diff --git a/doc/source/userguide.rst b/doc/source/userguide.rst
index 9dd0cab504a722c995f3de9e3470a550e619f9e8..a0de51f0ba454816a50a41da2fd16756cfb6f5c2 100644
--- a/doc/source/userguide.rst
+++ b/doc/source/userguide.rst
@@ -298,6 +298,8 @@ the table are linked to more details elsewhere in the user guide.
 +---------------------------------------+--------------------+---------------+
 | `mesos_slave_executor_env_variables`_ | (file name)        | ""            |
 +---------------------------------------+--------------------+---------------+
+| `admission_control_list`_             | see below          | see below     |
++---------------------------------------+--------------------+---------------+
 
 
 =======
@@ -900,6 +902,17 @@ Log into the servers
   You can log into the master servers using the login 'fedora' and the
   keypair specified in the ClusterTemplate.
 
+In addition to the common attributes in the ClusterTemplate, you can specify
+the following attributes that are specific to Kubernetes by using the
+labels attribute.
+
+_`admission_control_list`
+  This label corresponds to Kubernetes parameter for the API server '--admission-control'.
+  For more details, refer to the `Admission Controllers
+  <https://kubernetes.io/docs/admin/admission-controllers//>`_.
+  The default value corresponds to the one recommended in this doc
+  for our current Kubernetes version.
+
 External load balancer for services
 -----------------------------------
 
diff --git a/magnum/drivers/common/k8s_template_def.py b/magnum/drivers/common/k8s_template_def.py
index dba44175f301b03c2652267b406340e006ced4bc..6d88d953ab7f11a5eb3c5e10a0c6ec65f82c6ffe 100644
--- a/magnum/drivers/common/k8s_template_def.py
+++ b/magnum/drivers/common/k8s_template_def.py
@@ -102,7 +102,9 @@ class K8sTemplateDefinition(template_def.BaseTemplateDefinition):
             extra_params['kubernetes_port'] = 8080
 
         label_list = ['flannel_network_cidr', 'flannel_backend',
-                      'flannel_network_subnetlen']
+                      'flannel_network_subnetlen',
+                      'admission_control_list']
+
         for label in label_list:
             extra_params[label] = cluster_template.labels.get(label)
 
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index d481ff492888b55b60e678b0055a6f54b4bf65cf..df1d8a6c156a9b94a18ca76965daf2ae5169fdd1 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -25,12 +25,17 @@ else
     KUBE_API_ARGS="$KUBE_API_ARGS --client_ca_file=/srv/kubernetes/ca.crt"
 fi
 
+KUBE_ADMISSION_CONTROL=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+    KUBE_ADMISSION_CONTROL="--admission-control=${ADMISSION_CONTROL_LIST}"
+fi
+
 sed -i '
-  /^KUBE_API_ADDRESS=/ s/=.*/='"${KUBE_API_ADDRESS}"'/
-  /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
-  /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
-  /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd_servers=http:\/\/127.0.0.1:2379"/
-  /^KUBE_ADMISSION_CONTROL=/ s/=.*/=""/
+    /^KUBE_API_ADDRESS=/ s/=.*/="'"${KUBE_API_ADDRESS}"'"/
+    /^KUBE_SERVICE_ADDRESSES=/ s|=.*|="--service-cluster-ip-range='"$PORTAL_NETWORK_CIDR"'"|
+    /^KUBE_API_ARGS=/ s/KUBE_API_ARGS.//
+    /^KUBE_ETCD_SERVERS=/ s/=.*/="--etcd-servers=http:\/\/127.0.0.1:2379"/
+    /^KUBE_ADMISSION_CONTROL=/ s/=.*/="'"${KUBE_ADMISSION_CONTROL}"'"/
 ' /etc/kubernetes/apiserver
 cat << _EOC_ >> /etc/kubernetes/apiserver
 #Uncomment the following line to disable Load Balancer feature
@@ -39,10 +44,19 @@ KUBE_API_ARGS="$KUBE_API_ARGS"
 #KUBE_API_ARGS="$KUBE_API_ARGS --cloud_config=/etc/sysconfig/kube_openstack_config --cloud_provider=openstack"
 _EOC_
 
+# Add controller manager args
+KUBE_CONTROLLER_MANAGER_ARGS=""
+if [ -n "${ADMISSION_CONTROL_LIST}" ] && [ "${TLS_DISABLED}" == "False" ]; then
+    KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/srv/kubernetes/server.key"
+fi
 sed -i '
-  /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
-  /^KUBE_CONTROLLER_MANAGER_ARGS=/ s/KUBE_CONTROLLER_MANAGER_ARGS.*/#Uncomment the following line to enable Kubernetes Load Balancer feature \n#KUBE_CONTROLLER_MANAGER_ARGS="--cloud-config=\/etc\/sysconfig\/kube_openstack_config --cloud-provider=openstack"/
+    /^KUBELET_ADDRESSES=/ s/=.*/="--machines='""'"/
+    /^KUBE_CONTROLLER_MANAGER_ARGS=/ s#\(KUBE_CONTROLLER_MANAGER_ARGS\).*#\1="'"${KUBE_CONTROLLER_MANAGER_ARGS}"'"#
 ' /etc/kubernetes/controller-manager
+cat << _EOC_ >> /etc/kubernetes/controller-manager
+#Uncomment the following line to enable Kubernetes Load Balancer feature
+#KUBE_CONTROLLER_MANAGER_ARGS="\$KUBE_CONTROLLER_MANAGER_ARGS --cloud-config=/etc/sysconfig/kube_openstack_config --cloud-provider=openstack"
+_EOC_
 
 KUBELET_ARGS="--register-node=true --register-schedulable=false --config=/etc/kubernetes/manifests --hostname-override=$KUBE_NODE_IP"
 
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
index 4651ab3db38efa1c085c47960badfec7a98ea185..d4a036f680c9a8e1f9f6c0aebcc7f0e1cfd1b6dd 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -20,6 +20,7 @@ write_files:
       FLANNEL_NETWORK_SUBNETLEN="$FLANNEL_NETWORK_SUBNETLEN"
       FLANNEL_BACKEND="$FLANNEL_BACKEND"
       PORTAL_NETWORK_CIDR="$PORTAL_NETWORK_CIDR"
+      ADMISSION_CONTROL_LIST="$ADMISSION_CONTROL_LIST"
       ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
       USERNAME="$USERNAME"
       PASSWORD="$PASSWORD"
diff --git a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
index 8d81f81abc4ae4ce22de16f8fa5fd8afd463ed26..0130ff0226ec384b4af86287abe9da602b6ef69a 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/kubecluster.yaml
@@ -80,6 +80,12 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      Not used by this driver
+    default: ""
+
   kube_allow_priv:
     type: string
     description: >
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index add4a8c8ae7b3db8e012359cbb657f93878af3d3..c37be1c1552a693640118844f404a7a15ae24e96 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -79,6 +79,12 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+    default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
   kube_allow_priv:
     type: string
     description: >
@@ -305,6 +311,7 @@ resources:
           flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
           flannel_backend: {get_param: flannel_backend}
           portal_network_cidr: {get_param: portal_network_cidr}
+          admission_control_list: {get_param: admission_control_list}
           discovery_url: {get_param: discovery_url}
           cluster_uuid: {get_param: cluster_uuid}
           magnum_url: {get_param: magnum_url}
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
index c6ea154dcda4e37b8947c2b05a4e78afd9dae5ae..c2847fd1267cccef40cb32c631bebf5b1c382aab 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml
@@ -63,6 +63,11 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+
   discovery_url:
     type: string
     description: >
@@ -223,6 +228,7 @@ resources:
             "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
             "$FLANNEL_BACKEND": {get_param: flannel_backend}
             "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+            "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
             "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
             "$AUTH_URL": {get_param: auth_url}
             "$USERNAME": {get_param: username}
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
index e95cf100deb591b21ca2415270454f2b0efe60f3..616022404ab07da352375c0028318b934f90a992 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml
@@ -87,6 +87,12 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+    default: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
+
   kube_allow_priv:
     type: string
     description: >
@@ -438,6 +444,7 @@ resources:
           flannel_network_subnetlen: {get_param: flannel_network_subnetlen}
           flannel_backend: {get_param: flannel_backend}
           portal_network_cidr: {get_param: portal_network_cidr}
+          admission_control_list: {get_param: admission_control_list}
           discovery_url: {get_param: discovery_url}
           cluster_uuid: {get_param: cluster_uuid}
           magnum_url: {get_param: magnum_url}
diff --git a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
index 1b1f1d1f8193d319eb5c17495675a9f7106bf2cd..4ccdd1c7298b0281b9f15fc6233a73bbedc5464e 100644
--- a/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml
@@ -63,6 +63,11 @@ parameters:
     constraints:
       - allowed_values: ["udp", "vxlan", "host-gw"]
 
+  admission_control_list:
+    type: string
+    description: >
+      List of admission control plugins to activate
+
   discovery_url:
     type: string
     description: >
@@ -235,6 +240,7 @@ resources:
             "$FLANNEL_NETWORK_SUBNETLEN": {get_param: flannel_network_subnetlen}
             "$FLANNEL_BACKEND": {get_param: flannel_backend}
             "$PORTAL_NETWORK_CIDR": {get_param: portal_network_cidr}
+            "$ADMISSION_CONTROL_LIST": {get_param: admission_control_list}
             "$ETCD_DISCOVERY_URL": {get_param: discovery_url}
             "$AUTH_URL": {get_param: auth_url}
             "$USERNAME": {get_param: username}
diff --git a/magnum/tests/functional/k8s/test_k8s_python_client.py b/magnum/tests/functional/k8s/test_k8s_python_client.py
index f6586527dbb0626753c24f8a4d4a98c810d37914..2172c8de75d95b92c1932f9c585a9f439d3a8e96 100644
--- a/magnum/tests/functional/k8s/test_k8s_python_client.py
+++ b/magnum/tests/functional/k8s/test_k8s_python_client.py
@@ -18,5 +18,8 @@ class TestKubernetesAPIs(base.BaseK8sTest):
         "tls_disabled": False,
         "network_driver": 'flannel',
         "volume_driver": 'cinder',
-        "fixed_network": '192.168.0.0/24'
+        "fixed_network": '192.168.0.0/24',
+        "labels": {
+            "admission_control_list": "",
+        }
     }
diff --git a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
index 570a55952e7cc8808a1e3ac622ca03b13805f09c..d80287562beef36a2b31a2f666b8154fa2b6ed85 100644
--- a/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
+++ b/magnum/tests/unit/conductor/handlers/test_k8s_cluster_conductor.py
@@ -43,7 +43,8 @@ class TestClusterConductorWithK8s(base.TestCase):
             'no_proxy': 'no_proxy',
             'labels': {'flannel_network_cidr': '10.101.0.0/16',
                        'flannel_network_subnetlen': '26',
-                       'flannel_backend': 'vxlan'},
+                       'flannel_backend': 'vxlan',
+                       'admission_control_list': 'fake_list'},
             'tls_disabled': False,
             'server_type': 'vm',
             'registry_enabled': False,
@@ -134,7 +135,8 @@ class TestClusterConductorWithK8s(base.TestCase):
             'discovery_url': 'discovery_url',
             'labels': {'flannel_network_cidr': '10.101.0.0/16',
                        'flannel_network_subnetlen': '26',
-                       'flannel_backend': 'vxlan'},
+                       'flannel_backend': 'vxlan',
+                       'admission_control_list': 'fake_list'},
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
             'no_proxy': 'no_proxy',
@@ -160,6 +162,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
             'flannel_backend': 'vxlan',
+            'admission_control_list': 'fake_list',
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
             'no_proxy': 'no_proxy',
@@ -227,6 +230,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_backend': 'vxlan',
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
+            'admission_control_list': 'fake_list',
             'http_proxy': 'http_proxy',
             'https_proxy': 'https_proxy',
             'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -305,6 +309,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_backend': 'vxlan',
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
+            'admission_control_list': 'fake_list',
             'insecure_registry_url': '10.0.0.1:5000',
             'kube_version': 'fake-version',
             'magnum_url': 'http://127.0.0.1:9511/v1',
@@ -370,6 +375,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
             'flannel_backend': 'vxlan',
+            'admission_control_list': 'fake_list',
             'tls_disabled': False,
             'registry_enabled': False,
             'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -427,6 +433,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
             'flannel_backend': 'vxlan',
+            'admission_control_list': 'fake_list',
             'tls_disabled': False,
             'registry_enabled': False,
             'trustee_domain_id': self.mock_keystone.trustee_domain_id,
@@ -579,6 +586,7 @@ class TestClusterConductorWithK8s(base.TestCase):
             'flannel_network_cidr': '10.101.0.0/16',
             'flannel_network_subnetlen': '26',
             'flannel_backend': 'vxlan',
+            'admission_control_list': 'fake_list',
             'tenant_name': 'fake_tenant',
             'username': 'fake_user',
             'cluster_uuid': self.cluster_dict['uuid'],
diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py
index f3320ef6ab2fe1b6f73832875167c98ac09c3622..7f0c21b3626f2f40b79ff6b1357dd77b149ab30d 100644
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -266,6 +266,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
         flannel_subnet = mock_cluster_template.labels.get(
             'flannel_network_subnetlen')
         flannel_backend = mock_cluster_template.labels.get('flannel_backend')
+        admission_control_list = mock_cluster_template.labels.get(
+            'admission_control_list')
 
         k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -278,6 +280,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
             'flannel_network_cidr': flannel_cidr,
             'flannel_network_subnetlen': flannel_subnet,
             'flannel_backend': flannel_backend,
+            'admission_control_list': admission_control_list,
             'username': 'fake_user',
             'tenant_name': 'fake_tenant',
             'magnum_url': mock_osc.magnum_url.return_value,
@@ -322,6 +325,8 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
         flannel_subnet = mock_cluster_template.labels.get(
             'flannel_network_subnetlen')
         flannel_backend = mock_cluster_template.labels.get('flannel_backend')
+        admission_control_list = mock_cluster_template.labels.get(
+            'admission_control_list')
 
         k8s_def = k8sa_tdef.AtomicK8sTemplateDefinition()
 
@@ -334,6 +339,7 @@ class AtomicK8sTemplateDefinitionTestCase(BaseTemplateDefinitionTestCase):
             'flannel_network_cidr': flannel_cidr,
             'flannel_network_subnetlen': flannel_subnet,
             'flannel_backend': flannel_backend,
+            'admission_control_list': admission_control_list,
             'username': 'fake_user',
             'tenant_name': 'fake_tenant',
             'magnum_url': mock_osc.magnum_url.return_value,