Air-Gapped Deployment Kubernetes Ingress: A Practical Guide

Air-gapped environments present unique challenges when deploying Kubernetes workloads, including managing network isolation while maintaining cluster functionality. A key part of this puzzle is setting up ingress in these air-gapped deployments. While ingress controllers in standard Kubernetes setups enable external connectivity, air-gapped environments demand fine-tuned solutions to ensure external access without compromising the disconnected nature of the system.

This blog post breaks down how to set up Kubernetes ingress in air-gapped deployments with both precision and simplicity. By the end, you'll have actionable insights for implementing robust ingress configurations in your air-gapped clusters.

What Makes Air-Gapped Deployments Different for Ingress?

In air-gapped environments, the key constraint is the absence of direct internet access. No automatic downloads, updates, or external connections can be assumed. For Kubernetes ingress, this means:

  1. No direct outbound connections – cloud-native solutions like managed load balancers and DNS providers are off the table.
  2. Private or manual management of ingress endpoints – you need to handle TLS certificates, routes, and DNS resolution within the confines of the isolated network.
  3. Controlled package distribution – container images, binaries, and updates must be manually brought into the environment.

These conditions fundamentally reshape how ingress controllers are configured and deployed.

Core Requirements for Air-Gapped Kubernetes Ingress

When deploying ingress in an air-gapped Kubernetes environment, you need a solution that supports:

  • Internal Load Balancers: Use solutions that work entirely within your network, such as MetalLB for bare-metal or self-contained environments.
  • Static IP Assignment: Ensure ease of routing by reserving static IP addresses for ingress endpoints.
  • Self-Managed TLS Certificates: Use a solution like cert-manager configured for private certificate authorities or manual certificate loading.
  • Customizable DNS: Rely on internal or manually configured DNS servers for host-based routing.

Understanding these requirements is a good starting point for implementing ingress. Now let’s explore a practical configuration.

Step-by-Step: Deploying Kubernetes Ingress in an Air-Gapped Cluster

Below is an example setup using popular tools that align with air-gapped constraints.

1. Install Kubernetes in Your Air-Gapped System

First, ensure you’ve bootstrapped Kubernetes using air-gapped-friendly images. Tools like kubeadm allow you to specify preloaded images stored locally in your private registry.

Tip: Preload ingress controller images (e.g., nginx-ingress-controller) into your private registry during the cluster setup process.

2. Deploy a Local Load Balancer Compatible with Your Environment

In air-gapped deployments, a load balancer like MetalLB is a common choice for bare-metal setups.

  • MetalLB can operate in layer 2 mode or BGP mode for internal IP allocation.
  • Configure a pool of static IPs to be used for ingress services.

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: ingress-ip-pool
spec:
  addresses:
  - 10.0.0.100-10.0.0.200
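
In layer 2 mode a pool is only announced once an L2Advertisement references it. The following is an added example, not part of the original post: it repeats the pool with allocation locked down and adds the advertisement. The names ingress-l2, metallb-system and ingress-nginx are assumptions about where MetalLB and the ingress controller are installed.

```yaml
# Added example (assumed namespaces: metallb-system, ingress-nginx).
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: ingress-ip-pool
  namespace: metallb-system      # MetalLB resources live in MetalLB's own namespace
spec:
  addresses:
  - 10.0.0.100-10.0.0.200
  # Do not hand these addresses to arbitrary LoadBalancer Services;
  # a Service must request one explicitly (as the ingress Service does).
  autoAssign: false
  # Only Services in the ingress controller's namespace may draw from the pool.
  serviceAllocation:
    namespaces:
    - ingress-nginx
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: ingress-l2
  namespace: metallb-system
spec:
  # Announce only the ingress pool; other pools need their own advertisement.
  ipAddressPools:
  - ingress-ip-pool
```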

3. Install and Configure an Ingress Controller

Choose a lightweight ingress controller suited to private environments, such as nginx-ingress.

Deploy it with customized parameters to align with your internal DNS and static IP setup:

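# Fragment of the controller's Service: only the fields relevant to IP assignment are shown.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
spec:
  type: LoadBalancer
  # Must be an address inside the MetalLB pool (10.0.0.100-10.0.0.200).
  # spec.loadBalancerIP is deprecated since Kubernetes 1.24; MetalLB also
  # accepts the metallb.universe.tf/loadBalancerIPs annotation.
  loadBalancerIP: 10.0.0.100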

4. Manage TLS Certificates

Set up cert-manager with access to your private certificate authority, or preload certificates manually, then reference the resulting Secret in the Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  tls:
  - hosts:
    - app.internal.local
    secretName: tls-secret
  rules:
  - host: app.internal.local
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-service
            port:
              number: 80
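
One way to have cert-manager issue the tls-secret referenced above from a private CA, with no ACME or other outbound traffic. This is an added example, not part of the original post; the names internal-ca, internal-ca-keypair and app-internal-local, and the default namespace, are assumptions.

```yaml
# Added example. Assumes the CA certificate and key were generated offline and
# imported as a kubernetes.io/tls Secret named internal-ca-keypair in the
# cert-manager namespace, where a ClusterIssuer looks up its secrets by default.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-keypair
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-internal-local
  namespace: default             # assumption: same namespace as example-ingress
spec:
  secretName: tls-secret         # the Secret the Ingress tls block points at
  dnsNames:
  - app.internal.local           # must match the Ingress host
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
  duration: 2160h                # 90 days
  renewBefore: 360h              # renew 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always       # new key on every renewal
  usages:
  - digital signature
  - server auth
```

Clients inside the air gap need the CA certificate in their trust store, since no public root will validate certificates issued this way.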

5. Configure Internal DNS

Finally, update your internal DNS server or manually adjust /etc/hosts on downstream machines to point app.internal.local to the static ingress IP (e.g., 10.0.0.100).

By the end of these steps, your air-gapped cluster will have fully functioning ingress, compatible with its isolated constraints.

Troubleshooting Common Issues

Setting up ingress in air-gapped environments may involve unexpected hurdles. Be alert to these common problems:

  • Image Pull Failures: Verify all ingress controller images are preloaded or accessible from your private registry.
  • TLS Configuration Errors: Debug certificate creation issues and verify access to your private CA.
  • DNS Resolution Failures: Double-check DNS mappings and static IP configurations.

Proper logging and monitoring solutions are also crucial for identifying bottlenecks in your ingress pathway. Consider using tools like Prometheus or Grafana to track usage and errors in real time.

See an Air-Gapped Kubernetes Ingress in Action

Efficient air-gapped app deployment often feels complicated, but tools built with simplicity and automation in mind—like Hoop.dev—can make the process easier. Test how you can set up reliable Kubernetes endpoints, ingress rules, and TLS in minutes by signing up today.

Streamline your air-gapped deployments and leave ingress headaches behind with Hoop.dev.
