feat: Add Feast Operator RBAC example with Kubernetes Authentication … #5077
@tchughesiv @franciscojavierarceo @dmartinol when you get a chance, could you please provide review/feedback on this PR? Thanks!
@redhatHameed one thing that's not obvious to me is how the test.py script makes use of the service account that is being used to connect to the feature store. I'm assuming it's automatically using some environment variable somewhere or something like that, but I'm not sure. Can we document that so it's more explicit? I expect users will want to be able to connect to a feature store instance from a script that isn't running inside of a kubernetes pod, and I'm assuming doing so would require them to specify the token somewhere, so we should make it clear how they can do so.
@accorvin Right, it's getting it directly from the pod location.
That's also possible, we can use an environment variable.
@accorvin can you take another look at this PR? I have updated the notebook to use a local client instead of the pod. Thanks
I would contextualize some of the documentation that this is mostly relevant if you're an MLOps Engineer or Cluster Admin trying to add Feast to your k8s cluster.
@franciscojavierarceo Thanks, yes, makes sense. I have separated the notebooks for operator setup and RBAC -> and client notebook ->
left some feedback.
"start_time": "2025-03-05T18:50:19.362018Z"
}
},
"source": [
The same could be demonstrated by connecting a client to the registry server, w/o using the kubectl exec
command. e.g., probably in the client notebook.
It probably depends on who's the target person we want to instruct with this notebook.
This is for the Feast Admin part, for setting up permissions and then validating the applied permissions. Yup, it can be done with the client and then connecting to the registry also, I believe using the CLI, if required.
"source": [
"## Feast Client with RBAC\n",
"### RBAC Kubernetes Authentication\n",
"This Feast **Role-Based Access Control (RBAC)** in Kubernetes support authentication **inside a Kubernetes pod** and **outside a pod** when running a local script.\n",
I'm not clear about the "and outside a pod" part.
You mean that the RBAC solution authorizes the server endpoints against requests coming either from another K8s service or from an external client?
BTW: It's more intended to authorize than to authenticate.
Yeah, "outside a pod" refers to applications running outside the Kubernetes cluster, like local testing or external clients, that can't fetch the token from the pod path. Updated the description to make it more clear.
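Added example (not code from this PR or from Feast itself): a small Python helper showing the two token sources the thread describes, the service account mount a pod sees and an environment variable for clients running outside the cluster. The mount path and the `LOCAL_K8S_TOKEN` variable name are assumptions of this example, and the demo token is constructed.

```python
import os
import tempfile
from pathlib import Path

# Inside a pod the kubelet projects the service account token at this path
# (standard mount location; treated as an assumption of this example).
IN_POD_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
# Outside the cluster there is no mount, so the client must be given the token
# explicitly; this example reads it from an environment variable (assumed name).
LOCAL_TOKEN_ENV = "LOCAL_K8S_TOKEN"


def resolve_k8s_token(token_path=IN_POD_TOKEN_PATH, env=None):
    """Return (token, source) where source is 'pod' or 'env'.

    The pod mount wins when present; otherwise the env var is used. A missing
    token fails loudly so a misconfigured client never sends an empty bearer
    header and gets a confusing 401/403 from the server.
    """
    env = os.environ if env is None else env
    path = Path(token_path)
    if path.is_file():
        token, source = path.read_text().strip(), "pod"
    else:
        token, source = env.get(LOCAL_TOKEN_ENV, "").strip(), "env"
    if not token:
        raise RuntimeError(
            f"no Kubernetes token: {token_path} absent and {LOCAL_TOKEN_ENV} unset"
        )
    # Service account tokens are JWTs; a quick shape check catches pasting the
    # wrong value (e.g. a kubeconfig path) before it ever leaves the client.
    if token.count(".") != 2:
        raise ValueError("token does not look like a JWT (header.payload.signature)")
    return token, source


def redact(token):
    """Safe form for logs: never print the full credential."""
    return token[:8] + "..."


def demo_in_pod():
    """Simulate the in-pod case with a constructed token written to a temp file."""
    with tempfile.NamedTemporaryFile("w", suffix=".token", delete=False) as f:
        f.write("constructed.jwt.token\n")
    try:
        return resolve_k8s_token(f.name, env={})
    finally:
        os.unlink(f.name)
```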
{
"metadata": {},
"cell_type": "markdown",
"source": "**The Operator creates the client ConfigMap containing the feature_store.yaml. We can retrieve it and port froward to local**",
what about The Operator creates the ConfigMap containing the feature_store.yaml for a client application
Can you explain this more? This requires a port-forward to local, and feature_repo is required to point the feature-server to local accordingly.
"name": "stdout",
"output_type": "stream",
"text": [
"An occurred while performing materialize incremental: \n",
There's no evidence that this is a permission error, is there another issue on the client side that we can attach to the notebook?
Remote materialization is a missing feature, so removed it from the test script. Added store.apply(feature_views) to validate write permission.
…type. Signed-off-by: Abdul Hameed <ahameed@redhat.com>
Co-authored-by: Francisco Arceo <farceo@redhat.com> Signed-off-by: Abdul Hameed <ahameed@redhat.com>
Signed-off-by: Abdul Hameed <ahameed@redhat.com>
@franciscojavierarceo can we merge this so it can be part of today's release, if we are planning for that? Thanks
@redhatHameed while I understand the addition of the local workstation client example ... where did the pod to pod (admin vs client) example go? Shouldn't we have those as well? After all, restricting authorization from pods within the cluster is probably the more common use case here. It's also the cleaner way to demonstrate how RBAC works in Feast. Can you add that part of the example back but keep the local workstation bit as a secondary example as well?
I fear this is too complex ... maybe we pivot to demoing remote registry access here instead? Much of the local workstation client stuff would do better as a separate example, unrelated to RBAC.
I have an outstanding task to add an additional example around using the feature-server endpoints of an operator-deployed feature store. I may play around with some of these RBAC docs at the same time. I think this example would benefit from a remote registry use case ... maybe even using the feature-server endpoints directly.
# [0.47.0](v0.46.0...v0.47.0) (2025-03-10)

* feat!: Include PUBLIC_URL in defaultProjectListPromise URL in /ui ([2f0f7b3](2f0f7b3))

### Bug Fixes

* Add transformation_service_endpoit to support Go feature server. ([#5071](#5071)) ([5627d7c](5627d7c))
* Adding extra space on the VM to kind cluster to see if this solves the issue with memory not available with operator e2e tests. ([#5102](#5102)) ([e6e928c](e6e928c))
* Allow unencrypted Snowflake key ([#5097](#5097)) ([87a7c23](87a7c23))
* Cant add different type of list types ([#5118](#5118)) ([bebd7be](bebd7be))
* Fixing transformations on writes ([#5127](#5127)) ([95ac34a](95ac34a))
* Identify s3/remote uri path correctly ([#5076](#5076)) ([93becff](93becff))
* Increase available action VM storage and reduce dev feature-server image size ([#5112](#5112)) ([75f5a90](75f5a90))
* Move Feast to pyproject.toml instead of setup.py ([#5067](#5067)) ([4231274](4231274))
* Skip refresh if already in progress or if lock is already held ([#5068](#5068)) ([f3a24de](f3a24de))

### Features

* Add an OOTB Chat uI to the Feature Server to support RAG demo ([#5106](#5106)) ([40ea7a9](40ea7a9))
* Add Couchbase Columnar as an Offline Store ([#5025](#5025)) ([4373cbf](4373cbf))
* Add Feast Operator RBAC example with Kubernetes Authentication … ([#5077](#5077)) ([2179fbe](2179fbe))
* Added docling and pytorch as add on ([#5089](#5089)) ([135342b](135342b))
* Feast Operator example with Postgres in TLS mode. ([#5028](#5028)) ([2c46f6a](2c46f6a))
* Operator - Add feastProjectDir section to CR with git & init options ([#5079](#5079)) ([d64f01e](d64f01e))
* Override the udf name when provided as input to an on demand transformation ([#5094](#5094)) ([8a714bb](8a714bb))
* Set value_type of entity directly in from_proto ([#5092](#5092)) ([90e7498](90e7498))
* Updating retrieve online documents v2 to work for other fields for sq… ([#5082](#5082)) ([fc121c3](fc121c3))

### BREAKING CHANGES

* The PUBLIC_URL environment variable is now taken into account by default when fetching the projects list. This is a breaking change only if all these points apply:
  1. You're using Feast UI as a module
  2. You're serving the UI files from a non-root path via the PUBLIC_URL environment variable
  3. You're serving the project list from the root path
  4. You're not passing the `feastUIConfigs.projectListPromise` prop to the FeastUI component

  In this case, you need to explicitly fetch the project list from the root path via the `feastUIConfigs.projectListPromise` prop:

```diff
const root = createRoot(document.getElementById("root")!);
root.render(
<React.StrictMode>
- <FeastUI />
+ <FeastUI
+ feastUIConfigs={{
+ projectListPromise: fetch("/projects-list.json", {
+ headers: {
+ "Content-Type": "application/json",
+ },
+ }).then((res) => res.json())
+ }}
+ />
</React.StrictMode>
);
```

Signed-off-by: Harri Lehtola <peruukki@hotmail.com>
What this PR does / why we need it:
Adding Feast Operator RBAC example with Kubernetes Authentication
Which issue(s) this PR fixes:
Misc