◐ Shell
reader mode source ↗
Skip to content

feat: Add Feast Operator RBAC example with Kubernetes Authentication …#5077

Merged
franciscojavierarceo merged 3 commits into
feast-dev:masterfrom
redhatHameed:operator-rbac-example
Mar 7, 2025
Merged

feat: Add Feast Operator RBAC example with Kubernetes Authentication …#5077
franciscojavierarceo merged 3 commits into
feast-dev:masterfrom
redhatHameed:operator-rbac-example

Conversation

@redhatHameed

@redhatHameed redhatHameed commented Feb 20, 2025

Copy link
Copy Markdown
Contributor

What this PR does / why we need it:

Adding Feast Operator RBAC example with Kubernetes Authentication

Which issue(s) this PR fixes:

Misc

@redhatHameed redhatHameed requested a review from a team as a code owner February 20, 2025 20:46
@redhatHameed

redhatHameed commented Feb 20, 2025

Copy link
Copy Markdown
Contributor Author

@tchughesiv @franciscojavierarceo @dmartinol when you get a chance, could you please provide review/feedback on this PR? Thanks!

@redhatHameed redhatHameed force-pushed the operator-rbac-example branch 2 times, most recently from 2bb0cd0 to 5f02b7b Compare February 25, 2025 18:37
@accorvin

accorvin commented Feb 26, 2025

Copy link
Copy Markdown
Contributor

@redhatHameed one thing that's not obvious to me is how the test.py script makes use of the service account that is being used to connect to the feature store. I'm assuming it's automatically using some environment variable somewhere or something like that, but I'm not sure. Can we document that so it's more explicit?

I expect users will want to be able to connect to a feature store instance from a script that isn't running inside of a kubernetes pod, and I'm assuming doing so would require them to specify the token somewhere, so we should make it clear how they can do so.

@redhatHameed

redhatHameed commented Feb 26, 2025

Copy link
Copy Markdown
Contributor Author

@redhatHameed one thing that's not obvious to me is how the test.py script makes use of the service account that is being used to connect to the feature store. I'm assuming it's automatically using some environment variable somewhere or something like that, but I'm not sure. Can we document that so it's more explicit?

@accorvin Right, it's getting directly from the pod location. /var/run/secrets/kubernetes.io/serviceaccount/token
https://github.com/feast-dev/feast/blob/master/sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py#L15
I will add this note.

I expect users will want to be able to connect to a feature store instance from a script that isn't running inside of a kubernetes pod, and I'm assuming doing so would require them to specify the token somewhere, so we should make it clear how they can do so.

That's also possible, we can use environment variable LOCAL_K8S_TOKEN https://github.com/feast-dev/feast/blob/master/sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py#L50
let me change the example using locally instead from the pod and add missing document.

@redhatHameed redhatHameed marked this pull request as draft February 27, 2025 16:01
@redhatHameed redhatHameed force-pushed the operator-rbac-example branch 4 times, most recently from dfdc884 to 4a06332 Compare February 27, 2025 21:34
@redhatHameed redhatHameed marked this pull request as ready for review February 27, 2025 21:35
@redhatHameed

redhatHameed commented Feb 27, 2025

Copy link
Copy Markdown
Contributor Author

@accorvin can you take another look of this PR, I have updated the notebook to use local client instead of the pod. Thanks

franciscojavierarceo
franciscojavierarceo reviewed Mar 5, 2025
View reviewed changes

@franciscojavierarceo franciscojavierarceo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

I would contextualize some of the documentation that this is mostly relevant if you're an MLOps Engineer or Cluster Admin trying to add Feast to your k8s cluster.

@redhatHameed redhatHameed force-pushed the operator-rbac-example branch 5 times, most recently from cbaa0ca to ed9f593 Compare March 5, 2025 19:29
@redhatHameed

redhatHameed commented Mar 5, 2025

Copy link
Copy Markdown
Contributor Author

I would contextualize some of the documentation that this is mostly relevant if you're an MLOps Engineer or Cluster Admin trying to add Feast to your k8s cluster.

@franciscojavierarceo Thanks yes make sense,

I have separated notebooks for setup operator and RBAC - > 1-setup-operator-rbac.ipynb which need to perform Admin or MLOps Engineer,

and client notebook -> 2-client.ipynb for specific to developer

15 hidden items Load more…
franciscojavierarceo
franciscojavierarceo reviewed Mar 6, 2025
View reviewed changes

@franciscojavierarceo franciscojavierarceo left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hide comment

left some feedback.

@redhatHameed redhatHameed force-pushed the operator-rbac-example branch from 4541f35 to 062429e Compare March 6, 2025 20:06
redhatHameed and others added 2 commits March 6, 2025 15:18
@redhatHameed
feat: Add Feast Operator RBAC example with Kubernetes Authentication …
dc3a376 
…type.

Signed-off-by: Abdul Hameed <ahameed@redhat.com>
@redhatHameed @franciscojavierarceo
Apply suggestions from code review
7483fae 
Co-authored-by: Francisco Arceo <farceo@redhat.com>
Signed-off-by: Abdul Hameed <ahameed@redhat.com>
@redhatHameed redhatHameed force-pushed the operator-rbac-example branch 2 times, most recently from 3438e44 to 32c9667 Compare March 6, 2025 20:22
@redhatHameed
addressed the review comments
597441d 
Signed-off-by: Abdul Hameed <ahameed@redhat.com>
@redhatHameed redhatHameed force-pushed the operator-rbac-example branch from 32c9667 to 597441d Compare March 6, 2025 20:36
@redhatHameed

redhatHameed commented Mar 7, 2025

Copy link
Copy Markdown
Contributor Author

@franciscojavierarceo can we merge this so it can be part of today release if we are planning for that. Thanks

@franciscojavierarceo franciscojavierarceo merged commit 2179fbe into feast-dev:master Mar 7, 2025
@tchughesiv

tchughesiv commented Mar 7, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

@redhatHameed while i understand the addition of local workstation client example ... where did the pod to pod (admin vs client) example go? shouldn't we have those as well? after all, restricting authorization from pods within the cluster is probably the more common use case here. its also the cleaner way to demonstrate how RBAC works in feast.

Can you add that part of the example back but keep the local workstation bit as secondary example as well?

@tchughesiv

tchughesiv commented Mar 7, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

i fear this is too complex ... maybe we pivot to demoing remote registry access here instead? much of the local workstation client stuff would do better as a separate example, unrelated to RBAC.

@tchughesiv

tchughesiv commented Mar 7, 2025

Copy link
Copy Markdown
Contributor

I have an outstanding task to add an additional example around using the feature-server endpoints of an operator deployed feature store. i may play around with some of these rbac docs at the same time. i think this example would benefit from a remote registry use-case ... maybe even using the feature-server endpoints directly

franciscojavierarceo pushed a commit that referenced this pull request Mar 10, 2025
@feast-ci-bot
chore(release): release 0.47.0
3e3afa9 
# [0.47.0](v0.46.0...v0.47.0) (2025-03-10)

* feat!: Include PUBLIC_URL in defaultProjectListPromise URL in /ui ([2f0f7b3](2f0f7b3))

### Bug Fixes

* Add transformation_service_endpoit to support Go feature server. ([#5071](#5071)) ([5627d7c](5627d7c))
* Adding extra space on the VM to kind cluster to see if this solves the issue with memory not available with operator e2e tests. ([#5102](#5102)) ([e6e928c](e6e928c))
* Allow unencrypted Snowflake key ([#5097](#5097)) ([87a7c23](87a7c23))
* Cant add different type of list types ([#5118](#5118)) ([bebd7be](bebd7be))
* Fixing transformations on writes ([#5127](#5127)) ([95ac34a](95ac34a))
* Identify s3/remote uri path correctly ([#5076](#5076)) ([93becff](93becff))
* Increase available action VM storage and reduce dev feature-server image size ([#5112](#5112)) ([75f5a90](75f5a90))
* Move Feast to pyproject.toml instead of setup.py ([#5067](#5067)) ([4231274](4231274))
* Skip refresh if already in progress or if lock is already held ([#5068](#5068)) ([f3a24de](f3a24de))

### Features

* Add an OOTB Chat uI to the Feature Server to support RAG demo ([#5106](#5106)) ([40ea7a9](40ea7a9))
* Add Couchbase Columnar as an Offline Store ([#5025](#5025)) ([4373cbf](4373cbf))
* Add Feast Operator RBAC example with Kubernetes Authentication … ([#5077](#5077)) ([2179fbe](2179fbe))
* Added docling and pytorch as add on ([#5089](#5089)) ([135342b](135342b))
* Feast Operator example with Postgres in TLS mode. ([#5028](#5028)) ([2c46f6a](2c46f6a))
* Operator - Add feastProjectDir section to CR with git & init options ([#5079](#5079)) ([d64f01e](d64f01e))
* Override the udf name when provided as input to an on demand transformation ([#5094](#5094)) ([8a714bb](8a714bb))
* Set value_type of entity directly in from_proto ([#5092](#5092)) ([90e7498](90e7498))
* Updating retrieve online documents v2 to work for other fields for sq… ([#5082](#5082)) ([fc121c3](fc121c3))

### BREAKING CHANGES

* The PUBLIC_URL environment variable is now taken into account by default
when fetching the projects list. This is a breaking change only if all
these points apply:

1. You're using Feast UI as a module

2. You're serving the UI files from a non-root path via the PUBLIC_URL
   environment variable

3. You're serving the project list from the root path

4. You're not passing the `feastUIConfigs.projectListPromise` prop to
   the FeastUI component

In this case, you need to explicitly fetch the project list from the
root path via the `feastUIConfigs.projectListPromise` prop:

```diff
 const root = createRoot(document.getElementById("root")!);
 root.render(
   <React.StrictMode>
-    <FeastUI />
+    <FeastUI
+      feastUIConfigs={{
+        projectListPromise: fetch("/projects-list.json", {
+            headers: {
+              "Content-Type": "application/json",
+            },
+          }).then((res) => res.json())
+      }}
+    />
   </React.StrictMode>
 );
```

Signed-off-by: Harri Lehtola <peruukki@hotmail.com>
@redhatHameed

redhatHameed commented Mar 14, 2025

Copy link
Copy Markdown
Contributor Author

@redhatHameed while i understand the addition of local workstation client example ... where did the pod to pod (admin vs client) example go? shouldn't we have those as well? after all, restricting authorization from pods within the cluster is probably the more common use case here. its also the cleaner way to demonstrate how RBAC works in feast.

Can you add that part of the example back but keep the local workstation bit as secondary example as well?

@tchughesiv thanks for pointing that, I have updated and added that example in this PR #5147 which contain now client example using local environment and from the pod.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ntkathole ntkathole ntkathole left review comments

@lokeshrangineni lokeshrangineni lokeshrangineni left review comments

@dmartinol dmartinol dmartinol left review comments

@franciscojavierarceo franciscojavierarceo

Assignees

No one assigned

Labels

area/documentation ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@redhatHameed @accorvin @tchughesiv @franciscojavierarceo @ntkathole @lokeshrangineni @dmartinol