examples/operator-rbac-openshift-tls/2-client-rbac-test-pod.ipynb
Feast Role-Based Access Control (RBAC) in Kubernetes relies on a service account for authentication. This applies both within a Kubernetes pod and for external clients accessing Feast.
In this example, Feast will automatically retrieve the Kubernetes ServiceAccount token from pod path:
/var/run/secrets/kubernetes.io/serviceaccount/token
This means:
For more details, refer to the user guide: Kubernetes RBAC Authorization.
The Operator creates a client ConfigMap containing the feature_store.yaml settings. We retrieve it and save it to the feature_repo folder.
!kubectl get configmap feast-sample-kubernetes-auth-client -n feast -o jsonpath='{.data.feature_store\.yaml}' > client/feature_repo/feature_store.yaml
!cat client/feature_repo/feature_store.yaml
The Feast operator automatically configures the correct certificate path based on the deployment environment:
/etc/pki/tls/custom-certs/service-ca.crt
/tls/offline/tls.crt
No manual configuration is needed - the operator handles this automatically.
# The operator now automatically configures the correct certificate path
# No manual modification needed - the feature_store.yaml already has the correct paths
print("Certificate paths are automatically configured by the Feast operator")
Create ConfigMap From Feature Repository
We need feature_repo inside the container. Let's create a ConfigMap from feature_repo, which contains the feature repository files, including feature_store.yaml and test.py. It will be mounted as a volume in the client deployments so the test script can run.
!kubectl delete configmap client-feature-repo-config --ignore-not-found -n feast
!kubectl create configmap client-feature-repo-config --from-file=client/feature_repo -n feast
!kubectl exec deploy/feast-sample-kubernetes-auth -itc online -- feast materialize -v driver_hourly_stats 2025-05-08T12:00:00Z 2025-05-20T12:00:00Z
Step 1: Deploy the read-only user; the deployment uses serviceAccountName feast-user-sa.
# Create the deployment
!cat client/readonly_user_deployment_tls.yaml
!kubectl apply -f "client/readonly_user_deployment_tls.yaml"
Step 2: Run the test.py script for client-readonly-user; the read-only user can only read or query objects.
# Run test.py from the pod to test RBAC for client-readonly-user.
# Verify that the log for the write operation shows the message below:
# --- Write to Feature Store ---
# *** PERMISSION DENIED *** User lacks permission to modify the feature store.
!kubectl exec -n feast -it $(kubectl get pods -n feast -l app=client-user -o jsonpath="{.items[0].metadata.name}") -- python test.py
Step 3: Run an API request for client-readonly-user; the read-only user can only read or query objects.
Required:
CA certificate: /etc/pki/tls/custom-certs/service-ca.crt
Token: /var/run/secrets/kubernetes.io/serviceaccount/token OR kubectl whoami -t on the client pod.
# Run curl command to test the RBAC for client-readonly-user.
!kubectl exec -it $(kubectl get pods -n feast -l app=client-user -o jsonpath="{.items[0].metadata.name}") -n feast -- curl --cacert /etc/pki/tls/custom-certs/service-ca.crt -X POST https://feast-sample-kubernetes-auth-online.feast.svc.cluster.local/get-online-features -H "Content-Type: application/json" -H "Authorization: Bearer <client_user_token>" -d '{"features": ["driver_hourly_stats:conv_rate","driver_hourly_stats:acc_rate"], "entities":{"driver_id": [1001, 1002]}}'
Step 1: Run the test.py script for client-unauthorized-user; the unauthorized user cannot even view objects.
!kubectl apply -f "client/unauthorized_user_deployment_tls.yaml"
!kubectl exec -n feast -it $(kubectl get pods -n feast -l app=client-unauthorized-user -o jsonpath="{.items[0].metadata.name}") -- python test.py
Step 2: Run an API request for the unauthorized user; the unauthorized user should not even be able to view objects.
Required:
Token: /var/run/secrets/kubernetes.io/serviceaccount/token OR kubectl whoami -t on the client pod.
# Run curl command to test the RBAC for client-unauthorized-user.
!kubectl exec -it $(kubectl get pods -n feast -l app=client-unauthorized-user -o jsonpath="{.items[0].metadata.name}") -n feast -- curl --cacert /etc/pki/tls/custom-certs/service-ca.crt -X POST https://feast-sample-kubernetes-auth-online.feast.svc.cluster.local/get-online-features -H "Content-Type: application/json" -H "Authorization: Bearer <client_user_token>" -d '{"features": ["driver_hourly_stats:conv_rate","driver_hourly_stats:acc_rate"], "entities":{"driver_id": [1001, 1002]}}'
Step 1: Run the test.py script for client-admin; client-admin should be able to perform all operations on all objects.
!kubectl apply -f "client/admin_user_deployment_tls.yaml"
!kubectl exec -n feast -it $(kubectl get pods -n feast -l app=client-admin -o jsonpath="{.items[0].metadata.name}") -- python test.py
Step 2: Run an API request for the admin user; the admin user should be able to read features.
Required:
CA certificate: /etc/pki/tls/custom-certs/service-ca.crt
Token: /var/run/secrets/kubernetes.io/serviceaccount/token OR kubectl whoami -t on the client pod.
# Run curl command to test the RBAC for client-admin.
!kubectl exec -it $(kubectl get pods -n feast -l app=client-admin -o jsonpath="{.items[0].metadata.name}") -n feast -- curl --cacert /etc/pki/tls/custom-certs/service-ca.crt -X POST https://feast-sample-kubernetes-auth-online.feast.svc.cluster.local/get-online-features -H "Content-Type: application/json" -H "Authorization: Bearer <client_user_token>" -d '{"features": ["driver_hourly_stats:conv_rate","driver_hourly_stats:acc_rate", "transformed_conv_rate:conv_rate_plus_val1"], "entities":{"driver_id": [1001, 1002], "val_to_add": [1000, 1001], "val_to_add_2": [2000, 2002]}}'
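As an added example (not code from the Feast notebook or project), the same get-online-features request the three curl cells above issue, with the service-account token read from the pod path quoted on this page instead of the <client_user_token> placeholder, the TLS connection pinned to the operator-provided CA, and the HTTP status mapped to an RBAC verdict. The 401/403 mapping in rbac_verdict is an assumption to check against your Feast version, and all function names are hypothetical.

```python
"""Added example, not part of the Feast notebook: read the pod's service-account
token, issue the same get-online-features request as the curl cells, and map the
HTTP status to an RBAC verdict. Paths and URL are those quoted on this page."""
import base64
import json
import ssl
import urllib.error
import urllib.request

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
CA_CERT_PATH = "/etc/pki/tls/custom-certs/service-ca.crt"
ONLINE_URL = ("https://feast-sample-kubernetes-auth-online.feast.svc.cluster.local"
              "/get-online-features")

def read_token(path=SA_TOKEN_PATH):
    """Return the projected service-account token without its trailing newline."""
    with open(path) as f:
        return f.read().strip()

def token_subject(token):
    """Decode the JWT payload (no signature check, diagnostic only) and return the
    'sub' claim, e.g. system:serviceaccount:feast:feast-user-sa, so the tester
    knows which identity Feast will evaluate permissions against."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def build_request(token, features, entities, url=ONLINE_URL):
    """Same headers and body as the curl cells, with the placeholder token filled."""
    body = json.dumps({"features": features, "entities": entities}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json", "Authorization": f"Bearer {token}"})

def rbac_verdict(status):
    """Assumed mapping: 401 = token rejected, 403 = authenticated but not permitted."""
    return {200: "allowed", 401: "unauthenticated", 403: "permission denied"}.get(
        status, f"unexpected HTTP {status}")

def get_online_features(token, features, entities, cafile=CA_CERT_PATH):
    """POST to the online server, trusting only the operator-provided CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(build_request(token, features, entities),
                                    context=ctx, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None
```

Run inside the client pod with `status, body = get_online_features(read_token(), [...], {...})` and compare `rbac_verdict(status)` with the expectation for that user (read-only and admin allowed, unauthorized user denied).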