Add admission control to CoreOS Driver

This adds the default set of admission control to CoreOS driver and
enable service account that are a requirement for most K8s addons

Change-Id: Id4948973627f4517eba13901e822f22e3fb1212f
Partially-Implements: bp coreos-best-pratice

magnum/drivers/k8s_coreos_v1/templates/fragments/enable-kube-apiserver.yaml

@@ -21,6 +21,11 @@ write_files:
     content: |
       #!/bin/sh
 
+      KUBE_ADMISSION_CONTROL=""
+      if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+          KUBE_ADMISSION_CONTROL="- --admission-control=${ADMISSION_CONTROL_LIST}"
+      fi
+
       TLS_CERT_FILE=${KUBE_CERTS_PATH}/apiserver.pem
       TLS_PRIVATE_KEY_FILE=${KUBE_CERTS_PATH}/apiserver-key.pem
       CLIENT_CA_FILE=${KUBE_CERTS_PATH}/ca.pem
@@ -62,6 +67,7 @@ write_files:
           - --tls-private-key-file=${TLS_PRIVATE_KEY_FILE}
           - --client-ca-file=${CLIENT_CA_FILE}
           - --service-account-key-file=${TLS_PRIVATE_KEY_FILE}
+          ${KUBE_ADMISSION_CONTROL}
           ports:
           - containerPort: 6443
             hostPort: 6443

magnum/drivers/k8s_coreos_v1/templates/fragments/write-heat-params-master.yaml

@@ -19,6 +19,7 @@ write_files:
       FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
       FLANNEL_BACKEND="$FLANNEL_BACKEND"
       PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
+      ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
       ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
       USERNAME="$USERNAME"
       PASSWORD="$PASSWORD"

magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml

@@ -107,8 +107,8 @@ parameters:
   admission_control_list:
     type: string
     description: >
-      Not used by this driver
+      List of admission control plugins to activate
-    default: ""
+    default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
 
   kube_allow_priv:
     type: string
@@ -376,6 +376,7 @@ resources:
           system_pods_initial_delay: {get_param: system_pods_initial_delay}
           system_pods_timeout: {get_param: system_pods_timeout}
           portal_network_cidr: {get_param: portal_network_cidr}
+          admission_control_list: {get_param: admission_control_list}
           fixed_network: {get_attr: [network, fixed_network]}
           fixed_subnet: {get_attr: [network, fixed_subnet]}
           discovery_url: {get_param: discovery_url}

magnum/drivers/k8s_coreos_v1/templates/kubemaster.yaml

@@ -77,6 +77,11 @@ parameters:
       (in seconds)
     default: 5
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+
   fixed_network:
     type: string
     description: Network from which to allocate fixed addresses.
@@ -225,6 +230,7 @@ resources:
             "$SYSTEM_PODS_INITIAL_DELAY": {get_param: system_pods_initial_delay}
             "$SYSTEM_PODS_TIMEOUT": {get_param: system_pods_timeout}
             "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+            "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
             "$CLUSTER_SUBNET": {get_param: fixed_subnet}
             "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
             "$WAIT_CURL": {get_attr: [master_wait_handle, curl_cli]}