Air-gapped environments, while highly secure, pose challenges for deploying applications. Traditional methods, such as transferring charts manually on physical media and then running helm install, are time-consuming and error-prone. Devtron's Software Distribution Hub (SDH) offers a solution that automates the deployment process to air-gapped Kubernetes clusters. SDH leverages the Release Operator CRD to fetch, deploy, and monitor deployment status, simplifying the entire workflow and ensuring efficient and secure deployments.
What Are Air-Gapped Environments?
Air-gapped environments are isolated clusters that have no direct connection to the internet. This physical separation makes them a highly secure solution for organizations handling sensitive data and critical infrastructure.
Why Do Organizations Use Air-Gapped Environments?
- Enhanced Security: By removing direct internet access, air-gapped environments can significantly reduce the risk of cyberattacks, such as:
  - Ransomware: Malicious software that encrypts data and demands a ransom.
  - Data Breaches: Unauthorized access to sensitive information.
  - Supply Chain Attacks: Compromised software or hardware.
- Protection of Critical Data: Industries like energy, weapons systems, finance, and government rely on air-gapped environments to safeguard critical systems and prevent disruptions.
- Compliance & Regulations: Many industries have strict data privacy and security regulations, such as HIPAA, GDPR, and PCI-DSS. Air-gapped environments help organizations meet these compliance requirements.
By isolating their sensitive systems, organizations reduce the risk of cyberattacks and ensure the smooth continuity of their operations.
Why is it so tough to deploy?
Kubernetes is primarily designed for cloud-native environments. Container configurations often assume the availability of images on public repositories. In air-gapped environments, this convenience is lost: without internet connectivity there is no direct access to public registries, which complicates the deployment process. The only remaining approaches are:
Manual Chart Transfer
- Physical Transfer: Chart packages are physically transferred via USB drives or other media. This method is time-consuming, prone to human error, and lacks the benefits of automated deployment pipelines.
- Manual Installation: Charts must be manually installed using the helm install command, requiring careful attention to configuration and dependencies.
Internal Repository Setup
Organizations must set up internal chart repositories within the air-gapped environment. This involves configuring a repository server, such as Harbor or ChartMuseum, and managing chart versions and dependencies. Charts must be manually pushed into the internal repository. This process can be time-consuming and error-prone, especially for large-scale deployments.
Overcoming these challenges requires careful planning, robust security measures, and specialized tools to automate and streamline the deployment process. This is where Devtron comes in.
The Devtron Way: Execute Secure Deployments at Lightning Speed
With Devtron’s new Software Distribution Hub, client-side deployments have already become a piece of cake. Here’s a comprehensive document highlighting the ease of using SDH compared with normal deployments.
Now, with the upgraded Isolated Clusters feature, Devtron’s Software Distribution Hub (SDH) has you covered for deployments on air-gapped clusters as well. Imagine deploying your code on an air-gapped cluster, completely isolated from the internet, while monitoring the deployment status. With Devtron’s Release Operator CRD deployed on your air-gapped cluster, this dream becomes a reality.
A Breeze to Set Up
Prerequisites
- A Devtron instance, along with the Release Operator CRD, is deployed in your air-gapped cluster.
- Ensure the CRDs have private registry credentials, which will be used to manage the images and chart versions in the air-gapped environment.
Step 1: Onboarding the Air-Gapped Cluster and Creating the Environment
- To manage and execute deployments to your air-gapped cluster, you must first onboard it on your Devtron dashboard.
- Navigate to Global Configuration > Clusters & Environments > Add Cluster > Add Isolated Cluster.
- Create an environment in the air-gapped cluster. Follow Devtron’s documentation for creating an environment.
Step 2: Create CI/CD Pipelines
- To create CI/CD pipelines for your application, create a new Devtron application. Refer to Devtron’s application configuration documentation.
- In the CD pipeline, select your registry and specify the repository name for the charts, typically your private registry used in the air-gapped environment.
Step 3: Prepare for Release
- Navigate to the Software Distribution Hub, map the environment to the tenant, and click save.
- A pop-up asks whether to push the generated chart to the registry or save it locally. For now, we will choose to push the generated charts to the OCI registry of our isolated cluster.
- Now navigate to the Release Hub > choose Release Track, select the release that includes the environment, and initiate the deployment.
- This action generates a Helm chart package equipped with all necessary configurations and metadata for deployment across any Kubernetes cluster and pushes it to your registry.
- Once the Helm charts are pushed to the private registry created in the isolated cluster, the deployments are handled by Devtron’s Release Operator.
The Magic of Devtron’s Release Operator
The Release Operator acts like a gatekeeper: it has an internal, configurable cron setup that polls the registry at regular intervals.
When it detects a new tag, it springs into action, pulling the tag and creating a CRD named “Releases”. This CRD orchestrates the deployment of the chart on your air-gapped cluster.
Meanwhile, the Release Operator continuously fetches the status of the Release CRD and updates it back to Devtron’s main instance, if the firewalls permit it. Within minutes, your chart is deployed and operational on the air-gapped cluster.
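The poll-and-detect step described above, sketched as an added example; this is not Devtron's Release Operator code. It assumes the registry exposes the OCI Distribution tags list and a manifest digest per tag, and it goes beyond the text by also recording each tag's digest so that a tag re-pushed with different content is flagged instead of being silently treated as already deployed. The repository name, digests and function names are constructed for illustration.

```python
import json

# Constructed sample: body of an OCI Distribution "GET /v2/<name>/tags/list"
# response from the private registry (hypothetical repository name).
TAGS_LIST = json.loads(
    '{"name": "charts/payments", "tags": ["1.2.0", "1.3.0", "1.10.0", "latest"]}'
)

# Constructed sample: manifest digest per tag, as a registry reports it in the
# Docker-Content-Digest header of a manifest request. Placeholder values.
DIGESTS = {
    "1.2.0": "sha256:" + "aa" * 32,
    "1.3.0": "sha256:" + "ee" * 32,   # differs from SEEN: the tag was re-pushed
    "1.10.0": "sha256:" + "cc" * 32,
    "latest": "sha256:" + "cc" * 32,
}

# State kept between polls: tag -> digest that was already acted on.
SEEN = {"1.2.0": "sha256:" + "aa" * 32, "1.3.0": "sha256:" + "bb" * 32}


def parse_version(tag):
    """Return (major, minor, patch) for strict x.y.z tags, otherwise None."""
    parts = tag.split(".")
    if len(parts) == 3 and all(p.isdecimal() for p in parts):
        return tuple(int(p) for p in parts)
    return None


def plan_poll(seen, tags_list, digests):
    """Compare one poll result with stored state; return actions in version order."""
    actions = []
    versioned = [(parse_version(t), t) for t in tags_list["tags"]]
    # Floating tags such as "latest" are skipped: they do not identify a release.
    for _, tag in sorted((v, t) for v, t in versioned if v is not None):
        digest = digests[tag]
        if tag not in seen:
            actions.append(("deploy", tag, digest))   # new release, pinned by digest
        elif seen[tag] != digest:
            actions.append(("alert", tag, digest))    # known tag now points elsewhere
    return actions


if __name__ == "__main__":
    for action in plan_poll(SEEN, TAGS_LIST, DIGESTS):
        print(action)
```

Versions are compared numerically, so 1.10.0 is ordered after 1.3.0 rather than before it as a plain string sort would do.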
FAQs
What is an air-gapped Kubernetes environment?
An air-gapped Kubernetes environment is a cluster completely isolated from the internet, used by organizations handling sensitive data. This setup protects critical infrastructure from external cyber threats by physically disconnecting it from external networks.
Why do companies use air-gapped environments?
Organizations use air-gapped environments for security, compliance, and data protection. These isolated setups reduce the risk of:
- Ransomware attacks
- Data breaches
- Supply chain vulnerabilities
They’re essential in sectors like finance, healthcare, defense, and government to meet strict regulations (HIPAA, PCI-DSS, GDPR) and secure critical operations.
What are the challenges of deploying to air-gapped clusters?
Deploying to air-gapped clusters is complex because:
- Public registries (DockerHub, Helm Hub) are not accessible
- Manual transfer of Helm charts is error-prone
- Internal registries must be set up and maintained
- No automation in traditional methods
These limitations make secure, fast, and reliable deployments difficult without the right tools.
Can Devtron handle OCI registry integrations for air-gapped deployments?
Yes, Devtron supports OCI-compliant registries for air-gapped environments. During the CD pipeline configuration, you specify the private registry and repository name, ensuring the chart is pushed and managed securely within the isolated setup.
Is Devtron suitable for enterprises with strict compliance needs?
Absolutely. Devtron’s architecture supports secure deployments, private registries, and audit-friendly practices, making it ideal for industries with compliance mandates like HIPAA, GDPR, and PCI-DSS.