@@ -80,7 +80,7 @@ func setupClusterAdminPodNodeConstraintsTest(t *testing.T, pluginConfig *plugina

 	if err != nil {

 		t.Fatalf("error creating namespace: %v", err)

 	}

-	if err := testserver.WaitForServiceAccounts(kubeClient, testutil.Namespace(), []string{bootstrappolicy.DefaultServiceAccountName}); err != nil {

+	if err := testserver.WaitForPodCreationServiceAccounts(kubeClient, testutil.Namespace()); err != nil {

 		t.Fatalf("unexpected error: %v", err)

 	}

 	return openShiftClient, kubeClient

@@ -9,7 +9,6 @@ import (

 	kclient "k8s.io/kubernetes/pkg/client/unversioned"

 	configapi "github.com/openshift/origin/pkg/cmd/server/api"

-	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"

 	pluginapi "github.com/openshift/origin/pkg/quota/admission/runonceduration/api"

 	testutil "github.com/openshift/origin/test/util"

 	testserver "github.com/openshift/origin/test/util/server"

@@ -98,7 +97,7 @@ func setupRunOnceDurationTest(t *testing.T, pluginConfig *pluginapi.RunOnceDurat

 	if err != nil {

 		t.Fatalf("error creating namespace: %v", err)

 	}

-	if err := testserver.WaitForServiceAccounts(kubeClient, testutil.Namespace(), []string{bootstrappolicy.DefaultServiceAccountName}); err != nil {

+	if err := testserver.WaitForPodCreationServiceAccounts(kubeClient, testutil.Namespace()); err != nil {

 		t.Errorf("unexpected error: %v", err)

 	}

 	return kubeClient

@@ -37,6 +37,10 @@ import (

 // controllers to start up, and populate the service accounts in the test namespace

 const ServiceAccountWaitTimeout = 30 * time.Second

+// PodCreationWaitTimeout is used to determine how long to wait after the service account token

+// is available for the admission control cache to catch up and allow pod creation

+const PodCreationWaitTimeout = 10 * time.Second

+

 // RequireServer verifies if the etcd and the OpenShift server are

 // available and you can successfully connect to them.

 func RequireServer(t *testing.T) {

@@ -395,6 +399,37 @@ func serviceAccountSecretsExist(client *kclient.Client, namespace string, sa *ka

 	return foundTokenSecret && foundDockercfgSecret

 }

+// WaitForPodCreationServiceAccounts ensures that the service account needed for pod creation exists

+// and that the cache for the admission control that checks for pod tokens has caught up to allow

+// pod creation.

+func WaitForPodCreationServiceAccounts(client *kclient.Client, namespace string) error {

+	if err := WaitForServiceAccounts(client, namespace, []string{bootstrappolicy.DefaultServiceAccountName}); err != nil {

+		return err

+	}

+

+	testPod := &kapi.Pod{}

+	testPod.GenerateName = "test"

+	testPod.Spec.Containers = []kapi.Container{

+		{

+			Name:  "container",

+			Image: "openshift/origin-pod:latest",

+		},

+	}

+

+	return wait.PollImmediate(time.Second, PodCreationWaitTimeout, func() (bool, error) {

+		pod, err := client.Pods(namespace).Create(testPod)

+		if err != nil {

+			glog.Warningf("Error attempting to create test pod: %v", err)

+			return false, nil

+		}

+		err = client.Pods(namespace).Delete(pod.Name, kapi.NewDeleteOptions(0))

+		if err != nil {

+			return false, err

+		}

+		return true, nil

+	})

+}

+

 // WaitForServiceAccounts ensures the service accounts needed by build pods exist in the namespace

 // The extra controllers tend to starve the service account controller

 func WaitForServiceAccounts(client *kclient.Client, namespace string, accounts []string) error {