diff --git a/charts/promenade/templates/configmap-etc.yaml b/charts/promenade/templates/configmap-etc.yaml
index 6971cee5..0d59f36f 100644
--- a/charts/promenade/templates/configmap-etc.yaml
+++ b/charts/promenade/templates/configmap-etc.yaml
@@ -55,4 +55,6 @@ data:
 {{ include "helm-toolkit.utils.to_ini" .Values.conf.paste | indent 4 }}
 promenade.conf: |+
 {{ include "helm-toolkit.utils.to_ini" .Values.conf.promenade | indent 4 }}
+ policy.yaml: |+
+{{ toYaml .Values.conf.policy | indent 4 }}
 {{- end }}
diff --git a/charts/promenade/templates/deployment-api.yaml b/charts/promenade/templates/deployment-api.yaml
index 667b7d31..05326b47 100644
--- a/charts/promenade/templates/deployment-api.yaml
+++ b/charts/promenade/templates/deployment-api.yaml
@@ -86,6 +86,9 @@ spec:
 readOnly: true
 - name: cache
 mountPath: /tmp/cache
+ - name: promenade-etc
+ mountpath: /etc/promenade/policy.yaml
+ subPath: policy.yaml
 volumes:
 - name: promenade-etc
 configMap:
diff --git a/charts/promenade/values.yaml b/charts/promenade/values.yaml
index 569efeae..09d0fdbe 100644
--- a/charts/promenade/values.yaml
+++ b/charts/promenade/values.yaml
@@ -18,6 +18,16 @@ conf:
 delay_auth_decision: true
 auth_type: password
 auth_section: keystone_authtoken
+ oslo_policy:
+ policy_file: policy.yaml
+ policy_default_rule: admin_required
+ policy_dirs: policy.d
+
+ policy:
+ admin_required: 'role:admin or is_admin:1'
+ 'kubernetes_provisioner:get_join_scripts': 'rule:admin_required'
+ 'kubernetes_provisioner:post_validatedesign': 'rule:admin_required'
+ 'kubernetes_provisioner:update_node_labels': 'rule:admin_required'
 paste:
 pipeline:main:
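Review bot: In charts/promenade/templates/deployment-api.yaml the added volumeMount spells the field `mountpath`, but Kubernetes field names are case-sensitive and the field is `mountPath`, as on the `cache` mount just above. As written the entry has no valid mount path, so the Deployment is either rejected or the API runs without the policy file. Change the line to `mountPath: /etc/promenade/policy.yaml` and add `readOnly: true`, since this file decides authorization and the container has no reason to write to it. Because this is a `subPath` mount, later ConfigMap changes are not propagated into running pods; unless the pod template already carries a config-hash annotation (not visible in this hunk), policy edits only take effect after a restart. The container spec starts above the hunk and the volumes list continues below it.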
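Review bot: In charts/promenade/values.yaml the new `policy` block has no comment telling operators that these strings are oslo.policy rules and that every listed action is admin-only by default. That matters because an override that sets a rule to an empty string or `@` makes the action allow-all. I would add above `policy:` a comment such as `# oslo.policy rules rendered to /etc/promenade/policy.yaml; '' or '@' allows everyone, '!' denies everyone`. `policy_file: policy.yaml` is a relative path, so it presumably resolves against the directory promenade.conf is loaded from; confirm that this is /etc/promenade, where the deployment mounts the file. `policy_dirs: policy.d` names a directory that nothing in this diff creates or mounts, so it looks redundant.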