imagePullPolicy: IfNotPresent for all versioned containers (#4212)

2018-11-08 13:23:17 -08:00 · 2018-11-08 13:23:17 -08:00 · 1022387742
--- a/docs/clusterdefinition.md
+++ b/docs/clusterdefinition.md
@ -387,8 +387,8 @@ Below is a list of apiserver options that acs-engine will configure by default:

 | apiserver option                | default value                                                                                                                                                                                                                           |
 | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| "--admission-control"           | "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,AlwaysPullImages" (Kubernetes versions prior to 1.9.0                                                                               |
-| "--enable-admission-plugins"`*` | "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,AlwaysPullImages" (Kubernetes versions 1.9.0 and later |
+| "--admission-control"           | "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota" (Kubernetes versions prior to 1.9.0)                                                                               |
+| "--enable-admission-plugins"`*` | "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,ExtendedResourceToleration" (Kubernetes versions 1.9.0 and later) |
 | "--authorization-mode"          | "Node", "RBAC" (_the latter if enabledRbac is true_)                                                                                                                                                                                    |
 | "--audit-log-maxage"            | "30"                                                                                                                                                                                                                                    |
 | "--audit-log-maxbackup"         | "10"                                                                                                                                                                                                                                    |
--- a/packer/install-dependencies.sh
+++ b/packer/install-dependencies.sh
@ -136,6 +136,16 @@ for KUBE_SVC_REDIRECT_VERSION in ${KUBE_SVC_REDIRECT_VERSIONS}; do
    pullContainerImage "docker" "docker.io/deis/kube-svc-redirect:v${KUBE_SVC_REDIRECT_VERSION}"
 done

+KV_FLEXVOLUME_VERSIONS="0.0.5"
+for KV_FLEXVOLUME_VERSION in ${KV_FLEXVOLUME_VERSIONS}; do
+    pullContainerImage "docker" "mcr.microsoft.com/k8s/flexvolume/keyvault-flexvolume:v${KV_FLEXVOLUME_VERSION}"
+done
+
+IP_MASQ_AGENT_VERSIONS="2.0.0"
+for IP_MASQ_AGENT_VERSION in ${IP_MASQ_AGENT_VERSIONS}; do
+    pullContainerImage "docker" "gcr.io/google-containers/ip-masq-agent-amd64:v${IP_MASQ_AGENT_VERSION}"
+done
+
 NGINX_VERSIONS="1.13.12-alpine"
 for NGINX_VERSION in ${NGINX_VERSIONS}; do
    pullContainerImage "docker" "nginx:${NGINX_VERSION}"
--- a/parts/k8s/addons/1.10/kubernetesmasteraddons-kube-dns-deployment.yaml
+++ b/parts/k8s/addons/1.10/kubernetesmasteraddons-kube-dns-deployment.yaml
@ -94,6 +94,7 @@ spec:
      containers:
      - name: kubedns
        image: <img>
+        imagePullPolicy: IfNotPresent
        resources:
          # TODO: Set memory limits when we've profiled the container for large
          # clusters, then set request = limit to keep this container in
@ -143,6 +144,7 @@ spec:
          mountPath: /kube-dns-config
      - name: dnsmasq
        image: <imgMasq>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /healthcheck/dnsmasq
@ -181,6 +183,7 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
      - name: sidecar
        image: <imgSidecar>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
--- a/parts/k8s/addons/1.6/kubernetesmasteraddons-heapster-deployment.yaml
+++ b/parts/k8s/addons/1.6/kubernetesmasteraddons-heapster-deployment.yaml
@ -96,6 +96,7 @@ spec:
      serviceAccountName: heapster
      containers:
      - image: <img>
+        imagePullPolicy: IfNotPresent
        command:
        - "/heapster"
        - "--source=kubernetes.summary_api:\"\""
@ -108,6 +109,7 @@ spec:
            cpu: 80m
            memory: 140Mi
      - image: <imgNanny>
+        imagePullPolicy: IfNotPresent
        command:
        - "/pod_nanny"
        - "--cpu=80m"
--- a/parts/k8s/addons/1.6/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
+++ b/parts/k8s/addons/1.6/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
@ -64,7 +64,7 @@ spec:
      - args:
        - --heapster-host=http://heapster.kube-system:80
        image: <img>
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: "/"
--- a/parts/k8s/addons/1.7/kubernetesmasteraddons-heapster-deployment.yaml
+++ b/parts/k8s/addons/1.7/kubernetesmasteraddons-heapster-deployment.yaml
@ -96,6 +96,7 @@ spec:
      serviceAccountName: heapster
      containers:
      - image: <img>
+        imagePullPolicy: IfNotPresent
        command:
        - "/heapster"
        - "--source=kubernetes.summary_api:\"\""
@ -108,6 +109,7 @@ spec:
            cpu: 80m
            memory: 140Mi
      - image: <imgNanny>
+        imagePullPolicy: IfNotPresent
        command:
        - "/pod_nanny"
        - "--cpu=80m"
--- a/parts/k8s/addons/1.7/kubernetesmasteraddons-kube-dns-deployment.yaml
+++ b/parts/k8s/addons/1.7/kubernetesmasteraddons-kube-dns-deployment.yaml
@ -84,6 +84,7 @@ spec:
        - name: PROMETHEUS_PORT
          value: "10055"
        image: <img>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
          httpGet:
@ -134,6 +135,7 @@ spec:
        - "--server=/ip6.arpa/127.0.0.1#10053"
        - "--log-facility=-"
        image: <imgMasq>
+        imagePullPolicy: IfNotPresent
        name: dnsmasq
        ports:
        - containerPort: 53
@ -156,6 +158,7 @@ spec:
        - name: PROBE_DOMAINS
          value: bing.com kubernetes.default.svc.<domain>
        image: <imgHealthz>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
          httpGet:
--- a/parts/k8s/addons/1.7/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
+++ b/parts/k8s/addons/1.7/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
@ -64,7 +64,7 @@ spec:
      - args:
        - --heapster-host=http://heapster.kube-system:80
        image: <img>
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: "/"
--- a/parts/k8s/addons/1.8/kubernetesmasteraddons-heapster-deployment.yaml
+++ b/parts/k8s/addons/1.8/kubernetesmasteraddons-heapster-deployment.yaml
@ -96,6 +96,7 @@ spec:
      serviceAccountName: heapster
      containers:
      - image: <img>
+        imagePullPolicy: IfNotPresent
        command:
        - "/heapster"
        - "--source=kubernetes.summary_api:\"\""
@ -108,6 +109,7 @@ spec:
            cpu: 80m
            memory: 140Mi
      - image: <imgNanny>
+        imagePullPolicy: IfNotPresent
        command:
        - "/pod_nanny"
        - "--cpu=80m"
--- a/parts/k8s/addons/1.8/kubernetesmasteraddons-kube-dns-deployment.yaml
+++ b/parts/k8s/addons/1.8/kubernetesmasteraddons-kube-dns-deployment.yaml
@ -84,6 +84,7 @@ spec:
        - name: PROMETHEUS_PORT
          value: "10055"
        image: <img>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
          httpGet:
@ -134,6 +135,7 @@ spec:
        - "--server=/ip6.arpa/127.0.0.1#10053"
        - "--log-facility=-"
        image: <imgMasq>
+        imagePullPolicy: IfNotPresent
        name: dnsmasq
        ports:
        - containerPort: 53
@ -156,6 +158,7 @@ spec:
        - name: PROBE_DOMAINS
          value: bing.com kubernetes.default.svc.<domain>
        image: <imgHealthz>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
          httpGet:
--- a/parts/k8s/addons/1.8/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
+++ b/parts/k8s/addons/1.8/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
@ -64,7 +64,7 @@ spec:
      - args:
        - --heapster-host=http://heapster.kube-system:80
        image: <img>
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: "/"
--- a/parts/k8s/addons/1.9/kubernetesmasteraddons-kube-dns-deployment.yaml
+++ b/parts/k8s/addons/1.9/kubernetesmasteraddons-kube-dns-deployment.yaml
@ -93,6 +93,7 @@ spec:
      containers:
      - name: kubedns
        image: <img>
+        imagePullPolicy: IfNotPresent
        resources:
          # TODO: Set memory limits when we've profiled the container for large
          # clusters, then set request = limit to keep this container in
@ -142,6 +143,7 @@ spec:
          mountPath: /kube-dns-config
      - name: dnsmasq
        image: <imgMasq>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /healthcheck/dnsmasq
@ -180,6 +182,7 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
      - name: sidecar
        image: <imgSidecar>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
--- a/parts/k8s/addons/azure-cni-networkmonitor.yaml
+++ b/parts/k8s/addons/azure-cni-networkmonitor.yaml
@ -29,6 +29,7 @@ spec:
      containers:
        - name: azure-cnms
          image: <img>
+          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
          env:
--- a/parts/k8s/addons/ip-masq-agent.yaml
+++ b/parts/k8s/addons/ip-masq-agent.yaml
@ -28,6 +28,7 @@ spec:
      containers:
      - name: azure-ip-masq-agent
        image: gcr.io/google-containers/ip-masq-agent-amd64:v2.0.0
+        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: true
        volumeMounts:
--- a/parts/k8s/addons/kubernetesmasteraddons-aad-pod-identity-deployment.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-aad-pod-identity-deployment.yaml
@ -105,7 +105,7 @@ spec:
      containers:
      - name: nmi
        image: "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.2"
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        resources:
          requests:
            cpu: "100m"
@ -203,7 +203,7 @@ spec:
      containers:
      - name: mic
        image: mcr.microsoft.com/k8s/aad-pod-identity/mic:1.2
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        resources:
          requests:
            cpu: 100m
--- a/parts/k8s/addons/kubernetesmasteraddons-cluster-autoscaler-deployment.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-cluster-autoscaler-deployment.yaml
@ -154,7 +154,7 @@ spec:
        beta.kubernetes.io/os: linux
      containers:
      - image: <img>
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        name: cluster-autoscaler
        resources:
          limits:
--- a/parts/k8s/addons/kubernetesmasteraddons-heapster-deployment.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-heapster-deployment.yaml
@ -107,6 +107,7 @@ spec:
      priorityClassName: system-cluster-critical
      containers:
        - image: <img>
+          imagePullPolicy: IfNotPresent
          name: heapster
          resources:
            limits:
@ -126,6 +127,7 @@ spec:
            - /heapster
            - --source=kubernetes.summary_api:''
        - image: <imgNanny>
+          imagePullPolicy: IfNotPresent
          name: heapster-nanny
          resources:
            limits:
--- a/parts/k8s/addons/kubernetesmasteraddons-keyvault-flexvolume-installer.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-keyvault-flexvolume-installer.yaml
@ -27,7 +27,7 @@ spec:
      containers:
      - name: keyvault-flexvolume
        image: mcr.microsoft.com/k8s/flexvolume/keyvault-flexvolume:v0.0.5
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        resources:
          requests:
            cpu: <cpuReq>
--- a/parts/k8s/addons/kubernetesmasteraddons-kube-dns-deployment.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-kube-dns-deployment.yaml
@ -95,6 +95,7 @@ spec:
      containers:
      - name: kubedns
        image: <img>
+        imagePullPolicy: IfNotPresent
        resources:
          # TODO: Set memory limits when we've profiled the container for large
          # clusters, then set request = limit to keep this container in
@ -144,6 +145,7 @@ spec:
          mountPath: /kube-dns-config
      - name: dnsmasq
        image: <imgMasq>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /healthcheck/dnsmasq
@ -182,6 +184,7 @@ spec:
          mountPath: /etc/k8s/dns/dnsmasq-nanny
      - name: sidecar
        image: <imgSidecar>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /metrics
--- a/parts/k8s/addons/kubernetesmasteraddons-kube-proxy-daemonset.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-kube-proxy-daemonset.yaml
@ -27,6 +27,7 @@ spec:
        - --cluster-cidr=<CIDR>
        - --feature-gates=ExperimentalCriticalPodAnnotation=true
        image: <img>
+        imagePullPolicy: IfNotPresent
        name: kube-proxy
        resources:
          requests:
--- a/parts/k8s/addons/kubernetesmasteraddons-kube-rescheduler-deployment.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-kube-rescheduler-deployment.yaml
@ -23,6 +23,7 @@ spec:
        beta.kubernetes.io/os: linux
      containers:
      - image: <img>
+        imagePullPolicy: IfNotPresent
        name: rescheduler
        resources:
          requests:
--- a/parts/k8s/addons/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
@ -99,7 +99,7 @@ spec:
        - --auto-generate-certificates
        - --heapster-host=http://heapster.kube-system:80
        image: <img>
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: "/"
--- a/parts/k8s/addons/kubernetesmasteraddons-metrics-server-deployment.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-metrics-server-deployment.yaml
@ -123,7 +123,7 @@ spec:
      containers:
      - name: metrics-server
        image: <img>
-        imagePullPolicy: Always
+        imagePullPolicy: IfNotPresent
        command:
        - /metrics-server
        - --source=kubernetes.summary_api:''
--- a/parts/k8s/addons/kubernetesmasteraddons-tiller-deployment.yaml
+++ b/parts/k8s/addons/kubernetesmasteraddons-tiller-deployment.yaml
@ -68,6 +68,7 @@ spec:
        - name: TILLER_HISTORY_MAX
          value: "<maxHist>"
        image: <img>
+        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
            path: /liveness
--- a/parts/k8s/manifests/kubernetesmaster-cloud-controller-manager.yaml
+++ b/parts/k8s/manifests/kubernetesmaster-cloud-controller-manager.yaml
@ -11,6 +11,7 @@ spec:
  containers:
    - name: cloud-controller-manager
      image: <img>
+      imagePullPolicy: IfNotPresent
      command: ["cloud-controller-manager"]
      args: [<config>]
      volumeMounts:
--- a/parts/k8s/manifests/kubernetesmaster-kube-addon-manager.yaml
+++ b/parts/k8s/manifests/kubernetesmaster-kube-addon-manager.yaml
@ -9,6 +9,7 @@ spec:
  containers:
  - name: kube-addon-manager
    image: <img>
+    imagePullPolicy: IfNotPresent
    resources:
      requests:
        cpu: 5m
--- a/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml
+++ b/parts/k8s/manifests/kubernetesmaster-kube-apiserver.yaml
@ -11,6 +11,7 @@ spec:
  containers:
    - name: kube-apiserver
      image: <img>
+      imagePullPolicy: IfNotPresent
      command: ["/hyperkube", "apiserver"]
      args: [<args>]
      volumeMounts:
--- a/parts/k8s/manifests/kubernetesmaster-kube-controller-manager.yaml
+++ b/parts/k8s/manifests/kubernetesmaster-kube-controller-manager.yaml
@ -11,6 +11,7 @@ spec:
  containers:
    - name: kube-controller-manager
      image: <img>
+      imagePullPolicy: IfNotPresent
      command: ["/hyperkube", "controller-manager"]
      args: [<args>]
      volumeMounts:
--- a/parts/k8s/manifests/kubernetesmaster-kube-scheduler.yaml
+++ b/parts/k8s/manifests/kubernetesmaster-kube-scheduler.yaml
@ -11,6 +11,7 @@ spec:
  containers:
    - name: kube-scheduler
      image: <img>
+      imagePullPolicy: IfNotPresent
      command: ["/hyperkube", "scheduler"]
      args: [<args>]
      volumeMounts:
--- a/pkg/api/defaults-apiserver.go
+++ b/pkg/api/defaults-apiserver.go
@ -143,9 +143,9 @@ func getDefaultAdmissionControls(cs *ContainerService) (string, string) {
 	// Add new version case when applying admission controllers only available in that version or later
 	switch {
 	case common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.9.0"):
-		admissionControlValues = "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,AlwaysPullImages,ExtendedResourceToleration"
+		admissionControlValues = "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,ExtendedResourceToleration"
 	default:
-		admissionControlValues = "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,AlwaysPullImages"
+		admissionControlValues = "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
 	}

 	// Pod Security Policy configuration