How Do You Manage Kubernetes Clusters in Air-Gapped Environments?

Asked By TechieGamer42 On

I'm curious if anyone here is managing Kubernetes (K8s) clusters without internet access or in restricted environments, like military, finance, or healthcare sectors. I've been hearing about these air-gapped setups where teams rely on strict firewalls and have no cloud dependencies.

We're developing K8s tools that support such environments, focusing on solutions that don't require server-side deployment, telemetry, or any external dependencies—just a binary and your kubeconfig. I'd love to hear from those operating in these conditions:

- What's your current setup like? Do you just use kubectl and k9s, or do you vet software before use?
- Have you tried any other tools that didn't perform well without internet access?
- How do you manage updates and patches when you can't download directly from the internet?

5 Answers

Answered By K8sExplorer On

The toughest part is keeping image registry values updated across components. Using something like rke2 helps, or you can create a mutating webhook configuration to adjust pod image specs. It’s similar to Zarf’s approach but allows for more flexibility without needing to rebuild large tarballs for minor changes.
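The mutating-webhook idea in the answer above, sketched as an added example (not part of the original answer and not code from rke2 or Zarf): the decision logic a webhook could run on a Pod AdmissionReview to point images at an internal mirror. The registry host `registry.internal.example` and the per-upstream project names are assumptions. Images from registries that are not mirrored are denied rather than passed through.

```python
import base64
import json

MIRROR = "registry.internal.example"   # assumed internal registry host
# Assumed mirror layout: one project per vetted upstream registry.
PROJECTS = {"docker.io": "dockerhub", "quay.io": "quay", "registry.k8s.io": "k8s"}


def rewrite_image(image):
    """Map an image reference to its internal mirror; idempotent."""
    first, sep, rest = image.partition("/")
    # Docker's rule: the first component is a registry host only if it
    # contains '.' or ':' or is 'localhost'; otherwise Docker Hub is implied.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", image
    if registry == MIRROR:
        return image
    if registry not in PROJECTS:
        raise ValueError(f"registry {registry!r} is not mirrored")
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path        # official images live under library/
    return f"{MIRROR}/{PROJECTS[registry]}/{path}"


def review_pod(review):
    """Build the AdmissionReview response for a Pod admission request."""
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    ops = []
    try:
        for field in ("initContainers", "containers"):
            for i, c in enumerate(req["object"]["spec"].get(field, [])):
                new = rewrite_image(c["image"])
                if new != c["image"]:
                    ops.append({"op": "replace", "value": new,
                                "path": f"/spec/{field}/{i}/image"})
    except ValueError as err:
        # Fail closed: an unvetted registry is rejected, not passed through.
        resp = {"uid": req["uid"], "allowed": False, "status": {"message": str(err)}}
        ops = []
    if ops:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}


if __name__ == "__main__":
    # Constructed request, not captured from a real cluster.
    sample = {"request": {"uid": "constructed-uid", "object": {"spec": {
        "containers": [{"name": "web", "image": "nginx:1.25"}]}}}}
    print(json.dumps(review_pod(sample), indent=2))
```

Because `rewrite_image` leaves already-mirrored references untouched, the webhook is safe to run more than once on the same Pod.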

Answered By DevOpsDynamo On

Check out Zarf! It combines images and Helm charts into a single tar file for easy transfer to air-gapped environments. It's a neat solution, but just a heads up—it’s pretty opinionated. If you only need to ship OCI artifacts, you might find Hauler to be a more flexible choice.

CloudNinja99 -

Yeah, Zarf is a great tool, but you might want something simpler if that's all you need to do!

Answered By DataDude130 On

Why skip SSO or SAML? You could leverage your internal directory services for authentication. However, if you’re going full air-gap, you could send internal telemetry instead. It’s risky to operate without monitoring and security measures in place, especially when you’re working in sensitive environments.

Answered By CloudNinja99 On

You don't need internet for kubectl and k9s since they communicate directly with your API server. The real challenge is managing your images and artifacts—it's not about the tools themselves. You can mitigate this by using internal container registries to manage selected images as long as you have someone responsible for maintaining them.

Answered By AirGapGuru22 On

Managing air-gapped clusters requires a solid external container registry where you can pull images into your internal one. We still use tools like Grafana and Prometheus for monitoring and Terraform for managing our setups. Everything’s documented in GitLab, and we have automated pipelines set up to handle deployments effectively.
