Untitled

a guest
May 20th, 2019
- !policy
  id: conjur/authn-k8s/conjur-follower
  # Subpolicy to define all things required for OpenShift Authentication

  body:
  - !webservice
    annotations:
      description: Authentication service definition for follower namespace

  - !policy # policy definition for CA - used as part of authenticator
    id: ca
    body:
    - !variable
      id: cert
      annotations:
        description: CA Cert for OpenShift Pods

    - !variable
      id: key
      annotations:
        description: Corresponding CA key for OpenShift Pod Cert

  - !policy
    id: apps
    annotations:
      description: Apps policy - all hosts must be members for OpenShift auth

    body:
    - !layer # creating "group of applications" for ease of provisioning

    - &PetShelterAppHosts
      - !host
        id: secure-pet-shelter/*/*
        annotations:
          kubernetes/authentication-container-name: authenticator
          openshift: true

    - &Go-AppHosts
      - !host
        id: go-app/*/*
        annotations:
          kubernetes/authentication-container-name: authenticator
          openshift: true

    - !grant
      role: !layer
      members: *PetShelterAppHosts

    - !grant
      role: !layer
      members: *Go-AppHosts

  - !permit
    resource: !webservice
    privileges: [ read, authenticate ]
    role: !layer /conjur/authn-k8s/conjur-follower/apps