect("details", instanceDetails))
 	log.Info("Fetching default options...")
-	eksRegistry, err := ecr.GetEKSRegistry(instanceDetails.Region)
-	if err != nil {
-		return err
-	}
 	cfg.Status.Defaults = api.DefaultOptions{
-		SandboxImage: eksRegistry.GetSandboxImage(),
+		SandboxImage: containerd.PauseContainerImageRef,
 	}
 	log.Info("Default options populated", zap.Reflect("defaults", cfg.Status.Defaults))
 	return nil

diff --git a/nodeadm/internal/aws/ecr/ecr.go b/nodeadm/internal/aws/ecr/ecr.go
@@ -33,10 +33,6 @@ func GetAuthorizationToken(awsRegion string) (string, error) {
 	return *authData, nil
 }
 
-func (r *ECRRegistry) GetSandboxImage() string {
-	return r.GetImageReference("eks/pause", "3.5")
-}
-
 func GetEKSRegistry(region string) (ECRRegistry, error) {
 	account, region := getEKSRegistryCoordinates(region)
 	servicesDomain, err := imds.GetProperty(context.TODO(), imds.ServicesDomain)

diff --git a/nodeadm/internal/containerd/sandbox.go b/nodeadm/internal/containerd/sandbox.go
@@ -15,6 +15,8 @@ import (
 	v1 "k8s.io/cri-api/pkg/apis/runtime/v1"
 )
 
+const PauseContainerImageRef = "localhost/kubernetes/pause:0.1.0"
+
 var containerdSandboxImageRegex = regexp.MustCompile(`sandbox_image = "(.*)"`)
 
 func cacheSandboxImage(cfg *api.NodeConfig) error {

diff --git a/templates/al2/provisioners/install-worker.sh b/templates/al2/provisioners/install-worker.sh
@@ -367,6 +367,21 @@ sudo chmod +x /etc/eks/bootstrap.sh
 sudo mv $WORKING_DIR/max-pods-calculator.sh /etc/eks/max-pods-calculator.sh
 sudo chmod +x /etc/eks/max-pods-calculator.sh
 
+################################################################################
+### Pause Container ############################################################
+################################################################################
+
+# pull the pause container and cache it under localhost so that the regional
+# images do not matter from now on.
+
+sudo systemctl enable containerd --now
+PAUSE_CONTAINER="${ECR_URI}/eks/pause:${PAUSE_CONTAINER_VERSION}"
+sudo ctr --namespace k8s.io content fetch ${PAUSE_CONTAINER} --user AWS:$(aws ecr get-login-password --region $BINARY_BUCKET_REGION)
+sudo ctr --namespace k8s.io image tag ${PAUSE_CONTAINER} "localhost/kubernetes/pause:0.1.0"
+sudo ctr --namespace k8s.io image rm ${PAUSE_CONTAINER}
+# might not be necessary
+sudo ctr --namespace=k8s.io image label "localhost/kubernetes/pause:0.1.0" io.cri-containerd.pinned=pinned
+
 ################################################################################
 ### ECR CREDENTIAL PROVIDER ####################################################
 ################################################################################

diff --git a/templates/al2/runtime/bootstrap.sh b/templates/al2/runtime/bootstrap.sh
@@ -340,9 +340,13 @@ chown root:root /etc/systemd/system/configure-clocksource.service
 systemctl daemon-reload
 systemctl enable --now configure-clocksource
 
-ECR_URI=$(/etc/eks/get-ecr-uri.sh "${AWS_DEFAULT_REGION}" "${AWS_SERVICES_DOMAIN}" "${PAUSE_CONTAINER_ACCOUNT:-}")
-PAUSE_CONTAINER_IMAGE=${PAUSE_CONTAINER_IMAGE:-$ECR_URI/eks/pause}
-PAUSE_CONTAINER="$PAUSE_CONTAINER_IMAGE:$PAUSE_CONTAINER_VERSION"
+PAUSE_CONTAINER=localhost/kubernetes/pause:0.1.0
+# if the user provided an account, then it needs to be resolved.
+if [ -n "${PAUSE_CONTAINER_ACCOUNT:-}" ]; then
+  ECR_URI=$(/etc/eks/get-ecr-uri.sh "${AWS_DEFAULT_REGION}" "${AWS_SERVICES_DOMAIN}" "${PAUSE_CONTAINER_ACCOUNT:-}")
+  PAUSE_CONTAINER_IMAGE=${PAUSE_CONTAINER_IMAGE:-$ECR_URI/eks/pause}
+  PAUSE_CONTAINER="$PAUSE_CONTAINER_IMAGE:$PAUSE_CONTAINER_VERSION"
+fi
 
 ### kubelet kubeconfig
 

diff --git a/templates/al2023/provisioners/install-worker.sh b/templates/al2023/provisioners/install-worker.sh
@@ -187,6 +187,22 @@ done
 
 sudo rm ./*.sha256
 
+################################################################################
+### Pause Container ############################################################
+################################################################################
+
+# pull the pause container and cache it under localhost so that the regional
+# images do not matter from now on.
+
+sudo systemctl enable containerd --now
+PAUSE_CONTAINER="${ECR_URI}/eks/pause:${PAUSE_CONTAINER_VERSION}"
+sudo ctr --namespace k8s.io content fetch ${PAUSE_CONTAINER} --user AWS:$(aws ecr get-login-password --region $BINARY_BUCKET_REGION)
+sudo ctr --namespace k8s.io image tag ${PAUSE_CONTAINER} "localhost/kubernetes/pause:0.1.0"
+sudo ctr --namespace k8s.io image rm ${PAUSE_CONTAINER}
+# might not be necessary
+sudo ctr --namespace=k8s.io image label "localhost/kubernetes/pause:0.1.0" io.cri-containerd.pinned=pinned
+
+
 ################################################################################
 ### ECR Credential Provider Binary #############################################
 ################################################################################