Air Gap Implementation (Airplane Mode)

Kubernetes AirGap Implementation (An Airplane Mode)

For anyone new to the term, an air gap is a security measure in which a network or system is physically isolated from other networks, including the internet, to prevent unauthorized access.


In this use case, the task is to build a working application prototype in a connected network. After security clearance, the prototype must be moved to an air-gapped Kubernetes environment where it will live and operate.


Basic Components used:


1. Talos:

A Kubernetes-optimized OS offering a secure, minimal environment with an API-first approach, immutable infrastructure, and automated Kubernetes operations.


2. Zarf:


Facilitates packaging all necessary components including container images, Helm charts, and configuration files, into a single deployable unit for an offline deployment.


How It Works


1. CLI: Zarf uses a command-line tool to create and manage packages for air-gapped deployments.

2. init: The init step gathers all the software, settings, and security rules needed into one package.

3. zpkg: Zarf delivers and installs this package using .zpkg files, allowing easy deployment without internet access.


Figure: an overview of the Zarf package structure and ecosystem.


The Air Gap Implementation Architecture:



1. Package Creation:

In a network-connected setting, zarf package create is used to assemble Zarf packages, bundling all essential deployment artifacts.


2. Secure Transfer:

These Zarf packages are then conveyed to the air-gapped zone using secure transfer methods, so that the environment where Talos operates stays safeguarded.


3. Deployment by Talos:

Once the packages are received by the Talos nodes, the command talosctl apply-config is employed to deploy them, which initializes and activates the Kubernetes workloads.


4. Management and Operations:


The Talos API is the channel for all management and operational tasks, with commands such as talosctl to manage nodes.

Zarf ensures all essential tools and resources are available on the nodes for successful deployment and full functionality in the air-gapped environment.
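
An integrity gate for the Secure Transfer step above, as an added example that is not part of the original post or of Zarf or Talos: digests are recorded on the connected side and checked on the air-gapped side before anything is deployed. The function names, file names and the choice of a SHA-256 manifest kept apart from the packages are assumptions.

```shell
#!/bin/sh
# Added example: integrity gate for the transfer step. All names are assumptions.

# Resolve a path to absolute form (its directory must already exist).
abspath() { printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"; }

# Connected side: write "<sha256>  <path>" for every file under $1 to manifest $2.
# Keep the manifest outside $1 so it can travel separately from the packages.
make_manifest() {
    out=$(abspath "$2")
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# Air-gapped side: return 0 only if $1 holds exactly the files listed in $2, unmodified.
verify_transfer() {
    manifest=$(abspath "$2")
    [ -s "$manifest" ] || { echo "REJECT: manifest missing or empty" >&2; return 1; }
    (
        cd "$1" || exit 1
        # Every listed file must exist and hash to the recorded digest.
        sha256sum -c "$manifest" >/dev/null 2>&1 ||
            { echo "REJECT: digest mismatch or missing file" >&2; exit 1; }
        # Nothing may be present that the manifest does not list.
        listed=$(sed 's/^[0-9a-f]\{64\}  //' "$manifest" | LC_ALL=C sort)
        present=$(find . -type f | LC_ALL=C sort)
        [ "$listed" = "$present" ] ||
            { echo "REJECT: unlisted file in transfer directory" >&2; exit 1; }
    )
}

# Demo on constructed files (stand-ins for real package archives).
demo() {
    work=$(mktemp -d) && mkdir "$work/out"
    printf 'constructed package bytes\n' > "$work/out/app-package.bin"
    make_manifest "$work/out" "$work/SHA256SUMS"
    verify_transfer "$work/out" "$work/SHA256SUMS" && echo "clean transfer: accepted"
    printf 'x' >> "$work/out/app-package.bin"   # simulate modification in transit
    verify_transfer "$work/out" "$work/SHA256SUMS" || echo "modified transfer: rejected"
    rm -rf "$work"
}
demo
```

The check only proves integrity if the manifest reaches the air-gapped side by a path the packages do not share, or is itself signed.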

This is one unusual and exciting project I couldn't stop sharing.


Chances to work on an air gap implementation are very rare. Typically, defense, government, and security domain clients prefer this airplane mode.
