Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: RBAC Authorization in Feast Operator #4786

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

feat: RBAC Authorization in Feast Operator #4786

wants to merge 11 commits into from
+1,461 −193

Conversation

dmartinol
Copy link
Contributor

@dmartinol dmartinol commented Nov 22, 2024
edited
Loading

What this PR does / why we need it:

Adding support to define the kubernetes authorization manager with the Feast Operator.

  • All services are configured to adopt this authorization manager.
  • Services runs with a ServiceAccount that is bound to a newly created Role allowing to get, list, watch the other Roles and RoleBindings in the same namespace.
  • Admins are not requested to perform any manual configuration once the custom resource is installed.

Sample manifest to configure the deployments:

apiVersion: feast.dev/v1alpha1
kind: FeatureStore
metadata:
  name: sample-kubernetes-auth
spec:
  feastProject: my_project
  services:
    onlineStore: {}
    offlineStore: {}
    registry: {}
  authz:
    kubernetes:
      roles:
        - reader
        - writer

Which issue(s) this PR fixes:

Relates to #4765
Next PR will add support for the OIDC authorization.

@dmartinol dmartinol requested a review from a team as a code owner November 22, 2024 21:34
@dmartinol
Copy link
Contributor Author

@tchughesiv @redhatHameed @tmihalac

tchughesiv
tchughesiv suggested changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@tchughesiv tchughesiv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for this! only a few nits so far

infra/feast-operator/internal/controller/services/services_types.go Outdated Show resolved Hide resolved
infra/feast-operator/internal/controller/services/services_types.go Outdated Show resolved Hide resolved
infra/feast-operator/internal/controller/services/services_types.go Outdated Show resolved Hide resolved
infra/feast-operator/internal/controller/services/util.go Outdated Show resolved Hide resolved
tchughesiv
tchughesiv suggested changes Nov 26, 2024
View reviewed changes
Copy link
Contributor

@tchughesiv tchughesiv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few nits ... otherwise lgtm

infra/feast-operator/api/v1alpha1/featurestore_types.go Outdated Show resolved Hide resolved
infra/feast-operator/api/v1alpha1/featurestore_types.go Outdated Show resolved Hide resolved
infra/feast-operator/api/v1alpha1/featurestore_types.go Outdated Show resolved Hide resolved
infra/feast-operator/api/v1alpha1/featurestore_types.go Outdated Show resolved Hide resolved
infra/feast-operator/internal/controller/services/services_types.go Outdated Show resolved Hide resolved
@dmartinol
Initial commit
fa6be07 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
refactoring types with FeastHandler
bcd7fe4 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
no private image
17e6b43 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
removed log-level
0817c9c 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
no empty list for default Role
62861c6 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
removed nameLabelKey, using serices.NameLabelKey
a4c9378 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
improved CRD comments and using IsLocalRegistry
c9a583c 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
fixing generated code
f97ab65 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
renamed auth condition and types
2f7bf15 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
post rebase fixes
13dd560 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
more renamings
3e457f1 
Signed-off-by: Daniele Martinoli <[email protected]>
@dmartinol
Copy link
Contributor Author

@feast-dev/reviewers-and-approvers please TAL

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tchughesiv tchughesiv tchughesiv approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
ok-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dmartinol @tchughesiv