Added policy file.

README.md

 # Kubernetes-keystone
 
-This charm deploys a service that provides [Webhook Token
-Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
+This charm deploys a service that provides
+[Webhook Token Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/)
 to `Kubernetes` through `OpenStack Keystone`.
 
 
 # Deployment
 
-This is a subordinate charm to the [kubernetes-master]() charm.
+This is a subordinate charm to the
+[kubernetes-master charm](https://github.com/kubernetes/kubernetes/tree/master/cluster/juju/layers/kubernetes-master).
 In order to deploy it, do:
 
    $ juju deploy cs:~csd-garr/kubernetes-keystone
-   $ juju add-relation kubernetes-master:juju-info kubernetes-keystone:juju-info
+   $ juju add-relation kubernetes-master kubernetes-keystone
 
 
-# Resources
-
-The kubernetes-keystone charm takes advantage of the [Juju Resources](https://docs.jujucharms.com/2.4/en/developer-resources) 
-feature to deliver the Kubernetes software.
-
-In deployments on public clouds the Charm Store provides the resource to the
-charm automatically with no user intervention. Some environments with strict
-firewall rules may not be able to contact the Charm Store. In these network
-restricted  environments the resource can be uploaded to the model by the Juju
-operator.
-
 # Configuration
 
 This charm supports some configuration options to set up a `Webhook
 Token Authentication` server for `Keystone`:
 
 #### keystone-url
-
 URL of the Keystone endpoint.
 
 #### k8s-keystone-auth-url
-
 URL for downloading the Keystone authentication server.
 
-#### authn-server-url
+#### kubernetes-project
+Name of the OpenStack project allowed to access the cluster. 
 
+#### authn-server-url
 The URL of the `Keystone` endpoint.
 
 #### authz-server-url
-
 URL for the Webhook authorization server.
 
 
@@ -54,6 +43,6 @@ URL for the Webhook authorization server.
 
 # Contact
 
-The kubernetes-keystone charm is free and open source operations created
-by the CSD team at GARR. 
+The `kubernetes-keystone` charm is free and open source operations created
+by the `CSD team` at `GARR` <csd@garr.it>. 
 

reactive/kubernetes-keystone.py

@@ -41,7 +41,9 @@ from charmhelpers.fetch import archiveurl
 
 webhook_authn_config_path = '/root/cdk/webhook-authn.config'
 webhook_authz_config_path = '/root/cdk/webhook-authz.config'
-k8s_keystone_sync_config_path = '/root/cdk/sync-config.yaml'
+webhook_sync_config_path = '/root/cdk/sync-config.yaml'
+webhook_policy_file = '/root/cdk/webhook-policy.json'
+
 k8s_keystone_auth_start = '/root/cdk/k8s-keystone-auth.sh'
 k8s_keystone_auth_path = '/root/cdk/k8s-keystone-auth'
 k8s_keystone_auth_service = '/etc/systemd/system/k8s-keystone-auth.service'
@@ -63,12 +65,19 @@ def setup_authentication():
         k8s_keystone_auth_path,
         'k8s_keystone_auth_start':
         k8s_keystone_auth_start,
+        'kubernetes_project':
+        hookenv.config('kubernetes-project'),
+        'keystone_url':
+        hookenv.config('keystone-url'),
         'keystone_url':
-        hookenv.config('keystone-url')}
+        webhook_policy_file
+    }
     render('webhook-authn.config', webhook_authn_config_path, webhook_context)
     render('webhook-authz.config', webhook_authz_config_path, webhook_context)
-    render('sync-config.yaml', k8s_keystone_sync_config_path, webhook_context)
-    # the systemd unit
+    render('sync-config.yaml', webhook_sync_config_path, webhook_context)
+    render('webhook-policy.json', webhook_policy_json, webhook_context)
+
+    # the systemd unit for deploying the k8s_keystone_auth service.
     render('k8s-keystone-auth.service', k8s_keystone_auth_service, webhook_context)
     # invokes this script
     render('k8s-keystone-auth.sh', k8s_keystone_auth_start, webhook_context)

templates/k8s-keystone-auth.sh

@@ -3,6 +3,7 @@ set -a
 
 K8S_KEYSTONE_AUTH={{ k8s_keystone_auth_path }}
 KEYSTONE_URL={{ keystone_url }}
+KEYSTONE_POLICY={{ keystone_policy }}
 APISERVER_CERT=/root/cdk/server.crt
 APISERVER_KEY=/root/cdk/server.key
 SYNC_CONFIG=/root/cdk/sync-config.yaml
@@ -11,5 +12,6 @@ KUBE_CONFIG=/home/ubuntu/config
 $K8S_KEYSTONE_AUTH --tls-cert-file $APISERVER_CERT \
     --tls-private-key-file $APISERVER_KEY \
     --keystone-url $KEYSTONE_URL \
+    --keystone-policy-file $KEYSTONE_POLICY \
     --sync-config-file $SYNC_CONFIG \
     --kubeconfig $KUBE_CONFIG

templates/webhook-policy.json

+## The Kubernetes cluster can only be accessed by the users in kubernetes project,
+## users with k8s-admin or k8s-user role have both write and read permissions
+## to the pod resource, but users with k8s-admin role can also assign roles
+## to others.
+
+[
+  {
+    "resource": {
+      "verbs": ["get", "list", "watch", "create", "update", "delete"],
+      "resources": ["pods"],
+      "version": "*",
+      "namespace": "default"
+    },
+    "match": [
+      {
+        "type": "role",
+        "values": ["k8s-admin", "k8s-user"]
+      },
+      {
+        "type": "project",
+        "values": ["{{ kubernetes_project }}"]
+      }
+    ]
+  },
+  {
+    "resource": {
+        "verbs": ["bind"],
+        "resources": ["clusterroles"],
+        "resourceNames": ["admin", "edit", "view"],
+      "version": "*",
+      "namespace": "default"
+    },
+    "match": [
+      {
+        "type": "role",
+        "values": ["k8s-admin"]
+      },
+      {
+        "type": "project",
+        "values": ["{{ kubernetes_project }}"]
+      }
+    ]
+  }
+]