Skip to content

VEP-183: NetworkDevicesWithDRA API design #185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
oshoval wants to merge 1 commit into
base: main
Choose a base branch
from
Open

VEP-183: NetworkDevicesWithDRA API design #185

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
292 changes: 292 additions & 0 deletions veps/sig-network/183-dra-network/vep.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,292 @@
# VEP #183: SR-IOV Network DRA Support

## Release Signoff Checklist

Items marked with (R) are required *prior to targeting to a milestone / release*.

- [x] (R) Enhancement issue created, which links to VEP dir in [kubevirt/enhancements] (not the initial VEP PR)

## Overview

This proposal adds support for DRA (Dynamic Resource Allocation) provisioned SR-IOV network devices in KubeVirt.
It extends the existing KubeVirt networks API with a new `ResourceClaimNetworkSource` type, allowing SR-IOV NICs to be allocated via DRA while maintaining compatibility with the existing Multus-based SR-IOV approach.

This VEP builds upon the core DRA infrastructure defined in VEP #10 ([kubevirt/enhancements/pull/11](https://github.com/kubevirt/enhancements/pull/11)) to add support for network devices, specifically SR-IOV NICs.

## Motivation

DRA adoption for network devices is important for KubeVirt so that network device vendors can expect
the same level of control when using Virtual Machines as they have with Containers.
DRA allows network device vendors fine-grained control over device allocation and topology.

## Goals

- Introduce the API changes needed to consume DRA-enabled SR-IOV network devices in KubeVirt
- Introduce how KubeVirt will consume SR-IOV devices via external DRA drivers
- Seamlessly support DRA-based SR-IOV use cases available to containers in KubeVirt VMIs
- Support custom MAC addresses for DRA-based SR-IOV networks

## Non Goals

- Replace existing Multus-based SR-IOV network integration (remains fully supported)
- Deploy DRA SR-IOV driver (handled by sriov-network-operator)
Copy link
Copy Markdown
Member

@nirdothan nirdothan Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider omitting (handled by sriov-network-operator) as it is not part of KubeVirt, nor is it a prerequisite . You can add a note that recommends it somewhere further down.

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Jan 27, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is a non goal that emphasize the fact deployment is not handled,
because deployment side by side with DP is tricky, yet to determined, and will be solved by the sriov-operator

#158 (comment)
#158 (comment)

- Support coexistence of DRA SR-IOV and device-plugin SR-IOV
- Live migration of VMs with DRA network devices

## Definition of Users

- **User**: A person who wants to attach SR-IOV network devices to a VM
- **Admin**: A person who manages infrastructure and configures DRA device classes and drivers
- **Developer**: A person familiar with CNCF ecosystem who develops automation using these APIs

## User Stories

- As a user, I want to consume SR-IOV network devices via DRA in my VMs
- As a user, I want to specify custom MAC addresses for DRA-provisioned SR-IOV interfaces
- As an admin, I want to use DRA drivers to manage SR-IOV device allocation with fine-grained control
- As a developer, I want extensible APIs to build automation for DRA-based networking

## Use Cases

### Supported Use Cases

1. SR-IOV network devices where the DRA driver publishes required attributes in device metadata files:
- `resources.kubernetes.io/pciBusID` for SR-IOV VF passthrough

### Future Use Cases
1. Scalable Functions network devices
2. Live migration of VMIs using DRA network devices (will have a VEP amendment)

## Repos

kubevirt/kubevirt

## Design

This design introduces a new feature gate: `NetworkDevicesWithDRA`.
All the API changes will be gated behind this feature gate so as not to break existing functionality.

### API Changes

A new network source type `ResourceClaimNetworkSource` is added to the existing `NetworkSource` type:

```go
// Represents the source resource that will be connected to the vm.
// Only one of its members may be specified.
type NetworkSource struct {
Pod *PodNetwork `json:"pod,omitempty"`
Multus *MultusNetwork `json:"multus,omitempty"`
ResourceClaim *ResourceClaimNetworkSource `json:"resourceClaim,omitempty"`
}

// ResourceClaimNetworkSource represents a network resource requested
// via a Kubernetes ResourceClaim.
type ResourceClaimNetworkSource struct {
Copy link
Copy Markdown
Contributor

@alaypatel07 alaypatel07 Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any resource why ClaimRequest cannot be used here? https://github.com/kubevirt/kubevirt/blob/main/staging/src/kubevirt.io/api/core/v1/schema.go#L635

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, because for Network DRA, requestName must exists, as was discussed in the meeting,
Because we support only one per network,interface tuple atm.
And having requestName always makes sure that it will support both ResourceClaim[Template] with one device type, or more.

however for GPU and HostDevices it isn't.
Yet there is a bug there
kubevirt/kubevirt#16319 (comment)
Once i reach it i will open an issue (with better explanation) about it so we can discuss and fix it

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

created issue for this
kubevirt/kubevirt#16771

Copy link
Copy Markdown
Contributor

@alaypatel07 alaypatel07 Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commented on the issue.

Yet there is a bug there

I am not sure if this is a bug, there is an intentional API decision in GPU struct that each device is a single element in the list. Having empty requestName gives flexibility but I cant think of any usecase for this flexibility.

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 26, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If requestName isn't supplied, it fail to find it using current logic, without failing earlier with deterministic assertion, hence at least that should be fixed imo.
Will answer verbose on kubevirt/kubevirt#16771 with the options at least as i see it, thanks

// ClaimName references the name of an entry in the
// VMI's spec.resourceClaims[] array.
// +kubebuilder:validation:MinLength=1
ClaimName string `json:"claimName"`

// RequestName specifies which request from the
// ResourceClaim.spec.devices.requests array this network
// source corresponds to.
// +kubebuilder:validation:MinLength=1
RequestName string `json:"requestName"`
}
```

The VMI must also include the resource claim in `spec.resourceClaims[]` (consistent with GPU and HostDevice DRA usage).
Copy link
Copy Markdown
Member

@nirdothan nirdothan Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please consider referencing VEP 10 for this field.

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already say in the beginning

This VEP builds upon the core DRA infrastructure defined in VEP #10 (https://github.com/kubevirt/enhancements/pull/11) to add support for network devices, specifically SR-IOV NICs.

I prefer to DRY (don't repeat yourself) rule


### Status Reporting

For consistency with GPUs and HostDevices, DRA-provisioned network devices populate the same `vmi.status.deviceStatus.hostDeviceStatuses[]` array. The DRA controller in virt-controller:
Copy link
Copy Markdown
Member

@nirdothan nirdothan Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above.

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you mean #185 (comment) ?
if so same answer imho


1. Identifies networks with `resourceClaim` source type
2. Extracts device information from the allocated ResourceClaim and ResourceSlice
3. Populates `hostDeviceStatuses` with network name and allocated device attributes (PCI address)

The status entry name matches the network name from `spec.networks[].name`, allowing virt-launcher to correlate the network configuration with its allocated DRA device.

The detailed mechanism for extracting device information from Pod status, ResourceClaim, and ResourceSlice follows the same approach described in VEP #10.

### SR-IOV Integration

When a network interface has `sriov` binding and references a network with `resourceClaim` source:

1. The network admitter validates that exactly one network source type (pod, multus, or resourceClaim) is specified
2. Virt-controller adds the resource claim to the virt-launcher pod spec via `WithNetworksDRA()` render option
Copy link
Copy Markdown
Member

@nirdothan nirdothan Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WithNetworksDRA()

If that's a name of a function that you're designing then I would recommend to explain what it adds to the pod rather than the name of the function.

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

prefix says what it does Virt-controller adds the resource claim to the virt-launcher pod spec
i can just remove func mentioning if you prefer, i dont think we need more details than the prefix

3. The DRA controller populates `vmi.status.deviceStatus` with the PCI address from the ResourceSlice
Copy link
Copy Markdown
Member

@nirdothan nirdothan Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I'm not mistaken, you must query the resourceClaim in order to find the resourceSlice element/s name/s that was/were allocated to this pod.
Field ref resourceclaim.status.allocation.devices.results.device

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The DRA controller (#10) populates the data from the ResourceClaim to vmi.status.deviceStatus already
so we just need to read it,
we show flow here, not addition by this VEP

4. Virt-launcher reads the PCI address from device status and generates the appropriate libvirt hostdev XML (at [`generateConverterContext`](https://github.com/kubevirt/kubevirt/blob/ffa91c8156fecf1d91dd865c6197865a0a3e525b/pkg/virt-launcher/virtwrap/manager.go#L1163), alongside the existing `sriov.CreateHostDevices` call), identical to traditional Multus-based SR-IOV

This approach provides clean separation: DRA handles device provisioning, KubeVirt networks API handles configuration.

**Important:** Traditional Multus-based SR-IOV (using `multus` network source) and DRA-based SR-IOV (using `resourceClaim` network source) are **mutually exclusive per VM**. A single VMI should not mix both approaches. The existing Multus-based SR-IOV API remains fully supported and unchanged.
Copy link
Copy Markdown
Member

@nirdothan nirdothan Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please consider placing this higher up in the doc as it is important (although it is already hinted twice, one in the goals(?) and once in validation rules).

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i prefer not, as you said it is hinted and explicit
give those details later instead adding context in early step, that can be given later


### Custom MAC Address Support

To support custom MAC addresses for DRA-based SR-IOV networks, KubeVirt will annotate the virt-launcher pod with requested MAC addresses. The MAC address will be taken from the existing `spec.domain.devices.interfaces[].macAddress` field:

```
kubevirt.io/dra-networks: '[{"claimName":"sriov","requestName":"vf","mac":"de:ad:00:00:be:ef"}]'
Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SchSeba @EdDev
ack this one please, so we can continue SR-IOV driver implementation of it

Copy link
Copy Markdown

@aojea aojea Jan 23, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

an alternative is to use the ResourceClaim and ResourceClaimTemplate opaque data to pass this information, so you don't need to embed it into an annotation, this information is cascaded to the driver via the kubelet NodePrepareResources hook

apiVersion: resource.k8s.io/v1
kind: ResourceClaimTemplate
metadata:
  name: sriov-network-claim-template
  namespace: default
spec:
  spec:
    devices:
      requests:
      - name: sriov-nic-request
        exactly:
          deviceClassName: sriov.network.example.com
    config:
    - opaque:
        driver: sriov.network.example.com
        parameters:
          interface:
            name: "enp0s1"
            mtu: 4321
            hardwareAddr: "00:11:22:33:44:55"

this way you can also create an schema and add validation, see how I do in dranet

https://github.com/kubernetes-sigs/dranet/blob/main/pkg/apis/types.go

https://github.com/kubernetes-sigs/dranet/blob/bfe5826c1ddc63ee3fe7e561f71ba232072a9341/pkg/driver/dra_hooks.go#L175-L206

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Jan 25, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, we discussed this approach,
It is a resource claim template, which means k8s is the one that creates ResourceClaims based on that, and it is a singleton, where each virt-launcher pod needs a different MAC, hence it is not scalable.
The MAC approach allows minimum maintenance by Kubevirt, and per pod custom MAC.

It solves the specific case where ResourceClaim/ResourceClaimsTemplate aren't created by Kubevirt, so it is good to use MAC annotation approach also for the generic case where Kubevirt itself creates the ResourceClaim ("auto" mode), so there will be one solution for all the cases.

Copy link
Copy Markdown

@SchSeba SchSeba Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree here we can't have this one if we want to re-use the resourceClaimTemplate for multiple pod/vms.

then we can also continue to use the kubemacpool system to assign the mac address. (we may just need to ajust the annotation)

Copy link
Copy Markdown

@SchSeba SchSeba Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another option is to have a mutating webhook on the resourceClaim that will inject this opaque mac address to have unique mac addresses, but again I don't know how much work that is.

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there will be e2e test that injects a MAC, and depends on the current value being handled
this is what we do already for the current multus + DP approach, same tests will be duplicated to use DRA as well

Copy link
Copy Markdown

@LionelJouin LionelJouin Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multus is fine I think as it's a full implementation. DRA is a kubernetes feature that has multiple implementations (DRANET, SR-IOV DRA Driver, CNI DRA Driver...), so having conformance tests could help to determine which DRA Driver is Kubevirt networking compliant.

Copy link
Copy Markdown
Contributor

@alaypatel07 alaypatel07 Feb 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Until now, we thought that any driver which has pciAddress attribute or mdevUUID attribute can be compatible with KubeVirt. But this usecase shows that advance features in kubevirt might require more from driver than just providing those attributes, in which case a conformance tests should will be helpful. It could potentially be tracked as part of graduating VEP-10 to GA.

Multus is fine I think as it's a full implementation. DRA is a kubernetes feature that has multiple implementations (DRANET, SR-IOV DRA Driver, CNI DRA Driver...), so having conformance tests could help to determine which DRA Driver is Kubevirt networking compliant.

Copy link
Copy Markdown
Contributor

@alaypatel07 alaypatel07 Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If ResourceClaimTemplate object could be embedded in the pod spec, would this help avoid having this custom annotation?

I remember very early on the plan was to embed the template in pod spec, but because DRA was not stable and pod spec is V1 GA object, it was decided to move the template into its own API.

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming you mean that K8s will create a RessourceClaim if ResourceClaimTemplate is embedded in the pod right ?
This is a precondition for this idea.

But i think that we need to consider all the cases

  1. Exisitng ResourceClaim
  2. Existing ResourceClaimTemplate
  3. Kubevirt "auto" mode where Kubevirt is the one that creates the ResourceClaim

And to also consider that lets say ResourceClaimTemplate exists, we copy it to the pod, add there the MAC,
but now upon migration, we need to copy the pod's ResourceClaimTemplate because the original might be changed and we can't depend on it.
While this is a nice idea, given the above, we should start simple imho, and later consider to adjusts according needs.
Moreover i think that it is embedding a whole CRD instead an annotation, and have cons as above.
We can make the annotation standard and it is pretty straight forward and simpler.

Note, didn't think deeper on the other cases, took one edge example to show why it makes things harder.

Another cons, is once we don't have a MAC, we don't need it, but we can't have 2 mechanisms, so it bloats the non MAC path.

```

This preserves the structure of `k8s.v1.cni.cncf.io/networks`, but for claimName/requestName instead of NAD.

The SR-IOV DRA driver reads this annotation and passes the claim/request identifier along with the MAC address to the SR-IOV CNI, ensuring the network interface is configured with the specified MAC address.

**Design Rationale:** The annotation-based approach was chosen because it solves the case where ResourceClaim/ResourceClaimTemplate is created by the admin (not by KubeVirt). Since this approach handles the more complex admin-created claim scenario, it naturally also works for the general case where KubeVirt creates the claims ("auto" mode), providing a unified solution for both scenarios.

### Validation

Webhook validations ensure:
1. Networks with `resourceClaim` source have corresponding `sriov` binding interfaces
2. Each network must reference a unique `claimName` + `requestName` combination. No two DRA entities (networks, hostDevices, or GPUs) can share the same tuple, as each interface+network pair must map to exactly one device allocation
Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now will enforce it just for network versus network, not cross GPU / HostDevice.
If needed also cross better in a separated PR.

3. No mixing of Multus-based and DRA-based SR-IOV in the same VMI.

### Component Changes

**Virt-Controller:**
- Renders virt-launcher pod spec with resource claims from `vmi.spec.resourceClaims[]` referenced by `vmi.spec.networks[].resourceClaim`
- Annotates virt-launcher pod with `kubevirt.io/dra-networks` containing MAC addresses from `spec.domain.devices.interfaces[].macAddress`

**Virt-Launcher:**
- For SR-IOV networks with DRA, virt-launcher uses `vmi.status.deviceStatus` to generate the domain XML instead of Kubevirt's downwardAPI file as in the case of device-plugins
- The `CreateDRAHostDevices()` function generates hostdev XML by:
- Filtering VMI spec interfaces with SRIOV binding that reference networks with resourceClaim source
- Looking up the corresponding VMI status device status entry by network name
- Extracting the PCI address from VMI status device status attributes
- Generating standard libvirt hostdev XML

- **Note:** If the ResourceClaim/ResourceClaimTemplate is allocating more than one device for the request, KubeVirt will consume the first device from the allocated devices

## API Examples

### VMI with DRA SR-IOV Network

```yaml
---
apiVersion: resource.k8s.io/v1
kind: DeviceClass
metadata:
name: sriov.network.example.com
spec:
selectors:
- cel:
expression: device.driver == 'sriov.network.example.com'
---
apiVersion: resource.k8s.io/v1
kind: ResourceClaimTemplate
metadata:
name: sriov-network-claim-template
namespace: default
spec:
spec:
devices:
requests:
- name: sriov-nic-request
exactly:
Copy link
Copy Markdown
Member

@nirdothan nirdothan Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this select exactly 1 resource?

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

deviceClassName: sriov.network.example.com
---
apiVersion: kubevirt.io/v1
kind: VirtualMachineInstance
metadata:
name: vmi-sriov-dra
namespace: default
spec:
domain:
devices:
interfaces:
Copy link
Copy Markdown
Member

@nirdothan nirdothan Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I recommend to add one more sriov interface in order to demonstrate what gets multiplied(ifaces, networks, resourceClaims?) and what remains sigular (deviceClass, resourceClaimTemplate)

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Feb 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

well we dont support it correct yet because of kubevirt/kubevirt#16769
so i prefer not, once we do i will amend it

as far as i know we need this,
once we support downward API, maybe we will able to simplify this
(and to relax some of the webhook limitations)
right @SchSeba ?

apiVersion: resource.k8s.io/v1
kind: ResourceClaimTemplate
metadata:
  namespace: vf-test2
  name: single-vf
spec:
  spec:
    devices:
      requests:
      - name: vf1
        exactly:
          deviceClassName: sriovnetwork.k8snetworkplumbingwg.io
      - name: vf2
        exactly:
          deviceClassName: sriovnetwork.k8snetworkplumbingwg.io
      config:
      - requests: ["vf1","vf2"]
        opaque:
          driver: sriovnetwork.k8snetworkplumbingwg.io
          parameters:
            apiVersion: sriovnetwork.k8snetworkplumbingwg.io/v1alpha1
            kind: VfConfig
            netAttachDefName: vf-test
            driver: vfio-pci
            addVhostMount: true
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  name: testvmi
  namespace: vf-test2
spec:
  runStrategy: Always
  template:
    metadata:
      labels:
        kubevirt.io/domain: testvmi
    spec:
      architecture: amd64
      domain:
        cpu:
          cores: 1
          maxSockets: 4
          model: host-model
          sockets: 1
          threads: 1
        devices:
          autoattachGraphicsDevice: false
          disks:
          - disk:
              bus: virtio
            name: disk0
          - disk:
              bus: virtio
            name: cloudinitdisk
          interfaces:
          - masquerade: {}
            name: default
          - sriov: {}
            name: red
            macAddress: "de:ad:00:00:be:ef"
          - sriov: {}
            name: blue
          rng: {}
        features:
          acpi:
            enabled: true
        firmware:
          uuid: d7873366-c2b0-4a56-bfc2-1e1bee0a88db
        machine:
          type: q35
        memory:
          guest: 1Gi
        resources:
          requests:
            memory: 1Gi
      evictionStrategy: None
      networks:
      - name: default
        pod: {}
      - name: red
        resourceClaim:
          claimName: sriov
          requestName: vf1
      - name: blue
        resourceClaim:
          claimName: sriov
          requestName: vf2
      terminationGracePeriodSeconds: 0
      resourceClaims:
      - name: sriov
        resourceClaimTemplateName: single-vf
      volumes:
      - containerDisk:
          image: quay.io/kubevirt/fedora-with-test-tooling-container-disk:devel
          imagePullPolicy: IfNotPresent
        name: disk0
      - cloudInitNoCloud:
          networkData: |
            ethernets:
              eth0:
                addresses:
                - fd10:0:2::2/120
                dhcp4: true
                gateway6: fd10:0:2::1
                match: {}
                nameservers:
                  addresses:
                  - 10.96.0.10
                  search:
                  - default.svc.cluster.local
                  - svc.cluster.local
                  - cluster.local
            version: 2
        name: cloudinitdisk

- name: sriov-net
sriov: {}
macAddress: "de:ad:00:00:be:ef"
networks:
- name: sriov-net
resourceClaim:
claimName: sriov-network-claim
requestName: sriov-nic-request
resourceClaims:
- name: sriov-network-claim
resourceClaimTemplateName: sriov-network-claim-template
status:
deviceStatus:
hostDeviceStatuses:
- name: sriov-net
deviceResourceClaimStatus:
name: 0000-05-00-1
resourceClaimName: virt-launcher-vmi-sriov-dra-sriov-network-claim-abc123
attributes:
pciAddress: 0000:05:00.1
---
apiVersion: v1
kind: Pod
metadata:
name: virt-launcher-vmi-sriov-dra
namespace: default
annotations:
kubevirt.io/dra-networks: '[{"claimName":"sriov-network-claim","requestName":"sriov-nic-request","mac":"de:ad:00:00:be:ef"}]'
spec:
containers:
- name: compute
image: virt-launcher
resources:
claims:
- name: sriov-network-claim
request: sriov-nic-request
resourceClaims:
- name: sriov-network-claim
resourceClaimTemplateName: sriov-network-claim-template
status:
resourceClaimStatuses:
- name: sriov-network-claim
resourceClaimName: virt-launcher-vmi-sriov-dra-sriov-network-claim-abc123
```

## Scalability

The DRA controller in virt-controller uses existing shared informers (no additional watch calls) and filters events to relevant status sections. See [VEP #10](../../sig-compute/10-dra-devices/vep.md#scalability) for detailed scalability analysis.

## Update/Rollback Compatibility

- Changes are upgrade compatible
- Rollback works as long as feature gate is disabled
- If the feature is enabled, VMIs using DRA network devices must be deleted and feature gate disabled before attempting rollback

## Functional Testing Approach

- Unit tests with optimum coverage for new code
- New e2e test lane with all current SR-IOV tests using the new API
(excluding migration tests, which will be added when migration is supported)

## Implementation History

- 2026-01-20: Initial design/VEP proposal for SR-IOV Network DRA support

## Graduation Requirements

### Alpha

- Code changes behind `NetworkDevicesWithDRA` feature gate
- Unit tests
- E2E tests with SR-IOV DRA driver (excluding migration)

### Beta

- Evaluate user and driver author experience
- Consider additional use cases if any
- Work with Kubernetes community on standardizing device information injection
- Live migration support for DRA network devices
- Live migration will use CDI/NRI to inject device information as files into each pod (mappings of request/claim to PCI addresses)
Copy link
Copy Markdown
Member

@nirdothan nirdothan Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not clear to me - but maybe It's on me to learn.

Copy link
Copy Markdown
Contributor Author

@oshoval oshoval Jan 27, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is not part of this VEP, just meant to give highlight

in high level, in the long term k8s will create a downward API, each pod will have file with the device info,
CDI/NRI is implementation details
kubernetes/enhancements#5606

until it happens we might create this mechanism by SRIOV driver
(poc that we will continue according needs)
k8snetworkplumbingwg/dra-driver-sriov#59 (POC, closed for now, but it shows how it works, CDI prepare the pod manifest, NRI populates data and then container creates the file)
k8snetworkplumbingwg/dra-driver-sriov#62 (WIP)

nice diagram wrt to this
kubernetes/enhancements#5606 (comment)

also #155 (VEP 10 amendment)
talks about using downward API already

- Each virt-launcher reads its pod-specific device file, avoiding conflicts in VMI status
- Might be initially implemented by SR-IOV DRA driver; future Kubernetes support may generalize this (see [kubernetes/enhancements#5606](https://github.com/kubernetes/enhancements/pull/5606))
- Details: https://github.com/k8snetworkplumbingwg/dra-driver-sriov/pull/62

### GA

- Upgrade/downgrade testing

## References

- DRA: https://kubernetes.io/docs/concepts/scheduling-eviction/dynamic-resource-allocation/
- SR-IOV DRA driver: https://github.com/k8snetworkplumbingwg/dra-driver-sriov
- VEP #10 (DRA devices): /veps/sig-compute/10-dra-devices/vep.md
- Kubernetes DRA device information injection: https://github.com/kubernetes/enhancements/pull/5606