improved CRD comments and using IsLocalRegistry
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
dmartinol committed Nov 26, 2024
commit c9a583c1cd1c894beb4eac822a6795cf35b28d9b
8 changes: 8 additions & 0 deletions infra/feast-operator/api/v1alpha1/featurestore_types.go
Expand Up @@ -272,7 +272,15 @@ type AuthConfig struct {
KubernetesAuth *KubernetesAuth `json:"kubernetes,omitempty"`
Comment thread
dmartinol marked this conversation as resolved.
Outdated
}

// KubernetesAuth provides a way to define the authorization settings using Kubernetes RBAC resources.
// https://kubernetes.io/docs/reference/access-authn-authz/rbac/
type KubernetesAuth struct {
// The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
// Roles are managed by the operator and created with an empty list of rules.
// See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
// The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
// This configuration option is only providing a way to automate this procedure.
// Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
Roles []string `json:"roles,omitempty"`
}

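Review bot: The new comment on `Roles` says the roles are "managed by the operator and created with an empty list of rules", but it does not say what reconciliation does to a Role of the same name that already exists in the namespace, or to rules an admin later adds to an operator-created Role. For RBAC objects that ownership rule is what a cluster admin most needs from the field doc; once the behaviour is confirmed, a line such as `// Rules added to these roles outside the operator are kept on reconcile.` (or the opposite, if they are reset) would close the gap. The struct as shown carries no validation marker on `Roles`, so it is worth checking that entries are constrained to valid Role names. The descriptions in `dist/install.yaml` in this same commit use different wording and lack the "empty list of rules" sentence, which suggests the bundle was not regenerated after the last comment edit.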
Expand Up @@ -53,8 +53,18 @@ spec:
deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuth provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
Expand Down Expand Up @@ -1056,8 +1066,18 @@ spec:
the deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuth provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
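--- a/infra/feast-operator/dist/install.yaml
+++ b/infra/feast-operator/dist/install.yaml
@@ -61,8 +61,17 @@ spec:
 deployed Feast services.
 properties:
 kubernetes:
+description: |-
+KubernetesAuth defines the authorization settings using Kubernetes RBAC.
+https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 properties:
 roles:
+description: |-
+The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+See the Feast permission model https://docs.feast.dev/getting-started/concepts/permission
+Please note that the feature store admin is not obligated to manage roles using the Feast operator.
+Roles can be managed independently. This configuration is only providing a way to automate this step.
+Note that the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
 items:
 type: string
 type: array
@@ -1064,8 +1073,17 @@ spec:
 the deployed Feast services.
 properties:
 kubernetes:
+description: |-
+KubernetesAuth defines the authorization settings using Kubernetes RBAC.
+https://kubernetes.io/docs/reference/access-authn-authz/rbac/
 properties:
 roles:
+description: |-
+The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
+See the Feast permission model https://docs.feast.dev/getting-started/concepts/permission
+Please note that the feature store admin is not obligated to manage roles using the Feast operator.
+Roles can be managed independently. This configuration is only providing a way to automate this step.
+Note that the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
 items:
 type: string
 type: array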
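--- a/infra/feast-operator/internal/controller/auth/auth.go
+++ b/infra/feast-operator/internal/controller/auth/auth.go
@@ -146,7 +146,7 @@ func (auth *FeastAuth) setFeastRoleBinding(roleBinding *rbacv1.RoleBinding) erro
 Namespace: auth.Handler.FeatureStore.Namespace,
 })
 }
-if auth.Handler.FeatureStore.Status.Applied.Services.Registry != nil {
+if services.IsLocalRegistry(auth.Handler.FeatureStore) {
 roleBinding.Subjects = append(roleBinding.Subjects, rbacv1.Subject{
 Kind: rbacv1.ServiceAccountKind,
 Name: services.GetFeastServiceName(auth.Handler.FeatureStore, services.RegistryFeastType),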
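Review bot: The condition guarding the registry subject now depends on `services.IsLocalRegistry`, and nothing at this line says why a remote registry is excluded from the RoleBinding. Presumably no registry ServiceAccount is deployed in this namespace in that case, so naming one as a subject would grant the role to whatever ServiceAccount is later created under that name; a short comment would make that intent reviewable, e.g. `// Bind the registry ServiceAccount only when the registry runs locally in this namespace.` The helper also nil-checks `Status.Applied.Services`, which the replaced expression dereferenced directly. A unit test asserting that the subject is absent for a remote-registry FeatureStore would pin the behaviour. setFeastRoleBinding starts and ends outside this hunk.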
Expand Up @@ -52,7 +52,7 @@ func getServiceRepoConfig(feastType FeastServiceType, featureStore *feastdevv1al
appliedSpec := featureStore.Status.Applied

repoConfig := getClientRepoConfig(featureStore)
isLocalReg := isLocalRegistry(featureStore)
isLocalRegistry := IsLocalRegistry(featureStore)
if appliedSpec.Services != nil {
services := appliedSpec.Services

Expand Up @@ -502,7 +502,7 @@ func (feast *FeastServices) setRemoteRegistryURL() error {
}

func (feast *FeastServices) isLocalRegistry() bool {
return isLocalRegistry(feast.Handler.FeatureStore)
return IsLocalRegistry(feast.Handler.FeatureStore)
}

func (feast *FeastServices) isRemoteRegistry() bool {
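--- a/infra/feast-operator/internal/controller/services/util.go
+++ b/infra/feast-operator/internal/controller/services/util.go
@@ -17,7 +17,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
-func isLocalRegistry(featureStore *feastdevv1alpha1.FeatureStore) bool {
+func IsLocalRegistry(featureStore *feastdevv1alpha1.FeatureStore) bool {
 appliedServices := featureStore.Status.Applied.Services
 return appliedServices != nil && appliedServices.Registry != nil && appliedServices.Registry.Local != nil
 }
@@ -35,7 +35,7 @@ func hasPvcConfig(featureStore *feastdevv1alpha1.FeatureStore, feastType FeastSe
 pvcConfig = services.OfflineStore.Persistence.FilePersistence.PvcConfig
 }
 case RegistryFeastType:
-if isLocalRegistry(featureStore) && services.Registry.Local.Persistence.FilePersistence != nil {
+if IsLocalRegistry(featureStore) && services.Registry.Local.Persistence.FilePersistence != nil {
 pvcConfig = services.Registry.Local.Persistence.FilePersistence.PvcConfig
 }
 }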
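Review bot: `IsLocalRegistry` is now exported and called from the auth package, but it has no doc comment and dereferences `featureStore` without a nil check. Go convention asks for a comment starting with the name, for example `// IsLocalRegistry reports whether the applied spec (Status.Applied) configures a local registry.` Stating that it reads `Status.Applied` rather than the desired spec matters to the new caller in auth.go, since the RoleBinding subjects will follow the applied status. The call site in hasPvcConfig (second hunk) is a plain rename, and hasPvcConfig itself is only partly visible.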