Install crictl for CLI interaction with containerd #797

Closed
benmccown opened this issue Nov 4, 2021 · 3 comments · Fixed by #1321

@benmccown

What would you like to be added: Install crictl as part of the EKS AMI build. Currently the only CLI utility included with the AMI is ctr.

crictl project: https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md
crictl documentation included in official Kubernetes docs: https://kubernetes.io/docs/tasks/debug-application-cluster/crictl/

Why is this needed:

Let me first start with issues I have seen with ctr and then I will discuss why crictl is the proposed alternative.

ctr's issues

  • Nonexistent documentation. If you search for "containerd ctr documentation" you'll find a blog post or two, an outdated fork of the containerd project that has an old markdown file from 2016, and that's about it. There's the -h help output you can access from the CLI binary itself, but I don't think this is adequate for a new containerd user who is used to docker cli syntax.
  • Unintuitive syntax when coming from the docker cli. Some commands are relatively straightforward, but in my experience so far there's a learning curve with ctr. This is fine, but the curve is made even steeper by the aforementioned lack of documentation.
  • Doesn't pull private registry credentials when they are defined in containerd's config.toml. See this comment confirming the same. I have confirmed this myself. When registry credentials are defined in containerd's config.toml a private image can be pulled with crictl but not with ctr. If a user wants to test their containerd config by pulling a private image with the default cli (ctr) they're going to see the image fail to pull even if their config is correct, leading to unnecessary troubleshooting.

crictl as proposed solution

  • crictl is part of the official kubernetes-sigs "cri-tools" project and was developed with Kubernetes in mind.
  • crictl is well documented within the official Kubernetes documentation.
  • crictl seems to honor private registry credentials provided in containerd's config.toml (issue with ctr mentioned above)

Providing a CLI utility that is part of the Kubernetes ecosystem, easier to use, and well documented will ease the transition for new users to containerd.

@davidegiunchi

Another point about "why is this needed", from ctr's manpage:

ctr(8)()

       ctr is an unsupported debug and administrative client for interacting with the containerd daemon. Because it is unsupported, the commands, options, and operations are not guaranteed to be backward
       compatible or stable from release to release of the containerd project.

Since it's unsupported, I think that installing cri-tools would be important.

@Mylleranton

Still very relevant, especially given that K8s >=1.2.4 no longer have the dockershim - which will force everyone over to containerd sooner rather than later. Especially the part about ctl not respecting configuration is a big headache for anyone working with private registries etc.

@ringerc

ringerc commented Jan 23, 2023

It's also inconsistent with most other kube node deployments, such as the Azure k8s node images.

I was recently amazed to find that crictl is absent from the EKS nodes.

It doesn't appear to be in the yum repo either. Had to install it via cri-tools github. https://github.com/kubernetes-sigs/cri-tools

Note that at least on the k8s 1.22 node I tested on, containerd was at 1.4.x and didn't want to talk to crictl 1.26.0. I had to use 1.25.0.
