Modern application platforms are no longer optional for many organizations. Federal agencies, defense contractors, and highly regulated enterprises are increasingly looking to Kubernetes-based platforms to modernize application delivery, improve operational consistency, and accelerate software deployment.
At ClearBridge, we see this shift every day in conversations with clients exploring VMware Cloud Foundation (VCF), VMware Kubernetes Service (VKS), and broader platform engineering initiatives. But unlike many commercial cloud deployments, these environments often operate under strict security requirements, disconnected networking models, or fully air-gapped conditions, where direct internet access is unavailable. That changes everything about how Kubernetes platforms must be designed and operationalized.
Our Senior Consultant, Devyn Harrington, recently completed a client engagement focused on validating VKS workloads in a disconnected VCF 9 environment. The project centered on a challenge we frequently encounter in federal and regulated spaces: enabling modern Kubernetes application delivery when public image registries and cloud-native internet dependencies are unavailable.
This wasn’t just about enabling Kubernetes features. It was about proving that a secure, disconnected platform could reliably support real workloads end-to-end.
The Real Challenge in Air-Gapped Kubernetes Environments
In connected Kubernetes environments, application deployment is often straightforward. Developers reference images from public registries, deploy workloads, and the platform automatically retrieves dependencies.
Disconnected environments operate differently. Many government and defense customers cannot allow Kubernetes clusters to reach public registries such as Docker Hub or external SaaS endpoints. Every container image, registry interaction, and certificate trust relationship must be controlled internally. That introduces a completely different operational model for platform teams.
Before a workload can even be deployed, organizations must solve several foundational problems:
- Establishing an internal container registry
- Managing secure image lifecycle workflows
- Supporting trusted certificate distribution
- Ensuring workload clusters trust internal registries
- Designing namespace and network segmentation correctly
- Exposing applications securely through controlled network paths
- Aligning Kubernetes consumption with broader enterprise governance models
These are not simply Kubernetes administration tasks. They become architecture decisions that directly impact how usable the platform will be for application teams. That was the focus of this engagement.
Building on a Strong VCF Foundation
Our client’s environment already had VMware Cloud Foundation 9 deployed, with Supervisor enabled and VPC networking intentionally configured to support future growth of the application platform.
That initial platform design mattered because VKS relies heavily on the underlying Supervisor and networking architecture. Decisions around networking, workload segmentation, external IP planning, and namespace design all influence how applications are ultimately consumed.
For organizations pursuing modern platform operating models, particularly those aligned with VMware’s “All Apps” vision, these design choices become increasingly important. Kubernetes is no longer an isolated infrastructure. It becomes part of a broader application-delivery ecosystem that must securely and consistently support both traditional and cloud-native workloads. With the Supervisor operational, the next step was validating that workloads could actually run in the disconnected environment.
Why Internal Registries Become Critical
One of the biggest hurdles in air-gapped Kubernetes environments is container image management. If worker nodes cannot access public registries, the platform requires a trusted internal source for all application images. In this engagement, our client implemented Harbor as its internal enterprise registry. This is a pattern we often see among federal customers. Internal registries become a central component of the Kubernetes platform because they provide:
- Controlled image distribution
- Security and compliance oversight
- Internal artifact lifecycle management
- Vulnerability scanning workflows
- Offline image synchronization capabilities
- Reduced dependency on external services
However, deploying the registry itself is only part of the challenge. The larger issue is ensuring Kubernetes nodes trust the internal registry and can securely consume images from it.
Solving the Registry Trust Problem
One of the first major obstacles encountered during validation was a certificate trust failure between the VKS workload nodes and the internal Harbor registry.
This is an extremely common issue in disconnected enterprise Kubernetes environments. Even if the registry itself is functioning correctly, Kubernetes worker nodes must trust the certificate authority that signed the registry certificate: an image pull is a TLS connection from the node's container runtime to the registry, and if the runtime cannot chain the registry certificate to a trusted CA, the handshake fails. Without that trust relationship, image pulls fail and workloads never start successfully. This is where many disconnected Kubernetes deployments stall.
The engagement focused on validating the proper trust workflow so workload clusters could securely consume images from the internal registry as part of cluster provisioning. Once the trusted certificate configuration was aligned correctly, workload deployment succeeded, and the platform could reliably consume hosted container images internally.
From a consulting perspective, this is often the difference between “Kubernetes is enabled” and “Kubernetes is operational.”
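The trust failure described above can be reproduced and checked offline with OpenSSL before a cluster is ever built. The script below is an added example, not the article's or ClearBridge's code: it creates a throwaway internal CA and a Harbor-style registry certificate (the names harbor.internal.example and Internal Root CA are constructed placeholders), then runs the same chain-and-hostname verification a node's container runtime performs during an image pull, once with the internal CA bundle, once without it, and once against the wrong hostname. How the CA bundle is delivered to VKS workload nodes is platform-specific and is not shown here; the point is to confirm that the bundle you intend to distribute actually validates the certificate Harbor presents.

```shell
#!/bin/sh
# Added example (not from the article). Requires the openssl CLI.
# Simulates the registry trust relationship: an internal CA signs the Harbor
# certificate, and a node only "trusts" the registry if it holds that CA.
set -e

# Build a disposable PKI in a temp directory and print the directory path.
# Subject names are constructed placeholders.
make_demo_pki() {
  dir=$(mktemp -d)
  # 1. Internal root CA, standing in for the enterprise PKI.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Internal Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # 2. Registry key and CSR.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=harbor.internal.example" \
    -keyout "$dir/harbor.key" -out "$dir/harbor.csr" >/dev/null 2>&1
  # 3. Sign it with the internal CA. The SAN is what the container runtime
  #    matches against, so a registry cert without one fails even with the CA.
  printf 'subjectAltName=DNS:harbor.internal.example\n' > "$dir/san.cnf"
  openssl x509 -req -in "$dir/harbor.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$dir/san.cnf" \
    -out "$dir/harbor.crt" >/dev/null 2>&1
  echo "$dir"
}

# check_registry_trust CA_BUNDLE CERT HOSTNAME
# Prints "trusted" when CERT chains to CA_BUNDLE and matches HOSTNAME,
# otherwise "untrusted". An empty CA_BUNDLE means "default trust store only",
# i.e. a node that was never given the internal CA. Always returns 0 so the
# verdict, not the exit status, is what callers read.
check_registry_trust() {
  ca=$1; cert=$2; host=$3
  if [ -n "$ca" ]; then
    if openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
      echo trusted; return 0
    fi
  else
    if openssl verify -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
      echo trusted; return 0
    fi
  fi
  echo untrusted
  return 0
}

# Print the subject and issuer of a certificate: the first thing to compare
# when a pull fails, because issuer must match the CA the node was given.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer
}

# Demo run: the three outcomes a platform team typically sees.
demo=$(make_demo_pki)
describe_cert "$demo/harbor.crt"
echo "node with internal CA:    $(check_registry_trust "$demo/ca.crt" "$demo/harbor.crt" harbor.internal.example)"
echo "node without internal CA: $(check_registry_trust "" "$demo/harbor.crt" harbor.internal.example)"
echo "wrong registry hostname:  $(check_registry_trust "$demo/ca.crt" "$demo/harbor.crt" registry.other.example)"
rm -rf "$demo"
```

The second and third cases are the two failures that look identical from a pod's point of view (an ImagePullBackOff with a TLS error): a missing CA on the node, and a registry certificate whose SAN does not match the name the cluster uses to reach it. Running the check against the real Harbor certificate and the real bundle you plan to inject separates the two before provisioning.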
Validating the Platform with a Real Workload
To prove the environment worked end-to-end, Devyn deployed a practical containerized application workload through VKS using images hosted entirely within the internal Harbor registry. The goal was not application development itself. The objective was to validate the complete operational workflow:
- Internal image hosting
- Secure registry connectivity
- Workload cluster provisioning
- Namespace functionality
- Application deployment
- Container runtime validation
- Kubernetes service exposure
- External application reachability
Successfully validating this workflow showed the environment can support real-world application consumption, even with a disconnected architecture. For clients operating under federal compliance requirements, that validation is critical. Modern application platforms are only valuable if they can actually deliver applications securely and consistently under operational constraints.
What This Means for Federal and Regulated Customers
Projects like this reinforce a broader trend we continue to see across the federal market. Interest in Kubernetes and platform engineering is accelerating rapidly, but many organizations are still navigating the operational realities of disconnected infrastructure. Air-gapped environments require a very different mindset than cloud-native deployments built around public internet access.
At ClearBridge, we help clients bridge that gap by focusing on both enabling technology and operationalizing platforms in ways that align with security, compliance, and long-term maintainability.
That includes:
- Modern application platform architecture
- VMware Cloud Foundation and VKS design
- Air-gapped Kubernetes operations
- Secure container registry workflows
- Networking and segmentation strategy
- Platform lifecycle planning
- Automation and GitOps alignment
- Platform engineering operating models
The technical tooling matters, but the operational design matters even more.
Moving Beyond “Kubernetes Enabled”
One of the biggest misconceptions in enterprise Kubernetes projects is that enabling the platform is the finish line. It isn’t. The real milestone occurs when development teams can reliably consume the platform, deploy workloads securely, and operate applications consistently within enterprise constraints.
In this engagement, our client successfully validated that path:
VCF Supervisor → VKS workload cluster → Internal Harbor registry → Trusted image lifecycle → Kubernetes workloads → Secure application exposure
That progression transformed the environment from a feature-enabled infrastructure stack into a functioning application platform capable of supporting modern workloads in a disconnected enterprise environment. And that is ultimately where organizations begin realizing the real value of platform modernization.
Through strategic troubleshooting, platform alignment, and operational validation, Devyn demonstrated how federal and regulated organizations can confidently operationalize VKS for real-world application delivery. For a deep dive into the technical details, visit Devyn Harrington’s blog, After the Supervisor: Deploying VKS Workloads from Harbor in an Air-Gapped VCF Environment.
Ready to Operationalize Kubernetes in Disconnected Environments?
Modernizing infrastructure is one thing. Building a secure, operational Kubernetes platform that works reliably in air-gapped and highly regulated environments is something entirely different.
At ClearBridge, we help federal agencies, defense organizations, and enterprise customers design and operationalize modern application platforms that align with real-world security, compliance, and mission requirements. From VMware Cloud Foundation and VKS architecture to secure registry design, networking strategy, and platform automation, our teams help customers move beyond “Kubernetes enabled” and into fully consumable platform operations.
If your organization is evaluating VKS, platform engineering initiatives, or modern application delivery in disconnected environments, ClearBridge can help you move faster and avoid common deployment pitfalls.
Contact ClearBridge to learn how we help organizations build secure, scalable, and production-ready Kubernetes platforms for the modern enterprise.