Management cluster networking
This page summarizes the recommended networking architecture of a management cluster for a Mirantis OpenStack for Kubernetes (MOSK) cluster.
The main purpose of networking in a management cluster is to provide access to the management API that consists of:
- Public API
Used by end users to provision and configure MOSK clusters and machines. Includes the management console.
- LCM API
Used by LCM agents in MOSK clusters to obtain configuration and report status. Contains provider-specific services and the internal API, including the LCMMachine and LCMCluster objects.
We recommend deploying the management cluster with a dedicated interface for the provisioning (PXE) network. Separating the provisioning network from the management network keeps the unauthenticated DHCP and PXE boot traffic off the network that carries the management API, which improves both the security and the resilience of the solution.
MOSK end users typically need access to the Keycloak service in the management cluster to authenticate to the Horizon web UI. Therefore, we recommend that you connect the management network of the management cluster to an external network through an IP router. The default route on the management cluster nodes must point to the default gateway in the management network.
If you deploy the multi-rack configuration, ensure that the provisioning network of the management cluster is connected to an IP router that connects it to the provisioning networks of all racks.
The following types of networks are supported for management clusters in MOSK:
- PXE network
Enables PXE boot of all bare metal machines. The PXE subnet provides IP addresses for DHCP and network boot of the bare metal hosts for initial inspection and operating system provisioning. This network does not require a default gateway or a router connected to it, except in the multi-rack configuration, where it is routed to the provisioning networks of the other racks. The PXE subnet is defined by the operator during bootstrap.
Provides IP addresses for the bare metal management services, such as bare metal provisioning service (Ironic). These addresses are allocated and served by MetalLB.
- Management network
Connects LCM agents running on the hosts to the LCM API. Serves the external connections to the management API. This network is also used for communication between kubelet and the Kubernetes API server inside a Kubernetes cluster. The MKE components use this network for communication inside a swarm cluster. The LCM subnet provides IP addresses for Kubernetes nodes in the management cluster. This network also provides a Virtual IP (VIP) address for the load balancer that enables external access to the Kubernetes API of the management cluster. This VIP is also the endpoint to access the management API in the management cluster.
Provides IP addresses for externally accessible services, such as Keycloak, management console, StackLight. These addresses are allocated and served by MetalLB.
- Kubernetes workloads network (Technology Preview)
Serves the internal traffic between workloads on the management cluster. The Kubernetes workloads subnet provides IP addresses that are assigned to nodes and used by Calico.
- Out-of-Band (OOB) network
Connects to Baseboard Management Controllers of the servers that host the management cluster. The OOB subnet must be accessible from the management network through IP routing. The OOB network is not managed by MOSK and is not represented in the IPAM API.
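The addressing rules described above (each network on its own subnet, the default gateway and the Kubernetes API VIP in the management network, MetalLB ranges inside the subnet whose services they serve, the PXE network with no gateway requirement, and the OOB network routed to but not managed by MOSK) can be checked against an address plan before bootstrap. The following Python script is an added example, not code from the MOSK documentation or product; the network names, the `check_plan` function and the sample CIDRs are constructed for illustration, and the checks encode only the recommendations stated on this page.

```python
"""Sanity-check an address plan for a MOSK management cluster.

Added example, not code from the MOSK documentation or product. The
network names and sample CIDRs are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Network:
    """One of the management cluster networks described on this page."""
    name: str
    cidr: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address] = None
    # Address ranges handed to MetalLB for services on this network.
    metallb_ranges: list = field(default_factory=list)
    # Virtual IP of the Kubernetes API load balancer (management network only).
    vip: Optional[ipaddress.IPv4Address] = None


def net(name, cidr, gateway=None, metallb=(), vip=None):
    """Build a Network from plain strings such as '10.0.0.10-10.0.0.20'."""
    ranges = []
    for r in metallb:
        lo, hi = (ipaddress.IPv4Address(x.strip()) for x in r.split("-"))
        ranges.append((lo, hi))
    return Network(
        name,
        ipaddress.IPv4Network(cidr),
        ipaddress.IPv4Address(gateway) if gateway else None,
        ranges,
        ipaddress.IPv4Address(vip) if vip else None,
    )


def check_plan(networks):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    by_name = {n.name: n for n in networks}

    # 1. Every network gets its own subnet: no two may overlap.
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.cidr.overlaps(b.cidr):
                findings.append(f"{a.name} {a.cidr} overlaps {b.name} {b.cidr}")

    for n in networks:
        # 2. A gateway, if set, belongs to its own subnet.
        if n.gateway is not None and n.gateway not in n.cidr:
            findings.append(f"{n.name}: gateway {n.gateway} is outside {n.cidr}")
        # 3. MetalLB ranges lie inside the subnet, are ordered, and do not
        #    swallow the gateway or the VIP.
        for lo, hi in n.metallb_ranges:
            if lo > hi:
                findings.append(f"{n.name}: MetalLB range {lo}-{hi} is reversed")
            if lo not in n.cidr or hi not in n.cidr:
                findings.append(f"{n.name}: MetalLB range {lo}-{hi} is outside {n.cidr}")
            for label, addr in (("gateway", n.gateway), ("VIP", n.vip)):
                if addr is not None and lo <= addr <= hi:
                    findings.append(
                        f"{n.name}: {label} {addr} falls inside MetalLB range {lo}-{hi}")
        # 4. The VIP, if set, belongs to its own subnet, and only the
        #    management network carries one.
        if n.vip is not None and n.vip not in n.cidr:
            findings.append(f"{n.name}: VIP {n.vip} is outside {n.cidr}")
        if n.vip is not None and n.name != "management":
            findings.append(f"{n.name}: VIP defined outside the management network")

    # 5. The management network carries the default route and the API VIP.
    mgmt = by_name.get("management")
    if mgmt is None:
        findings.append("no management network defined")
    else:
        if mgmt.gateway is None:
            findings.append("management: no default gateway (default route must point here)")
        if mgmt.vip is None:
            findings.append("management: no Kubernetes API VIP defined")

    # 6. The OOB network is routed to, not managed by MOSK: no MetalLB there.
    oob = by_name.get("oob")
    if oob is not None and oob.metallb_ranges:
        findings.append("oob: MetalLB ranges are not expected on the OOB network")
    return findings


def sample_plan():
    """Constructed sample plan that follows the recommendations above."""
    return [
        net("pxe", "10.10.0.0/24", metallb=["10.10.0.100-10.10.0.119"]),
        net("management", "10.20.0.0/24", gateway="10.20.0.1",
            metallb=["10.20.0.100-10.20.0.149"], vip="10.20.0.50"),
        net("workloads", "10.30.0.0/24"),
        net("oob", "10.40.0.0/24", gateway="10.40.0.1"),
    ]


if __name__ == "__main__":
    for finding in check_plan(sample_plan()) or ["plan OK"]:
        print(finding)
```

Run it against your own plan by replacing the CIDRs in `sample_plan()`; a non-empty list of findings points at the specific network and rule that was violated, such as a PXE subnet that overlaps the management subnet or a VIP placed inside a MetalLB range.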