Separate PXE and management networks

This section describes how to configure a dedicated PXE network for a management or regional bare metal cluster. A separate PXE network allows isolating sensitive bare metal provisioning process from the end users. The users still have access to Container Cloud services, such as Keycloak, to authenticate workloads in managed clusters, such as Horizon in a Mirantis OpenStack for Kubernetes cluster.


This additional configuration procedure must be completed as part of the Prepare metadata and deploy the management cluster steps. It substitutes or appends some configuration parameters and templates that are used in Prepare metadata and deploy the management cluster for the management cluster to use two networks, PXE and management, instead of one PXE/management network. We recommend considering the Prepare metadata and deploy the management cluster procedure first.

The following table describes the overall network mapping scheme with all L2/L3 parameters, for example, for two networks, PXE (CIDR and management (CIDR

Network mapping overview

Deployment file name


Parameters and values
























When using a separate PXE network, the management cluster services are exposed in different networks using two separate MetalLB address pools:

  • Services exposed through the PXE network are as follows:

    • Ironic API (bare metal provisioning server)

    • HTTP server that provides images for network boot and server provisioning

    • Caching server for accessing the Container Cloud artifacts deployed on hosts

  • Services exposed through the management network are all other Container Cloud services, such as Keycloak, web UI, and so on

To configure separate PXE and management networks:

  1. In kaas-bootstrap/templates/bm/ipam-objects.yaml.template:

    • Substitute all the Subnet object templates with the new ones as described in the example template below

    • Update the L2 template spec.l3Layout and spec.npTemplate fields as described in the example template below

    The last Subnet template named mgmt-pxe-lb in the example above will be used to configure the MetalLB address pool in the PXE network. The bare metal provider will automatically configure MetalLB with address pools using the Subnet objects identified by specific labels.

    Use the following labels to identify the Subnet object as a MetalLB address pool and configure the name and protocol for that address pool. All labels below are mandatory for the Subnet object that configures a MetalLB address pool.

    Mandatory Subnet labels for a MetalLB address pool




    Defines that the Subnet object will be used to provide a new address pool/range for MetalLB.


    Sets the name services-pxe for the newly created address pool. The services-pxe address pool name is mandatory when configuring a dedicated PXE network in the management cluster. This name will be used in annotations for services exposed through the PXE network. Every address pool must have a distinct name except the default name that is reserved for the management network.


    Sets the address pool protocol. The only supported value is layer2 (default).

    Specifies the management or regional cluster name that the Subnet should be bound to.


    Do not set the same address pool name for two or more Subnet objects. Otherwise, the corresponding MetalLB address pool configuration fails with a warning message in the bare metal provider log.

  2. Verify the current MetalLB configuration that is stored in the ConfigMap object:

    kubectl -n metallb-system get cm metallb -o jsonpath={.data.config}

    For the example configuration described above, the following lines must appear in the ConfigMap for MetalLB:

    - name: default
      protocol: layer2
    - name: services-pxe
      protocol: layer2
      auto-assign: false

    The auto-assign parameter will be set to false for all address pools except the default one. So, a particular service will get an address from such an address pool only if the Service object has a special annotation that points to the specific address pool name.


    It is expected that every Container Cloud service on a management and regional cluster will be assigned to one of the address pools. Current consideration is to have two MetalLB address pools:

    • services-pxe is a reserved address pool name to use for the Container Cloud services in the PXE network (Ironic API, HTTP server, caching server)

    • default is an address pool to use for all other Container Cloud services in the management network. No annotation is required on the Service objects in this case.

  3. In kaas-bootstrap/templates/bm/cluster.yaml.template, add the dedicatedMetallbPools flag and set it to true:

          kind: BaremetalClusterProviderSpec
          dedicatedMetallbPools: true

    User sets this flag to enable splitting of LB endpoints for the Container Cloud services. The annotations on the Service objects are configured by the bare metal provider automatically when the dedicatedMetallbPools flag is set to true.

    Example Service object configured by the baremetal-operator Helm release:

    apiVersion: v1
    kind: Service
      name: ironic-api
      annotations: services-pxe
      - port: 443
        targetPort: 443
      type: LoadBalancer

    The annotation on the Service object is set to services-pxe by the baremetal provider, so the ironic-api service will be assigned an LB address from the corresponding MetalLB address pool.

  4. In addition to the network parameters defined in Prepare metadata and deploy the management cluster, configure the following ones by replacing them in templates/bm/ipam-objects.yaml.template:

    New subnet template parameters



    Example value


    Address of a management network for the management cluster in the CIDR notation. You can later share this network with managed clusters where it will act as the LCM network. If managed clusters have their separate LCM networks, those networks must be routable to the management network.


    Address range that includes addresses to be allocated to bare metal hosts in the management network for the management cluster. When this network is shared with managed clusters, the size of this range limits the number of hosts that can be deployed in all clusters that share this network. When this network is solely used by a management cluster, the range should include at least 3 IP addresses for bare metal hosts of the management cluster.


    Address range to be used for LB endpoints of the Container Cloud services: Ironic-API, HTTP server, and caching server. This range must be within the PXE network. The minimum required range is 5 IP addresses.

    The following parameters will now be tied to the management network while their meaning remains the same as described in Prepare metadata and deploy the management cluster:

    Subnet template parameters migrated to management network



    Example value


    IP address of the externally accessible API endpoint of the management cluster. This address must NOT be within the SET_METALLB_ADDR_POOL range but within the management network. External load balancers are not supported.


    The address range to be used for the externally accessible LB endpoints of the Container Cloud services, such as Keycloak, web UI, and so on. This range must be within the management network. The minimum required range is 19 IP addresses.

  5. Proceed to further steps in Prepare metadata and deploy the management cluster.