Use K8s 1.14 and add kubeadm experimental control plane mode (#4514)

* Use K8s 1.14 and add kubeadm experimental control plane mode

This reverts commit d39c273d96.

* Cleanup kubeadm setup run on first master

* pin kubeadm_certificate_key in test

* Remove kubelet autolabel of kube-node, add symlink for pki dir

Change-Id: Id5e74dd667c60675dbfe4193b0bc9fb44380e1ca

roles/kubernetes/master/defaults/main/kube-proxy.yml

@@ -107,4 +107,4 @@ kube_proxy_resource_container: /kube-proxy
 
 # udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').
 # Must be greater than 0. Only applicable for proxyMode=userspace.
-kube_proxy_udp_idle_timeout: 250ms
+kube_proxy_udp_idle_timeout: 250ms

roles/kubernetes/master/defaults/main/main.yml

@@ -23,11 +23,18 @@ kube_apiserver_storage_backend: etcd3
 # By default, force back to etcd2. Set to true to force etcd3 (experimental!)
 force_etcd3: false
 
+kube_etcd_cacert_file: ca.pem
+kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
+kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
+
 # Associated interfaces must be reachable by the rest of the cluster, and by
 # CLI/web clients.
 kube_controller_manager_bind_address: 0.0.0.0
 kube_scheduler_bind_address: 0.0.0.0
 
+# discovery_timeout modifies the discovery timeout
+discovery_timeout: 5m0s
+
 # audit support
 kubernetes_audit: false
 # path to audit log file
@@ -78,7 +85,6 @@ kube_apiserver_request_timeout: "1m0s"
 
 # 1.9 and below Admission control plug-ins
 kube_apiserver_admission_control:
-  - Initializers
   - NamespaceLifecycle
   - LimitRanger
   - ServiceAccount
@@ -99,8 +105,7 @@ kube_apiserver_enable_admission_plugins: []
 kube_apiserver_disable_admission_plugins: []
 
 # extra runtime config
-kube_api_runtime_config:
-  - admissionregistration.k8s.io/v1alpha1
+kube_api_runtime_config: []
 
 ## Enable/Disable Kube API Server Authentication Methods
 kube_basic_auth: false