Air Gapped DevSecOps
Air Gapped DevSecOps? Our customers have situations where they need to deploy software on private, often extremely secure environments. These organizations are now looking to take advantage of Kubernetes and modernize their applications, while enabling deploying these on different environments, that are often not connected to the outside world.
There are several factors and challenges unique to a let’s say “air-gapped” deployment that can make full implementation of traditional DevOps harder than other deployments that function in an open environment. An air gapped deployment is usually set up as a standalone entity, all access to physical and digital objects are carefully vetted, the goal is having a documented process around access to the underlying system and its location at all times.
To implement DevSecOps, you should identify what aspects make these principles more difficult to adopt and end up becoming obstacles to your implementation:
- Absence of centralized document repository
- Partial or absent production environment access
- New requirements late in the software development life cycle (SDLC)
- Lack of centralized software installation
In addition to those listed above, air gapped deployments can present their own specific set of obstacles. Within one organization there can be several software development groups, and each group may function alone and under its own security policies.
If you have multiple siloed environments, these obstacles will typically surface in some form for each team. As a result, you’ll see teams take on different approaches determined by the obstacle that is currently present within each group.
Are Kubernetes clusters a viable air gapped DevSecOps solution?
Given the overhead required to set up and manage an isolated Kubernetes environment, are there easily deployed Kubernetes offerings that meet these security requirements or regulations?
The short answer is: Maybe.
If your team is proficient in Kubernetes already, you can certainly deploy clusters using Kubeadm, Kubespray or some custom Terraform code.
These clusters will offer full functionality and cluster resilience if done right, but maintaining these cluster is going to be harder because each new version you team will need to adapt the deployment code and manually gather the packages for ingest into the air-gapped environment.
There are also pre packaged options from providers that will easy this process for you. Red Hat OpenShift, Rancher and Docker all have offerings that will allow you to quickly download all offline packages and deploy or upgrade your air-gapped Kubernetes clusters.
Red Hat OpenShift provides a “restricted network” installation that involves mirroring the OpenShift repo locally and an Apache webserver and installation host where the install will be triggered from. More details here
Rancher provides similar functionality for offline installs. They give you scripts that will download the necessary images to import into your secure environment and clear instructions on the installation process. Follow along here
Docker Enterprise also has an offering that may suit single cluster installations. They provide offline install packages for their Docker UCP and DTR management plane functionality and instructions for install. You can read more about it here
What about other DevSecOps services?
On top of the K8s clusters you deploy, you can deploy CI/CD, Registry and other solutions to fill out the technology stack needed for effective DevSecOps.
Of course, it completely depends on the services your organization requires to run. Certain services like Jenkins and GitLab provide offline package options. Other services like Azure DevOps and GitHub Actions will require you to be online to leverage their services.