Adding some Kops security improvements

[robscott]

These changes are intended to improve the security of our default Kops configuration. There are three main parts of this:

1. Audit Logging Audit logging is an important part of any security posture. Of course this is only the first step, we will also want to update Fluentd or similar to actually send these audit logs to a centralized logging service. I'm open to a better way to include all the audit policy config, there's quite a bit there. It's currently based on the GCE one here: https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure-helper.sh#L798.

2. ETCD v3 + TLS + Encryption It's definitely time to upgrade to etcd v3, at least as a default for new clusters. Additionally adding encrypted volumes and TLS will help with security.

3. Using a newer Stretch AMI The default Kops AMIs are rarely updated and therefore end up missing important security patches. This switch to the official Debian stretch AMI as a default matches up with the approach we've already been using in practice. (https://wiki.debian.org/Cloud/AmazonEC2Image/Stretch)

[CLAassistant]

All committers have signed the CLA.

[ejether]

Please drop a note in the changelog, bump the version then tag and release! Either in this PR or another is fine.