kindly refactor the airgap documentation #5202

Closed

Description

Is your feature request related to a problem? Please describe.

Hi! thank you for your hard work and dedication to k0s :)
airgap documentation seems incorrect or incomplete. https://docs.k0sproject.io/stable/airgap-install/

documentation says to follow the manual install instructions which will fail.
curl --proto '=https' --tlsv1.2 -sSf https://get.k0s.sh | sudo sh
this cannot be executed on an airgap system and makes no sense to execute outside the cluster. please just provide instructions on downloading the binary.
(this curl also fails without sudo as /usr/local/bin isn't writeable by nonprivileged users, and curl|sudo sh type installations are considered harmful.)

Describe the solution you would like

clearly document the installation steps to pull k0s. no scripts, no curl, just the location of k0s.

possibly create a tar.gz or archive bundle of the entire k0s installation (point released on github?) as it must exist in order to be completed at the time of installation. (similar to rke2?)

Describe alternatives you've considered

  • include k0s binary in the airgap installation documentation as a link
  • consider including a manifest, or document a means of listing, all files in the bundle.
  • consider providing the sum total of k0s documentation as a PDF or HTML bundle.

Additional context

airgap users are exceedingly rare, but often subject to overwhelmingly rigorous controls such as SCAP/STIG and NISPOM directives.
the airgap sysadmin frequently enjoys intense scrutiny by infosec, industrial security and counterintelligence teams at numerous levels of organizational competence. binaries must be closely evaluated and reviewed prior to inclusion in the airgap system, and should be provided as transparently as possible.

please understand:

  • once inside an airgap/sterile/closed area, internet connectivity is rarely available.
  • ingress of the k0s bundle and binaries is often subject to Bell–LaPadula model security
    • this means moving the bundle or binaries in and out is not possible
  • the ability to source k0s, its dependencies, or binaries may be extremely constrained.
    • assume no prior k0s exists to help strap the cluster.
    • assume any existing k0s exists in an environment that cannot be used for anything else.
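
One way to produce and check the file manifest the issue asks for, shown as an added example that is not part of the original issue or of k0s. `make_manifest` records a SHA-256 for every file in a staging directory on the connected side; `verify_manifest` re-checks them after transfer and also rejects files the manifest does not list. The function names, the manifest name and the demo files are assumptions constructed for illustration, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example: SHA-256 manifest for an air-gap transfer bundle.
# The bundle directory and its file names are constructed placeholders.

MANIFEST_NAME="MANIFEST.sha256"

# make_manifest DIR: run on the connected side. Writes DIR/MANIFEST.sha256
# with one "hash  ./path" line per file, sorted by path.
make_manifest() (
    cd "$1" || exit 1
    find . -type f ! -name "$MANIFEST_NAME" -exec sha256sum {} + \
        | LC_ALL=C sort -k2 > "$MANIFEST_NAME"
)

# verify_manifest DIR: run after transfer. Succeeds only if every listed
# file is present and unmodified and no unlisted file has been added.
verify_manifest() (
    cd "$1" || exit 1
    [ -s "$MANIFEST_NAME" ] || { echo "manifest missing or empty" >&2; exit 1; }
    rc=0
    # A missing or altered file makes sha256sum exit non-zero.
    sha256sum --check --strict --quiet "$MANIFEST_NAME" >&2 || rc=1
    # Report files on disk that the manifest does not list. The path
    # starts at column 67: 64 hex digits plus a two-character separator.
    extra=$(find . -type f ! -name "$MANIFEST_NAME" | while IFS= read -r f; do
        awk -v f="$f" 'substr($0, 67) == f { ok = 1 } END { exit !ok }' \
            "$MANIFEST_NAME" || printf '%s\n' "$f"
    done)
    [ -z "$extra" ] || { echo "unlisted files: $extra" >&2; rc=1; }
    exit "$rc"
)

# Constructed demo: a throwaway bundle with placeholder files.
demo=$(mktemp -d)
mkdir "$demo/bin"
printf 'placeholder binary\n' > "$demo/bin/tool"
printf 'placeholder images\n' > "$demo/images.tar"
make_manifest "$demo" && verify_manifest "$demo" && echo "bundle verified"
```

The manifest only proves the bundle did not change in transit; carry its own hash through a separate channel so the reviewing party can confirm the manifest itself.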

Labels: documentation (Improvements or additions to documentation)