The Air-Gapped Paradigm: Security Architectures for Isolated On-Premise Environments
David Hussain, 6 min read

In discussions about cloud transformation, the narrative often suggests that the future of IT lies solely in globally connected, public cloud infrastructures. However, for operators of critical infrastructures (KRITIS), defense companies, research-intensive industries, or highly regulated sectors in finance and healthcare, the reality is entirely different. When systems control nuclear command centers, core medical areas, or sensitive state secrets, the risk of internet connectivity is simply unacceptable.

The ultimate level of security for such highly sensitive workloads is the Air-Gapped Paradigm—operating IT infrastructures in environments that are completely isolated from the internet both physically and logically. Yet, even in these “digital fortresses,” modern development teams want and need to use agile technologies like Docker, containerd, and Kubernetes. The architectural challenge is: How do you operate a highly available Container Registry when no package can ever “call home” or query public repositories (like Docker Hub)?

The Challenge in the Isolated Network: The Dependency Dilemma

Modern software development thrives on external dependencies. A typical containerized application project pulls dozens of base images, libraries, and auxiliary tools from the internet in the background.

When a Kubernetes cluster is transplanted one-to-one into an air-gapped environment, this pipeline immediately breaks down at three points:

1. The “Pull Vacuum” on the Nodes

When a Kubernetes node receives the command to start a new pod, the local container runtime (containerd) attempts to download the corresponding image. In an air-gapped system, this attempt inevitably results in a network timeout. Without a local, fully functional mirror instance, the cluster remains completely inoperative.

2. The Blockade of Software Updates and Patches

Security-related requirements like NIS-2, DORA, or the Cyber Resilience Act (CRA) demand proactive vulnerability and update management even in closed networks. If the integrated CVE scanner in the registry lacks an internet connection to update its internal vulnerability databases, the system’s security level ages with each day it remains isolated.

3. The Lack of Global Failover (Disaster Recovery)

Air-gapped does not necessarily mean there is only one data center. Large organizations often operate multiple isolated locations. Without automated, network-internal replication between sites, synchronizing software states devolves into manual, error-prone data carrier exports (sneakernet via USB stick/hard drive).

The Architecture of the Sovereign Fortress: Harbor in Air-Gapped Operation

To bring modern cloud-native workflows into isolated networks without internet compromises, an on-premises infrastructure is built where the container registry acts as an autonomous software asset. The technological foundation for this is a managed Harbor registry, coupled with a local S3-compatible object storage (e.g., via Ceph).

1. The Lock Principle for Data Transfer (Secure Ingestion)

Since no direct data flow from the internet is allowed, a strictly controlled, asynchronous import process is established. Images are built in a separate, internet-enabled staging environment, automatically scanned, and cryptographically signed. The OCI artifacts are then exported as tar archives, checked via a physical data lock (data diode or dedicated transfer media), and imported into the isolated Harbor registry of the air-gapped network.
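As an added example (not code from the article, nor Harbor's own tooling), this is the integrity walk an import script at the data lock can run over an exported OCI image layout tarball before handing it to the isolated registry: every blob referenced from index.json through the manifest to the config and layers must hash to its own digest and match its declared size. The sample layers and the image are constructed in memory; checking the staging environment's signature over the manifest digest is the complementary authenticity step and is not shown here.

```python
import hashlib, io, json, tarfile

def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def build_oci_archive(layers, tamper=False) -> bytes:
    """Minimal OCI image layout tar built in memory from constructed sample layers."""
    blobs = {}
    def add(data):
        blobs[digest(data)] = data
        return digest(data)
    layer_ds = [add(layer) for layer in layers]
    config = json.dumps({"rootfs": {"type": "layers", "diff_ids": layer_ds}}).encode()
    manifest = json.dumps({"schemaVersion": 2,
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": add(config), "size": len(config)},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar",
                    "digest": d, "size": len(blobs[d])} for d in layer_ds]}).encode()
    index = json.dumps({"schemaVersion": 2, "manifests": [{
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": add(manifest), "size": len(manifest)}]}).encode()
    if tamper:  # simulate damage in transit: layer bytes no longer match the recorded digest
        blobs[layer_ds[0]] += b"\x00"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        entries = [("oci-layout", b'{"imageLayoutVersion":"1.0.0"}'), ("index.json", index)]
        entries += [("blobs/sha256/" + d[7:], b) for d, b in blobs.items()]
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_oci_archive(archive: bytes) -> list:
    """Check every blob reachable from index.json against its digest and declared size."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        files = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
    problems = []
    def blob(desc):
        data = files.get("blobs/sha256/" + desc["digest"][7:], b"")
        ok = digest(data) == desc["digest"] and len(data) == desc["size"]
        if not ok:
            problems.append("bad or missing blob " + desc["digest"])
        return data if ok else None
    for mdesc in json.loads(files["index.json"])["manifests"]:
        if (mdata := blob(mdesc)) is not None:  # only descend into a manifest that verified
            manifest = json.loads(mdata)
            for desc in [manifest["config"], *manifest["layers"]]:
                blob(desc)
    return problems
```

An archive that produces a non-empty problem list is rejected at the lock rather than pushed into Harbor, so a corrupted or altered layer never becomes pullable by the clusters.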

2. Autonomous Storage Backend via S3 on Own Infrastructure

The Harbor registry does not store container layers on the local disks of individual servers but uses a highly available, on-premises S3 storage cluster in the background. This keeps the storage architecture identical to modern public cloud environments: scalability, encryption at rest (via customer-managed keys), and object security are mapped directly in the company's own data center, without dependencies on external cloud hyperscalers.

3. Local Geo-Replication over Protected Lines

If the company operates multiple air-gapped sites, the platform uses Harbor's integrated Geo-Replication Engine. Once a new, verified image is released and integrated at main site A, Harbor pushes this artifact in the background over dedicated, encrypted company-owned lines to the Harbor registries of sites B and C. The local Kubernetes clusters at all sites then pull the image at full LAN speed, without WAN latency, directly from their own network.

Strategic Value: Absolute Data Sovereignty (SEAL-4)

The consistent implementation of the air-gapped paradigm based on open-source standards like Harbor raises digital sovereignty to its highest level, SEAL-4 (Full Digital Sovereignty):

  • Uncompromising protection against espionage and sabotage: Since no physical network connection to the outside exists, classic attack vectors over the internet (such as remote code execution or ransomware injections from overseas) are physically excluded. Your sensitive source codes and trade secrets never leave your own walls.
  • 100% Autonomy in Crisis Situations: Should global undersea cables be damaged, political conflicts impair network infrastructure, or U.S. tech companies block access to their cloud platforms, your operations continue unchanged. Your supply chain, your clusters, and your applications are entirely in your hands.
  • Perfect Compliance Audits for KRITIS: For facilities subject to the strictest state security reviews, the air-gapped setup is often the only way to provide the required operational continuity evidence seamlessly. The architecture is completely transparent, auditable, and free of foreign black-box components.

Conclusion: Modernization Does Not Require Openness

The air-gapped paradigm impressively demonstrates that modern, agile software development with Kubernetes and containers does not have to come at the expense of maximum IT security. By using sovereign, standards-compliant on-premises components like a managed Harbor registry on the company's own S3 storage, the speed of the cloud can be seamlessly integrated into the security of a physically isolated fortress. Companies retain absolute control over every code component, meet the strictest regulatory requirements, and secure their operational capability against any conceivable geopolitical and network-related crisis.

FAQ: Air-Gapped Registry Practice

How do you update the CVE databases of the scanner in an air-gapped registry?

Since the scanner (e.g., Trivy or Clair within Harbor) cannot directly retrieve global vulnerability databases via HTTP, an offline update process is set up. The latest CVE definitions are downloaded daily as a compact package file in the internet-enabled staging environment, transferred via the physical data lock, and locally integrated into the Harbor database using an automated script. This keeps vulnerability scanning up-to-date even without an internet connection.

Can we use GitOps tools like ArgoCD despite the air-gap?

Yes, absolutely. GitOps is a logical concept and works just as well in isolated networks as in the cloud. The only requirement is that, in addition to the container registry, the Git repository (e.g., a local GitLab or Gitea instance) is operated on-premises within the air-gapped network. ArgoCD reads the manifests from the local Git repository and controls the local Kubernetes cluster, which in turn pulls the images from the Harbor registry using local imagePullSecrets.

How does the licensing of open-source software behave in air-gapped operation?

This is a huge advantage of solutions that consistently rely on genuine open-source standards. Since tools like Harbor, Kubernetes, and Ceph are under free licenses, they require no online activation, no "call home" to license servers, and no subscriptions that become invalid when the network is disconnected. Operation remains permanently legally secure and technically unrestricted.
