aws / amazon-eks-pod-identity-webhook

Amazon EKS Pod Identity Webhook
Apache License 2.0

0.5.0 container has weird entrypoint #190

Open james-callahan opened 10 months ago

james-callahan commented 10 months ago

What happened:

The 0.5.0 release changed the ENTRYPOINT in the dockerfile to /go-runner rather than /webhook.

Our deployment of the webhook was using

          args:
            - --in-cluster=false
            - --namespace=$(POD_NAMESPACE)
            - --port=8443
            - --sts-regional-endpoint=true
            - --aws-default-region=$(POD_IDENTITY_WEBHOOK_AWS_DEFAULT_REGION)

(rather than using command as you do upstream https://github.com/aws/amazon-eks-pod-identity-webhook/blob/254737fc69173139a7d802f5ff859e3d9a88b190/deploy/deployment-base.yaml#L21C1-L21C1)

This resulted in our pod failing with go-runner complaining that it didn't understand the --in-cluster flag.

What you expected to happen:

The entrypoint to be something that eventually invokes /webhook, passing the arguments along.

How to reproduce it (as minimally and precisely as possible):

Notice for the previous release (0.4.0), the container invokes the webhook with the arguments, and we get the help output of the webhook:

$ docker run -t amazon/amazon-eks-pod-identity-webhook:v0.4.0 --help
Usage of /webhook:
      --add_dir_header                   If true, adds the file directory to the header
      --alsologtostderr                  log to standard error as well as files
      --annotation-prefix string         The Service Account annotation to look for (default "eks.amazonaws.com")
      --aws-default-region string        If set, AWS_DEFAULT_REGION and AWS_REGION will be set to this value in mutated containers
      --enable-debugging-handlers        Enable debugging handlers. Currently /debug/alpha/cache is supported
      --in-cluster                       Use in-cluster authentication and certificate request API (default true)
      --kube-api string                  (out-of-cluster) The url to the API server
      --kubeconfig string                (out-of-cluster) Absolute path to the API server kubeconfig file
      --log_backtrace_at traceLocation   when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                   If non-empty, write log files in this directory
      --log_file string                  If non-empty, use this log file
      --log_file_max_size uint           Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --logtostderr                      log to standard error instead of files (default true)
      --metrics-port int                 Port to listen on for metrics and healthz (http) (default 9999)
      --namespace string                 (in-cluster) The namespace name this webhook, the TLS secret, and configmap resides in (default "eks")
      --port int                         Port to listen on (default 443)
      --service-name string              (in-cluster) The service name fronting this webhook (default "pod-identity-webhook")
      --skip_headers                     If true, avoid header prefixes in the log messages
      --skip_log_headers                 If true, avoid headers when opening log files
      --stderrthreshold severity         logs at or above this threshold go to stderr (default 2)
      --sts-regional-endpoint false      Whether to inject the AWS_STS_REGIONAL_ENDPOINTS=regional env var in mutated pods. Defaults to false.
      --tls-cert string                  (out-of-cluster) TLS certificate file path (default "/etc/webhook/certs/tls.crt")
      --tls-key string                   (out-of-cluster) TLS key file path (default "/etc/webhook/certs/tls.key")
      --tls-secret string                (in-cluster) The secret name for storing the TLS serving cert (default "pod-identity-webhook")
      --token-audience string            The default audience for tokens. Can be overridden by annotation (default "sts.amazonaws.com")
      --token-expiration int             The token expiration (default 86400)
      --token-mount-path string          The path to mount tokens (default "/var/run/secrets/eks.amazonaws.com/serviceaccount")
  -v, --v Level                          number for the log level verbosity
      --version                          Display the version and exit
      --vmodule moduleSpec               comma-separated list of pattern=N settings for file-filtered logging
      --watch-config-map                 Enables watching serviceaccounts that are configured through the pod-identity-webhook configmap instead of using annotations
pflag: help requested

Whereas with 0.5.0, we get the help output of go-runner:

$ docker run -t amazon/amazon-eks-pod-identity-webhook:v0.5.0 --help
Usage of /go-runner:
  -also-stdout
        useful with log-file, log to standard output as well as the log file
  -log-file string
        If non-empty, save stdout to this file
  -redirect-stderr
        treat stderr same as stdout (default true)

Anything else we need to know?:

https://github.com/aws/amazon-eks-pod-identity-webhook/blob/254737fc69173139a7d802f5ff859e3d9a88b190/Dockerfile#L10 Introduced via https://github.com/aws/amazon-eks-pod-identity-webhook/commit/45808266d958019d8b0ce91a03017ece5798a4ee / https://github.com/aws/amazon-eks-pod-identity-webhook/pull/186
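
Added example, not taken from the issue or from the project's deploy/ manifests: a container spec that keeps the webhook working across the 0.4.0 to 0.5.0 ENTRYPOINT change. In Kubernetes, `command` replaces the image ENTRYPOINT and `args` replaces the image CMD, so setting only `args` hands the flags to whatever the ENTRYPOINT happens to be (now /go-runner). Pinning `command` to /webhook, as the upstream deployment-base.yaml does, makes the manifest independent of the image's entrypoint. The container name, the region value and the port mapping are assumptions; the flags and env var names are the ones from the issue.

```yaml
# Added example (not the project's own manifest). Shows the failing form
# from the issue next to a form that does not depend on the image ENTRYPOINT.
#
# --- Breaks with v0.5.0: `args` alone go to the image ENTRYPOINT (/go-runner),
# --- which rejects --in-cluster and the other /webhook flags:
#
# containers:
#   - name: pod-identity-webhook
#     image: amazon/amazon-eks-pod-identity-webhook:v0.5.0
#     args:
#       - --in-cluster=false
#       - --namespace=$(POD_NAMESPACE)
#       - --port=8443
#
# --- Works with both v0.4.0 and v0.5.0: `command` overrides ENTRYPOINT,
# --- so /webhook is exec'd directly and receives `args`:
containers:
  - name: pod-identity-webhook               # container name: assumption
    image: amazon/amazon-eks-pod-identity-webhook:v0.5.0
    command:
      - /webhook                              # bypasses /go-runner entirely
    args:
      - --in-cluster=false
      - --namespace=$(POD_NAMESPACE)
      - --port=8443
      - --sts-regional-endpoint=true
      - --aws-default-region=$(POD_IDENTITY_WEBHOOK_AWS_DEFAULT_REGION)
    env:
      - name: POD_NAMESPACE                   # expanded by $(...) in args above
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: POD_IDENTITY_WEBHOOK_AWS_DEFAULT_REGION
        value: us-west-2                      # region value: assumption
    ports:
      - name: https                           # port mapping: assumption
        containerPort: 8443
```

To check an image locally before rolling it out, override the entrypoint the same way: `docker run --rm --entrypoint /webhook amazon/amazon-eks-pod-identity-webhook:v0.5.0 --help` should print the "Usage of /webhook:" text shown above for 0.4.0 rather than the go-runner usage.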

prateekgogia commented 6 months ago

This was an intended change to be consistent with all the other components running as part of the Kubernetes control plane. You should be able to rebuild the Docker image with the older Dockerfile config with scratch as the base image.