Air-gapped deployment isn’t an edge case anymore. For security-first environments, it’s the baseline. No internet. No external services. Every bit of code, configuration, and container image has to be shipped in, verified, and locked down. If you’re running Kubernetes this way, your challenges multiply fast — especially when it comes to network policies.
Kubernetes network policies in an air-gapped environment aren’t just guardrails. They are the walls, the gates, and the locks. Without them, services can talk freely across namespaces and pods, leaving attack surfaces open. In disconnected clusters, you have zero margin for misconfiguration.
Start with least privilege. Define exactly which pods can communicate, over which ports, in which direction. Every allow rule should be explicit. No assumptions. The default-deny stance isn’t negotiable — it’s the foundation. Apply it cluster-wide, then add fine-grained allows only for services that absolutely need them.
Air-gapped deployment means you can’t pull updates, plugins, or manifests from remote repos in real time. All manifests for network policies must be bundled and signed before they enter the environment. The same goes for CNI plugins like Calico or Cilium. Keep an internal image registry inside the gap, and mirror every dependency there. Version control at the artifact level is mandatory.
Testing in a connected dev environment isn’t enough. Simulate the air gap completely before production. Validate network policies under the same isolated constraints you’ll face in the real cluster. Run policy tests as part of your CI/CD pipeline. Break things on purpose to confirm that your deny rules actually stop traffic.
Compliance regimes — from PCI DSS to classified government workloads — often require this exact combination: air-gapped infrastructure with tight network segmentation. Kubernetes gives you the primitives, but you have to wire them correctly. YAML is unforgiving. A single missing selector can open a hole big enough for lateral movement inside the cluster.
Automation is your ally here. Templates for network policies reduce human error. Use policy-as-code, store it in Git, and bake it into your deployment artifacts. Apply changes atomically so you don’t leave gaps during rollout. Document everything locally since your cluster can’t call out for help.
Done right, Kubernetes network policies in an air-gapped deployment give you total control over pod-to-pod, pod-to-service, and ingress/egress traffic. Done wrong, they create invisible risks that only show when it’s too late.
If you want to see what this level of security and control feels like in action, take a look at hoop.dev — you can watch it run live in minutes, even for complex, restricted environments.