@@ -137,3 +137,21 @@ func captureSurroundingJSONForError(prefix string, data []byte, err error) error

 	}

 	return err

 }

+

+// IsAdmissionPluginActivated returns true if the admission plugin is activated using configapi.DefaultAdmissionConfig

+// otherwise it returns a default value

+func IsAdmissionPluginActivated(reader io.Reader, defaultValue bool) (bool, error) {

+	obj, err := ReadYAML(reader)

+	if err != nil {

+		return false, err

+	}

+	if obj == nil {

+		return defaultValue, nil

+	}

+	activationConfig, ok := obj.(*configapi.DefaultAdmissionConfig)

+	if !ok {

+		return false, fmt.Errorf("unexpected config object: %#v", obj)

+	}

+

+	return !activationConfig.Disable, nil

+}

@@ -53,9 +53,13 @@ func addKnownTypes(scheme *runtime.Scheme) {

 		&OpenIDIdentityProvider{},

 		&LDAPSyncConfig{},

+

+		&DefaultAdmissionConfig{},

 	)

 }

+func (obj *DefaultAdmissionConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }

+

 func (obj *LDAPSyncConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }

 func (obj *OpenIDIdentityProvider) GetObjectKind() unversioned.ObjectKind        { return &obj.TypeMeta }

@@ -1202,3 +1202,13 @@ type ServiceServingCert struct {

 	// If this value is nil, then certs are not signed automatically.

 	Signer *CertInfo

 }

+

+// DefaultAdmissionConfig can be used to enable or disable various admission plugins.

+// When this type is present as the `configuration` object under `pluginConfig` and *if* the admission plugin supports it,

+// this will cause an "off by default" admission plugin to be enabled

+type DefaultAdmissionConfig struct {

+	unversioned.TypeMeta

+

+	// Disable turns off an admission plugin that is enabled by default.

+	Disable bool

+}

@@ -36,9 +36,13 @@ func addKnownTypes(scheme *runtime.Scheme) {

 		&OpenIDIdentityProvider{},

 		&LDAPSyncConfig{},

+

+		&DefaultAdmissionConfig{},

 	)

 }

+func (obj *DefaultAdmissionConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }

+

 func (obj *LDAPSyncConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }

 func (obj *OpenIDIdentityProvider) GetObjectKind() unversioned.ObjectKind        { return &obj.TypeMeta }

@@ -135,6 +135,15 @@ func (DNSConfig) SwaggerDoc() map[string]string {

 	return map_DNSConfig

 }

+var map_DefaultAdmissionConfig = map[string]string{

+	"":        "DefaultAdmissionConfig can be used to enable or disable various admission plugins. When this type is present as the `configuration` object under `pluginConfig` and *if* the admission plugin supports it, this will cause an \"off by default\" admission plugin to be enabled",

+	"Disable": "Disable turns off an admission plugin that is enabled by default.",

+}

+

+func (DefaultAdmissionConfig) SwaggerDoc() map[string]string {

+	return map_DefaultAdmissionConfig

+}

+

 var map_DenyAllPasswordIdentityProvider = map[string]string{

 	"": "DenyAllPasswordIdentityProvider provides no identities for users",

 }

@@ -1207,3 +1207,13 @@ type ServiceServingCert struct {

 	// If this value is nil, then certs are not signed automatically.

 	Signer *CertInfo `json:"signer"`

 }

+

+// DefaultAdmissionConfig can be used to enable or disable various admission plugins.

+// When this type is present as the `configuration` object under `pluginConfig` and *if* the admission plugin supports it,

+// this will cause an "off by default" admission plugin to be enabled

+type DefaultAdmissionConfig struct {

+	unversioned.TypeMeta `json:",inline"`

+

+	// Disable turns off an admission plugin that is enabled by default.

+	Disable bool

+}

@@ -47,7 +47,7 @@ import (

 )

 // AdmissionPlugins is the full list of admission control plugins to enable in the order they must run

-var AdmissionPlugins = []string{"RunOnceDuration", lifecycle.PluginName, "PodNodeConstraints", "OriginPodNodeEnvironment", overrideapi.PluginName, serviceadmit.ExternalIPPluginName, "LimitRanger", "ServiceAccount", "SecurityContextConstraint", "BuildDefaults", "BuildOverrides", "ResourceQuota", "SCCExecRestrictions"}

+var AdmissionPlugins = []string{"RunOnceDuration", lifecycle.PluginName, "PodNodeConstraints", "OriginPodNodeEnvironment", overrideapi.PluginName, serviceadmit.ExternalIPPluginName, "LimitRanger", "ServiceAccount", "SecurityContextConstraint", "BuildDefaults", "BuildOverrides", "AlwaysPullImages", "ResourceQuota", "SCCExecRestrictions"}

 // MasterConfig defines the required values to start a Kubernetes master

 type MasterConfig struct {

new file mode 100644

@@ -0,0 +1,57 @@

+package start

+

+import (

+	"io"

+

+	"k8s.io/kubernetes/pkg/admission"

+	"k8s.io/kubernetes/pkg/util/sets"

+

+	// Admission control plug-ins used by OpenShift

+	_ "github.com/openshift/origin/pkg/build/admission/defaults"

+	_ "github.com/openshift/origin/pkg/build/admission/overrides"

+	_ "github.com/openshift/origin/pkg/build/admission/strategyrestrictions"

+	_ "github.com/openshift/origin/pkg/project/admission/lifecycle"

+	_ "github.com/openshift/origin/pkg/project/admission/nodeenv"

+	_ "github.com/openshift/origin/pkg/project/admission/requestlimit"

+	_ "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride"

+	_ "github.com/openshift/origin/pkg/quota/admission/resourcequota"

+	_ "github.com/openshift/origin/pkg/quota/admission/runonceduration"

+	_ "github.com/openshift/origin/pkg/scheduler/admission/podnodeconstraints"

+	_ "github.com/openshift/origin/pkg/security/admission"

+	_ "k8s.io/kubernetes/plugin/pkg/admission/admit"

+	_ "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"

+	_ "k8s.io/kubernetes/plugin/pkg/admission/exec"

+	_ "k8s.io/kubernetes/plugin/pkg/admission/limitranger"

+	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"

+	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle"

+	_ "k8s.io/kubernetes/plugin/pkg/admission/resourcequota"

+	_ "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"

+

+	configlatest "github.com/openshift/origin/pkg/cmd/server/api/latest"

+)

+

+var (

+	defaultOnPlugins  = sets.String{}

+	defaultOffPlugins = sets.String{}

+)

+

+func init() {

+	defaultOffPlugins.Insert("AlwaysPullImages")

+	admission.PluginEnabledFn = IsAdmissionPluginActivated

+}

+

+func IsAdmissionPluginActivated(name string, config io.Reader) bool {

+	// only intercept if we have an explicit enable or disable.  If the check fails in any way,

+	// assume that the config was a different type and let the actual admission plugin check it

+	if defaultOnPlugins.Has(name) {

+		if enabled, err := configlatest.IsAdmissionPluginActivated(config, true); err == nil && !enabled {

+			return false

+		}

+	} else if defaultOffPlugins.Has(name) {

+		if enabled, err := configlatest.IsAdmissionPluginActivated(config, false); err == nil && !enabled {

+			return false

+		}

+	}

+

+	return true

+}

deleted file mode 100644

@@ -1,25 +0,0 @@

-package start

-

-import (

-

-	// Admission control plug-ins used by OpenShift

-	_ "github.com/openshift/origin/pkg/build/admission/defaults"

-	_ "github.com/openshift/origin/pkg/build/admission/overrides"

-	_ "github.com/openshift/origin/pkg/build/admission/strategyrestrictions"

-	_ "github.com/openshift/origin/pkg/project/admission/lifecycle"

-	_ "github.com/openshift/origin/pkg/project/admission/nodeenv"

-	_ "github.com/openshift/origin/pkg/project/admission/requestlimit"

-	_ "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride"

-	_ "github.com/openshift/origin/pkg/quota/admission/resourcequota"

-	_ "github.com/openshift/origin/pkg/quota/admission/runonceduration"

-	_ "github.com/openshift/origin/pkg/scheduler/admission/podnodeconstraints"

-	_ "github.com/openshift/origin/pkg/security/admission"

-	_ "k8s.io/kubernetes/plugin/pkg/admission/admit"

-	_ "k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"

-	_ "k8s.io/kubernetes/plugin/pkg/admission/exec"

-	_ "k8s.io/kubernetes/plugin/pkg/admission/limitranger"

-	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/exists"

-	_ "k8s.io/kubernetes/plugin/pkg/admission/namespace/lifecycle"

-	_ "k8s.io/kubernetes/plugin/pkg/admission/resourcequota"

-	_ "k8s.io/kubernetes/plugin/pkg/admission/serviceaccount"

-)

@@ -291,3 +291,92 @@ func TestOpenshiftAdmissionPluginEmbeddedConfig(t *testing.T) {

 		t.Errorf("Error: %v", err)

 	}

 }

+

+func TestAlwaysPullImagesOn(t *testing.T) {

+	testutil.RequireEtcd(t)

+	masterConfig, err := testserver.DefaultMasterOptions()

+	if err != nil {

+		t.Fatalf("error creating config: %v", err)

+	}

+	masterConfig.KubernetesMasterConfig.AdmissionConfig.PluginConfig = map[string]configapi.AdmissionPluginConfig{

+		"AlwaysPullImages": {

+			Configuration: &configapi.DefaultAdmissionConfig{},

+		},

+	}

+	kubeConfigFile, err := testserver.StartConfiguredMaster(masterConfig)

+	if err != nil {

+		t.Fatalf("error starting server: %v", err)

+	}

+	kubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)

+	if err != nil {

+		t.Fatalf("error getting client: %v", err)

+	}

+

+	ns := &kapi.Namespace{}

+	ns.Name = testutil.Namespace()

+	_, err = kubeClient.Namespaces().Create(ns)

+	if err != nil {

+		t.Fatalf("error creating namespace: %v", err)

+	}

+	if err := testserver.WaitForPodCreationServiceAccounts(kubeClient, testutil.Namespace()); err != nil {

+		t.Fatalf("error getting client config: %v", err)

+	}

+

+	testPod := &kapi.Pod{}

+	testPod.GenerateName = "test"

+	testPod.Spec.Containers = []kapi.Container{

+		{

+			Name:            "container",

+			Image:           "openshift/origin-pod:notlatest",

+			ImagePullPolicy: kapi.PullNever,

+		},

+	}

+

+	actualPod, err := kubeClient.Pods(testutil.Namespace()).Create(testPod)

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	if actualPod.Spec.Containers[0].ImagePullPolicy != kapi.PullAlways {

+		t.Errorf("expected %v, got %v", kapi.PullAlways, actualPod.Spec.Containers[0].ImagePullPolicy)

+	}

+}

+

+func TestAlwaysPullImagesOff(t *testing.T) {

+	testutil.RequireEtcd(t)

+	_, kubeConfigFile, err := testserver.StartTestMaster()

+	if err != nil {

+		t.Fatalf("error starting server: %v", err)

+	}

+	kubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)

+	if err != nil {

+		t.Fatalf("error getting client: %v", err)

+	}

+

+	ns := &kapi.Namespace{}

+	ns.Name = testutil.Namespace()

+	_, err = kubeClient.Namespaces().Create(ns)

+	if err != nil {

+		t.Fatalf("error creating namespace: %v", err)

+	}

+	if err := testserver.WaitForPodCreationServiceAccounts(kubeClient, testutil.Namespace()); err != nil {

+		t.Fatalf("error getting client config: %v", err)

+	}

+

+	testPod := &kapi.Pod{}

+	testPod.GenerateName = "test"

+	testPod.Spec.Containers = []kapi.Container{

+		{

+			Name:            "container",

+			Image:           "openshift/origin-pod:notlatest",

+			ImagePullPolicy: kapi.PullNever,

+		},

+	}

+

+	actualPod, err := kubeClient.Pods(testutil.Namespace()).Create(testPod)

+	if err != nil {

+		t.Fatalf("unexpected error: %v", err)

+	}

+	if actualPod.Spec.Containers[0].ImagePullPolicy != kapi.PullNever {

+		t.Errorf("expected %v, got %v", kapi.PullNever, actualPod.Spec.Containers[0].ImagePullPolicy)

+	}

+}