Inferensys

Glossary

Disconnected Container Runtime

A container orchestration engine configured to operate without pulling images from the internet, relying solely on a local, air-gapped container registry for all application deployments.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
AIR-GAPPED ORCHESTRATION

What is Disconnected Container Runtime?

A container orchestration engine configured to operate without pulling images from the internet, relying solely on a local, air-gapped container registry for all application deployments.

A Disconnected Container Runtime is a container orchestration environment, typically a Kubernetes distribution, that has been deliberately severed from all external networks. It relies entirely on a local, air-gapped container registry to serve all application images, eliminating any dependency on public registries like Docker Hub. This architecture ensures that no container image pull, update, or dependency resolution ever traverses a network boundary.

In this configuration, the runtime's default image pull policy is strictly enforced to source artifacts only from the internal registry. All necessary base images, application binaries, and sidecar proxies are pre-staged via a sneakernet protocol or one-way data diode. This guarantees deterministic, verifiable deployments and prevents supply chain attacks that exploit upstream image poisoning, making it a foundational component of a Zero Trust Architecture for critical infrastructure.

AIR-GAPPED OPERATIONAL ANATOMY

Core Characteristics of Disconnected Runtimes

A disconnected container runtime is not merely a standard orchestrator without internet access. It is a fundamentally re-architected platform where every dependency, security check, and lifecycle operation must be satisfied from a strictly internal, pre-seeded supply chain.

01

Local Registry Dependency

The runtime is configured to deny all external image pulls by default. All container images must be sourced from a private, air-gapped registry hosted within the secure perimeter. This requires a complete mirror of all base images, application dependencies, and sidecar proxies. The runtime's imagePullPolicy is strictly enforced, and any attempt to resolve an external endpoint results in an immediate failure, ensuring no data leaks through DNS or pull requests.

02

Immutable Base Images

To maintain integrity, runtimes in disconnected environments rely on immutable, hardened golden images. These images are built, scanned, and signed in a secure build pipeline before being manually transferred via sneakernet or a data diode into the air-gapped registry. Once deployed, containers are never patched in place; a new signed image is pushed and the old container is destroyed, adhering to strict immutable infrastructure principles.

03

Offline Admission Control

Without connectivity to cloud-based policy engines, the runtime must enforce security policies locally. Admission controllers and Policy as Code (PaC) engines operate entirely offline, using internally stored Rego policies or custom webhooks. These controllers validate every resource creation request against cryptographic signatures, vulnerability scan results from an offline vulnerability scanner, and internal compliance rules before a pod is scheduled.

04

Static Network Identity

Service discovery is handled through local DNS and static service mesh configurations. Since there is no access to public certificate authorities, all inter-service communication is secured via mutual TLS (mTLS) using certificates issued by an offline certificate authority (CA). The CA root is physically secured and only activated in a controlled environment to sign subordinate certificates, eliminating trust-on-first-use vulnerabilities.

05

Manual Artifact Injection

The deployment pipeline relies on physical media validation. Updates, including new container images, model weights, and vulnerability definition files, are written to removable media in a low-side environment. This media is then rigorously scanned for malware before being mounted in the high-side environment. The runtime watches these local paths for new artifacts, triggering automated canary deployments only after the artifact's digital signature is verified against a hardware-backed keystore.

06

Measured Boot Chain

The runtime's host operating system and container engine integrity are verified at startup through a measured boot process. Each component in the boot chain cryptographically measures the next before loading it, storing the hashes in a Trusted Platform Module (TPM). The runtime will only initialize if the remote attestation quote matches the expected golden measurement, preventing execution on a compromised kernel or container engine.

DISCONNECTED CONTAINER RUNTIME

Frequently Asked Questions

Clear, technically precise answers to the most common questions about operating container orchestration engines in fully air-gapped environments without internet access.

A disconnected container runtime is a container orchestration engine configured to operate without pulling images from the internet, relying solely on a local, air-gapped container registry for all application deployments. In this architecture, the runtime—such as containerd, CRI-O, or a Kubernetes kubelet—is explicitly pointed to an internal registry mirror that hosts all required images. The runtime never initiates outbound connections to external registries like Docker Hub or Quay.io. Instead, all images are pre-staged by manually importing them via sneakernet protocols or one-way data diodes. This ensures that no runtime dependency, base image, or sidecar container can introduce a supply chain compromise through a network vector. The runtime's trust store is also locally managed, with internal certificate authorities signing all image references, making it impossible for a tampered image to be pulled without detection.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.