From 5fb60a0bd0cbee407405311fd0d759d9f26f7896 Mon Sep 17 00:00:00 2001
From: Andrew Rynhard
Date: Mon, 3 Dec 2018 19:59:10 -0800
Subject: [PATCH] fix: disable AlwaysPullImages admission plugin

This is a temporary fix until Istio sidecar injection works with this plugin enabled.
---
 src/initramfs/cmd/init/pkg/security/cis/cis.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/initramfs/cmd/init/pkg/security/cis/cis.go b/src/initramfs/cmd/init/pkg/security/cis/cis.go
index a063fd067a..f431564f23 100644
--- a/src/initramfs/cmd/init/pkg/security/cis/cis.go
+++ b/src/initramfs/cmd/init/pkg/security/cis/cis.go
@@ -107,9 +107,10 @@ func EnforceTLSRequirements(cfg *kubeadmapi.InitConfiguration) error {
 // EnforceAdmissionPluginsRequirements enforces CIS requirements for admission plugins.
 // TODO(andrewrynhard): Include any extra user specified plugins.
 // TODO(andrewrynhard): Enable EventRateLimit.
+// TODO(andrewrynhard): Enable AlwaysPullImages (See https://github.com/kubernetes/kubernetes/issues/64333).
 func EnforceAdmissionPluginsRequirements(cfg *kubeadmapi.InitConfiguration) error {
 // nolint: lll
- cfg.APIServerExtraArgs["enable-admission-plugins"] = "AlwaysPullImages,PodSecurityPolicy,DenyEscalatingExec,NamespaceLifecycle,ServiceAccount,NodeRestriction,LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota"
+ cfg.APIServerExtraArgs["enable-admission-plugins"] = "PodSecurityPolicy,DenyEscalatingExec,NamespaceLifecycle,ServiceAccount,NodeRestriction,LimitRanger,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota"
 
 return nil
 }
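Review bot: The doc comment on EnforceAdmissionPluginsRequirements still says it enforces CIS requirements, but the new `enable-admission-plugins` value no longer contains AlwaysPullImages and nothing tells an operator that this control is now off. Without that plugin a pod can start from an image already cached on its node without presenting pull credentials for it, which matters on clusters where tenants share nodes and use private images. As far as this hunk shows, the assignment overwrites the whole key (the existing TODO about user-specified plugins), so a user cannot add the plugin back through configuration either. I would record the deviation next to the new TODO, e.g. `// NOTE: AlwaysPullImages is intentionally omitted; node-cached private images are usable by any pod on that node until it is re-enabled.`, and consider logging the omission at init so the gap is visible in an audit.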