OSAC-1029: Multi-NIC networking design for VMs and bare metal

[danmanor]

Summary

Follow-up to the Unified Networking Design (merged). Addresses the multi-NIC questions.

The unified networking enhancement defines the attachment types (ComputeNetworkAttachment, BareMetalNetworkAttachment) and validation rules for multi-NIC, but defers the operational details. This enhancement defines:

• Primary network attachment — tenant-designated via primary: true field; determines default gateway, DNAT target, and SNAT source
• IPAM/DHCP behavior — primary subnet provides default gateway + DNS; secondary subnets provide IP + connected route only (no conflicting gateways)
• ExternalIPAttachment resolution — DNAT targets the primary subnet IP on multi-homed resources
• NATGateway behavior — SNAT applies to egress from all interfaces
• Validation — exactly one primary required when multiple attachments exist

Changes

• New: enhancements/multi-nic-networking/README.md
• Updated: enhancements/unified-networking/README.md — references this enhancement for multi-NIC details

Summary by CodeRabbit

• Documentation
  • Added comprehensive design documentation for multi-NIC networking on VMs and Bare Metal resources, detailing primary network attachment selection, default gateway configuration, and DHCP behavior.
  • Updated unified networking documentation with cross-references to multi-NIC networking specifications.

[coderabbitai]

Warning

Review limit reached

@danmanor, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 37 minutes and 36 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 5fc89120-68b7-42a0-8d83-5e44452ebf19

📥 Commits

Reviewing files that changed from the base of the PR and between c4d7f82 and 760be23.

📒 Files selected for processing (1)

• enhancements/unified-networking/README.md

Walkthrough

Adds a new enhancements/multi-nic-networking/README.md document specifying the primary field for ComputeNetworkAttachment and BareMetalNetworkAttachment, along with validation rules, gateway/DHCP/DNAT/SNAT semantics, implementation notes, and alternatives. Updates enhancements/unified-networking/README.md to cross-reference the new document instead of inlining multi-NIC gateway details.

Changes

Multi-NIC Networking Enhancement

Layer / File(s)	Summary
Unified networking README cross-reference enhancements/unified-networking/README.md	Replaces inline default-gateway/DHCP/ExternalIPAttachment implementation details with a pointer to the new Multi-NIC Networking enhancement document.
New enhancement: metadata, proposal, and core semantics enhancements/multi-nic-networking/README.md	Adds front matter and the full core design: primary field on attachment types, validation rules (exactly one primary, immutability), default gateway selection, per-subnet DHCP roles, ExternalIPAttachment DNAT targeting, NATGateway SNAT behavior, and ClusterNetworkAttachment exclusion.
End-to-end examples and implementation notes enhancements/multi-nic-networking/README.md	Adds VM and bare metal two-NIC CLI examples illustrating primary effects, plus k8sManager and fabric manager guidance for DHCP/static routing and default route placement.
Risks, mitigations, and alternatives enhancements/multi-nic-networking/README.md	Documents known risks/mitigations and compares the chosen primary field approach against attachment-ordering and per-ExternalIPAttachment subnet field alternatives.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• osac-project/enhancement-proposals#50: Laid out the original multi-NIC and unified networking API documentation; this PR directly extends and supersedes those multi-NIC gateway/DHCP/ExternalIPAttachment details by extracting them into the new dedicated enhancement.

Suggested reviewers

• tzumainn
• jhernand
• mhrivnak
• vladikr
• AlonaKaplan

Poem

A primary field joins the fray,
One gateway to rule the subnet's day.
DNAT aims true, DHCP picks a lane,
The fabric and k8sManager agree — no pain.
Cross-ref'd and tidy, the docs align at last! 🎉

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: introducing a new Multi-NIC Networking design enhancement document that specifies operational details for VMs and bare metal.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No-Hardcoded-Secrets	✅ Passed	No hardcoded secrets found in PR files. Comprehensive scan of unified-networking/README.md detected no API keys, tokens, passwords, private keys, credentials, base64 strings >32 chars, or URLs with...
No-Weak-Crypto	✅ Passed	PR contains only documentation files (markdown) describing multi-NIC networking architecture. No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementati...
No-Injection-Vectors	✅ Passed	This is a documentation-only PR (enhancements/multi-nic-networking/README.md and unified-networking/README.md). Repository contains no executable code (Python, JS, TS, etc.). The no-injection-vecto...
Container-Privileges	✅ Passed	PR contains only documentation and GitHub Actions/pre-commit configuration files with no privileged container configurations (no privileged: true, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPri...
No-Sensitive-Data-In-Logs	✅ Passed	PR contains only documentation (markdown) files. No logging code exists; no passwords, tokens, API keys, PII, or sensitive credentials are exposed in logs or code.
Ai-Attribution	✅ Passed	PR shows no indication that AI tools were used. The "AI-generated summary" in raw_summary is system-generated analysis, not a claim of AI-assisted content creation. Commit message authored solely b...
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

enhancements/unified-networking/README.md (1)

601-620: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Update proto definitions to reflect the primary field introduced by the Multi-NIC Networking enhancement.

The unified-networking document shows ComputeNetworkAttachment (lines 601–608) and BareMetalNetworkAttachment (lines 613–621) without the primary field. However, the new Multi-NIC Networking enhancement proposes adding a bool primary field to both types. Readers of this document alone will see incomplete proto definitions.

Either:

1. Preferred: Update the proto definitions here to include the primary field and cross-reference the Multi-NIC Networking doc for the operational semantics.
2. Alternative: Add a note next to each proto definition stating that it is extended by the Multi-NIC Networking enhancement.

This ensures proto definitions are authoritative and complete in the base unified-networking document.

Proposed fix (Option 1): Update proto definitions

 message ComputeNetworkAttachment {
   string subnet = 1;                    // Subnet ID, required, immutable
   repeated string security_groups = 2;  // SecurityGroup IDs, optional, mutable
+  bool primary = 3;                     // optional, default false; see Multi-NIC Networking enhancement
 }

 message BareMetalNetworkAttachment {
   string subnet = 1;                    // Subnet ID, required, immutable
   repeated string security_groups = 2;  // SecurityGroup IDs, optional, mutable
   string interface = 3;                 // optional, immutable: physical interface identifier from BMaaS
+  bool primary = 4;                     // optional, default false; see Multi-NIC Networking enhancement
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@enhancements/unified-networking/README.md` around lines 601 - 620, The proto
definitions for ComputeNetworkAttachment and BareMetalNetworkAttachment are
missing the `primary` field that was introduced in the Multi-NIC Networking
enhancement. Add a `bool primary` field to both message definitions with
appropriate comments indicating it is optional and immutable, reflecting its
purpose in the networking hierarchy. Consider adding a note that
cross-references the Multi-NIC Networking enhancement documentation for the
operational semantics of this field to ensure readers understand the complete
picture.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@enhancements/multi-nic-networking/README.md`:
- Line 199: In the risk mitigation table on line 199 of the README file, correct
the spelling error in the "Service unreachable" cell where "unreachabl" is
misspelled. Change it to "unreachable" to ensure proper spelling in the
documentation table.

---

Outside diff comments:
In `@enhancements/unified-networking/README.md`:
- Around line 601-620: The proto definitions for ComputeNetworkAttachment and
BareMetalNetworkAttachment are missing the `primary` field that was introduced
in the Multi-NIC Networking enhancement. Add a `bool primary` field to both
message definitions with appropriate comments indicating it is optional and
immutable, reflecting its purpose in the networking hierarchy. Consider adding a
note that cross-references the Multi-NIC Networking enhancement documentation
for the operational semantics of this field to ensure readers understand the
complete picture.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: osac-project/coderabbit/.coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: d1609f4b-c511-4816-a2b3-ee890bb00276

📥 Commits

Reviewing files that changed from the base of the PR and between 3724292 and c4d7f82.

📒 Files selected for processing (2)

• enhancements/multi-nic-networking/README.md
• enhancements/unified-networking/README.md

[danmanor]

/cc @adriengentil @ygalblum @vladikr

[adriengentil]

Looks good, thanks for the follow-up!

[vladikr]

Thanks @danmanor !
Looks good from my side as well!
/lgmt