Running kubectl in an air-gapped environment

The cluster was offline. No internet. No external repos. And yet, deployments had to ship.

Running kubectl in an air-gapped environment is not optional for teams handling strict compliance, classified systems, or isolated data centers. It’s a hard constraint. Every image, every manifest, every plugin must be available inside the perimeter before a single command can succeed.

Start with the basics. Kubernetes tools, including kubectl, are not magical. They talk to the API server, which lives inside your cluster. In an air-gapped Kubernetes setup, nothing pulls from public networks. That means your workflows depend on internal mirrors, private registries, and locally cached binaries.

Download kubectl from a trusted source ahead of time. Verify its checksum against the value published with that release. Store it in a secure, internal location. Distribute it through your configuration management or provisioning pipeline. Never assume the binary will be available later—you will not be able to curl or wget anything once inside the air gap.

Next, replicate container images into an internal registry. Use docker save or ctr to create tar archives. Import them into your private registry before deployment. Update manifests to point to internal image paths. If kubectl applies a manifest pointing to docker.io/library/nginx, it will fail in an air-gapped zone unless you’ve mirrored that image locally.

For extensions like kubectl plugins or Krew, pre-fetch and package them into your environment. Bundle plugin binaries into your Git repo or artifact repository. Air-gapped systems require a one-time load-through before operational use.

Testing is critical. Spin up a network-restricted sandbox. Run your kubectl commands there. Watch for failures when the CLI tries to reach external endpoints. This process will surface missing images, unmirrored charts, or absent binaries before production.
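The steps above (verify the staged binary, re-home image references into the internal registry, then audit the manifests in the sandbox) as one added shell example; it is not code from this post or from hoop.dev. The registry name, the convention of keeping the upstream host as the first path component under the internal registry, and the sample manifest, inventory and stand-in binary are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the post: staging checks for kubectl and images before they cross
# an air gap. Registry name, mirror naming convention and sample files are assumptions.
set -eu
INTERNAL_REGISTRY="${INTERNAL_REGISTRY:-registry.airgap.internal:5000}"
Q="[\"']"   # one quote character of either kind, for sed

# SHA-256 of a file: coreutils sha256sum, or shasum on macOS.
sha256_of() {
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# Step 1: the staged binary must match the digest recorded at download time (kubectl
# releases publish a .sha256 file holding only the digest). Fails closed.
verify_checksum() {
    [ -f "$2" ] || { echo "missing checksum file for $1" >&2; return 1; }
    expected=$(awk '{ print $1; exit }' "$2"); actual=$(sha256_of "$1")
    [ "$expected" = "$actual" ] && return 0
    echo "checksum mismatch for $1: expected $expected, got $actual" >&2; return 1
}

# Every image reference in a manifest (file argument, or stdin when none is given).
# Handles 'image: nginx', '- image: "quay.io/a/b:v1"' and trailing comments.
list_images() {
    grep -E '^[[:space:]]*(-[[:space:]]+)?image:' "${1:--}" \
      | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*#.*$//' -e "s/^$Q//" -e "s/$Q[[:space:]]*\$//"
}

# Step 2: where a reference lives in the mirror. Bare names expand to their docker.io form,
# then the upstream host is kept as the first path component under the internal registry
# (assumed convention):  nginx:1.25 -> REG/docker.io/library/nginx:1.25,  quay.io/x/y -> REG/quay.io/x/y
normalize_ref() {
    first=${1%%/*}
    case "$1" in
        */*) case "$first" in *.*|*:*|localhost) echo "$1" ;; *) echo "docker.io/$1" ;; esac ;;
        *)   echo "docker.io/library/$1" ;;
    esac
}
mirror_target() { echo "$INTERNAL_REGISTRY/$(normalize_ref "$1")"; }

# Rewrite a manifest in place so every image points at the mirror. References that already
# do are left alone (safe to run twice); quoting and comments survive.
rewrite_manifest() {
    tmp="$1.rewrite.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        ref=$(printf '%s\n' "$line" | list_images)
        case "$ref" in
            ""|"$INTERNAL_REGISTRY"/*) ;;
            *) line=$(printf '%s\n' "$line" | sed "s|$ref|$(mirror_target "$ref")|") ;;
        esac
        printf '%s\n' "$line"
    done < "$1" > "$tmp"
    mv "$tmp" "$1"
}
# Transfer side (needs a container runtime, so not run here): bundle the mirror targets,
# carry the archive across, load it, then push to $INTERNAL_REGISTRY:
#   docker save -o bundle.tar <images...> / docker load -i bundle.tar   (ctr: images export / import)

# Step 3: pre-flight audit for the network-restricted sandbox. Every reference must already
# point at the mirror AND be listed in the registry inventory (one ref per line).
# Offenders are printed; the return code is 1 if there are any.
preflight() {
    bad=0
    for ref in $(list_images "$1" | sort -u); do
        case "$ref" in
            "$INTERNAL_REGISTRY"/*) grep -qxF "$ref" "$2" || { echo "NOT MIRRORED: $ref"; bad=1; } ;;
            *) echo "EXTERNAL REF: $ref"; bad=1 ;;
        esac
    done
    return $bad
}

# --- constructed sample inputs standing in for real staged artifacts ---
WORK=$(mktemp -d)
STAGED_BIN="$WORK/kubectl"
printf 'stand-in bytes for a staged kubectl binary\n' > "$STAGED_BIN"
sha256_of "$STAGED_BIN" > "$STAGED_BIN.sha256"   # digest recorded at download time
SAMPLE_MANIFEST="$WORK/deploy.yaml"
cat > "$SAMPLE_MANIFEST" <<'EOF'
spec:
  template:
    spec:
      initContainers:
        - image: "busybox:1.36"   # quoted library image
      containers:
        - image: nginx:1.25
          imagePullPolicy: IfNotPresent
        - image: quay.io/prometheus/node-exporter:v1.7.0
EOF
SAMPLE_INVENTORY="$WORK/registry-inventory.txt"   # what was actually loaded into the mirror
printf '%s\n' "$INTERNAL_REGISTRY/docker.io/library/nginx:1.25" \
    "$INTERNAL_REGISTRY/docker.io/library/busybox:1.36" > "$SAMPLE_INVENTORY"

# Walk the procedure on the samples; the exporter image is deliberately not staged.
run_demo() {
    verify_checksum "$STAGED_BIN" "$STAGED_BIN.sha256" && echo "kubectl checksum OK"
    cp "$SAMPLE_MANIFEST" "$WORK/deploy.mirrored.yaml" && rewrite_manifest "$WORK/deploy.mirrored.yaml"
    preflight "$WORK/deploy.mirrored.yaml" "$SAMPLE_INVENTORY" && echo "pre-flight passed" \
        || echo "pre-flight FAILED: stage the images listed above first"
}
run_demo
```

Run it as-is to see the walkthrough end to end. In practice, point verify_checksum at the real staged binary and its recorded .sha256, and generate the inventory file from the private registry's catalogue, so the pre-flight check compares manifests against what actually crossed the gap rather than against what was intended to.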

Security benefits are direct—air-gapping cuts the attack surface dramatically—but operational discipline must rise to match. Every dependency becomes part of your inventory. Every update must be staged and signed before crossing into the gap.

When done right, kubectl in air-gapped Kubernetes runs as smoothly as in connected clusters—provided you control every artifact. When done wrong, a single missing image or binary halts deployment.

Want to see how air-gapped workflows can be streamlined without losing control? Check out hoop.dev and spin it up. See it live in minutes.