DevOps / Kubernetes Platform Engineering

Air-Gapped, Offline and Hardened Kubernetes with Kubespray

A documentation-first project for building a production-style Kubernetes cluster in a restricted or fully air-gapped environment using Kubespray, Rocky Linux, Nexus Repository Manager, containerd and Cilium.

What this project solves

Many Kubernetes examples assume direct Internet access, public registries and a simple cluster. This project documents the real-world path for deploying Kubernetes where nodes must use internal repositories and controlled artifact flows only.

Offline-first deployment

Prepare RPM packages, Python wheels, Kubernetes binaries and container images before entering the restricted network.

Internal artifact supply chain

Use Nexus Repository Manager as the internal source for OS packages, raw files and container images.

Operational runbooks

Document validation, troubleshooting, firewall rules, day-2 changes and CI/CD-based re-apply workflows.

Reference architecture

The runbook uses a multi-node Kubernetes design with an HA control plane, private repositories and separated management/data-plane addressing.

Core design

  • Three control-plane nodes.
  • Worker nodes for application workloads.
  • A Kubespray automation host with SSH access to Kubernetes nodes.
  • Nexus as the internal RPM, raw artifact and container image source.
  • API access through a load-balanced VIP on port 6443.

Production safety notes

  • Replace all sample IP addresses, hostnames and repository names.
  • Never commit real passwords, tokens, private keys or certificates.
  • Validate checksums before promoting offline artifacts.
  • Test the full workflow in a lab before using it for a real environment.

Documentation map

Start with the main runbook, then use the supporting documents for Nexus, firewalld, Kubespray variables and helper scripts.

Deployment flow

The repository is organized around a simple sequence: prepare artifacts, move them offline, seed Nexus, configure Kubespray, deploy, then verify.

  1. Prepare online artifacts: sync RPM repositories, download Python wheels, generate offline lists, pull images and save required binaries.
  2. Move artifacts into the offline network: transfer image archives, RPMs, wheels and binaries through a controlled path and keep a versioned copy.
  3. Seed Nexus: create YUM, raw and Docker hosted repositories, then upload or push the offline artifact set.
  4. Prepare nodes: configure hostnames, DNS or hosts files, NTP, swap, SSH access and firewall behavior.
  5. Configure Kubespray: update inventory, offline.yml, containerd.yml, cluster variables, CNI values and hardening settings.
  6. Deploy and verify: run Kubespray, validate node readiness, API health, Cilium, CoreDNS and internal image pulls.
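As an added example (not one of the project's own scripts under Scripts/), the following shell helpers cover two points in the flow above: checking a sha256 manifest of the transferred artifact set before anything is promoted into Nexus (steps 2 and 3, and the "validate checksums" safety note), and rewriting public image references so they point at the internal Nexus Docker hosted repository before the push (step 3). The Nexus hostname, the manifest layout, the script name and the image names are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not one of the project's scripts. Two helpers for the
# "move artifacts offline" and "seed Nexus" steps:
#   verify_manifest  - every artifact in a sha256 manifest must exist and
#                      match before the set is promoted into Nexus
#   retag_for_nexus  - rewrite a public image reference to point at the
#                      internal Nexus Docker hosted repository
# The registry hostname below is an assumption for this example.
NEXUS_REGISTRY="${NEXUS_REGISTRY:-nexus.example.internal:5000}"

# verify_manifest MANIFEST DIR
# MANIFEST lines use sha256sum's output format: "<sha256>  <relative-path>"
# (paths must not contain whitespace). Returns 0 only when every entry is
# present and matches; each failure is reported on stderr so a missing or
# altered artifact can never be promoted silently.
verify_manifest() {
    local manifest="$1" dir="$2" sum path actual rc=0
    while read -r sum path; do
        [ -n "$sum" ] || continue                 # skip blank lines
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path" >&2; rc=1; continue
        fi
        actual=$(sha256sum "$dir/$path" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH $path" >&2; rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# retag_for_nexus IMAGE
# registry.k8s.io/kube-apiserver:v1.29.0 (sample tag)
#   -> nexus.example.internal:5000/registry.k8s.io/kube-apiserver:v1.29.0
# Docker Hub short names are expanded first so the path under Nexus is
# unambiguous (busybox:1.36 -> docker.io/library/busybox:1.36).
retag_for_nexus() {
    local image="$1" first="${1%%/*}"
    if [ "$first" = "$image" ]; then
        image="docker.io/library/$image"       # no path: official image
    else
        case "$first" in
            *.*|*:*|localhost) ;;              # first part is a registry
            *) image="docker.io/$image" ;;     # user/repo on Docker Hub
        esac
    fi
    printf '%s/%s\n' "$NEXUS_REGISTRY" "$image"
}

# Usage (hypothetical script name): artifact-helpers.sh verify MANIFEST DIR | retag IMAGE
case "${1:-}" in verify) verify_manifest "$2" "$3" ;; retag) retag_for_nexus "$2" ;; esac
```

Run the verify step on the transferred directory before uploading to Nexus, and feed the retag output to your image load/push step so every node pulls through the internal registry only.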

Repository layout

The repository keeps the main guide at the root and places supporting runbooks, configuration examples and scripts under one supporting directory.

.
├── README.md
├── Installing-Airgapped-Hardened-Kubernetes-Cluster-Using-Kubespray.md
├── index.html
└── Scripts, appendices and Configurations/
    ├── Configurations/
    │   ├── containerd-yml.md
    │   ├── hardening-yaml.md
    │   ├── k8s-cluster-yml.md
    │   ├── k8s-net-custom-cni-yml.md
    │   └── offline-yml.md
    ├── Firewalld  Preparation/
    │   └── Firewalld Configuration.md
    ├── Nexus Preparation/
    │   └── Nexus Repository Manager for Air-Gapped Kubespray Deployments.md
    └── Scripts/
        ├── files-push-repo.sh
        ├── files.sh
        ├── images-load-and-retag.sh
        ├── images-verify.sh
        └── images.sh

Skills demonstrated

This project is documentation-heavy on purpose: it shows platform engineering decisions, implementation steps, validation checks and operational trade-offs.

Platform engineering

Kubespray-based Kubernetes provisioning, HA control-plane design, inventory management and node preparation.

Offline supply chain

RPM mirroring, private registries, image retagging, artifact staging and internal repository design.

Operations and hardening

Firewall rules, admission plugin control, verification, rollback planning, CI/CD re-apply workflows and runbook quality.