This document describes the authentication and authorization capabilities in Feast that support groups, namespaces and roles extraction from Kubernetes tokens.
GitBook Assistant
Overview
Feast supports extracting user groups, namespaces and roles of both Service Account and User from Kubernetes authentication tokens. This allows for more granular access control based on:
GitBook Assistant
Groups: User groups associated directly with User/SA and from associated namespace
GitBook Assistant
Namespaces: Kubernetes namespaces associated with User/SA
GitBook Assistant
Roles: Kubernetes roles associated with User/SA
GitBook Assistant
Key Features
Setting Up Kubernetes RBAC for Feast
Role based auth setup
To ensure the Kubernetes RBAC environment aligns with Feast's RBAC configuration, follow these guidelines:
GitBook Assistant
The roles defined in Feast Permission instances must have corresponding Kubernetes RBAC Role names.
GitBook Assistant
The Kubernetes RBAC Role must reside in the same namespace as the Feast service.
GitBook Assistant
The client application can run in a different namespace, using its own dedicated ServiceAccount.
GitBook Assistant
Finally, the RoleBinding that links the client ServiceAccount to the RBAC Role must be defined in the namespace of the Feast service.
GitBook Assistant
Group and Namespace based auth setup
To ensure the Kubernetes RBAC environment aligns with Feast's RBAC configuration, follow these guidelines:
GitBook Assistant
The groups and namespaces defined in Feast Permission instances must have corresponding Kubernetes Group and Namespace names.
GitBook Assistant
The user or service account must reside in the group or namespace defined in the Feast Permission instances.
GitBook Assistant
The client application can run in a different namespace, using its own dedicated ServiceAccount or user.
GitBook Assistant
Finally, the feast service grants access based on the group and namespace association defined in the Feast Permission instances.
GitBook Assistant
Policy Types
RoleBasedPolicy
Grants access based on user role membership.
GitBook Assistant
GroupBasedPolicy
Grants access based on user group membership.
GitBook Assistant
NamespaceBasedPolicy
Grants access based on user namespace association.
GitBook Assistant
CombinedGroupNamespacePolicy
Grants access only when user is added into either permitted groups OR namespaces.
GitBook Assistant
Configuration
Server Configuration
The server automatically extracts groups, namespaces and roles when using Kubernetes authentication. No additional configuration is required beyond the existing Kubernetes auth setup.
GitBook Assistant
Client Configuration
For external users (not service accounts), you can provide a user token in the configuration: