diff --git a/README.md b/README.md
index d5dca5b2512de71ce2842fa5e4ae89c4bd191492..500ad0d207abf47233dc470da2c4a38a5cad1d65 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,10 @@
 
 ## Overview
 
-This is a `Kubernetes` cluster composed of the following components and features:
+This is a `Kubernetes` cluster using [Webhook Token Authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/),
+provided by the charm `cs:~csd-garr/kubernetes-keystone`.
+
+This cluster is composed of the following components and features:
 
 - `Kubernetes` (automated deployment, operations, and scaling)
      - `Kubernetes` cluster with one master and three worker nodes.
@@ -13,6 +16,7 @@ This is a `Kubernetes` cluster composed of the following components and features
      - TLS used for communication between nodes for security.
      - A CNI plugin (Flannel).
      - A load balancer for HA `kubernetes-master`.
+     - Webhook Token Authentication.
      - Optional Ingress Controller (on worker).
      - Optional `Dashboard` addon (on master) including `Heapster` for cluster monitoring.
 - EasyRSA
diff --git a/bundle.yaml b/bundle.yaml
index c2aa637c6a46768dc2de5daaaa753b322261e3b0..7739dae598c8063596fc4abb7c262b1dbdf26bc8 100644
--- a/bundle.yaml
+++ b/bundle.yaml
@@ -30,7 +30,7 @@ services:
       gateway: 90.147.161.27/25
 
   easyrsa:
-    charm: cs:~containers/easyrsa-45
+    charm: cs:~containers/easyrsa-50
     bindings:
       "": space-os-mgmt
     num_units: 1
@@ -42,7 +42,7 @@ services:
       gui-y: '550'
 
   etcd:
-    charm: cs:~containers/etcd-90
+    charm: cs:~containers/etcd-96
     bindings:
       "": space-os-mgmt
     num_units: 3
@@ -58,7 +58,7 @@ services:
       gui-y: '550'
 
   flannel:
-    charm: cs:~containers/flannel-60
+    charm: cs:~containers/flannel-66
     # no bindings
     options:
       cidr: 10.111.0.0/16
@@ -67,7 +67,7 @@ services:
       gui-y: '750'
 
   kubeapi-load-balancer:
-    charm: cs:~containers/kubeapi-load-balancer-64
+    charm: cs:~containers/kubeapi-load-balancer-69
     bindings:
       "": space-os-mgmt
       # necessary for getting a floating IP
@@ -80,37 +80,41 @@ services:
       gui-x: '450'
       gui-y: '250'
 
+  kubernetes-keystone:
+    charm: ./kubernetes-keystone
+    options:
+      keystone-url: https://keystone.cloud.garr.it:5000/v3
+      webhook-authn-config: /root/cdk/webhook-authn.onfig
+
   kubernetes-master:
-    charm: ./kubernetes-master
+    charm: cs:~containers/kubernetes-master-122
     bindings:
       "": space-os-mgmt
       #kube-api-endpoint: space-pub
     num_units: 1
     constraints: tags=kubernetes-public-ip cores=2 mem=4G #root-disk=16G
     options:
-      channel: 1.10/stable
-      authorization-mode: "Node,RBAC,Webhook"
-      keystone_url: https://keystone.cloud.garr.it:5000/v3
-      k8s_keystone_auth_image: zioproto/k8s-keystone-auth:e0fce6d3-dirty
+      channel: 1.11/stable
+      authorization-mode: "Node,RBAC"
       # RBAC to allow access to dashboard to User "system:anonymous"
       # Because of this bug https://github.com/kubernetes/kubernetes/issues/39722
       # the value must be false, rather than what the documentation says.
-      api-extra-args: "anonymous-auth=false authorization-webhook-config-file=/root/cdk/webhook.kubeconfig"
+      api-extra-args: "anonymous-auth=false authentication-token-webhook-config-file=/root/cdk/webhook-authn.onfig"
       enable-dashboard-addons: True
     annotations:
       gui-x: '800'
       gui-y: '850'
 
   kubernetes-worker:
-    charm: cs:~containers/kubernetes-worker-131
+    charm: cs:~containers/kubernetes-worker-138
     bindings:
       "": space-os-mgmt
     num_units: 3
     constraints: tags=kubernetes cores=4 mem=4G #root-disk=16G
     expose: true
     options:
-      channel: 1.10/stable
-      cuda_repo: 9.2.88-1 #9.1.85-1
+      channel: 1.11/stable
+      cuda_repo: 9.2.88-1
       # Enable Cloud Controller Manager
       # https://kubernetes.io/docs/tasks/administer-cluster/running-cloud-controller/
       # kubelet-extra-args: --cloud-provider=external
@@ -119,7 +123,7 @@ services:
       gui-y: '850'
 
   kubernetes-worker-gpu: 
-    charm: cs:~containers/kubernetes-worker-131
+    charm: cs:~containers/kubernetes-worker-138
     bindings:
       "": space-os-mgmt
     # charm: ./kubernetes-worker # patched for cuda-9.0
@@ -127,8 +131,8 @@ services:
     constraints: tags=gpu cores=4 mem=4G #root-disk=16G
     expose: true
     options:
-      channel: 1.10/stable
-      cuda_repo: 9.2.88-1 #9.1.85-1
+      channel: 1.11/stable
+      cuda_repo: 9.2.88-1
       # kubelet-extra-args: --cloud-provider=external
     annotations: 
       gui-x: "520"
@@ -206,6 +210,7 @@ relations:
   - ["kubernetes-master:loadbalancer", "kubeapi-load-balancer:loadbalancer"]
   - ["kubernetes-master:certificates", "easyrsa:client"]
   - ["kubernetes-master:juju-info", "defaultgw:juju-info"]
+  - ["kubernetes-master:juju-info", "kubernetes-keystone:juju-info"]
   - ["kubernetes-master:etcd", "etcd:db"]
   # Kube load balancer
   - ["kubeapi-load-balancer:certificates", "easyrsa:client"]