metal-api
Allow acquiring child prefixes from other networks than private super networks
We simplified managing firewall rules for FITS Classic networking for our tenants by splitting the MPLS network manually into pieces:
```text
mpls-nbg-w8101-a  MPLS Network for nbg-w8101  nbg-w8101  true  100.127.130.0/24
mpls-nbg-w8101-b  MPLS Network for nbg-w8101  nbg-w8101  true  100.127.131.0/24
mpls-nbg-w8101-c  MPLS Network for nbg-w8101  nbg-w8101  true  100.127.129.0/24
mpls-nbg-w8101-d  MPLS Network for nbg-w8101  nbg-w8101  true  100.127.132.0/28
```
This is quite a static approach, and it is to be expected that it will become hard to manage for us. For example, we have to prevent tenant A from starting firewalls in tenant B's network. But how can we decide this when there are no projects related to these networks? (Only static config mappings come to my mind to achieve this.)
The idea is to use the existing IPAM child prefix acquisition to enable users to dynamically carve out subnetworks of the MPLS network. These subnetworks would be smaller and belong to a project, therefore we could make a decision if acquiring IPs in this network is allowed or not.
Additional goal: "Wish prefix" -> let a user try to acquire a certain prefix (this would also be very good for Gardener in case something goes wrong there).
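The dynamic carve-out described above and the "wish prefix" goal, as an added sketch that is not metal-api's IPAM implementation: the class and method names, the `100.127.128.0/21` parent that the listed /24s fall into, and the tenant names are assumptions.

```python
"""Hypothetical sketch (not metal-api code) of carving project-owned child
prefixes out of one parent network and deciding IP use per project."""
import ipaddress
from typing import Dict

Network = ipaddress.IPv4Network


class ChildPrefixAllocator:
    """Keeps the parent (e.g. the MPLS network) and who owns each carved child."""

    def __init__(self, parent: str) -> None:
        self.parent = Network(parent)
        self.children: Dict[Network, str] = {}  # child prefix -> owning project

    def acquire_wish(self, project: str, wish: str) -> Network:
        """'Wish prefix': hand out exactly the requested child or refuse it."""
        child = Network(wish)
        if not child.subnet_of(self.parent) or child == self.parent:
            raise ValueError(f"{child} is not a proper child of {self.parent}")
        if any(child.overlaps(taken) for taken in self.children):
            raise ValueError(f"{child} overlaps an already acquired child")
        self.children[child] = project
        return child

    def acquire(self, project: str, prefixlen: int) -> Network:
        """Hand out the first free child of the given length, lowest address first."""
        if prefixlen <= self.parent.prefixlen:
            raise ValueError("child must be smaller than the parent network")
        for candidate in self.parent.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(taken) for taken in self.children):
                self.children[candidate] = project
                return candidate
        raise ValueError(f"no free /{prefixlen} left in {self.parent}")

    def allow_ip(self, project: str, ip: str) -> bool:
        """The decision the issue asks for: an IP may only be used by the project
        owning the child prefix it falls into; unassigned parent space is denied."""
        addr = ipaddress.IPv4Address(ip)
        owner = next((p for c, p in self.children.items() if addr in c), None)
        return owner is not None and owner == project


if __name__ == "__main__":
    # Constructed walk-through: one wished /24, then first-free allocations.
    alloc = ChildPrefixAllocator("100.127.128.0/21")
    alloc.acquire_wish("tenant-a", "100.127.130.0/24")
    print(alloc.acquire("tenant-b", 24), alloc.allow_ip("tenant-b", "100.127.130.7"))
```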