Admission Controller Fix

A previous PR #5221 introduced the --enable-admission-plugins for >= 1.10.0 as recommended, it does however cause an issue if you already have AdmissionControl is specified in the Spec as both flags get rendered

nodeup/pkg/model/kube_apiserver.go

@@ -304,6 +304,20 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 		}
 	}
 
+	// @fixup: the admission controller migrated from --admission-control to --enable-admission-plugins, but
+	// most people will still have c.Spec.KubeAPIServer.AdmissionControl references into their configuration we need
+	// to fix up. A PR https://github.com/kubernetes/kops/pull/5221/ introduced the issue and since the command line
+	// flags are mutually exclusive the API refuses to come up.
+	if b.IsKubernetesGTE("1.10") {
+		// @note: note sure if this is the best place to put it, I could place into the validation.go which has the benefit of
+		// fixing up the manifests itself, but that feels VERY hacky
+		// @note: it's fine to use AdmissionControl here and it's not populated by the model, thus the only data could have come from the cluster spec
+		if len(c.Spec.KubeAPIServer.AdmissionControl) > 0 {
+			c.Spec.KubeAPIServer.EnableAdmissionPlugins = append(c.Spec.KubeAPIServer.EnableAdmissionPlugins, c.Spec.KubeAPIServer.AdmissionControl...)
+			c.Spec.KubeAPIServer.AdmissionControl = []string{}
+		}
+	}
+
 	// build the kube-apiserver flags for the service
 	flags, err := flagbuilder.BuildFlagsList(b.Cluster.Spec.KubeAPIServer)
 	if err != nil {