Move calico-policy-controller into separate role

By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132
Aleksandr Didenko
2017-03-13 16:04:31 +01:00
parent 565d4a53b0
commit 3a39904011
11 changed files with 33 additions and 22 deletions

@@ -19,12 +19,6 @@ kubednsmasq_image_tag: "{{ kubednsmasq_version }}"
exechealthz_image_repo: "gcr.io/google_containers/exechealthz-amd64"
exechealthz_image_tag: "{{ exechealthz_version }}"
# Limits for calico apps
calico_policy_controller_cpu_limit: 100m
calico_policy_controller_memory_limit: 256M
calico_policy_controller_cpu_requests: 30m
calico_policy_controller_memory_requests: 64M
# Netchecker
deploy_netchecker: false
netchecker_port: 31081
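Review bot: Confirm that the four calico_policy_controller_* limit and request values removed here under "# Limits for calico apps" are defined in the defaults of the new role with the same values (100m / 256M / 30m / 64M). If they are missing there, the policy controller manifest will either fail to render on an undefined variable or deploy without resource limits. It is also worth checking that no template left in this role still references these names.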
@@ -45,5 +39,4 @@ netchecker_server_memory_requests: 64M
# SSL
etcd_cert_dir: "/etc/ssl/etcd/ssl"
calico_cert_dir: "/etc/calico/certs"
canal_cert_dir: "/etc/canal/certs"
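Review bot: Check where the default dropped from the "# SSL" block is defined after this change. The header goes from 5 lines to 4, and this rendering has lost the +/- markers, so the removed line cannot be distinguished from context. If it is one of the *_cert_dir values, the role that now deploys calico-policy-controller needs it in its own defaults or in a shared group variable, and any template remaining in this role that references it should be updated in the same commit.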