
Operator PVC mount use fails in namespaces w/ privileged Pod security #5324

@tchughesiv

Description


Expected Behavior

With the following FeatureStore spec, the Pod should start successfully (in any namespace) in clusters that support PVC creation -

spec:
  feastProject: my_project
  services:
    offlineStore:
      persistence:
        file:
          pvc:
            create: {}
            mountPath: /offline

Current Behavior

Pod goes into CrashLoopBackOff and throws these errors -
feast-init container -

Creating feast repository...
feast init my_project
bash: line 3: /offline/my_project/feature_repo/feature_store.yaml: Permission denied
Feast repo creation complete

online container -

Can't find feature repo configuration file at /offline/my_project/feature_repo/feature_store.yaml. Make sure you're running feast from an initialized feast repository.

The issue is that the resulting mount is owned by root and does not offer group write permissions.

$ id
uid=1001(default) gid=0(root) groups=0(root)

$ ls -la /offline
total 24
drwxr-xr-x. 4 root root  4096 May  6 13:42 .
dr-xr-xr-x. 1 root root    61 May  6 13:52 ..
drwx------. 2 root root 16384 May  6 13:42 lost+found
drwxr-xr-x. 3 root root  4096 May  6 13:42 my_project

Steps to reproduce

  • Switch to a namespace w/ privileged pod security -
$ kubectl get ns default -oyaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c1,c0
    openshift.io/sa.scc.supplemental-groups: 1000000000/10000
    openshift.io/sa.scc.uid-range: 1000000000/10000
  creationTimestamp: "2025-05-01T02:05:22Z"
  labels:
    kubernetes.io/metadata.name: default
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
  name: default
  • Deploy the following CR -
apiVersion: feast.dev/v1alpha1
kind: FeatureStore
metadata:
  name: sample
spec:
  feastProject: my_project
  services:
    offlineStore:
      persistence:
        file:
          pvc:
            create: {}
            mountPath: /offline

Specifications

  • Version: 0.49.0
  • Platform: OpenShift
  • Subsystem: Operator

Possible Solution

Add ability to set the securityContext of the feature store Pod. This would allow the user to set things like runAsGroup & fsGroup, which should resolve the issue.
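To show the mechanism the proposed fix relies on, here is an added example (not part of this issue or of the Feast operator): a plain Pod mounting a PVC at the same /offline path, with a pod-level securityContext that sets fsGroup and runAsGroup so the kubelet makes the volume root group-writable for the non-root process. The PVC name, uid/gid 1001 and the container image are constructed values.

```yaml
# Added example, not the operator's own manifest. Assumes an existing PVC named
# offline-store-pvc in the namespace; uid/gid and image are constructed values.
apiVersion: v1
kind: Pod
metadata:
  name: offline-store-fsgroup-demo
spec:
  securityContext:
    # The kubelet chowns the volume root to this gid and sets group rwx plus
    # the setgid bit, and adds the gid to the process's supplementary groups,
    # so a non-root process can write below /offline.
    fsGroup: 1001
    # Only re-chown when the volume root is not already owned by fsGroup;
    # avoids a recursive chown on every restart of a large volume.
    fsGroupChangePolicy: OnRootMismatch
    runAsNonRoot: true
    runAsUser: 1001
    runAsGroup: 1001
  containers:
    - name: check
      image: busybox:1.36   # assumed image; only needs id, ls, mkdir, touch
      command: ["/bin/sh", "-c"]
      args:
        - |
          id
          ls -la /offline
          # Without fsGroup this mkdir/touch fails with "Permission denied",
          # matching the feast-init error; with fsGroup it succeeds.
          mkdir -p /offline/my_project/feature_repo &&
          touch /offline/my_project/feature_repo/feature_store.yaml &&
          echo "write to PVC mount ok"
      volumeMounts:
        - name: offline
          mountPath: /offline
  volumes:
    - name: offline
      persistentVolumeClaim:
        claimName: offline-store-pvc   # assumed: pre-created PVC
```

The `id` and `ls -la /offline` lines in the container log can be compared with the root-owned listing above to confirm the ownership and mode change on the mount.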
