Network architecture
vMetal uses two distinct L2 segments. The Kubernetes cluster network carries pod-to-pod traffic inside the control plane cluster. The bare metal provisioning network is a separate segment where bare metal servers PXE boot. These are not the same network, and bare metal servers have no direct access to cluster-internal services.
The vMetal DHCP proxy bridges the two segments.
DHCP server and Multus CNI
The DHCP server runs as a pod on the control plane cluster. By default, pods can only reach the cluster network. Bare metal servers PXE boot on the provisioning network, which is unreachable from a single-interface pod.
The DHCP server is a multihomed pod with two interfaces. The first (eth0) connects to the cluster network, where Ironic runs. The second (eth1), attached via Multus CNI, connects to the provisioning network where bare metal servers broadcast DHCP requests.
Use the DHCP server and Multus CNI when the bare metal servers and Ironic are on different L2 segments. In lab setups where both share the same network, they may not be needed.
PXE boot flow
When Ironic powers on a server, the server broadcasts a DHCP discover on the provisioning network. The vMetal DHCP server receives the request on its provisioning-network interface and responds with an IP address and the location of the iPXE bootloader.
The server downloads the bootloader, then contacts Ironic over HTTP to fetch the Ironic Python Agent ramdisk. The ramdisk boots in memory, registers with Ironic, and performs hardware inspection or OS installation. After installation, Ironic sets the boot device to disk and reboots the server.
IPAM
vMetal includes built-in IP address management. Each Machine receives one static IP address from a configured address pool. The platform tracks allocations across all Machines in a node type and releases IPs automatically when a Machine is deleted.
The allocated IP, gateway, and DNS servers are written into a network-data Secret. Ironic reads this Secret and applies the network configuration during provisioning.
For advanced configurations such as VLAN tagging or bonding, a raw network-data JSON document can be supplied directly, overriding IPAM-based generation.
For pool configuration, CIDR and IP range formats, and Helm values, see Network configuration.
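The IPAM behaviour described above, as an added sketch that is not vMetal's own code: one address per Machine, tracked by name, released on delete, and rendered into a network-data document. The class and method names are hypothetical, the addresses are constructed, and the document layout is assumed to follow the OpenStack network_data.json format, which the page does not specify.

```python
import ipaddress
import json

class PoolExhausted(Exception):
    """Raised when no free address remains in the pool."""

class IPPool:
    """One static IP per Machine, tracked by Machine name (hypothetical model)."""

    def __init__(self, cidr, gateway, dns):
        self.network = ipaddress.ip_network(cidr)
        self.gateway = ipaddress.ip_address(gateway)
        if self.gateway not in self.network:
            raise ValueError("gateway outside pool CIDR")
        self.dns = list(dns)
        self.allocations = {}  # machine name -> ip_address

    def allocate(self, machine):
        # Idempotent: a Machine that already holds an address keeps it.
        if machine in self.allocations:
            return self.allocations[machine]
        used = set(self.allocations.values()) | {self.gateway}
        for ip in self.network.hosts():
            if ip not in used:
                self.allocations[machine] = ip
                return ip
        raise PoolExhausted(f"no free address in {self.network}")

    def release(self, machine):
        # Called when the Machine is deleted; unknown names are a no-op.
        self.allocations.pop(machine, None)

    def network_data(self, machine, mac):
        """Build the Secret payload (assumed OpenStack network_data.json layout)."""
        ip = self.allocate(machine)
        return {
            "links": [{"id": "nic0", "type": "phy", "ethernet_mac_address": mac}],
            "networks": [{
                "id": "provisioned", "type": "ipv4", "link": "nic0",
                "ip_address": str(ip), "netmask": str(self.network.netmask),
                "routes": [{"network": "0.0.0.0", "netmask": "0.0.0.0",
                            "gateway": str(self.gateway)}],
            }],
            "services": [{"type": "dns", "address": d} for d in self.dns],
        }

if __name__ == "__main__":
    pool = IPPool("192.0.2.0/29", "192.0.2.1", ["192.0.2.53"])  # constructed values
    print(json.dumps(pool.network_data("worker-0", "52:54:00:00:00:01"), indent=2))
```

Because a released address becomes the lowest free one again, a new Machine can receive an IP that a deleted Machine held moments earlier, which matters for any allow-list or log correlation keyed on IP alone.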