Performing an Airgap Install on an Existing Kubernetes Cluster

Treva Williams | Jun 3, 2021

Depending on your background, how word association works in your mind, or your search engine technique, hearing the phrase “airgap environment” might trigger thoughts of anything ranging from spaceships to dishwashers. Despite the interesting and seemingly unrelated word choice, Replicated has not decided to move into the home improvement space – though there may be some space-related announcements in the future – but instead has provided a way for enterprise application developers to deliver and maintain their airgap Kubernetes apps to extremely high-security environments using KOTS.

What is an airgap environment?

Before we dive into airgap on KOTS, let’s talk about airgap environments a bit. In this context, an airgap environment is a computer or server network that has been completely isolated from all public and unsecured networks. In some cases, these instances can be accessed remotely through something called a “jump host,” a (hopefully) highly secured interim server that is connected to the airgapped network and has limited public network access. A third party, like a sysadmin or engineer, connects to the interim machine and then “jumps” to the fully airgapped instance. There are usually additional VPN and authentication layers to further secure the connection and keep the bad guys away, but every environment is unique. In some instances, servers hosting extremely sensitive data won’t have a jump host at all and can only be accessed on-site, at the server’s physical location. I’m sure you can imagine how much of an inconvenience that would be, and therefore why the method isn’t used except when absolutely necessary.

While the extra steps like jump hosts, VPNs, auth policies, and whatever other security policies an organization may require can be a bit of a headache to deal with, the peace of mind that comes with knowing that your and/or your clients’ most sensitive data is well-protected is worth the extra steps. 

```
$ curl https://kots.io/install | bash && kubectl kots install my-awesome-app
```

With that said, there is an additional trade-off: airgapped environments sometimes require a bit of MacGyvering when it comes to installing new software. As you’re aware, KOTS is an application management console and kubectl plugin that allows developers to quickly and efficiently release, update, monitor, license, and graduate their applications from the Vendor Portal. In a “normal” (meaning not airgapped) environment, the KOTS plugin is installed with a cURL one-liner, and the plugin is then used to download and install the vendor’s application with the kubectl kots install command. That clearly won’t work if the network has no connection to the public internet. Fortunately, the always security-minded developers at Replicated included the built-in capability to install KOTS applications in airgapped environments by packaging all the files your app needs into a compressed archive, which can then be carried across the airgap and sent to clients for installation.

```
$ kubectl kots admin-console push-images ./kotsadm.tar.gz repltest.jfrog.io/repl-docker-local \
    --registry-username $USER_NAME --registry-password $PASSWORD
```

If you’re curious to see how that’s done, check out the video by my colleague Fernando Cremer for a full walkthrough on performing airgap Kubernetes installations.
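Because the archive is carried across the airgap by hand (USB media, a jump host, a file drop), the operator on the isolated side should confirm it arrived intact before pushing its images into the private registry. The script below is an added example written for this post, not Replicated’s code: it checks each bundle’s SHA-256 against the digest recorded on the connected side, and only then runs the push-images command shown above followed by kubectl kots install with its airgap flags. The file names, the registry address in REGISTRY, the app slug in APP_SLUG, the license file path in LICENSE_FILE, and the credential variables are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Replicated's code): verify the integrity of airgap
# bundles that were carried across the airgap before pushing their images
# into the private registry and running the install.
set -eu

# Compute the SHA-256 of a file; portable across GNU coreutils and macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_bundle FILE EXPECTED_SHA256
# Returns 0 when the file's digest matches the value recorded on the
# connected side; returns 1 on mismatch or when the file is missing.
verify_bundle() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || { echo "missing bundle: $file" >&2; return 1; }
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# airgap_install KOTSADM_BUNDLE KOTSADM_SHA APP_BUNDLE APP_SHA
# The sequence from the post, gated on the checks above. REGISTRY, APP_SLUG,
# LICENSE_FILE, USER_NAME and PASSWORD are assumed to be exported by the
# operator on the airgapped node (assumed names, not part of the post).
airgap_install() {
  local kotsadm_bundle="$1" kotsadm_sha="$2" app_bundle="$3" app_sha="$4"
  verify_bundle "$kotsadm_bundle" "$kotsadm_sha"
  verify_bundle "$app_bundle" "$app_sha"

  # 1. Push the admin console images into the private registry
  #    (the same command as in the post).
  kubectl kots admin-console push-images "$kotsadm_bundle" "$REGISTRY" \
    --registry-username "$USER_NAME" --registry-password "$PASSWORD"

  # 2. Install the application from its airgap bundle, pointing KOTS at
  #    the private registry instead of the public internet.
  kubectl kots install "$APP_SLUG" \
    --airgap-bundle "$app_bundle" \
    --license-file "$LICENSE_FILE" \
    --kotsadm-registry "$REGISTRY" \
    --registry-username "$USER_NAME" --registry-password "$PASSWORD"
}
```

Record the digests with sha256sum on the connected side when you build the bundles, and transfer that checksum list separately from the archives so a corrupted or substituted bundle is caught before any image reaches the registry. Because the script uses set -e, a failed check in verify_bundle aborts airgap_install before either kubectl command runs.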