[pydantic issue] User token parsing fixed

Signed-off-by: jyejare <[email protected]>

Author: jyejare

infra/feast-operator/config/rbac/role.yaml

@@ -15,6 +15,12 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 - apiGroups:
   - batch
   resources:
@@ -44,11 +50,13 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - namespaces
   - pods
   - secrets
   verbs:
   - get
   - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -84,8 +92,11 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
+  - clusterrolebindings
+  - clusterroles
   - rolebindings
   - roles
+  - subjectaccessreviews
   verbs:
   - create
   - delete
@@ -104,32 +115,3 @@ rules:
   - list
   - update
   - watch
-# Token Access Review permissions for Feast server RBAC creation
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterroles
-  - clusterrolebindings
-  verbs:
-  - get
-  - list

infra/feast-operator/internal/controller/authz/authz.go

@@ -37,13 +37,23 @@ func (authz *FeastAuthorization) deployKubernetesAuth() error {
 	if authz.isKubernetesAuth() {
 		authz.removeOrphanedRoles()
 
+		// Create namespace-scoped RBAC resources
 		if err := authz.createFeastRole(); err != nil {
 			return authz.setFeastKubernetesAuthCondition(err)
 		}
 		if err := authz.createFeastRoleBinding(); err != nil {
 			return authz.setFeastKubernetesAuthCondition(err)
 		}
 
+		// Create cluster-scoped RBAC resources (separate from namespace resources)
+		if err := authz.createFeastClusterRole(); err != nil {
+			return authz.setFeastKubernetesAuthCondition(err)
+		}
+		if err := authz.createFeastClusterRoleBinding(); err != nil {
+			return authz.setFeastKubernetesAuthCondition(err)
+		}
+
+		// Create custom auth roles
 		for _, roleName := range authz.Handler.FeatureStore.Status.Applied.AuthzConfig.KubernetesAuthz.Roles {
 			if err := authz.createAuthRole(roleName); err != nil {
 				return authz.setFeastKubernetesAuthCondition(err)
@@ -89,6 +99,80 @@ func (authz *FeastAuthorization) createFeastRole() error {
 	return nil
 }
 
+func (authz *FeastAuthorization) createFeastClusterRole() error {
+	logger := log.FromContext(authz.Handler.Context)
+	clusterRole := authz.initFeastClusterRole()
+	if op, err := controllerutil.CreateOrUpdate(authz.Handler.Context, authz.Handler.Client, clusterRole, controllerutil.MutateFn(func() error {
+		return authz.setFeastClusterRole(clusterRole)
+	})); err != nil {
+		return err
+	} else if op == controllerutil.OperationResultCreated || op == controllerutil.OperationResultUpdated {
+		logger.Info("Successfully reconciled", "ClusterRole", clusterRole.Name, "operation", op)
+	}
+
+	return nil
+}
+
+func (authz *FeastAuthorization) initFeastClusterRole() *rbacv1.ClusterRole {
+	clusterRole := &rbacv1.ClusterRole{
+		ObjectMeta: metav1.ObjectMeta{Name: authz.getFeastClusterRoleName()},
+	}
+	clusterRole.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("ClusterRole"))
+	return clusterRole
+}
+
+func (authz *FeastAuthorization) setFeastClusterRole(clusterRole *rbacv1.ClusterRole) error {
+	clusterRole.Labels = authz.getLabels()
+	clusterRole.Rules = []rbacv1.PolicyRule{
+		{
+			APIGroups: []string{rbacv1.GroupName},
+			Resources: []string{"rolebindings"},
+			Verbs:     []string{"list"},
+		},
+	}
+	return nil
+}
+
+func (authz *FeastAuthorization) initFeastClusterRoleBinding() *rbacv1.ClusterRoleBinding {
+	clusterRoleBinding := &rbacv1.ClusterRoleBinding{
+		ObjectMeta: metav1.ObjectMeta{Name: authz.getFeastClusterRoleBindingName()},
+	}
+	clusterRoleBinding.SetGroupVersionKind(rbacv1.SchemeGroupVersion.WithKind("ClusterRoleBinding"))
+	return clusterRoleBinding
+}
+
+func (authz *FeastAuthorization) setFeastClusterRoleBinding(clusterRoleBinding *rbacv1.ClusterRoleBinding) error {
+	clusterRoleBinding.Labels = authz.getLabels()
+	clusterRoleBinding.Subjects = []rbacv1.Subject{
+		{
+			Kind:      "ServiceAccount",
+			Name:      authz.getFeastServiceAccountName(),
+			Namespace: authz.Handler.FeatureStore.Namespace,
+		},
+	}
+	clusterRoleBinding.RoleRef = rbacv1.RoleRef{
+		APIGroup: rbacv1.GroupName,
+		Kind:     "ClusterRole",
+		Name:     authz.getFeastClusterRoleName(),
+	}
+	return nil
+}
+
+// Create ClusterRoleBinding
+func (authz *FeastAuthorization) createFeastClusterRoleBinding() error {
+	logger := log.FromContext(authz.Handler.Context)
+	clusterRoleBinding := authz.initFeastClusterRoleBinding()
+	if op, err := controllerutil.CreateOrUpdate(authz.Handler.Context, authz.Handler.Client, clusterRoleBinding, controllerutil.MutateFn(func() error {
+		return authz.setFeastClusterRoleBinding(clusterRoleBinding)
+	})); err != nil {
+		return err
+	} else if op == controllerutil.OperationResultCreated || op == controllerutil.OperationResultUpdated {
+		logger.Info("Successfully reconciled", "ClusterRoleBinding", clusterRoleBinding.Name, "operation", op)
+	}
+
+	return nil
+}
+
 func (authz *FeastAuthorization) initFeastRole() *rbacv1.Role {
 	role := &rbacv1.Role{
 		ObjectMeta: metav1.ObjectMeta{Name: authz.getFeastRoleName(), Namespace: authz.Handler.FeatureStore.Namespace},
@@ -230,3 +314,23 @@ func (authz *FeastAuthorization) getFeastRoleName() string {
 func GetFeastRoleName(featureStore *feastdevv1alpha1.FeatureStore) string {
 	return services.GetFeastName(featureStore)
 }
+
+func (authz *FeastAuthorization) getFeastClusterRoleName() string {
+	return GetFeastClusterRoleName(authz.Handler.FeatureStore)
+}
+
+func GetFeastClusterRoleName(featureStore *feastdevv1alpha1.FeatureStore) string {
+	return services.GetFeastName(featureStore) + "-cluster"
+}
+
+func (authz *FeastAuthorization) getFeastClusterRoleBindingName() string {
+	return GetFeastClusterRoleBindingName(authz.Handler.FeatureStore)
+}
+
+func GetFeastClusterRoleBindingName(featureStore *feastdevv1alpha1.FeatureStore) string {
+	return services.GetFeastName(featureStore) + "-cluster-binding"
+}
+
+func (authz *FeastAuthorization) getFeastServiceAccountName() string {
+	return services.GetFeastName(authz.Handler.FeatureStore)
+}

infra/feast-operator/internal/controller/featurestore_controller.go

@@ -59,9 +59,10 @@ type FeatureStoreReconciler struct {
 // +kubebuilder:rbac:groups=feast.dev,resources=featurestores/finalizers,verbs=update
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;create;update;watch;delete
 // +kubebuilder:rbac:groups=core,resources=services;configmaps;persistentvolumeclaims;serviceaccounts,verbs=get;list;create;update;watch;delete
-// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=get;list;create;update;watch;delete
-// +kubebuilder:rbac:groups=core,resources=secrets;pods,verbs=get;list
+// +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings;clusterroles;clusterrolebindings;subjectaccessreviews,verbs=get;list;create;update;watch;delete
+// +kubebuilder:rbac:groups=core,resources=secrets;pods;namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups=core,resources=pods/exec,verbs=create
+// +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
 // +kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;create;update;watch;delete
 // +kubebuilder:rbac:groups=batch,resources=cronjobs,verbs=get;list;watch;create;update;patch;delete