Move calico-policy-controller into separate role

By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132

roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2

@@ -64,7 +64,7 @@ spec:
     - --runtime-config={{ conf }}
 {%   endfor %}
 {% endif %}
-{% if enable_network_policy is defined and enable_network_policy == True %}
+{% if enable_network_policy %}
     - --runtime-config=extensions/v1beta1/networkpolicies=true
 {% endif %}
     - --v={{ kube_log_level }}