DevOps / Kubernetes Platform Engineering
A documentation-first project for building a production-style Kubernetes cluster in a restricted or fully air-gapped environment using Kubespray, Rocky Linux, Nexus Repository Manager, containerd and Cilium.
Many Kubernetes examples assume direct Internet access, public registries and a simple cluster. This project documents the real-world path for deploying Kubernetes where nodes must use internal repositories and controlled artifact flows only.
Prepare RPM packages, Python wheels, Kubernetes binaries and container images before entering the restricted network.
Use Nexus Repository Manager as the internal source for OS packages, raw files and container images.
Document validation, troubleshooting, firewall rules, day-2 changes and CI/CD-based re-apply workflows.
The runbook uses a multi-node Kubernetes design with an HA control plane (Kubernetes API served on port 6443), private repositories and separated management/data-plane addressing.
Start with the main runbook, then use the supporting documents for Nexus, firewalld, Kubespray variables and helper scripts.
The repository is organized around a simple sequence: prepare artifacts, move them offline, seed Nexus, configure Kubespray, deploy, then verify.
The Kubespray configuration covers offline.yml, containerd.yml, cluster variables, CNI values and hardening settings.
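The seed-Nexus and verify steps of that sequence hinge on one detail: every upstream image reference has to be rewritten to an internal-registry name, and after the push the cluster must be checked against the same list. The script below is an added example, not one of the project's own scripts; it assumes an internal registry at nexus.internal:8443 and a layout where each upstream registry becomes a path prefix under it (so the *_image_repo variables in offline.yml must point at the matching paths).

```shell
#!/usr/bin/env sh
# Added example, not one of the project's scripts: retag planning and presence
# verification for an air-gapped image mirror. Assumptions: the internal registry is
# nexus.internal:8443 and each upstream registry becomes a path prefix under it, so
# Kubespray's *_image_repo variables in offline.yml must point at the matching path.
set -eu
INTERNAL_REGISTRY="${INTERNAL_REGISTRY:-nexus.internal:8443}"   # assumed Nexus hosted repo

# Expand a short image name to registry/path[:tag][@digest]: a first component with no
# '.' or ':' (and not "localhost") is a docker.io namespace, and a bare name lives under
# docker.io/library. Pinning the full name avoids silently pulling from the wrong source.
normalize_ref() {
  ref=$1; first=${1%%/*}
  if [ "$first" = "$ref" ]; then printf 'docker.io/library/%s\n' "$ref"; return; fi
  case "$first" in
    *.*|*:*|localhost) printf '%s\n' "$ref" ;;
    *)                 printf 'docker.io/%s\n' "$ref" ;;
  esac
}

# Map an upstream reference to its internal name; references already on the internal
# registry pass through unchanged so re-running the retag step is idempotent.
retag_ref() {
  full=$(normalize_ref "$1")
  case "$full" in
    "$INTERNAL_REGISTRY"/*) printf '%s\n' "$full" ;;
    *)                      printf '%s/%s\n' "$INTERNAL_REGISTRY" "$full" ;;
  esac
}

# Print "source target" pairs for each non-blank, non-comment line on stdin; this is the
# input a load-and-retag step (ctr/crane/skopeo) would iterate over.
plan_retags() {
  while IFS= read -r img; do
    case "$img" in ''|'#'*) continue ;; esac
    printf '%s %s\n' "$img" "$(retag_ref "$img")"
  done
}

# Verify step: report expected internal names ($1, one per line) missing from a list of
# images actually present ($2, e.g. `ctr -n k8s.io images ls -q` output on a node).
missing_images() {
  rc=0
  while IFS= read -r img; do
    [ -n "$img" ] || continue
    grep -qxF -- "$img" "$2" || { printf 'MISSING %s\n' "$img"; rc=1; }
  done < "$1"
  return $rc
}
```

Feed the image list to plan_retags to produce the pairs the load-and-retag step pushes, then run missing_images on a node with the retagged list and the node's image listing; a non-zero exit is the signal that the mirror is incomplete before Kubespray is run.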
The repository keeps the main guide at the root and places supporting runbooks, configuration examples and scripts under one supporting directory.
.
├── README.md
├── Installing-Airgapped-Hardened-Kubernetes-Cluster-Using-Kubespray.md
├── index.html
└── Scripts, appendices and Configurations/
    ├── Configurations/
    │   ├── containerd-yml.md
    │   ├── hardening-yaml.md
    │   ├── k8s-cluster-yml.md
    │   ├── k8s-net-custom-cni-yml.md
    │   └── offline-yml.md
    ├── Firewalld Preparation/
    │   └── Firewalld Configuration.md
    ├── Nexus Preparation/
    │   └── Nexus Repository Manager for Air-Gapped Kubespray Deployments.md
    └── Scripts/
        ├── files-push-repo.sh
        ├── files.sh
        ├── images-load-and-retag.sh
        ├── images-verify.sh
        └── images.sh
This project is documentation-heavy on purpose: it shows platform engineering decisions, implementation steps, validation checks and operational trade-offs.
Kubespray-based Kubernetes provisioning, HA control-plane design, inventory management and node preparation.
RPM mirroring, private registries, image retagging, artifact staging and internal repository design.
Firewall rules, admission plugin control, verification, rollback thinking, CI/CD re-apply workflows and runbook quality.