Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: RBAC Authorization in Feast Operator #4786

Merged
merged 12 commits into from
Dec 1, 2024
Merged

feat: RBAC Authorization in Feast Operator #4786

merged 12 commits into from
Dec 1, 2024

Conversation

dmartinol
Copy link
Contributor

@dmartinol dmartinol commented Nov 22, 2024
edited
Loading

What this PR does / why we need it:

Adding support to define the kubernetes authorization manager with the Feast Operator.

  • All services are configured to adopt this authorization manager.
  • Services runs with a ServiceAccount that is bound to a newly created Role allowing to get, list, watch the other Roles and RoleBindings in the same namespace.
  • Admins are not requested to perform any manual configuration once the custom resource is installed.

Sample manifest to configure the deployments:

apiVersion: feast.dev/v1alpha1
kind: FeatureStore
metadata:
  name: sample-kubernetes-auth
spec:
  feastProject: my_project
  services:
    onlineStore: {}
    offlineStore: {}
    registry: {}
  authz:
    kubernetes:
      roles:
        - reader
        - writer

Which issue(s) this PR fixes:

Relates to #4765
Next PR will add support for the OIDC authorization.

@dmartinol dmartinol requested a review from a team as a code owner November 22, 2024 21:34
@dmartinol
Copy link
Contributor Author

@tchughesiv @redhatHameed @tmihalac

tchughesiv
tchughesiv requested changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@tchughesiv tchughesiv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for this! only a few nits so far

infra/feast-operator/internal/controller/services/services_types.go Outdated Show resolved Hide resolved
infra/feast-operator/internal/controller/services/services_types.go Outdated Show resolved Hide resolved
infra/feast-operator/internal/controller/services/services_types.go Outdated Show resolved Hide resolved
infra/feast-operator/internal/controller/services/util.go Outdated Show resolved Hide resolved
tchughesiv
tchughesiv requested changes Nov 26, 2024
View reviewed changes
Copy link
Contributor

@tchughesiv tchughesiv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few nits ... otherwise lgtm

infra/feast-operator/api/v1alpha1/featurestore_types.go Outdated Show resolved Hide resolved
infra/feast-operator/api/v1alpha1/featurestore_types.go Outdated Show resolved Hide resolved
infra/feast-operator/api/v1alpha1/featurestore_types.go Outdated Show resolved Hide resolved
infra/feast-operator/api/v1alpha1/featurestore_types.go Outdated Show resolved Hide resolved
infra/feast-operator/internal/controller/services/services_types.go Outdated Show resolved Hide resolved
@dmartinol
Initial commit
fa6be07 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
refactoring types with FeastHandler
bcd7fe4 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
no private image
17e6b43 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
removed log-level
0817c9c 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
no empty list for default Role
62861c6 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
removed nameLabelKey, using serices.NameLabelKey
a4c9378 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
improved CRD comments and using IsLocalRegistry
c9a583c 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
fixing generated code
f97ab65 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
renamed auth condition and types
2f7bf15 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
post rebase fixes
13dd560 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
more renamings
3e457f1 
Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@dmartinol
Copy link
Contributor Author

@feast-dev/reviewers-and-approvers please TAL

@dmartinol dmartinol enabled auto-merge (squash) November 28, 2024 14:51
@dmartinol dmartinol mentioned this pull request Nov 28, 2024
Merged
@dmartinol dmartinol merged commit 0ef5acc into feast-dev:master Dec 1, 2024
20 checks passed
lokeshrangineni pushed a commit to lokeshrangineni/feast that referenced this pull request Dec 2, 2024
@dmartinol @lokeshrangineni
feat: RBAC Authorization in Feast Operator (feast-dev#4786)
180dc71 
* Initial commit

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* refactoring types with FeastHandler

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no private image

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed  log-level

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no empty list for default Role

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed nameLabelKey, using serices.NameLabelKey

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* improved CRD comments and using IsLocalRegistry

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* fixing generated code

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* renamed auth condition and types

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* post rebase fixes

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* more renamings

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

---------

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
tmihalac pushed a commit to tmihalac/feast that referenced this pull request Dec 3, 2024
@dmartinol @tmihalac
feat: RBAC Authorization in Feast Operator (feast-dev#4786)
c928c53 
* Initial commit

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* refactoring types with FeastHandler

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no private image

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed  log-level

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no empty list for default Role

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed nameLabelKey, using serices.NameLabelKey

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* improved CRD comments and using IsLocalRegistry

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* fixing generated code

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* renamed auth condition and types

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* post rebase fixes

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* more renamings

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

---------

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
@dmartinol dmartinol mentioned this pull request Dec 4, 2024
Closed
tmihalac pushed a commit to tmihalac/feast that referenced this pull request Dec 4, 2024
@dmartinol @tmihalac
feat: RBAC Authorization in Feast Operator (feast-dev#4786)
8252bd3 
* Initial commit

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* refactoring types with FeastHandler

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no private image

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed  log-level

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no empty list for default Role

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed nameLabelKey, using serices.NameLabelKey

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* improved CRD comments and using IsLocalRegistry

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* fixing generated code

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* renamed auth condition and types

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* post rebase fixes

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* more renamings

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

---------

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
Signed-off-by: Theodor Mihalache <tmihalac@redhat.com>
franciscojavierarceo pushed a commit that referenced this pull request Dec 5, 2024
@feast-ci-bot
chore(release): release 0.42.0
aac334a 
# [0.42.0](v0.41.0...v0.42.0) (2024-12-05)

### Bug Fixes

* Add adapters for sqlite datetime conversion ([#4797](#4797)) ([e198b17](e198b17))
* Added grpcio extras to default feature-server image ([#4737](#4737)) ([e9cd373](e9cd373))
* Changing node version in release ([7089918](7089918))
* Feast create empty online table when FeatureView attribute online=False ([#4666](#4666)) ([237c453](237c453))
* Fix db store types in Operator CRD ([#4798](#4798)) ([f09339e](f09339e))
* Fix the config issue for postgres ([#4776](#4776)) ([a36f7e5](a36f7e5))
* Fixed example materialize-incremental and improved explanation ([#4734](#4734)) ([ca8a7ab](ca8a7ab))
* Fixed SparkSource docstrings so it wouldn't used inhereted class docstrings ([#4722](#4722)) ([32e6aa1](32e6aa1))
* Fixing PGVector integration tests ([#4778](#4778)) ([88a0320](88a0320))
* Incorrect type passed to assert_permissions in materialize endpoints ([#4727](#4727)) ([b72c2da](b72c2da))
* Issue of DataSource subclasses using parent abstract class docstrings ([#4730](#4730)) ([b24acd5](b24acd5))
* Operator envVar positioning & tls.SecretRef.Name ([#4806](#4806)) ([1115d96](1115d96))
* Populates project created_time correctly according to created ti… ([#4686](#4686)) ([a61b93c](a61b93c))
* Reduce feast-server container image size & fix dev image build ([#4781](#4781)) ([ccc9aea](ccc9aea))
* Removed version func from feature_store.py ([#4748](#4748)) ([f902bb9](f902bb9))
* Support registry instantiation for read-only users ([#4719](#4719)) ([ca3d3c8](ca3d3c8))
* Syntax Error in BigQuery While Retrieving Columns that Start wit… ([#4713](#4713)) ([60fbc62](60fbc62))
* Update release version in a pertinent Operator file ([#4708](#4708)) ([764a8a6](764a8a6))

### Features

* Add api contract to fastapi docs ([#4721](#4721)) ([1a165c7](1a165c7))
* Add Couchbase as an online store ([#4637](#4637)) ([824859b](824859b))
* Add Operator support for spec.feastProject & status.applied fields ([#4656](#4656)) ([430ac53](430ac53))
* Add services functionality to Operator ([#4723](#4723)) ([d1d80c0](d1d80c0))
* Add TLS support to the Operator ([#4796](#4796)) ([a617a6c](a617a6c))
* Added feast Go operator db stores support ([#4771](#4771)) ([3302363](3302363))
* Added support for setting env vars in feast services in feast controller  ([#4739](#4739)) ([84b24b5](84b24b5))
* Adding docs outlining native Python transformations on singletons ([#4741](#4741)) ([0150278](0150278))
* Adding first feast operator e2e test. ([#4791](#4791)) ([8339f8d](8339f8d))
* Adding github action to run the operator end-to-end tests. ([#4762](#4762)) ([d8ccb00](d8ccb00))
* Adding ssl support for registry server. ([#4718](#4718)) ([ccf7a55](ccf7a55))
* Adding SSL support for the React UI server and feast UI command. ([#4736](#4736)) ([4a89252](4a89252))
* Adding support for native Python transformations on a single dictionary  ([#4724](#4724)) ([9bbc1c6](9bbc1c6))
* Adding TLS support for offline server. ([#4744](#4744)) ([5d8d03f](5d8d03f))
* Building the feast image ([#4775](#4775)) ([6635dde](6635dde))
* File persistence definition and implementation ([#4742](#4742)) ([3bad4a1](3bad4a1))
* Object store persistence in operator ([#4758](#4758)) ([0ae86da](0ae86da))
* OIDC authorization in Feast Operator ([#4801](#4801)) ([eb111d6](eb111d6))
* Operator will create k8s serviceaccount for each feast service ([#4767](#4767)) ([cde5760](cde5760))
* Printing more verbose logs when we start the offline server  ([#4660](#4660)) ([9d8d3d8](9d8d3d8))
* PVC configuration and impl ([#4750](#4750)) ([785a190](785a190))
* Qdrant vectorstore support ([#4689](#4689)) ([86573d2](86573d2))
* RBAC Authorization in Feast Operator ([#4786](#4786)) ([0ef5acc](0ef5acc))
* Support for nested timestamp fields in Spark Offline store ([#4740](#4740)) ([d4d94f8](d4d94f8))
* Update the go feature server from Expedia code repo. ([#4665](#4665)) ([6406625](6406625))
* Updated feast Go operator db stores ([#4809](#4809)) ([2c5a6b5](2c5a6b5))
* Updated sample secret following review ([#4811](#4811)) ([dc9f825](dc9f825))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lokeshrangineni lokeshrangineni lokeshrangineni approved these changes

@tchughesiv tchughesiv tchughesiv approved these changes

Assignees
No one assigned
Labels
ok-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dmartinol @tchughesiv @lokeshrangineni