Use enable-admission-plugins key for v1.10 and above

[billpratt]

What this PR does / why we need it:

In k8s v1.10, the --admission-control flag was deprecated and replaced with --enable-admission-plugins. This PR uses the new flag for v1.10.

v1.10 release notes:

Add --enable-admission-plugins --disable-admission-plugins flags and deprecate --admission-control. When using the separate flag, the order in which they're specified doesn't matter.

More details:

• refactor admission flag kubernetes/kubernetes#58123
• https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
• https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.10.md#v1100

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

If applicable:

• documentation
• unit tests
• tested backward compatibility (ie. deploy with previous version, upgrade with this branch)

Release note:

[billpratt]

/assign @CecileRobertMichon

[billpratt]

@CecileRobertMichon you and I spoke about this briefly during sync week.

[CecileRobertMichon]

this looks to me like it's doing the opposite of what the comment says

[CecileRobertMichon]

sorry missed the ! please disregard my comment

[codecov]

Codecov Report

Merging #3090 into master will increase coverage by 0.04%.
The diff coverage is 87.5%.

@@            Coverage Diff             @@
##           master    #3090      +/-   ##
==========================================
+ Coverage    51.5%   51.54%   +0.04%     
==========================================
  Files          99       99              
  Lines       15036    15049      +13     
==========================================
+ Hits         7744     7757      +13     
  Misses       6582     6582              
  Partials      710      710

Impacted Files	Coverage Δ
pkg/acsengine/defaults-apiserver.go	97.89% <87.5%> (+0.33%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update da8646d...3efba48. Read the comment docs.

[billpratt]

@CecileRobertMichon This PR also sets MutatingAdmissionWebhook and ValidatingAdmissionWebhook for k8s version 1.9 and above. acs-engine currently sets AlwaysPullImages as a default admission control. In v1.10, this causes issues. Please see here: kubernetes/kubernetes#64333

Does AlwaysPullImages really need to be a default admission control?

cc @brendanburns

[jackfrancis]

Also note the addition of DefaultTolerationSeconds

[jackfrancis]

/approve
/lgtm

Added docs

[acs-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jackfrancis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [jackfrancis]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jackfrancis]

Thanks @billpratt!

[billpratt]

@jackfrancis Does AlwaysPullImages need to be enabled? Please see above

[jackfrancis]

@billpratt Can you kindly track the progress of the pathological behaviors of AlwaysPullImages w/ MutatingAdmissionWebhook? I'm happy to have this as-is at the moment, will be curious if folks complain about the security ramifications of removing AlwaysPullImages outlined here:

https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#alwayspullimages

(Of course this is all user-configurable but our defaults add value to users)