{

"cells": [

{

"cell_type": "code",

"execution_count": null,

"id": "bd1a081f3f7f5752",

"metadata": {},

"outputs": [],

"source": [

"## Uninstall"

]

},

{

"cell_type": "markdown",

"id": "1175f3d6c5ee9bf0",

"metadata": {},

"source": [

"### Uninstall the Operator and Feast Instance"

]

},

{

"cell_type": "code",

"execution_count": 1,

"id": "f4b4c6fa4a1fe0a8",

"metadata": {

"ExecuteTime": {

"end_time": "2025-03-14T14:45:22.053112Z",

"start_time": "2025-03-14T14:45:15.816729Z"

}

},

"outputs": [

{

"name": "stdout",

"output_type": "stream",

"text": [

"featurestore.feast.dev \"sample-kubernetes-auth\" deleted\n",

"namespace \"feast-operator-system\" deleted\n",

"customresourcedefinition.apiextensions.k8s.io \"featurestores.feast.dev\" deleted\n",

"serviceaccount \"feast-operator-controller-manager\" deleted\n",

"role.rbac.authorization.k8s.io \"feast-operator-leader-election-role\" deleted\n",

"clusterrole.rbac.authorization.k8s.io \"feast-operator-featurestore-editor-role\" deleted\n",

"clusterrole.rbac.authorization.k8s.io \"feast-operator-featurestore-viewer-role\" deleted\n",

"clusterrole.rbac.authorization.k8s.io \"feast-operator-manager-role\" deleted\n",

"clusterrole.rbac.authorization.k8s.io \"feast-operator-metrics-auth-role\" deleted\n",

"clusterrole.rbac.authorization.k8s.io \"feast-operator-metrics-reader\" deleted\n",

"rolebinding.rbac.authorization.k8s.io \"feast-operator-leader-election-rolebinding\" deleted\n",

"clusterrolebinding.rbac.authorization.k8s.io \"feast-operator-manager-rolebinding\" deleted\n",

"clusterrolebinding.rbac.authorization.k8s.io \"feast-operator-metrics-auth-rolebinding\" deleted\n",

"service \"feast-operator-controller-manager-metrics-service\" deleted\n",

"deployment.apps \"feast-operator-controller-manager\" deleted\n"

]

}

],

"source": [

"!kubectl delete -f ../../infra/feast-operator/config/samples/v1alpha1_featurestore_kubernetes_auth.yaml\n",

"!kubectl delete -f ../../infra/feast-operator/dist/install.yaml"

]

},

{

"cell_type": "markdown",

"id": "2a2aa884aeddfb99",

"metadata": {},

"source": [

"## Delete RoleBindings and ServiceAccounts\n"

]

},

{

"cell_type": "code",

"execution_count": 2,

"id": "6ce30879d64bbd06",

"metadata": {

"ExecuteTime": {

"end_time": "2025-03-14T14:45:47.419179Z",

"start_time": "2025-03-14T14:45:46.325817Z"

}

},

"outputs": [

{

"name": "stdout",

"output_type": "stream",

"text": [

"Deleting RoleBindings...\n",

"rolebinding.rbac.authorization.k8s.io \"feast-user-rolebinding\" deleted\n",

"rolebinding.rbac.authorization.k8s.io \"feast-admin-rolebinding\" deleted\n",

"Deleting ServiceAccounts...\n",

"serviceaccount \"feast-user-sa\" deleted\n",

"serviceaccount \"feast-admin-sa\" deleted\n",

"serviceaccount \"feast-unauthorized-user-sa\" deleted\n"

]

}

],

"source": [

"!echo \"Deleting RoleBindings...\"\n",

"!kubectl delete rolebinding feast-user-rolebinding -n feast --ignore-not-found\n",

"!kubectl delete rolebinding feast-admin-rolebinding -n feast --ignore-not-found\n",

"\n",

"!echo \"Deleting ServiceAccounts...\"\n",

"!kubectl delete serviceaccount feast-user-sa -n feast --ignore-not-found\n",

"!kubectl delete serviceaccount feast-admin-sa -n feast --ignore-not-found\n",

"!kubectl delete serviceaccount feast-unauthorized-user-sa -n feast --ignore-not-found\n"

]

},

{

"cell_type": "markdown",

"id": "fa7a79763774f770",

"metadata": {},

"source": [

"### Delete Client Example Deployments"

]

},

{

"cell_type": "code",

"execution_count": 3,

"id": "7bc23b3eb0153c75",

"metadata": {

"ExecuteTime": {

"end_time": "2025-03-14T14:46:05.998191Z",

"start_time": "2025-03-14T14:46:05.344334Z"

}

},

"outputs": [

{

"name": "stdout",

"output_type": "stream",

"text": [

"deployment.apps \"client-admin-user\" deleted\n",

"deployment.apps \"client-readonly-user\" deleted\n",

"deployment.apps \"client-unauthorized-user\" deleted\n",

"configmap \"client-feature-repo-config\" deleted\n"

]

}

],

"source": [

"!kubectl delete -f client/admin_user_deployment_tls.yaml\n",

"!kubectl delete -f client/readonly_user_deployment_tls.yaml\n",

"!kubectl delete -f client/unauthorized_user_deployment_tls.yaml\n",

"!kubectl delete configmap client-feature-repo-config -n feast"

]

},

{

"cell_type": "markdown",

"id": "ce8ef7c832d146dd",

"metadata": {},

"source": [

"### Validate all Objects Removed from Namespace and Delete the Namespace"

]

},

{

"cell_type": "code",

"execution_count": 4,

"id": "587eb85352a8a353",

"metadata": {

"ExecuteTime": {

"end_time": "2025-03-14T14:46:14.626703Z",

"start_time": "2025-03-14T14:46:14.429984Z"

}

},

"outputs": [

{

"name": "stdout",

"output_type": "stream",

"text": [

"\u001b[33;1mWarning:\u001b[0m apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+\n",

"NAME READY STATUS RESTARTS AGE\n",

"pod/client-admin-user-69b5448688-srvg5 1/1 Terminating 0 83s\n",

"pod/client-readonly-user-6bf689d-ggb8f 1/1 Terminating 0 5m36s\n",

"pod/client-unauthorized-user-74f795fd9f-zmcxp 1/1 Terminating 0 3m40s\n",

"pod/feast-sample-kubernetes-auth-d98b89bcc-wx7xj 2/4 Terminating 0 32m\n"

]

}

],

"source": [

"!kubectl get all -n feast\n"

]

},

{

"cell_type": "code",

"execution_count": 5,

"id": "7a0ce2d9e4a92828",

"metadata": {

"ExecuteTime": {

"end_time": "2025-03-14T14:46:26.127988Z",

"start_time": "2025-03-14T14:46:20.865605Z"

}

},

"outputs": [

{

"name": "stdout",

"output_type": "stream",

"text": [

"namespace \"feast\" deleted\n"

]

}

],

"source": [

"!kubectl delete namespace feast"

]

}

],

"metadata": {

"kernelspec": {

"display_name": ".venv",

"language": "python",

"name": "python3"

},

"language_info": {

"codemirror_mode": {

"name": "ipython",

"version": 3

},

"file_extension": ".py",

"mimetype": "text/x-python",

"name": "python",

"nbconvert_exporter": "python",

"pygments_lexer": "ipython3",

"version": "3.11.11"

}

},

"nbformat": 4,

"nbformat_minor": 5

}

This directory contains examples and configurations for using Feast with Role-Based Access Control (RBAC) in an OpenShift environment with TLS authentication.

- `1-setup-operator-rbac.ipynb`: Jupyter notebook for setting up RBAC with TLS in OpenShift

- `2-client-rbac-test-pod.ipynb`: Jupyter notebook demonstrating RBAC testing with TLS in OpenShift

- `3-uninstall.ipynb`: Jupyter notebook for cleaning up the RBAC setup

- `permissions_apply.py`: Python script for applying RBAC permissions with TLS configuration

- `client/`: Directory containing client configurations

- `readonly_user_deployment_tls.yaml`: Deployment configuration for readonly users with TLS

- `admin_user_deployment_tls.yaml`: Deployment configuration for admin users with TLS

- `unauthorized_user_deployment_tls.yaml`: Deployment configuration for unauthorized users with TLS

- `feature_repo/`: Feature repository configurations

- `feature_store.yaml`: Feature store configuration with TLS settings

- `test.py`: Contents numerous tests for validation of permissions while accessing feast objects

- TLS certificate configuration for secure communication

- OpenShift service CA certificate integration

- RBAC with service account authentication

- HTTPS endpoints (port 443)

- Separate configurations for admin, readonly, and unauthorized users

1. Set up RBAC with TLS:

- Option 1: Run `1-setup-operator-rbac.ipynb` notebook

- Option 2: Run `python permissions_apply.py` script

2. Apply the appropriate deployment configurations

3. Test RBAC functionality with TLS authentication using `2-client-rbac-test-pod.ipynb`

4. Clean up resources using `3-uninstall.ipynb` when done

For more details, refer to the [Feast documentation](https://docs.feast.dev/master/getting-started/components/authz_manager#kubernetes-rbac-authorization).

apiVersion: apps/v1

kind: Deployment

metadata:

name: client-admin-user

namespace: feast

labels:

app: client-admin

spec:

replicas: 1

selector:

matchLabels:

app: client-admin

template:

metadata:

labels:

app: client-admin

spec:

serviceAccountName: feast-admin-sa

containers:

- name: client-admin-container

image: quay.io/feastdev/feature-server:latest

imagePullPolicy: Always

command: ["sleep", "infinity"]

volumeMounts:

- name: client-feature-repo-config

mountPath: /opt/app-root/src

- name: feast-service-ca

mountPath: /etc/pki/tls/custom-certs/service-ca.crt

subPath: service-ca.crt

volumes:

- name: client-feature-repo-config

configMap:

name: client-feature-repo-config

- name: feast-service-ca

configMap:

name: feast-sample-kubernetes-auth-client-ca

project: feast_rbac

provider: local

offline_store:

host: feast-sample-kubernetes-auth-offline.feast.svc.cluster.local

type: remote

port: 443

scheme: https

cert: /etc/pki/tls/custom-certs/service-ca.crt

online_store:

path: https://feast-sample-kubernetes-auth-online.feast.svc.cluster.local:443

type: remote

cert: /etc/pki/tls/custom-certs/service-ca.crt

registry:

path: feast-sample-kubernetes-auth-registry.feast.svc.cluster.local:443

registry_type: remote

cert: /etc/pki/tls/custom-certs/service-ca.crt

auth:

type: kubernetes

entity_key_serialization_version: 3