Deploying Production-Grade Kubernetes in Air-Gapped Environments
Air Gapped On Premises
To balance the many risks of Web connectivity against the need to operate offline, air-gapped Kubernetes is ideal. For on-premises or private cloud environments, D2iQ provides local repositories that keep Kubernetes running without a continuous connection, plus a secure Bastion node that communicates over a secure tunnel only when needed.
AWS Air Gapped
To balance the many risks of Web connectivity against the need to operate offline, air-gapped Kubernetes is ideal. For public cloud environments, D2iQ provides local repositories that keep Kubernetes running without a continuous connection, plus a secure Install node within the public cloud that communicates over a secure tunnel only when needed.
Benefits of Kubernetes in Air-Gapped Environments
Because the network is offline, air-gapped environments can keep critical systems and sensitive information safe from potential data theft or security breaches. As another layer of protection, organizations can vet the container images that they allow to run on their clusters, reducing the risk of a malicious attack. Organizations are also not exposed to rate limiting on the downloads of these images. Finally, they can operate with low bandwidth or a poor internet connection, ensuring the continuous availability of their mission-critical applications. While air-gapped environments offer many security and workflow advantages, they also introduce new challenges.
Challenges of Kubernetes in Air-Gapped Environments
Set-Up is Manual and Time-Consuming
Running Kubernetes in production in an offline, air-gapped environment means having private registries and repositories in place to serve Kubernetes and Docker everything they would otherwise fetch from the Internet. In addition, your software and open-source components will need to be tightly integrated, secured, tested for vulnerabilities, and made locally accessible to your application and deployment environment. This is a very manual process that requires many additional steps to make it work, which makes it difficult to build a robust production platform to support mission-critical workloads.
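One way to enforce the image-vetting point from the Benefits section together with the private-registry requirement above, as an added example that is not DKP's or D2iQ's own code: a check that every container image in a Pod manifest is pulled from the local mirror registry and is pinned to a digest on an operator-maintained allowlist. The registry name, the vetted digests and the sample Pod are all constructed for the example.

```python
import re

# Constructed for this example: the air-gapped mirror registry and the
# image digests an operator has vetted for use on the cluster.
LOCAL_REGISTRY = "registry.airgap.local:5000"
VETTED_DIGESTS = {"sha256:" + "a" * 64, "sha256:" + "b" * 64}
_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
# Constructed Pod manifest: one vetted image from the mirror, one tag-only
# image, and one image that would silently try to pull from docker.io.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "app", "image": f"{LOCAL_REGISTRY}/team/app:1.4@sha256:{'a' * 64}"},
    {"name": "sidecar", "image": f"{LOCAL_REGISTRY}/team/proxy:latest"},
    {"name": "debug", "image": "busybox"},
]}}

def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest), using
    the runtime's defaults: no registry means docker.io, 'nginx' means library/nginx."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    # The first path component is a registry only if it looks like a host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return registry, path, tag, digest

def check_pod(pod):
    """Return a list of policy violations for a Pod manifest (dict); empty means allowed."""
    problems = []
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        registry, _repo, tag, digest = parse_image(c["image"])
        where = f"container {c['name']!r} ({c['image']})"
        if registry != LOCAL_REGISTRY:
            problems.append(f"{where}: registry {registry} is not the local mirror")
        if digest is None:
            problems.append(f"{where}: image is not pinned by digest (tag={tag})")
        elif not _DIGEST.match(digest) or digest not in VETTED_DIGESTS:
            problems.append(f"{where}: digest {digest[:19]}... is not on the vetted list")
    return problems
```

Running check_pod(SAMPLE_POD) reports the unpinned sidecar once and the busybox container twice (wrong registry and no digest), while a Pod containing only the vetted image passes cleanly.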
Lack of Two-Way Connectivity
Kubernetes simplifies and automates many of the operational tasks by providing a communication path between the control plane and clusters. However, in an air-gapped environment, the control plane may not have easy access to your clusters because they are behind a firewall, NAT gateway, or Proxy, or in a DMZ. When two-way connectivity isn’t available, there is no way to keep your clusters running in line with the specifications you set them up with, which can lead to an increase in failures, downtime, and operational costs.
How DKP Delivers Value for Federal and Public Sector Organizations
Leverage Pure Upstream, Open-Source Kubernetes
Harness Best-of-Breed Open-Source Components
While there are many Kubernetes distributions available, simply installing Kubernetes is not enough. Compliance-minded organizations require a broader set of services for their production environment. DKP is built on pure-upstream Kubernetes and the best supporting open-source components from the CNCF that are tightly integrated, secured, and tested at scale to ensure the continuous interoperability of key services. DKP is pure open-source and works out-of-the-box with air-gapped environments, offering tremendous flexibility to support the simplest of pilot projects to the most complex, highly advanced programs.
Simplify Air-Gapped Kubernetes Deployments
Standardize Kubernetes Across Projects, Teams, and Infrastructures
DKP leverages the new Cluster API (CAPI) from the CNCF to simplify the provisioning, upgrading, and operation of multiple air-gapped clusters. For on-premises deployments, the Konvoy image builder tool simplifies the creation of bundles containing every needed component. For air-gapped deployments on AWS, you can create an AMI with everything needed to stand up a production Kubernetes environment. And because you can run multiple, identical instances from a single API, you can standardize Kubernetes across different roles, responsibilities, and environments in a compliant and secure manner. The result is a consistent, repeatable approach to standing up Kubernetes in production and an accelerated time-to-market for new application needs.
Centralized Multi-Cluster Management
Deliver Centralized Command and Control
The Kubetunnel feature allows for cluster management in environments with network restrictions. With this new capability, communication can take place unidirectionally, as needed, removing the need for always-on bi-directional connectivity between the control plane and clusters. In addition, operators receive alerts, metrics, and Kubecost data to easily monitor and obtain insights about the organization's clusters and infrastructure at scale. With a single-view control plane for multi-cluster management, monitoring and logging dramatically reduce the time needed to troubleshoot issues and deliver better resource utilization.
Military-Grade Security, Governance, and Access Controls
Ensure Conformance and Compliance
DKP comes with built-in military-grade security, policy, and governance features to meet the strict demands of national security. With federated Role-Based Access Control (RBAC) and single sign-on across your clusters, teams can leverage the authentication mechanism they already have in place to access clusters, and operators can centrally manage roles, access levels, policies, and more, securely and consistently. In addition, by obtaining Federal Information Processing Standards (FIPS) 140-2 validation, D2iQ eliminates your need to obtain domain-specific expertise in encryption protocols. We ensure that our infrastructure components automatically enforce encryption in transit, vital to workload orchestration, and for the storage of sensitive data.
Deliver Open-Source Community Leadership and Direction
D2iQ is the only US-based organization to serve as a Certified Kubernetes Service Provider, Certified Kubernetes Training Partner, and top-25 contributor to Kubernetes. As a founding member of the CNCF with numerous leadership roles in the community, we contribute to a broad set of open-source projects on behalf of our compliance-minded customers so they can tackle projects of great importance and make a huge impact on mission-critical initiatives. We also have a robust partner ecosystem to help organizations serve their missions, and a number of contract vehicles in place to remove barriers to entry, such as GSA, NASA SEWP, DoD ESI, DoD DevSecOps Software BOA, and more.
Key Features and Benefits
Leverage an industry-standard distribution of open-source Kubernetes for cluster and container management.
Declarative Automated Installer
Accelerate time-to-production on any infrastructure with a highly automated installation process that includes all of the necessary open-source components needed for production.
Application Management and Deployment
Deploy applications and services within Kubernetes clusters with Helm.
Manage logs by tenant or workspace, for more granular control and simpler troubleshooting of problems.
Save operational costs by scaling down capability when it’s not needed, and add capacity when there is greater demand.
Backup, Recovery, and Migration
Ensure business continuity and disaster recovery with Velero.
Networking and Routing
Enable unidirectional connectivity between the control plane and clusters with Kubetunnel.
Fine-Grained Cluster Upgrades
Reduce operational overhead with non-disruptive patching or parallel worker node upgrades.
Provide instant visibility and operational efficiency into the Kubernetes landscape from a single-view control plane.
Ensure consistent upgrades, deployment, and security policies for both infrastructure (through CAPI) and applications (through FluxCD).
Gain deep insight into your Kubernetes clusters and applications with open-source metrics leveraging Telegraf, Prometheus, and Grafana.
Governance Policy Administration
Meet the requirements of security and audit teams with centralized cluster policy management.
Granular Cost Control
Drill down into cluster costs in real time with accurate, consolidated cost management across your cluster landscape.
Service Mesh Integration
Add advanced networking capabilities, such as multi-cluster and cross-cluster service discovery, load balancing, and security across a variety of hybrid, multi-cloud, and air-gapped environments.
Centralized Authorization and Authentication
Enable single sign-on (SSO) across an organization’s cluster footprint and govern authorization with RBAC and Open Policy Agent to enhance security and reduce risk.