• Proposed title of this feature request

VRF config with Kubernetes-NMState

• What is the nature and description of the request?

Currently nmstate supports VRF configurations [1] but this capability it is not supported by Kubernetes-nmstate

[1] https://nmstate.io/devel/api.html#virtual-routing-and-forwarding-vrf

• Why does the customer need this? (List the business requirements here)

VRF configurations are used where strict Layer3 network isolation is required, either because of security or business reasons.

• Scenario 1: Any Pod running on a node that has a NIC with an IP that connects to an "private network" will be able to send traffic to that network just by being in the same node because the path will be Pod > OVS/OVN > Host Routing Table > "private network". A node level VRF configuration will prevent this scenario
• Scenario 2: Customers with networks with overlapping CIDRS (e.g. OAM network & storage network connecting to the same node and having overlapping CIDRS). Even if those networks are used for IPvlans or Macvlans interfaces and another for host access, that configuration is only possible by isolating one of them with a VRF

In the past we have used MachineConfigs to achieve the desired configuration but with Kubernetes-NMState as the option for node level network configuration, it will be preferable to also do this through the same nmstate mechanism:

https://docs.google.com/document/d/1ISubumFIgfX3JetgXgchNh5pcWwZVknYoEKVuljMkqg/edit#heading=h.vq75ns3qajc9