feat: RBAC Authorization in Feast Operator#4786
tchughesiv
left a comment
thanks for this! only a few nits so far
Review threads on infra/feast-operator/internal/controller/services/services_types.go (3 threads, outdated, resolved)
tchughesiv
left a comment
a few nits ... otherwise lgtm
Review thread on infra/feast-operator/internal/controller/services/services_types.go (outdated, resolved)
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@feast-dev/reviewers-and-approvers please TAL
* Initial commit
* refactoring types with FeastHandler
* no private image
* removed log-level
* no empty list for default Role
* removed nameLabelKey, using services.NameLabelKey
* improved CRD comments and using IsLocalRegistry
* fixing generated code
* renamed auth condition and types
* post rebase fixes
* more renamings

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
# [0.42.0](v0.41.0...v0.42.0) (2024-12-05)

### Bug Fixes

* Add adapters for sqlite datetime conversion ([#4797](#4797)) ([e198b17](e198b17))
* Added grpcio extras to default feature-server image ([#4737](#4737)) ([e9cd373](e9cd373))
* Changing node version in release ([7089918](7089918))
* Feast create empty online table when FeatureView attribute online=False ([#4666](#4666)) ([237c453](237c453))
* Fix db store types in Operator CRD ([#4798](#4798)) ([f09339e](f09339e))
* Fix the config issue for postgres ([#4776](#4776)) ([a36f7e5](a36f7e5))
* Fixed example materialize-incremental and improved explanation ([#4734](#4734)) ([ca8a7ab](ca8a7ab))
* Fixed SparkSource docstrings so it wouldn't use inherited class docstrings ([#4722](#4722)) ([32e6aa1](32e6aa1))
* Fixing PGVector integration tests ([#4778](#4778)) ([88a0320](88a0320))
* Incorrect type passed to assert_permissions in materialize endpoints ([#4727](#4727)) ([b72c2da](b72c2da))
* Issue of DataSource subclasses using parent abstract class docstrings ([#4730](#4730)) ([b24acd5](b24acd5))
* Operator envVar positioning & tls.SecretRef.Name ([#4806](#4806)) ([1115d96](1115d96))
* Populates project created_time correctly according to created ti… ([#4686](#4686)) ([a61b93c](a61b93c))
* Reduce feast-server container image size & fix dev image build ([#4781](#4781)) ([ccc9aea](ccc9aea))
* Removed version func from feature_store.py ([#4748](#4748)) ([f902bb9](f902bb9))
* Support registry instantiation for read-only users ([#4719](#4719)) ([ca3d3c8](ca3d3c8))
* Syntax Error in BigQuery While Retrieving Columns that Start wit… ([#4713](#4713)) ([60fbc62](60fbc62))
* Update release version in a pertinent Operator file ([#4708](#4708)) ([764a8a6](764a8a6))

### Features

* Add api contract to fastapi docs ([#4721](#4721)) ([1a165c7](1a165c7))
* Add Couchbase as an online store ([#4637](#4637)) ([824859b](824859b))
* Add Operator support for spec.feastProject & status.applied fields ([#4656](#4656)) ([430ac53](430ac53))
* Add services functionality to Operator ([#4723](#4723)) ([d1d80c0](d1d80c0))
* Add TLS support to the Operator ([#4796](#4796)) ([a617a6c](a617a6c))
* Added feast Go operator db stores support ([#4771](#4771)) ([3302363](3302363))
* Added support for setting env vars in feast services in feast controller ([#4739](#4739)) ([84b24b5](84b24b5))
* Adding docs outlining native Python transformations on singletons ([#4741](#4741)) ([0150278](0150278))
* Adding first feast operator e2e test. ([#4791](#4791)) ([8339f8d](8339f8d))
* Adding github action to run the operator end-to-end tests. ([#4762](#4762)) ([d8ccb00](d8ccb00))
* Adding ssl support for registry server. ([#4718](#4718)) ([ccf7a55](ccf7a55))
* Adding SSL support for the React UI server and feast UI command. ([#4736](#4736)) ([4a89252](4a89252))
* Adding support for native Python transformations on a single dictionary ([#4724](#4724)) ([9bbc1c6](9bbc1c6))
* Adding TLS support for offline server. ([#4744](#4744)) ([5d8d03f](5d8d03f))
* Building the feast image ([#4775](#4775)) ([6635dde](6635dde))
* File persistence definition and implementation ([#4742](#4742)) ([3bad4a1](3bad4a1))
* Object store persistence in operator ([#4758](#4758)) ([0ae86da](0ae86da))
* OIDC authorization in Feast Operator ([#4801](#4801)) ([eb111d6](eb111d6))
* Operator will create k8s serviceaccount for each feast service ([#4767](#4767)) ([cde5760](cde5760))
* Printing more verbose logs when we start the offline server ([#4660](#4660)) ([9d8d3d8](9d8d3d8))
* PVC configuration and impl ([#4750](#4750)) ([785a190](785a190))
* Qdrant vectorstore support ([#4689](#4689)) ([86573d2](86573d2))
* RBAC Authorization in Feast Operator ([#4786](#4786)) ([0ef5acc](0ef5acc))
* Support for nested timestamp fields in Spark Offline store ([#4740](#4740)) ([d4d94f8](d4d94f8))
* Update the go feature server from Expedia code repo. ([#4665](#4665)) ([6406625](6406625))
* Updated feast Go operator db stores ([#4809](#4809)) ([2c5a6b5](2c5a6b5))
* Updated sample secret following review ([#4811](#4811)) ([dc9f825](dc9f825))
@dmartinol I am documenting this feature using the operator, what is the usage of the
The RBAC policy checks that the role, in the Feast namespace, is bound to the SA in the client namespace. This is how it works
but as per the example these roles are created as namespace scoped. How will it be bound to the client namespace SA? Let's suppose I have installed feast using the operator in namespace
@redhatHameed here's how you'd create a roleBinding for an SA in another ns -

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: feast-authz-client
  namespace: feast
subjects:
- kind: ServiceAccount
  name: feast-sample-client
  namespace: feast-client
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: feast-sample-kubernetes-auth
```
@redhatHameed here's how you'd create the same binding via command-line -

```shell
$ kubectl create rolebinding feast-authz-client -n feast --role=feast-sample-kubernetes-auth --serviceaccount=feast-client:feast-sample-client
```
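A worked version of the check described in this thread, as an added example (not code from Feast or the operator): it resolves which Roles in the Feast namespace are bound to the calling ServiceAccount, using the binding above plus two constructed negative cases. The helper names, the dict-based manifests and the "any one required role suffices" rule are assumptions of this example.

```python
# Added example, not Feast's or the operator's code: it models the check described
# above. A client ServiceAccount is authorized when a RoleBinding in the Feast
# namespace binds it to a Role that a Feast permission requires. The "any one
# required role suffices" rule and all helper names are assumptions of this example.

def _rb(name, ns, sa_ns, sa_name, role):
    """Build a minimal RoleBinding manifest as a dict (constructed test data)."""
    return {"kind": "RoleBinding", "metadata": {"name": name, "namespace": ns},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role}}

ROLE_BINDINGS = [
    # Mirrors the binding shown in the thread: Role in "feast", SA in "feast-client".
    _rb("feast-authz-client", "feast", "feast-client", "feast-sample-client", "feast-sample-kubernetes-auth"),
    # Same SA name in another namespace is a different identity: must not match.
    _rb("wrong-subject-ns", "feast", "other-ns", "feast-sample-client", "feast-admin"),
    # Binding placed in the client namespace instead of the Feast one: ignored.
    _rb("misplaced", "feast-client", "feast-client", "feast-sample-client", "feast-admin"),
]

def parse_sa_subject(subject):
    """Split a Kubernetes SA token subject 'system:serviceaccount:<ns>:<name>'."""
    parts = subject.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"not a service account subject: {subject!r}")
    return parts[2], parts[3]

def roles_for_service_account(bindings, feast_namespace, sa_namespace, sa_name):
    """Names of Roles in feast_namespace bound to the namespace-qualified SA."""
    roles = set()
    for rb in bindings:
        meta = rb.get("metadata", {})
        if rb.get("kind") != "RoleBinding" or meta.get("namespace") != feast_namespace:
            continue  # only bindings living in the Feast namespace count
        if rb["roleRef"].get("kind") != "Role":  # ClusterRole refs not handled here
            continue
        for s in rb.get("subjects", []):
            if (s.get("kind"), s.get("name"), s.get("namespace")) == ("ServiceAccount", sa_name, sa_namespace):
                roles.add(rb["roleRef"]["name"])
    return roles

def is_authorized(bindings, feast_namespace, token_subject, required_roles):
    """Grant if the caller holds at least one of required_roles in feast_namespace."""
    ns, name = parse_sa_subject(token_subject)
    granted = roles_for_service_account(bindings, feast_namespace, ns, name)
    return bool(granted & set(required_roles))
```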
@tchughesiv @dmartinol let me try with this. Thanks
Thanks @tchughesiv, I was replying the same 👏
What this PR does / why we need it:
Adding support to define the kubernetes authorization manager with the Feast Operator.
`ServiceAccount` that is bound to a newly created `Role` allowing to `get`, `list`, `watch` the other `Roles` and `RoleBindings` in the same namespace. Sample manifest to configure the deployments:
Which issue(s) this PR fixes:
Relates to #4765
Next PR will add support for the OIDC authorization.