All posts
ConceptsOctober 16, 20251 min read

Running kubectl in an air-gapped environment

The cluster was offline. No internet. No external repos. And yet, deployments had to ship. Running kubectl in an air-gapped environment is not optional for teams handling strict compliance, classified systems, or isolated data centers. It’s a hard constraint. Every image, every manifest, every plugin must be available inside the perimeter before a single command can succeed. Start with the basics. Kubernetes tools, including kubectl, are not magical. They talk to the API server, which lives in

Free White Paper

Just-in-Time Access: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The cluster was offline. No internet. No external repos. And yet, deployments had to ship.

Running kubectl in an air-gapped environment is not optional for teams handling strict compliance, classified systems, or isolated data centers. It’s a hard constraint. Every image, every manifest, every plugin must be available inside the perimeter before a single command can succeed.

Start with the basics. Kubernetes tools, including kubectl, are not magical. They talk to the API server, which lives inside your cluster. In an air-gapped Kubernetes setup, nothing pulls from public networks. That means your workflows depend on internal mirrors, private registries, and locally cached binaries.

Download kubectl from a trusted source ahead of time. Check its checksum. Store it in a secure, internal location. Distribute it through your configuration management or provisioning pipeline. Never assume the binary will be available later—you will not be able to curl or wget anything once inside the air gap.

Next, replicate container images into an internal registry. Use docker save or ctr to create tar archives. Import them into your private registry before deployment. Update manifests to point to internal image paths. If kubectl applies a manifest pointing to docker.io/library/nginx, it will fail in an air-gapped zone unless you’ve mirrored that image locally.

Continue reading? Get the full guide.

Just-in-Time Access: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

For extensions like kubectl plugins or Krew, pre-fetch and package them into your environment. Bundle plugin binaries into your Git repo or artifact repository. Air-gapped systems require a one-time load-through before operational use.

Testing is critical. Spin up a network-restricted sandbox. Run your kubectl commands there. Watch for failures when the CLI tries to reach external endpoints. This process will surface missing images, unmirrored charts, or absent binaries before production.

Security benefits are direct—air-gapping cuts the attack surface dramatically—but operational discipline must rise to match. Every dependency becomes part of your inventory. Every update must be staged and signed before crossing into the gap.

When done right, kubectl in air-gapped Kubernetes runs as smoothly as in connected clusters—provided you control every artifact. When done wrong, a single missing image or binary halts deployment.

Want to see how air-gapped workflows can be streamlined without losing control? Check out hoop.dev and spin it up. See it live in minutes.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts