diff --git a/doc/crds/daemonset-install.yaml b/doc/crds/daemonset-install.yaml
index 5783fc81a..39b52ab54 100644
--- a/doc/crds/daemonset-install.yaml
+++ b/doc/crds/daemonset-install.yaml
@@ -93,14 +93,30 @@ spec:
 tolerations:
 - operator: Exists
 effect: NoSchedule
+ initContainers:
+ - name: install-cin-bin
+ command: [ "/install-bin.sh" ]
+ image: ghcr.io/k8snetworkplumbingwg/whereabouts:latest-amd64
+ env:
+ - name: WHEREABOUTS_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "50Mi"
+ limits:
+ cpu: "100m"
+ memory: "50Mi"
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: cnibin
+ mountPath: /host/opt/cni/bin
 containers:
 - name: whereabouts
- command: [ "/bin/sh" ]
- args:
- - -c
- - >
- SLEEP=false /install-cni.sh &&
- /ip-control-loop -log-level debug
+ command: [ "/ip-control-loop -log-level debug" ]
 image: ghcr.io/k8snetworkplumbingwg/whereabouts:latest-amd64
 env:
 - name: WHEREABOUTS_NAMESPACE
diff --git a/script/install-cni.sh b/script/install-cni.sh
index 6eab0ff56..d710dd03a 100755
--- a/script/install-cni.sh
+++ b/script/install-cni.sh
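Review bot: In doc/crds/daemonset-install.yaml the new `command: [ "/ip-control-loop -log-level debug" ]` on the `whereabouts` container is a single exec-form element, so the runtime will look for an executable whose path includes the spaces and flags, and the container will fail to start. Split it into `command: [ "/ip-control-loop" ]` and `args: [ "-log-level", "debug" ]`. The added init container also sets `privileged: true`, although the only need visible in this hunk is write access to the `cnibin` mount at `/host/opt/cni/bin`. Dropping the flag (running as root without it is likely enough, to be confirmed against `/install-bin.sh`, which is not shown) limits what a replaced `latest-amd64` image could do on the node, and pinning the image by digest would narrow that further. The name `install-cin-bin` looks like a typo for `install-cni-bin`.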
@@ -10,36 +10,36 @@ set -u -e # #SPDX-License-Identifier: Apache-2.0 -CNI_BIN_DIR=${CNI_BIN_DIR:-"/host/opt/cni/bin/"} -WHEREABOUTS_KUBECONFIG_FILE_HOST=${WHEREABOUTS_KUBECONFIG_FILE_HOST:-"/etc/cni/net.d/whereabouts.d/whereabouts.kubeconfig"} -CNI_CONF_DIR=${CNI_CONF_DIR:-"/host/etc/cni/net.d"} +CNI_BIN_DIR="${CNI_BIN_DIR:-"/host/opt/cni/bin/"}" +WHEREABOUTS_KUBECONFIG_FILE_HOST="${WHEREABOUTS_KUBECONFIG_FILE_HOST:-"/etc/cni/net.d/whereabouts.d/whereabouts.kubeconfig"}" +CNI_CONF_DIR="${CNI_CONF_DIR:-"/host/etc/cni/net.d"}" # Make a whereabouts.d directory (for our kubeconfig) -mkdir -p $CNI_CONF_DIR/whereabouts.d -WHEREABOUTS_KUBECONFIG=$CNI_CONF_DIR/whereabouts.d/whereabouts.kubeconfig -WHEREABOUTS_FLATFILE=$CNI_CONF_DIR/whereabouts.d/whereabouts.conf -WHEREABOUTS_KUBECONFIG_LITERAL=$(echo "$WHEREABOUTS_KUBECONFIG" | sed -e s'|/host||') +mkdir -p "$CNI_CONF_DIR/whereabouts.d" +WHEREABOUTS_KUBECONFIG="$CNI_CONF_DIR/whereabouts.d/whereabouts.kubeconfig" +WHEREABOUTS_FLATFILE="$CNI_CONF_DIR/whereabouts.d/whereabouts.conf" +WHEREABOUTS_KUBECONFIG_LITERAL="${WHEREABOUTS_KUBECONFIG##/host}" # ------------------------------- Generate a "kube-config" -SERVICE_ACCOUNT_PATH=/var/run/secrets/kubernetes.io/serviceaccount -KUBE_CA_FILE=${KUBE_CA_FILE:-$SERVICE_ACCOUNT_PATH/ca.crt} -SERVICEACCOUNT_TOKEN=$(cat $SERVICE_ACCOUNT_PATH/token) -SKIP_TLS_VERIFY=${SKIP_TLS_VERIFY:-false} +SERVICE_ACCOUNT_PATH="/var/run/secrets/kubernetes.io/serviceaccount" +KUBE_CA_FILE="${KUBE_CA_FILE:-$SERVICE_ACCOUNT_PATH/ca.crt}" +SERVICEACCOUNT_TOKEN="$(cat $SERVICE_ACCOUNT_PATH/token)" +SKIP_TLS_VERIFY="${SKIP_TLS_VERIFY:-false}" # Setup our logging routines -function log() +log() { echo "$(date --iso-8601=seconds) ${1}" } -function error() +error() { log "ERR: {$1}" } -function warn() +warn() { log "WARN: {$1}" } 
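Review bot: `SERVICEACCOUNT_TOKEN="$(cat $SERVICE_ACCOUNT_PATH/token)"` still runs at the top of script/install-cni.sh under the `set -u -e` shown in the hunk header, so a missing token file aborts the script here, before the `[ -f "$SERVICE_ACCOUNT_PATH/token" ]` check in the next hunk can choose a branch. Move the read inside that check, and quote the inner path while touching the line: `SERVICEACCOUNT_TOKEN="$(cat "$SERVICE_ACCOUNT_PATH/token")"`. The same strict-mode interplay affects the `-z` tests in the following hunk: with `set -u` an unset `KUBERNETES_SERVICE_HOST` or `KUBERNETES_SERVICE_PORT` fails at expansion, so the "not set" message is only reachable with `"${KUBERNETES_SERVICE_HOST:-}"`. Separately, `log "ERR: {$1}"` and `log "WARN: {$1}"` print literal braces around the message; `${1}` was probably intended.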
@@ -48,32 +48,32 @@ function warn() # Check if we're running as a k8s pod. if [ -f "$SERVICE_ACCOUNT_PATH/token" ]; then # We're running as a k8d pod - expect some variables. - if [ -z ${KUBERNETES_SERVICE_HOST} ]; then + if [ -z "${KUBERNETES_SERVICE_HOST}" ]; then error "KUBERNETES_SERVICE_HOST not set"; exit 1; fi - if [ -z ${KUBERNETES_SERVICE_PORT} ]; then + if [ -z "${KUBERNETES_SERVICE_PORT}" ]; then error "KUBERNETES_SERVICE_PORT not set"; exit 1; fi - if [ "$SKIP_TLS_VERIFY" == "true" ]; then + if [ "$SKIP_TLS_VERIFY" = "true" ]; then TLS_CFG="insecure-skip-tls-verify: true" elif [ -f "$KUBE_CA_FILE" ]; then - TLS_CFG="certificate-authority-data: $(cat $KUBE_CA_FILE | base64 | tr -d '\n')" + TLS_CFG="certificate-authority-data: $(base64 < "$KUBE_CA_FILE" | tr -d '\n')" fi # Kubernetes service address must be wrapped if it is IPv6 address - KUBERNETES_SERVICE_HOST_WRAP=$KUBERNETES_SERVICE_HOST + KUBERNETES_SERVICE_HOST_WRAP="$KUBERNETES_SERVICE_HOST" if [ "$KUBERNETES_SERVICE_HOST_WRAP" != "${KUBERNETES_SERVICE_HOST_WRAP#*:[0-9a-fA-F]}" ]; then - KUBERNETES_SERVICE_HOST_WRAP=\[$KUBERNETES_SERVICE_HOST_WRAP\] + KUBERNETES_SERVICE_HOST_WRAP="[$KUBERNETES_SERVICE_HOST_WRAP]" fi # Write a kubeconfig file for the CNI plugin. Do this # to skip TLS verification for now. We should eventually support # writing more complete kubeconfig files. This is only used # if the provided CNI network config references it. - touch $WHEREABOUTS_KUBECONFIG - chmod ${KUBECONFIG_MODE:-600} $WHEREABOUTS_KUBECONFIG - cat > $WHEREABOUTS_KUBECONFIG < "$WHEREABOUTS_KUBECONFIG" < $WHEREABOUTS_FLATFILE < "$WHEREABOUTS_FLATFILE" <