diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 46c2e5ae24ee80fbf91a076cf63ebb4671dff7e2..a5ef1a49cc84bd074e15dac1bd4c94fed05fcb4f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,8 +10,8 @@ include:
     file: 'docker-images-ci-templates/DockerImages.gitlab-ci.yml'
 
 stages:
-  - test
   - build
+  - test
 
 variables:
   DEFAULT_DOMAIN: "webtest.cern.ch"
diff --git a/chart/drupalsite-operator/values.yaml b/chart/drupalsite-operator/values.yaml
index 1ca025a98567d9bafcf200fe15d635c299ae38b8..b7450610015179eac5eefeb2918f842c3c08dced 100644
--- a/chart/drupalsite-operator/values.yaml
+++ b/chart/drupalsite-operator/values.yaml
@@ -1,7 +1,7 @@
 # Name of the k8s cluster where the operator is deployed. Used in the `ApplicationRegistration` naming convention.
 
-image: {}
-imagePullPolicy: Always
+image: ""
+imagePullPolicy: IfNotPresent
 nodeSelector: {}
 tolerations: []
 replicas: 1
@@ -16,6 +16,7 @@ resources:
 
 # Operator-specific configuration
 drupalsiteOperator:
+  websiteImagePullPolicy: "IfNotPresent"
   sitebuilderImage: "gitlab-registry.cern.ch/drupal/paas/cern-drupal-distribution/site-builder"
   phpFpmExporterImage: "gitlab-registry.cern.ch/drupal/paas/php-fpm-prometheus-exporter:RELEASE.2021.06.02T09-41-38Z"
   webdavImage: "gitlab-registry.cern.ch/drupal/paas/sabredav/webdav:RELEASE-2021.10.12T17-55-06Z"
diff --git a/controllers/drupalsite_controller.go b/controllers/drupalsite_controller.go
index fcac2c1423a9c207540f4ef323e6090155fed59b..bb6f529b215fe7ba57e723000724ff866d6ab1c3 100644
--- a/controllers/drupalsite_controller.go
+++ b/controllers/drupalsite_controller.go
@@ -55,6 +55,8 @@ const (
 )
 
 var (
+	// websiteImagePullPolicy sets the image pull policy for Drupal deployments
+	WebsiteImagePullPolicy corev1.PullPolicy
 	// SiteBuilderImage refers to the sitebuilder image name
 	SiteBuilderImage string
 	// PhpFpmExporterImage refers to the php-fpm-exporter image name
diff --git a/controllers/drupalsite_resources.go b/controllers/drupalsite_resources.go
index 35b6639d3c803d0d0baeb086605a83671fc58c6b..3a66965abf6fbeec31a760a133eae1e64909aad4 100644
--- a/controllers/drupalsite_resources.go
+++ b/controllers/drupalsite_resources.go
@@ -862,10 +862,13 @@ func deploymentForDrupalSite(currentobject *appsv1.Deployment, databaseSecret st
 
 		// TODO: gradually migrate this code outside of the `CreationTimestamp.IsZero` check
 		for i, container := range currentobject.Spec.Template.Spec.Containers {
+			currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = WebsiteImagePullPolicy
+			if d.Spec.ExtraConfigurationRepository.RepositoryUrl != "" {
+				// Set to always due to https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/issues/54
+				currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = corev1.PullAlways
+			}
 			switch container.Name {
 			case "nginx":
-				// Set to always due to https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/issues/54
-				currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = "Always"
 				currentobject.Spec.Template.Spec.Containers[i].Ports = []corev1.ContainerPort{{
 					ContainerPort: 8080,
 					Name:          "nginx",
@@ -895,8 +898,6 @@ func deploymentForDrupalSite(currentobject *appsv1.Deployment, databaseSecret st
 				}
 				// TODO: add readiness probe. Tmp removed due to https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/542
 			case "php-fpm":
-				// Set to always due to https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/issues/54
-				currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = "Always"
 				currentobject.Spec.Template.Spec.Containers[i].Ports = []corev1.ContainerPort{{
 					ContainerPort: 9000,
 					Name:          "php-fpm",
@@ -962,8 +963,6 @@ func deploymentForDrupalSite(currentobject *appsv1.Deployment, databaseSecret st
 					},
 				}
 			case "php-fpm-exporter":
-				// Set to always due to https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/issues/54
-				currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = "Always"
 				// Port on which to expose metrics
 				currentobject.Spec.Template.Spec.Containers[i].Ports = []corev1.ContainerPort{{
 					ContainerPort: 9253,
@@ -983,8 +982,6 @@ func deploymentForDrupalSite(currentobject *appsv1.Deployment, databaseSecret st
 					},
 				}
 			case "webdav":
-				// Set to always due to https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/issues/54
-				currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = "Always"
 				currentobject.Spec.Template.Spec.Containers[i].Ports = []corev1.ContainerPort{{
 					ContainerPort: 8008,
 					Name:          "webdav",
@@ -1182,7 +1179,11 @@ func deploymentForDrupalSite(currentobject *appsv1.Deployment, databaseSecret st
 				"/operations/cronjob.sh -s " + d.Name,
 			}
 			currentobject.Spec.Template.Spec.Containers[i].Resources = config.cronResources
-			currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = "Always"
+			currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = WebsiteImagePullPolicy
+			if d.Spec.ExtraConfigurationRepository.RepositoryUrl != "" {
+				// Set to always due to https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/issues/54
+				currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = corev1.PullAlways
+			}
 			currentobject.Spec.Template.Spec.Containers[i].VolumeMounts = []corev1.VolumeMount{
 				{
 					Name:      "php-cli-config-volume",
@@ -1198,8 +1199,11 @@ func deploymentForDrupalSite(currentobject *appsv1.Deployment, databaseSecret st
 		case "drupal-logs":
 			currentobject.Spec.Template.Spec.Containers[i].Command = tailDrupalLogs()
 			currentobject.Spec.Template.Spec.Containers[i].Resources = config.drupalLogsResources
-			// Set to always due to https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/issues/54
-			currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = "Always"
+			currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = WebsiteImagePullPolicy
+			if d.Spec.ExtraConfigurationRepository.RepositoryUrl != "" {
+				// Set to always due to https://gitlab.cern.ch/drupal/paas/drupalsite-operator/-/issues/54
+				currentobject.Spec.Template.Spec.Containers[i].ImagePullPolicy = corev1.PullAlways
+			}
 			currentobject.Spec.Template.Spec.Containers[i].Ports = []corev1.ContainerPort{{
 				ContainerPort: 8085,
 				Name:          "drupal-logs",
diff --git a/main.go b/main.go
index 617efd3caf431061aa356ce23dc8d3328ecfc35c..651a25f9e41b03163807b42dc773c511ded9adab 100644
--- a/main.go
+++ b/main.go
@@ -45,6 +45,7 @@ import (
 	pipelinev1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
 	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 )
 
 var (
@@ -68,9 +69,14 @@ func init() {
 }
 
 func main() {
-	var metricsAddr string
-	var enableLeaderElection bool
-	var probeAddr string
+	var (
+		metricsAddr          string
+		enableLeaderElection bool
+		probeAddr            string
+		err                  error
+		// Storing the String , and later converting into the corev1.PullPolicy type
+		websiteImagePullPolicyString string
+	)
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
@@ -89,6 +95,7 @@ func main() {
 	// The variable name is set here: https://gitlab.cern.ch/drupal/paas/cern-drupal-distribution/-/blob/master/supporteddrupalversions/chart/templates/supported-drupal-versions.yaml
 	flag.StringVar(&controllers.SupportedDrupalVersionName, "supported-drupal-version-name", "supported-drupal-versions", "The name of the resource used cluster-wide for supported drupal versions")
 	flag.StringVar(&controllers.VeleroBackupStorageLocation, "velero-backup-storage-location", "default", "The name of the backupStorageLocation to be used for Velero Schedules created by the controller")
+	flag.StringVar(&websiteImagePullPolicyString, "websiteImagePullPolicy", "IfNotPresent", "The default image pull policy for deployed pods. We avoid 'Always' as it makes us more vulnerable to container registry downtime.")
 	opts := zap.Options{
 		Development: false,
 	}
@@ -96,7 +103,7 @@ func main() {
 	flag.Parse()
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
 
-	var err error
+	controllers.WebsiteImagePullPolicy = corev1.PullPolicy(websiteImagePullPolicyString)
 	controllers.BuildResources, err = controllers.ResourceRequestLimit("2Gi", "1000m", "4Gi", "2000m")
 	if err != nil {
 		setupLog.Error(err, "Invalid configuration: can't parse build resources")