Kubernetes and Airgap

Best practices for creating airgap installations on Kubernetes

This content is associated with a legacy version of the Replicated product. For the current Replicated product documentation, see docs.replicated.com.

Kubernetes and Airgap

An airgap cluster is any cluster that doesn’t have outbound internet access, and therefore cannot pull application images from a Docker registry. This can make it difficult to set up and to manage.

Replicated kURL is an open source Kubernetes distro creator that enables anyone to customize their own airgap installable Kubernetes cluster. Through kURL, Replicated also provides a full airgap Kubernetes installer with several popular components that is freely available for download & use. Once download or move the tar.gz to a compatible airgapped Linux server and untar the directory, which will include these contents: air gap Kubernetes installer Once you have untarred the installer you can run the install.sh from the Linux server that you want to install K8s on.

tar xvf latest.tar.gz
cat install.sh | sudo bash

Or run the installer with any of the advanced install options (such as HA mode):

tar xvf latest.tar.gz
cat install.sh | sudo bash -s ha

From there you should be able to follow the instructions printed at the end of the install process to add nodes or connect remotely via kubectl.

If you or your customer already has an airgap cluster ready for your installation you can use Replicated KOTS to deliver and manage the application.

The recommended way to deploy applications to airgap clusters is to require a Docker registry that’s already running in the customer environment.

When requiring an existing Docker registry to use, the images will have to be retagged and pushed to the registry at install time. Both Replicated Kots & Replicated Ship supports this workflow from the workstation that’s performing the installation:

  1. Require that the installer provide the registry name and namespace in the registry
  2. Require that the workstation running the installation be logged in to the registry

Once these requirements are met, the Ship assets and scripts can:

  1. Pull all public and private images using Docker
  2. Retag the images to match the registry endpoint and namespace
  3. Update the Kubernetes YAML to reflect the correct registry to pull from

Example using Kubernetes and a Registry

    - docker:
        dest: ./images/redis.tar
        image: redis:4.1
    - inline:
        dest: ./k8s/redis.yml
        contents: |
          apiVersion: v1
          kind: Pod
            name: redis
            - name: redis
              image: {{repl ConfigOption "registry_endpoint"}}/{{repl ConfigOption "registry_namespace"}}/redis:4/1
              - name: MASTER
                value: "true"
              - containerPort: 6379
    - inline:
        dest: ./install.sh
        mode: 0755
        contents: |

          docker load < ./installer/images/redis.tar
          docker tag redis:4.1 {{repl ConfigOption "registry_endpoint"}}/{{repl ConfigOption "registry_namespace"}}/redis:4.1
          docker push {{repl ConfigOption "registry_endpoint"}}/{{repl ConfigOption "registry_namespace"}}/redis:4.1

          kubectl apply -f ./installer/k8s

    - name: registry
      title: Docker Registry
        - name: registry_endpoint
          type: text
          required: true
          help_text: registry.mycompany.com
        - name: registry_namespace
          type: text
          required: true
          help_text: myapp