Operator PVC mount use fails in namespaces w/ privileged Pod security #5324

@tchughesiv

Description

Expected Behavior

With the following FeatureStore spec, the Pod should start successfully (in any namespace) in clusters that support PVC creation -

spec:
  feastProject: my_project
  services:
    offlineStore:
      persistence:
        file:
          pvc:
            create: {}
            mountPath: /offline

Current Behavior

Pod goes into CrashLoopBackOff and throws these errors -
feast-init container -

Creating feast repository...
feast init my_project
bash: line 3: /offline/my_project/feature_repo/feature_store.yaml: Permission denied
Feast repo creation complete

online container -

Can't find feature repo configuration file at /offline/my_project/feature_repo/feature_store.yaml. Make sure you're running feast from an initialized feast repository.

The issue is that the resulting mount is owned by root and does not offer group write permissions.

$ id
uid=1001(default) gid=0(root) groups=0(root)

$ ls -la /offline
total 24
drwxr-xr-x. 4 root root  4096 May  6 13:42 .
dr-xr-xr-x. 1 root root    61 May  6 13:52 ..
drwx------. 2 root root 16384 May  6 13:42 lost+found
drwxr-xr-x. 3 root root  4096 May  6 13:42 my_project

Steps to reproduce

  • Switch to a namespace w/ privileged pod security -

$ kubectl get ns default -oyaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c1,c0
    openshift.io/sa.scc.supplemental-groups: 1000000000/10000
    openshift.io/sa.scc.uid-range: 1000000000/10000
  creationTimestamp: "2025-05-01T02:05:22Z"
  labels:
    kubernetes.io/metadata.name: default
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
  name: default
  • Deploy the following CR -

apiVersion: feast.dev/v1alpha1
kind: FeatureStore
metadata:
  name: sample
spec:
  feastProject: my_project
  services:
    offlineStore:
      persistence:
        file:
          pvc:
            create: {}
            mountPath: /offline

Specifications

  • Version: 0.49.0
  • Platform: OpenShift
  • Subsystem: Operator

Possible Solution

Add ability to set the securityContext of the feature store Pod. This would allow the user to set things like runAsGroup & fsGroup, which should resolve the issue.
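For illustration, the Pod-level securityContext the operator would have to render so that the PVC mount becomes group-writable; this is an added example, not the Feast operator's code or the proposed CR field, and the gid 1001, image and claim name are assumptions chosen here.

```yaml
# Added illustration (not the Feast operator's own code). The group id 1001,
# the image and the PVC claim name are assumptions for this example.
apiVersion: v1
kind: Pod
metadata:
  name: feast-securitycontext-example
spec:
  securityContext:
    # fsGroup makes the kubelet chown the PVC mount to this gid and set the
    # setgid bit on its directories (for volume types that support ownership
    # management), so a non-root process in that group can create
    # /offline/my_project/... instead of hitting "Permission denied".
    fsGroup: 1001
    # Only re-chown when the volume root's ownership does not already match,
    # which avoids a full recursive chown on every Pod start.
    fsGroupChangePolicy: OnRootMismatch
    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 1001
  containers:
    - name: online
      image: REPLACE_WITH_FEAST_IMAGE   # placeholder, not a real image reference
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: offline
          mountPath: /offline
  volumes:
    - name: offline
      persistentVolumeClaim:
        claimName: REPLACE_WITH_PVC_NAME   # placeholder for the operator-created PVC
```

With this in place, `ls -la /offline` inside the container shows the directories owned by group 1001 with the setgid bit, and `id` reports that group, which is the check that distinguishes a working mount from the root-owned one in the report above.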
