Feature Request
Resolution: Unresolved
Major
OpenShift 4.0
Product / Portfolio Work
1. Proposed title of this feature request
Enable MultiNetworkPolicy support in OVN-Kubernetes secondary networks using externally assigned IPs without requiring subnets in NetworkAttachmentDefinition (NAD)
2. What is the nature and description of the request?
The customer is using OVN-Kubernetes with secondary networks in OpenShift, and needs to apply MultiNetworkPolicy rules using podSelector or namespaceSelector while managing IP addresses externally (e.g., via DHCP or static assignment).
Currently, this is not supported. Enabling MultiNetworkPolicy requires defining subnets in the NAD, which forces the use of OVN IPAM and conflicts with external IPAM. Without subnets, policies cannot be applied because OVN cannot track IPs.
The request is to decouple MultiNetworkPolicy from OVN IPAM, allowing policy enforcement even when IPs are externally managed.
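The constraint described above can be audited before deployment. The following is an added example, not code from this request or from OpenShift: it lists every MultiNetworkPolicy bound to an OVN-Kubernetes NAD that defines no subnets, together with the selector peers the policy relies on. The function names, the sample manifests and the comma-separated handling of the policy-for annotation are assumptions made for illustration.

```python
import json

OVN_CNI_TYPE = "ovn-k8s-cni-overlay"            # CNI type of OVN-Kubernetes secondary networks
POLICY_FOR = "k8s.v1.cni.cncf.io/policy-for"    # annotation binding a policy to NAD(s)

def nads_without_subnets(nads):
    """Return 'namespace/name' of every OVN-Kubernetes NAD whose config has no subnets."""
    missing = set()
    for nad in nads:
        cfg = json.loads(nad["spec"]["config"])
        if cfg.get("type") == OVN_CNI_TYPE and not cfg.get("subnets"):
            missing.add(f'{nad["metadata"]["namespace"]}/{nad["metadata"]["name"]}')
    return missing

def selector_peers(policy):
    """List podSelector/namespaceSelector peers used in ingress 'from' and egress 'to'."""
    found = []
    for direction, key in (("ingress", "from"), ("egress", "to")):
        for rule in policy["spec"].get(direction) or []:
            for peer in rule.get(key) or []:
                found += [f"{direction}.{s}" for s in ("podSelector", "namespaceSelector") if s in peer]
    return found

def policies_on_subnetless_nads(nads, policies):
    """Return (policy, nad, selector peers) for policies bound to a NAD without subnets."""
    missing, findings = nads_without_subnets(nads), []
    for pol in policies:
        ns, name = pol["metadata"]["namespace"], pol["metadata"]["name"]
        refs = pol["metadata"].get("annotations", {}).get(POLICY_FOR, "")
        for ref in filter(None, (r.strip() for r in refs.split(","))):
            nad = ref if "/" in ref else f"{ns}/{ref}"   # bare name = policy's own namespace
            if nad in missing:
                findings.append((f"{ns}/{name}", nad, selector_peers(pol)))
    return findings

# Constructed sample manifests (as they would look after parsing the YAML into dicts).
def _nad(name, **cfg):
    cfg.update(cniVersion="0.3.1", name=name, type=OVN_CNI_TYPE, topology="layer2",
               netAttachDefName=f"tenant-a/{name}")
    return {"metadata": {"namespace": "tenant-a", "name": name}, "spec": {"config": json.dumps(cfg)}}

def _policy(name, nad):
    return {"metadata": {"namespace": "tenant-a", "name": name, "annotations": {POLICY_FOR: nad}},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                     "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "frontend"}}}]}]}}

SAMPLE_NADS = [_nad("ovn-ipam-net", subnets="10.100.200.0/24"), _nad("dhcp-net")]
SAMPLE_POLICIES = [_policy("allow-frontend", "ovn-ipam-net"), _policy("allow-frontend-dhcp", "tenant-a/dhcp-net")]

if __name__ == "__main__":
    for finding in policies_on_subnetless_nads(SAMPLE_NADS, SAMPLE_POLICIES):
        print(finding)
```

A finding here marks a workload whose intended isolation depends on a policy that, per the behavior described in this request, is not enforced on that network.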
3. Why does the customer need this? (List the business requirements here)
The customer’s production environment requires IP address assignment via external DHCP infrastructure, due to integration with their physical network and security infrastructure.
They must also enforce network isolation and traffic control between workloads using MultiNetworkPolicy, for compliance and internal security policy.
Current OpenShift behavior forces a trade-off between IP address control and policy enforcement, which blocks their production deployment.
Resolving this would allow faster adoption of OpenShift for critical workloads that depend on external IPAM and segmentation.
4. List any affected packages or components.
ovn-kubernetes
multus-cni
k8s-network-policy / MultiNetworkPolicy
Possibly: NetworkAttachmentDefinition CRD logic