Miheer Salunke of Red Hat reports:
When a private image is pulled to a node any other user on the node can use
this private image if they know the name of the image. It should be noted that
the image name typically includes a SHA hash in the value making it difficult
Doing some follow-up, can you (or anyone really) point me at a commit for this?
Kube PR for AlwaysPullImages admission controller: https://github.com/kubernetes/kubernetes/pull/18909
Kube Docs: http://kubernetes.io/docs/admin/admission-controllers/#alwayspullimages
Example showing how to enable it in OpenShift config: https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/admission_controllers.html