René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Operator PVC mount use fails in namespaces w/ privileged Pod security","articleBody":"## Expected Behavior \nWith the following FeatureStore `spec`, the Pod should start successfully (in any namespace) in clusters that support PVC creation -\n```yaml\nspec:\n  feastProject: my_project\n  services:\n    offlineStore:\n      persistence:\n        file:\n          pvc:\n            create: {}\n            mountPath: /offline\n```\n\n## Current Behavior\nPod goes into `CrashLoopBackOff` and throws these errors -\nfeast-init container -\n```sh\nCreating feast repository...\nfeast init my_project\nbash: line 3: /offline/my_project/feature_repo/feature_store.yaml: Permission denied\nFeast repo creation complete\n```\nonline container -\n```sh\nCan't find feature repo configuration file at /offline/my_project/feature_repo/feature_store.yaml. Make sure you're running feast from an initialized feast repository.\n``` \n\nThe issue is that the resulting mount is owned by root and does not offer group write permissions.\n```sh\n$ id\nuid=1001(default) gid=0(root) groups=0(root)\n\n$ ls -la /offline\ntotal 24\ndrwxr-xr-x. 4 root root  4096 May  6 13:42 .\ndr-xr-xr-x. 1 root root    61 May  6 13:52 ..\ndrwx------. 2 root root 16384 May  6 13:42 lost+found\ndrwxr-xr-x. 3 root root  4096 May  6 13:42 my_project\n```\n\n\n## Steps to reproduce\n - Switch to a namespace w/ `privileged` pod security -\n```sh\n$ kubectl get ns default -oyaml\napiVersion: v1\nkind: Namespace\nmetadata:\n  annotations:\n    openshift.io/sa.scc.mcs: s0:c1,c0\n    openshift.io/sa.scc.supplemental-groups: 1000000000/10000\n    openshift.io/sa.scc.uid-range: 1000000000/10000\n  creationTimestamp: \"2025-05-01T02:05:22Z\"\n  labels:\n    kubernetes.io/metadata.name: default\n    pod-security.kubernetes.io/audit: privileged\n    pod-security.kubernetes.io/enforce: privileged\n    pod-security.kubernetes.io/warn: privileged\n  name: default\n```\n - Deploy the following CR -\n```yaml\napiVersion: feast.dev/v1alpha1\nkind: FeatureStore\nmetadata:\n  name: sample\nspec:\n  feastProject: my_project\n  services:\n    offlineStore:\n      persistence:\n        file:\n          pvc:\n            create: {}\n            mountPath: /offline\n```\n\n### Specifications\n\n- Version: 0.49.0\n- Platform: OpenShift\n- Subsystem: Operator\n\n## Possible Solution\nAdd ability to set the `securityContext` of the feature store Pod. This would allow the user to set things like `runAsGroup` \u0026 `fsGroup`, which should resolve the issue","author":{"url":"https://github.com/tchughesiv","@type":"Person","name":"tchughesiv"},"datePublished":"2025-05-06T13:51:25.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/5324/feast/issues/5324"}