Commit

feat: RBAC Authorization in Feast Operator (#4786)
* Initial commit

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* refactoring types with FeastHandler

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no private image

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed log-level

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* no empty list for default Role

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* removed nameLabelKey, using serices.NameLabelKey

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* improved CRD comments and using IsLocalRegistry

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* fixing generated code

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* renamed auth condition and types

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* post rebase fixes

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

* more renamings

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>

---------

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
dmartinol authored Dec 1, 2024
1 parent f226cb9 commit 0ef5acc
Showing 24 changed files with 1,461 additions and 193 deletions.
53 changes: 37 additions & 16 deletions infra/feast-operator/api/v1alpha1/featurestore_types.go
@@ -28,26 +28,29 @@ const (
FailedPhase = "Failed"

// Feast condition types:
ClientReadyType = "Client"
OfflineStoreReadyType = "OfflineStore"
OnlineStoreReadyType = "OnlineStore"
RegistryReadyType = "Registry"
ReadyType = "FeatureStore"
ClientReadyType = "Client"
OfflineStoreReadyType = "OfflineStore"
OnlineStoreReadyType = "OnlineStore"
RegistryReadyType = "Registry"
ReadyType = "FeatureStore"
AuthorizationReadyType = "AuthorizationReadyType"

// Feast condition reasons:
ReadyReason = "Ready"
FailedReason = "FeatureStoreFailed"
OfflineStoreFailedReason = "OfflineStoreDeploymentFailed"
OnlineStoreFailedReason = "OnlineStoreDeploymentFailed"
RegistryFailedReason = "RegistryDeploymentFailed"
ClientFailedReason = "ClientDeploymentFailed"
ReadyReason = "Ready"
FailedReason = "FeatureStoreFailed"
OfflineStoreFailedReason = "OfflineStoreDeploymentFailed"
OnlineStoreFailedReason = "OnlineStoreDeploymentFailed"
RegistryFailedReason = "RegistryDeploymentFailed"
ClientFailedReason = "ClientDeploymentFailed"
KubernetesAuthzFailedReason = "KubernetesAuthorizationDeploymentFailed"

// Feast condition messages:
ReadyMessage = "FeatureStore installation complete"
OfflineStoreReadyMessage = "Offline Store installation complete"
OnlineStoreReadyMessage = "Online Store installation complete"
RegistryReadyMessage = "Registry installation complete"
ClientReadyMessage = "Client installation complete"
ReadyMessage = "FeatureStore installation complete"
OfflineStoreReadyMessage = "Offline Store installation complete"
OnlineStoreReadyMessage = "Online Store installation complete"
RegistryReadyMessage = "Registry installation complete"
ClientReadyMessage = "Client installation complete"
KubernetesAuthzReadyMessage = "Kubernetes authorization installation complete"

// entity_key_serialization_version
SerializationVersion = 3
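Review bot: the value of the new AuthorizationReadyType constant breaks the convention of the other condition types in this block; they are short names ("Client", "OfflineStore", "OnlineStore", "Registry", "FeatureStore"), while this one repeats its own Go identifier: `AuthorizationReadyType = "AuthorizationReadyType"`. Suggest `AuthorizationReadyType = "Authorization"` so the condition type written to status follows the same pattern as the others. The reason and message constants added alongside it (`KubernetesAuthzFailedReason`, `KubernetesAuthzReadyMessage`) do follow the existing pattern.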
@@ -59,6 +62,7 @@ type FeatureStoreSpec struct {
// FeastProject is the Feast project id. This can be any alphanumeric string with underscores, but it cannot start with an underscore. Required.
FeastProject string `json:"feastProject"`
Services *FeatureStoreServices `json:"services,omitempty"`
AuthzConfig *AuthzConfig `json:"authz,omitempty"`
}

// FeatureStoreServices defines the desired feast service deployments. ephemeral registry is deployed by default.
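Review bot: the new `AuthzConfig` field on FeatureStoreSpec carries no doc comment, unlike `FeastProject` two lines above it, so the generated CRD has to fall back to the AuthzConfig type's comment for the `authz` property. A one-line field comment stating that the block is optional and that omitting it means the operator creates no authorization resources would make the schema self-explanatory; a `// +optional` marker would record the same intent in the generated schema.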
@@ -263,6 +267,23 @@ type OptionalConfigs struct {
Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
}

// AuthzConfig defines the authorization settings for the deployed Feast services.
type AuthzConfig struct {
KubernetesAuthz *KubernetesAuthz `json:"kubernetes,omitempty"`
}

// KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
// https://kubernetes.io/docs/reference/access-authn-authz/rbac/
type KubernetesAuthz struct {
// The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
// Roles are managed by the operator and created with an empty list of rules.
// See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
// The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
// This configuration option is only providing a way to automate this procedure.
// Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
Roles []string `json:"roles,omitempty"`
}

// FeatureStoreStatus defines the observed state of FeatureStore
type FeatureStoreStatus struct {
// Shows the currently applied feast configuration, including any pertinent defaults
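Review bot: the `Roles` comment on KubernetesAuthz leaves the lifecycle of the managed Roles undefined, and the gap matters because this same change grants the operator update and delete on Roles in config/rbac/role.yaml. The comment says the roles "are managed by the operator and created with an empty list of rules" and that "roles can be managed independently", but it does not say what happens when a Role with one of these names already exists in the namespace (is it adopted and its rules replaced with an empty list, or left untouched?) or when a name is removed from the list (is the Role deleted, leaving any RoleBinding that references it dangling?). Suggest stating both cases here and, if the reconcile path does overwrite, reconsidering that: an admin who populated rules on a Role of the same name would silently lose them on the next reconcile. Separately, the field accepts any string while Role names must be valid Kubernetes object names, so a validation marker on the items (and a MinItems constraint if an empty list is not meaningful, which the "no empty list for default Role" commit suggests) would reject bad input at admission rather than at reconcile time.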
45 changes: 45 additions & 0 deletions infra/feast-operator/api/v1alpha1/zz_generated.deepcopy.go
44 changes: 44 additions & 0 deletions infra/feast-operator/config/crd/bases/feast.dev_featurestores.yaml
@@ -48,6 +48,28 @@ spec:
spec:
description: FeatureStoreSpec defines the desired state of FeatureStore
properties:
authz:
description: AuthzConfig defines the authorization settings for the
deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
type: object
type: object
feastProject:
description: FeastProject is the Feast project id. This can be any
alphanumeric string with underscores, but it cannot start with an
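Review bot: the generated schema for `spec.authz.kubernetes.roles` is an unconstrained array of strings: no `minItems`, no item `pattern` or `minLength`, and no uniqueness, so an empty string or a duplicated name is accepted by the API server and only fails, or is silently collapsed, during reconcile. Since this file is generated from featurestore_types.go, the fix belongs in the Go type's validation markers, followed by regeneration, not in a hand edit here.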
@@ -1048,6 +1070,28 @@ spec:
description: Shows the currently applied feast configuration, including
any pertinent defaults
properties:
authz:
description: AuthzConfig defines the authorization settings for
the deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
type: object
type: object
feastProject:
description: FeastProject is the Feast project id. This can be
any alphanumeric string with underscores, but it cannot start
11 changes: 11 additions & 0 deletions infra/feast-operator/config/rbac/role.yaml
@@ -62,3 +62,14 @@ rules:
- get
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- create
- delete
- get
- list
- update
- watch
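Review bot: the new rule grants create, delete, get, list, update and watch on Roles in rbac.authorization.k8s.io, but not `patch`; if the reconciler writes the Role with a Patch or server-side apply call it will be denied, so this is worth checking against the controller code. On the permission scope itself the grant is reasonable: `escalate` and `bind` are absent, so the API server's RBAC escalation check still prevents the operator from creating a Role holding permissions the operator does not itself have, and the Roles it creates are empty per the CRD doc. Note that these verbs apply wherever this manager role is bound, not only in the FeatureStore namespace; a deployment that binds it cluster-wide, as kubebuilder-generated manager roles usually are, lets the operator create and delete Roles in every namespace, which is the trade-off being accepted here.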
@@ -0,0 +1,14 @@
apiVersion: feast.dev/v1alpha1
kind: FeatureStore
metadata:
name: sample-all-default
spec:
feastProject: my_project
services:
onlineStore:
image: 'feastdev/feature-server:0.40.0'
offlineStore:
image: 'feastdev/feature-server:0.40.0'
registry:
local:
image: 'feastdev/feature-server:0.40.0'
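Review bot: the sample is named sample-all-default but overrides the image for all three services with `feastdev/feature-server:0.40.0`, so it does not exercise the operator's default images at all. Either drop the three `image` fields so the sample demonstrates the defaults, or rename it to reflect that it pins an explicit image. If pinning is the intent, a digest reference would make the sample reproducible, though a version tag is acceptable for a sample.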
@@ -0,0 +1,25 @@
apiVersion: feast.dev/v1alpha1
kind: FeatureStore
metadata:
name: sample-kubernetes-auth
spec:
feastProject: my_project
services:
onlineStore:
persistence:
file:
path: /data/online_store.db
offlineStore:
persistence:
file:
type: dask
registry:
local:
persistence:
file:
path: /data/registry.db
authz:
kubernetes:
roles:
- reader
- writer
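Review bot: the sample shows the `authz.kubernetes.roles` list but nothing about what to do with the resulting Roles. A comment noting that `reader` and `writer` are created with empty rules, that the admin still has to create RoleBindings for the subjects, and that the same role names must be referenced in the Feast permissions (https://docs.feast.dev/getting-started/concepts/permission) would make the sample usable on its own. Without RoleBindings the Roles grant nothing, which is the safe default, but a user copying the sample may assume authorization is fully configured once it applies.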
55 changes: 55 additions & 0 deletions infra/feast-operator/dist/install.yaml
@@ -56,6 +56,28 @@ spec:
spec:
description: FeatureStoreSpec defines the desired state of FeatureStore
properties:
authz:
description: AuthzConfig defines the authorization settings for the
deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
type: object
type: object
feastProject:
description: FeastProject is the Feast project id. This can be any
alphanumeric string with underscores, but it cannot start with an
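Review bot: this is the generated copy of the CRD change in config/crd/bases/feast.dev_featurestores.yaml and matches it line for line, including the unconstrained `roles` array; any validation markers added to the Go type have to be regenerated into both files together rather than edited here.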
@@ -1056,6 +1078,28 @@ spec:
description: Shows the currently applied feast configuration, including
any pertinent defaults
properties:
authz:
description: AuthzConfig defines the authorization settings for
the deployed Feast services.
properties:
kubernetes:
description: |-
KubernetesAuthz provides a way to define the authorization settings using Kubernetes RBAC resources.
https://kubernetes.io/docs/reference/access-authn-authz/rbac/
properties:
roles:
description: |-
The Kubernetes RBAC roles to be deployed in the same namespace of the FeatureStore.
Roles are managed by the operator and created with an empty list of rules.
See the Feast permission model at https://docs.feast.dev/getting-started/concepts/permission
The feature store admin is not obligated to manage roles using the Feast operator, roles can be managed independently.
This configuration option is only providing a way to automate this procedure.
Important note: the operator cannot ensure that these roles will match the ones used in the configured Feast permissions.
items:
type: string
type: array
type: object
type: object
feastProject:
description: FeastProject is the Feast project id. This can be
any alphanumeric string with underscores, but it cannot start
@@ -2324,6 +2368,17 @@ rules:
- get
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- create
- delete
- get
- list
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
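Review bot: the RBAC hunk matches config/rbac/role.yaml exactly (same six verbs, no `patch`, no `escalate` or `bind`), so the install bundle is in sync with the source manifest; the trailing context shows it sits in the generated ClusterRole section of the bundle, which is where the cluster-wide scope of the Roles grant noted on role.yaml comes from.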