
Air Gap Solutions

Our software combines maximum security with maximum flexibility for your critical systems.

A major security issue: Kubernetes requires external connections

How do you secure a room? The simple answer is: you lock it. It's no different with IT systems. And the resulting security problem is also the same: if you want to use the room, you have to unlock it and go inside. But the more keys you distribute, the less secure the room becomes.

Normal operation of Kubernetes involves installing new software on your system. This usually involves downloading container images from public sources and installing them on the Kubernetes clusters. For this to work, external sources (such as Google, Docker, and many others) must be accessed through the firewall. Each of these connections represents a potential gateway for malware and unauthorized access, thereby increasing the attack surface. The larger the attack surface, the more difficult it is to ensure long-term security of your systems.

What is air gap?

Air gap is a security measure in IT that involves isolating a system from external networks, reducing the attack surface. The separation can be physical, by not allowing any network connection. This is sometimes also called a dark site. Logical isolation is also sometimes referred to as an air gap. In this case, a network connection is physically present, but access is strictly regulated by encryption and access control methods.

How does KubeOps solve the problem?

Instead of allowing direct connections through the firewall, KubeOps KOSI - short for KubeOps Software Installer - lets you upload software that you want to bring into your Kubernetes system to your private and secure cloud storage. You then combine the various software payloads into a single, unchangeable package. This way, your deployment consists of only one "delivery" to your critical system, instead of many smaller packages. This significantly reduces the attack surface and offers more protection against supply chain attacks, among other common attack methods.

KubeOps supports physical and logical air gaps

  • All KubeOps software solutions are made with air gap scenarios in mind.
  • Safe delivery of your secured software packages.
  • With a logical air gap, you need to open fewer ports in your firewall, tightening your control over critical systems.
  • For physical air gaps, KOSI makes installation much easier, as you can simply deliver KOSI packages via flash drive or DVD.
  • Easy and secure cluster management with KubeOps COMPLIANCE, even in air gap environments.

What are the defining features of KOSI packages?

KOSI packages combine security and flexibility when deploying programs and updates in air gap environments.

Validatable

Checksums ensure that the package contains exactly what you want.

Encrypted

KOSI encrypts value files, which store your critical access credentials, such as passkeys.

Private

When using KubeOps, you get your own secure package cloud storage.

Self-contained

Packages can contain all the necessary elements, often called artifacts, required for operation. This avoids external dependencies.

Supported

Our solutions are in active development. This means not only new features, but also quick responses to bugs or security concerns.

Intelligent

Plugins and templates can map entire deployment processes into a package. This allows you to put together a single complete package for a complex environment, storing logic and schemas in the package itself. This makes it possible, for example, to select exactly which software is installed on each cluster depending on the operating system.

Who benefits from our solution?

Our suite of solutions is suitable for all institutions and companies that use Kubernetes and want improved usability. As evidenced by our air gap support, we also pay particular attention to security and compliance. This makes KubeOps the best choice for critical infrastructure companies, public institutions, medical data processors, and many more - in short, anyone working with sensitive data and systems.

Why can Kubernetes be a security risk without an air gap approach?

Kubernetes downloads container images and software packages from external sources such as Docker Hub or other repositories. This requires firewall ports to be opened, which creates potential points of attack. Every single external connection poses a risk and increases the attack surface for malware, supply chain attacks, and unauthorized access.

How does air gap reduce the attack surface in Kubernetes environments?

Physical or logical isolation minimizes or completely disables external network access. This prevents unvalidated images or malicious data from entering the system. The organization itself retains maximum control over every installation and update.

What is the difference between a physical and logical air gap?

  • Physical air gap: No wireless or wired connection to the external network. Updates are installed via physical media, like flash drives or DVDs.
  • Logical air gap: A connection may technically exist, but is secured by encryption, access control, and greatly reduced firewall ports. Only validated packages enter the system.

Why is KubeOps particularly well suited for air-gapped Kubernetes?

With KOSI, the KubeOps Software Installer, all necessary artifacts from external sources are collected in advance, checked, and combined into a single secure installation package. This eliminates the need for numerous insecure individual points of access and drastically reduces the attack surface.

How does KOSI ensure that packages have not been tampered with?

KOSI uses checksums and validation mechanisms to uniquely verify the contents of each package. Any changes or tampering after the fact would be immediately detectable. This guarantees that only what you intended to install is installed.

How are sensitive access data protected in KOSI packages?

Critical values such as access keys or passkeys are stored in encrypted form. This ensures that they remain secure even during transport or offline installation.

Can KOSI packages map complex Kubernetes deployments?

Yes. Plugins, templates, and integrated logic enable packages to map complete installation processes—including OS-dependent components, multi-cluster rollouts, and automated update workflows. The entire logic remains contained within the package itself.

Can I use KubeOps in my existing Kubernetes environment?

Yes. KubeOps can be integrated into existing Kubernetes clusters to benefit from secure package delivery, compliance functions, and air gap capabilities - without changing core operations.

Get started now and book your free initial consultation!

Want to improve your Kubernetes strategy? Contact us today for a personalized consultation or demo.