examples/operator-rbac-openshift-tls/1-setup-operator-rbac.ipynb
This demo provides a reference implementation of a runbook on how to enable Role-Based Access Control (RBAC) for Feast using the Feast Operator with the Kubernetes authentication type. This serves as useful reference material for a cluster admin / MLOps engineer.
The demo steps include deploying the Feast Operator, creating Feast instances with server components (registry, offline store, online store), and testing the Feast client both locally and from OpenShift. The goal is to ensure secure access control for Feast instances deployed by the Feast Operator.
Please read these reference documents to understand the Feast RBAC framework.
In this notebook, we will deploy a distributed topology of Feast services, which includes:
- Registry Server: Handles metadata storage for feature definitions.
- Online Store Server: Uses the Registry Server to query metadata and is responsible for low-latency serving of features.
- Offline Store Server: Uses the Registry Server to query metadata and provides access to batch data for historical feature retrieval.

Additionally, we will cover:
!kubectl create ns feast
!kubectl config set-context --current --namespace feast
Validate the cluster setup:
!kubectl get ns feast
Feast Admins or MLOps Engineers may require Kubernetes cluster-admin roles when working with OpenShift clusters. Below is the list of steps required to set up Feast RBAC with the Operator as an Admin or MLOps Engineer.
## Use this install command from a stable branch
!kubectl apply -f ../../infra/feast-operator/dist/install.yaml
## OR, for the latest code/builds, use one the following commands from the 'master' branch
# !make -C ../../infra/feast-operator install deploy IMG=quay.io/feastdev-ci/feast-operator:develop FS_IMG=quay.io/feastdev-ci/feature-server:develop
# !make -C ../../infra/feast-operator install deploy IMG=quay.io/feastdev-ci/feast-operator:$(git rev-parse HEAD) FS_IMG=quay.io/feastdev-ci/feature-server:$(git rev-parse HEAD)
!kubectl wait --for=condition=available --timeout=5m deployment/feast-operator-controller-manager -n feast-operator-system
Next, we'll use the running Feast Operator to install the Feast services (online, offline and registry server components) with Kubernetes authorization enabled. Apply the included reference deployment to install and configure Feast with Kubernetes authorization.
!cat ../../infra/feast-operator/config/samples/v1_featurestore_kubernetes_auth.yaml
!kubectl apply -f ../../infra/feast-operator/config/samples/v1_featurestore_kubernetes_auth.yaml -n feast
Validate the deployment status.
!kubectl get all
!kubectl wait --for=condition=available --timeout=8m deployment/feast-sample-kubernetes-auth
Validate that the FeatureStore CR is in a Ready state.
!kubectl get feast
Because the FeatureStore CR created Kubernetes roles to manage access control for Feast objects, the Python script permissions_apply.py maps those roles onto Feast permissions. See the commented script below.
#view the permissions
!cat permissions_apply.py
# Copy the Permissions to the pods under feature_repo directory
!kubectl cp permissions_apply.py $(kubectl get pods -l 'feast.dev/name=sample-kubernetes-auth' -ojsonpath="{.items[*].metadata.name}"):/feast-data/feast_rbac/feature_repo -c online
#view the feature_store.yaml configuration
!kubectl exec deploy/feast-sample-kubernetes-auth -itc online -- cat feature_store.yaml
!kubectl exec deploy/feast-sample-kubernetes-auth -itc online -- feast apply
List the applied permissions on Feast resources.
!kubectl exec deploy/feast-sample-kubernetes-auth -itc online -- feast permissions list-roles
!kubectl exec deploy/feast-sample-kubernetes-auth -itc online -- feast permissions list
!kubectl exec deploy/feast-sample-kubernetes-auth -itc online -- feast permissions describe feast_admin_permission
!kubectl exec deploy/feast-sample-kubernetes-auth -itc online -- feast permissions describe feast_user_permission
The steps below will create the following ServiceAccounts and RoleBindings:
| User Type | ServiceAccount | RoleBinding Assigned | Expected Behavior in output |
|---|---|---|---|
| Read-Only | feast-user-sa | feast-reader | Can read from the feature store, but cannot write. |
| Unauthorized | feast-unauthorized-user-sa | None | Access should be denied in test.py. |
| Admin | feast-admin-sa | feast-writer | Can read and write feature store data. |
(ServiceAccount: feast-user-sa, Role: feast-reader)
# Step 1: Create the ServiceAccount
!echo "Creating ServiceAccount: feast-user-sa"
!kubectl create serviceaccount feast-user-sa -n feast
# Step 2: Assign RoleBinding (Read-Only Access for Feast)
!echo "Assigning Read-Only RoleBinding: feast-user-rolebinding"
!kubectl create rolebinding feast-user-rolebinding --role=feast-reader --serviceaccount=feast:feast-user-sa -n feast
(ServiceAccount: feast-unauthorized-user-sa, Role: None)
# Create the ServiceAccount (Without RoleBinding)
!echo "Creating Unauthorized ServiceAccount: feast-unauthorized-user-sa"
!kubectl create serviceaccount feast-unauthorized-user-sa -n feast
(ServiceAccount: feast-admin-sa, Role: feast-writer)
# Create the ServiceAccount
!echo "Creating ServiceAccount: feast-admin-sa"
!kubectl create serviceaccount feast-admin-sa -n feast
# Assign RoleBinding (Admin Access for Feast)
!echo "Assigning Admin RoleBinding: feast-admin-rolebinding"
!kubectl create rolebinding feast-admin-rolebinding --role=feast-writer --serviceaccount=feast:feast-admin-sa -n feast
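After the three accounts and two RoleBindings exist, it is worth checking that the namespace actually matches the table above, since a stray or mistyped binding (for example one that hands feast-writer to the unauthorized account) would silently widen access. The audit below is an added example, not part of the Feast project or this notebook: it derives each ServiceAccount's roles from the RoleBindings in the namespace and compares them with the table. The `SAMPLE_ROLEBINDINGS` value is constructed to look like the parsed output of `kubectl get rolebindings -n feast -o json`; `fetch_rolebindings()` reads the live namespace instead and needs cluster access.

```python
"""Audit the RBAC wiring created above: derive each ServiceAccount's Feast
roles from the namespace RoleBindings and compare with the runbook's table.

Added example; not part of the Feast project. The sample RoleBinding list is
constructed to look like parsed `kubectl get rolebindings -n feast -o json`.
"""
import json
import subprocess
from typing import Dict, List, Set

NAMESPACE = "feast"

# Expected state from the table above: ServiceAccount -> Feast roles.
EXPECTED: Dict[str, Set[str]] = {
    "feast-user-sa": {"feast-reader"},
    "feast-unauthorized-user-sa": set(),
    "feast-admin-sa": {"feast-writer"},
}

# Constructed sample (not captured from a cluster) in the shape kubectl returns.
SAMPLE_ROLEBINDINGS = {
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "feast-user-rolebinding", "namespace": "feast"},
            "roleRef": {"kind": "Role", "name": "feast-reader"},
            "subjects": [{"kind": "ServiceAccount", "name": "feast-user-sa", "namespace": "feast"}],
        },
        {
            "metadata": {"name": "feast-admin-rolebinding", "namespace": "feast"},
            "roleRef": {"kind": "Role", "name": "feast-writer"},
            "subjects": [{"kind": "ServiceAccount", "name": "feast-admin-sa", "namespace": "feast"}],
        },
        {
            # A binding whose subject is a Group, not a ServiceAccount: ignored by the audit.
            "metadata": {"name": "team-view", "namespace": "feast"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
    ],
}


def roles_by_serviceaccount(rolebindings: dict, namespace: str = NAMESPACE) -> Dict[str, Set[str]]:
    """Map each ServiceAccount in `namespace` to the roleRef names bound to it.

    Any roleRef kind counts as a role here: a RoleBinding to a ClusterRole still
    grants within the namespace, and the audit should surface it.
    """
    roles: Dict[str, Set[str]] = {}
    for rb in rolebindings.get("items", []):
        role_name = rb.get("roleRef", {}).get("name")
        if not role_name:
            continue
        for subject in rb.get("subjects") or []:  # subjects may be null
            if subject.get("kind") != "ServiceAccount":
                continue
            # A subject without a namespace field defaults to the binding's namespace.
            sa_ns = subject.get("namespace") or rb.get("metadata", {}).get("namespace", namespace)
            if sa_ns != namespace:
                continue
            roles.setdefault(subject["name"], set()).add(role_name)
    return roles


def audit(actual: Dict[str, Set[str]], expected: Dict[str, Set[str]] = EXPECTED) -> List[str]:
    """Return one finding per ServiceAccount whose roles differ from the table.

    An empty list means every expected account holds exactly the expected roles,
    including the unauthorized account holding none.
    """
    problems: List[str] = []
    for sa, want in expected.items():
        have = actual.get(sa, set())
        if have != want:
            problems.append(
                f"{sa}: expected {sorted(want) or 'no roles'}, found {sorted(have) or 'no roles'}"
            )
    return problems


def fetch_rolebindings(namespace: str = NAMESPACE) -> dict:
    """Read the live RoleBindings with kubectl (requires cluster access)."""
    out = subprocess.run(
        ["kubectl", "get", "rolebindings", "-n", namespace, "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Runs against the constructed sample; replace with fetch_rolebindings()
    # to audit the real namespace once the cells above have been executed.
    findings = audit(roles_by_serviceaccount(SAMPLE_ROLEBINDINGS))
    print("OK: RoleBindings match the table" if not findings else "\n".join(findings))
```

Running it against the sample reports a match; swapping in `fetch_rolebindings()` after the cells above turns it into a quick drift check that can be re-run whenever bindings in the namespace change.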