feat: Add Feast Operator RBAC example with Kubernetes Authentication … #5077
Conversation
redhatHameed
force-pushed
the
operator-rbac-example
branch
from
c022e37 to
8487ac3
Compare
|
@tchughesiv @franciscojavierarceo @dmartinol when you get a chance, could you please provide review/feedback on this PR? Thanks! |
redhatHameed
force-pushed
the
operator-rbac-example
branch
2 times, most recently
from
2bb0cd0 to
5f02b7b
Compare
|
@redhatHameed one thing that's not obvious to me is how the test.py script makes use of the service account that is being used to connect to the feature store. I'm assuming it's automatically using some environment variable somewhere or something like that, but I'm not sure. Can we document that so it's more explicit? I expect users will want to be able to connect to a feature store instance from a script that isn't running inside of a kubernetes pod, and I'm assuming doing so would require them to specify the token somewhere, so we should make it clear how they can do so. |
@accorvin Right, it's getting directly from the pod location.
That's also possible, we can use environment variable |
redhatHameed
force-pushed
the
operator-rbac-example
branch
4 times, most recently
from
dfdc884 to
4a06332
Compare
|
@accorvin can you take another look of this PR, I have updated the notebook to use local client instead of the pod. Thanks |
redhatHameed
force-pushed
the
operator-rbac-example
branch
from
4a06332 to
e340a0d
Compare
redhatHameed
force-pushed
the
operator-rbac-example
branch
4 times, most recently
from
d7eca8c to
cbaa0ca
Compare
…type. Signed-off-by: Abdul Hameed <[email protected]>
redhatHameed
force-pushed
the
operator-rbac-example
branch
from
cbaa0ca to
ed9f593
Compare
@franciscojavierarceo Thanks yes make sense, I have separated notebooks for setup operator and RBAC - > and client notebook -> |
| "* `Registry Server`: Handles metadata storage for feature definitions.\n", | ||
| "* `Online Store Server`: Uses the `Registry Server` to query metadata and is responsible for low-latency serving of features.\n", | ||
| "* `Offline Store Server`: Uses the `Registry Server` to query metadata and provides access to batch data for historical feature retrieval.\n", | ||
| "* `Kubernetes` Authentication types for RBAC Configuration for Feast resources.\n", |
There was a problem hiding this comment.
The last 2 bullets doesn't seem to be related to "distributed topology of Feast services".
The last one in particular, it looks like it's an objective of the notebook rather any architectural component.
| { | ||
| "metadata": {}, | ||
| "cell_type": "markdown", | ||
| "source": "## Next Run Client notebook -> 2-client.ipynb" |
There was a problem hiding this comment.
can't this be a link instead?
| "metadata": {}, | ||
| "cell_type": "markdown", | ||
| "source": [ | ||
| "## Configure the RBAC Permissions\n", |
There was a problem hiding this comment.
This section code be a bit more descriptive on the intentions, to clarify what the code is doing
| "start_time": "2025-03-05T18:50:19.362018Z" | ||
| } | ||
| }, | ||
| "source": [ |
There was a problem hiding this comment.
The same could be demonstrated by connecting a client to the registry server, w/o using the kubectl exec command. e.g., probably in the client notebook.
It probably depends on who's the target person we want to instruct with this notebook.
| "source": [ | ||
| "## Feast Client with RBAC\n", | ||
| "### RBAC Kubernetes Authentication\n", | ||
| "This Feast **Role-Based Access Control (RBAC)** in Kubernetes support authentication **inside a Kubernetes pod** and **outside a pod** when running a local script.\n", |
There was a problem hiding this comment.
I'm not clear about the "and outside a pod" part.
You mean that the RBAC solution authorizes the server endpoints against requests coming either from another K8s service or from an external client?
BTW: It's more intended to authorize than to authenticate
| "- Developer just need create the binding with role and service account accordingly.\n", | ||
| "- Code Reference: \n", | ||
| "[Feast Kubernetes Auth Client Manager (Pod Token Usage)](https://github.com/feast-dev/feast/blob/master/sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py#L15) \n", | ||
| "- See the example will use service account from pod [Example](https://github.com/feast-dev/feast/blob/master/examples/rbac-remote/client/k8s/)\n", |
There was a problem hiding this comment.
This sentence seems confusing, any typo?
| "Feast will use this token for authentication.\n", | ||
| "\n", | ||
| "Reference: \n", | ||
| "[Feast Authentication via `LOCAL_K8S_TOKEN`](https://github.com/feast-dev/feast/blob/master/sdk/python/feast/permissions/client/kubernetes_auth_client_manager.py#L50)" |
There was a problem hiding this comment.
I would link to the user guide instead, there's a reference here:
https://docs.feast.dev/master/getting-started/components/authz_manager#kubernetes-rbac-authorization
| { | ||
| "metadata": {}, | ||
| "cell_type": "markdown", | ||
| "source": "**The Operator creates the client ConfigMap containing the feature_store.yaml. We can retrieve it and port froward to local**", |
There was a problem hiding this comment.
what about The Operator creates the ConfigMap containing the feature_store.yaml for a client application
| "metadata": {}, | ||
| "cell_type": "markdown", | ||
| "source": [ | ||
| "**Generating training data. The following test functions were copied from the `test_workflow.py` template but we added `try` blocks to print only \n", |
| "name": "stdout", | ||
| "output_type": "stream", | ||
| "text": [ | ||
| "An occurred while performing materialize incremental: \n", |
There was a problem hiding this comment.
There's no evidence that this is a permission error, is there another issue on the client side that ew can attach to the notebook?
Co-authored-by: Francisco Arceo <[email protected]>
What this PR does / why we need it:
Adding Feast Operator RBAC example with Kubernetes Authentication
Which issue(s) this PR fixes:
Misc