Air-gapped deployment with kubectl
You pull the network cable. Silence. The cluster still needs you.
Air-gapped deployment with kubectl is the moment you stop relying on the internet and own the full path from plan to production. But in an offline environment, every command, every image pull, every manifest push demands forethought. There are no last-minute fixes from public repos. There’s only what you prepare.
An air-gapped Kubernetes environment keeps critical systems isolated from external networks. This means securing not only your workloads, but also your operational tools. If you use kubectl to manage your clusters, you need a bulletproof setup that works without a single outbound request.
Start with the binaries. Download your targeted version of kubectl from a trusted source on a connected machine. Verify checksums. Move it into your secure zone via approved transfer methods. Install it where you'll run operations.
Next, think container images. Your workloads need a local container registry inside the air gap. Preload every required image (application, infrastructure, sidecars) before the gap closes. Make every image reference, whether it sits in a manifest or is passed to kubectl with --image, point to your internal registry. Keep image tags immutable to avoid drift.
Manifests and configs come next. Store them in a version control repository that lives within the air-gapped environment. Pull requests, reviews, and CI/CD should all happen behind the firewall. External dependencies—Helm charts, CRDs—must be downloaded, verified, and imported before deployment.
When it’s time to apply changes, kubectl apply -f works exactly the same way—but only because you’ve already done the extra work. Logging and monitoring must also be internal. Export metrics to local Prometheus, store logs locally, run dashboards without leaving the zone.
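A pre-apply check for the image rules above, as an added example that is not part of the original article: it scans a manifest for image references that point outside the internal registry or use a floating tag (none, or latest). The registry name registry.airgap.internal:5000, the sample manifest, and the function names are assumptions made for illustration.

```python
import re

INTERNAL_REGISTRY = "registry.airgap.internal:5000"  # assumed name, not from the article

# Constructed sample manifest fragment (illustrative; the digest is a made-up value).
SAMPLE = """\
containers:
  - name: migrate
    image: registry.airgap.internal:5000/tools/migrate:1.4.2
  - name: app
    image: registry.airgap.internal:5000/shop/web@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  - name: proxy
    image: "nginx:1.25"
  - name: logger
    image: registry.airgap.internal:5000/infra/fluent-bit
  - image: quay.io/example/exporter:latest
    name: exporter
"""

# Line-based scan (stdlib only, no YAML parser): `image: ref` or `- image: ref`.
IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?([^\s"'#]+)""")

def split_ref(ref):
    """Split an image reference into (registry, tag, digest)."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # Docker convention: a first component without '.', ':' or 'localhost' means Docker Hub.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    tag = path.rsplit("/", 1)[-1].partition(":")[2]  # tag lives on the last path component
    return registry, tag, digest

def audit(manifest_text, registry=INTERNAL_REGISTRY):
    """Return (line, ref, problem) for each image reference that breaks the rules."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if not m:
            continue
        reg, tag, digest = split_ref(m.group(1))
        if reg != registry:  # would need an outbound pull
            findings.append((lineno, m.group(1), "external-registry"))
        if not digest and tag in ("", "latest"):  # no tag resolves to :latest
            findings.append((lineno, m.group(1), "floating-tag"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A pinned tag such as 1.4.2 passes this check, but it is only immutable if the internal registry is configured to reject tag overwrites; a digest reference does not depend on that setting.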
Security isn’t a feature in air-gapped deployment. It’s the default. No outside traffic means no direct path for attacks, but only if your source materials are clean. Always scan images before you move them in. Keep your cluster updated by periodically importing signed patches from outside sources via controlled media.
Air-gapped deployment with kubectl is less about limitation, more about control. When everything from CLI tooling to images to manifests is under your hand, there’s no question about uptime, compliance, or provenance. The cluster doesn’t guess. It executes.
Want to see this kind of operational certainty in action? Try it on hoop.dev—spin up a live, isolated Kubernetes workflow in minutes, and know exactly what’s running, where, and why.