
examples/operator-rbac/2-client-rbac-test-pod.ipynb


Feast Client with RBAC

Feast Kubernetes RBAC Authorization

Feast Role-Based Access Control (RBAC) in Kubernetes relies on a service account for authentication. This applies both within a Kubernetes pod and for external clients accessing Feast.

In this example, Feast will automatically retrieve the Kubernetes ServiceAccount token from the pod path:

/var/run/secrets/kubernetes.io/serviceaccount/token

This means:

  • No manual configuration is needed inside a pod.
  • The token is mounted automatically and used for authentication.
  • The developer or user only needs to create the binding between the role and the service account.

For more details, refer to the user guide: Kubernetes RBAC Authorization.
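As an added example (not part of the Feast notebook), the following Python decodes the claims of the mounted ServiceAccount token to confirm which service account and namespace it asserts, and whether it has expired, before it is used as a bearer token. The helper names `describe_sa_token` and `make_sample_token` are hypothetical, the sample token for feast-user-sa in namespace feast is constructed and unsigned, and the code only decodes the payload without verifying the signature.

```python
import base64
import json
import time

# Path from this page; inside a pod the kubelet mounts the token here.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def describe_sa_token(token, now=None):
    """Decode (NOT verify) a ServiceAccount JWT and summarise its identity."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    sub = claims.get("sub", "")
    prefix = "system:serviceaccount:"
    # Kubernetes subjects look like system:serviceaccount:<namespace>:<name>.
    if not sub.startswith(prefix) or sub.count(":") != 3:
        raise ValueError(f"subject is not a service account: {sub!r}")
    namespace, name = sub[len(prefix):].split(":")
    now = time.time() if now is None else now
    exp = claims.get("exp")  # absent on legacy, non-expiring tokens
    aud = claims.get("aud", [])
    return {
        "namespace": namespace,
        "service_account": name,
        "audiences": [aud] if isinstance(aud, str) else list(aud),
        "expired": exp is not None and exp <= now,
        "seconds_left": None if exp is None else int(exp - now),
    }


def make_sample_token(sub, exp):
    """Constructed, unsigned sample token for offline runs (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"sub": sub, "exp": exp, "aud": ["https://kubernetes.default.svc"]}
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2ln"


if __name__ == "__main__":
    try:
        with open(TOKEN_PATH) as fh:
            token = fh.read()
    except OSError:  # not in a pod: fall back to the constructed sample
        token = make_sample_token("system:serviceaccount:feast:feast-user-sa", 1_900_000_000)
    print(describe_sa_token(token))
```

Run inside a client pod, it reports the identity that the RoleBinding must reference; a mismatch with the expected service account explains an unexpected permission result.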

Feature Store settings

The Operator creates a client ConfigMap containing the feature_store.yaml settings. We can retrieve it and save it to the feature_repo folder.

python
# !kubectl get configmap feast-sample-kubernetes-auth-client -n feast -o jsonpath='{.data.feature_store\.yaml}' > client/feature_repo/feature_store.yaml
!cat  client/feature_repo/feature_store.yaml

Create ConfigMap From Feature Repository
We need feature_repo inside the container. Let's create a ConfigMap from feature_repo that contains the feature repository files, including feature_store.yaml and test.py. It will be mounted as a volume in the deployment so the client examples can run the test script.

python
!kubectl delete configmap client-feature-repo-config --ignore-not-found -n feast 
!kubectl create configmap client-feature-repo-config --from-file=client/feature_repo -n feast

Testing

0. Let's Run Materialization on the Feature Server

python
!kubectl exec deploy/feast-sample-kubernetes-auth -itc online -- feast materialize -v driver_hourly_stats 2025-05-08T12:00:00Z 2025-05-20T12:00:00Z

1. Test Read-Only Feast User

Step 1: Deploy the read-only user. The deployment uses serviceAccountName feast-user-sa.

python
# Create the deployment 
!cat client/readonly_user_deployment.yaml
!kubectl apply -f "client/readonly_user_deployment.yaml"

Step 2: Run the test.py script for client-readonly-user. The read-only user can only read or query all objects.

python
# Run the test.py script from the pod to test RBAC for client-readonly-user.
# Verify that the logs for the write operation show the message below:
# --- Write to Feature Store ---
# *** PERMISSION DENIED *** User lacks permission to modify the feature store.

!kubectl exec -n feast -it $(kubectl get pods -n feast -l app=client-user -o jsonpath="{.items[0].metadata.name}") -- python test.py

Step 3: Run an API request for client-readonly-user. The read-only user can only read or query all objects.

Required:

  • User's Bearer Token
    • Get the user token from /var/run/secrets/kubernetes.io/serviceaccount/token, or run kubectl whoami -t on the client pod.
    • Replace <client_user_token> below with the token obtained above.

python
# Run the curl command to test RBAC for client-readonly-user.
!kubectl exec -it $(kubectl get pods -n feast -l app=client-user -o jsonpath="{.items[0].metadata.name}") -n feast -- curl -X POST http://feast-sample-kubernetes-auth-online/get-online-features -H "Content-Type: application/json" -H "Authorization: Bearer <client_user_token>" -d '{"features": ["driver_hourly_stats:conv_rate","driver_hourly_stats:acc_rate"], "entities":{"driver_id": [1001, 1002]}}'

2. Test Unauthorized Feast User

Step 1: Run the test.py script for client-unauthorized-user. The unauthorized user cannot even view the objects.

python
!kubectl apply -f "client/unauthorized_user_deployment.yaml"

python
!kubectl exec -n feast -it $(kubectl get pods -n feast -l app=client-unauthorized-user -o jsonpath="{.items[0].metadata.name}") -- python test.py

Step 2: Run an API request for the unauthorized user. The unauthorized user should not even be able to view the objects.

Required:

  • User's Bearer Token
    • Get the user token from /var/run/secrets/kubernetes.io/serviceaccount/token, or run kubectl whoami -t on the client pod.
    • Replace <client_user_token> below with the token obtained above.

python
# Run the curl command to test RBAC for client-unauthorized-user.
!kubectl exec -it $(kubectl get pods -n feast -l app=client-unauthorized-user -o jsonpath="{.items[0].metadata.name}") -n feast -- curl -X POST http://feast-sample-kubernetes-auth-online/get-online-features -H "Content-Type: application/json" -H "Authorization: Bearer <client_user_token>" -d '{"features": ["driver_hourly_stats:conv_rate","driver_hourly_stats:acc_rate"], "entities":{"driver_id": [1001, 1002]}}'

3. Test Admin Feast User

Step 1: Run the test.py script for client-admin. client-admin should be able to perform all operations on all objects.

python
!kubectl apply -f "client/admin_user_deployment.yaml"

python
!kubectl exec -n feast -it $(kubectl get pods -n feast -l app=client-admin -o jsonpath="{.items[0].metadata.name}") -- python test.py

Step 2: Run an API request for admin-user. admin-user should be able to read features.

Required:

  • User's Bearer Token
    • Get the user token from /var/run/secrets/kubernetes.io/serviceaccount/token, or run kubectl whoami -t on the client pod.
    • Replace <client_user_token> below with the token obtained above.

python
# Run the curl command to test RBAC for client-admin.
!kubectl exec -it $(kubectl get pods -n feast -l app=client-admin -o jsonpath="{.items[0].metadata.name}") -n feast -- curl -X POST http://feast-sample-kubernetes-auth-online/get-online-features -H "Content-Type: application/json" -H "Authorization: Bearer <client_user_token>" -d '{"features": ["driver_hourly_stats:conv_rate","driver_hourly_stats:acc_rate", "transformed_conv_rate:conv_rate_plus_val1"], "entities":{"driver_id": [1001, 1002], "val_to_add": [1000, 1001], "val_to_add_2": [2000, 2002]}}'
