Offline Mode

It’s possible to run KKP in an airgapped/offline environment, by mirroring all required Docker images to a local Docker registry. The kubermatic-installer mirror-images command is provided to aid in this process.

In general, to setup an airgapped system, the Docker images must be mirrored and the Helm charts / KubermaticConfiguration need to be adjusted to point to the new registry.

Download All Required Images

The functionality described in this section was provided by a tool called image-loader in previous KKP releases. That tool does not exist as a standalone tool anymore and has been rolled into the Kubermatic Installer.

There are a number of sources for the Docker images used in a KKP setup:

  • The Docker images used by KKP itself (e.g.
  • The images used by the various Helm charts used to deploy KKP (nginx, cert-manager, Grafana, …)
  • The images used for creating a usercluster control plane (the Kubernetes apiserver, scheduler, metrics-server, …).
  • The images referenced by cluster addons.

To make it easier to collect all required images, the kubermatic-installer mirror-images utility is provided. It will scan the Helm charts and uses the KKP code itself to determine all images that need to be mirrored. Once it has determined these, it will pull, re-tag and then push the images.

To use it, provide it with the KubermaticConfiguration as a YAML file and the values.yaml file used to install the Helm charts.

Download the latest KKP release, you will need both the kubermatic-installer binary and the charts directory. Extract the KKP release locally and then run the kubermatic-installer. Note that you need Helm 3.x installed on your machine.

./kubermatic-installer mirror-images \
  --charts-directory /path/to/the/extracted/charts \
  --config mykubermatic.yaml \
  --helm-values myhelmvalues.yaml \

Remove the --dry-run to let the tool actually download and push Docker images.


Note that by default, kubermatic-installer mirror-images will determine the configured addons Docker image from the KubermaticConfiguration, pull it down and then extract the addon manifests from the image, so that it can then scan them for Docker images to mirror.

You can skip this step by pointing the command to a local directory that contains all addons with the --adons-path flag:

./kubermatic-installer mirror-images \
  --charts-directory /path/to/the/extracted/charts \
  --config mykubermatic.yaml \
  --helm-values myhelmvalues.yaml \
  --addons-path /path/to/my/addons \

Configuring KKP

After having mirrored all required Docker images, it’s time to adjust the KKP configuration to point to the new images. For this the KubermaticConfiguration allows to override the Docker repository (but not the tag!) for all used images. Likewise, all Helm charts have options to reconfigure the repository as well.

For example, Dex can be installed by overwriting dex.image.repository either in the values.yaml file or on the command line:

helm -n oauth upgrade \
  --values myvalues.yaml \
  --set "dex.image.repository=" \
  oauth .

When adjusting the values.yaml, do not use the same file for kubermatic-installer mirror-images, as it would attempt to mirror to (a no-op). Either provide kubermatic-installer mirror-images with a stock configuration or set the overridden image repositories via --set when using Helm.

Likewise, carefully go through the KubermaticConfiguration and adjust the dockerRepository fields:

  # etc.

Re-apply the updated configuration to make the KKP Operator reconcile the setup:

kubectl apply -f mykubermatic.yaml

Worker Nodes Behind a Proxy

In situations where worker nodes will require a proxy to reach the internet, the datacenter specification for the Seed cluster must be updated. Find the relevant seed via kubectl:

kubectl -n kubermatic get seeds

Output will be similar to this:

#NAME        AGE
#hamburg     143d
#frankfurt   151d

You will then find the datacenter inside the spec.datacenters list of the right Seed. You need to set a couple of node settings:

      location: Hamburg
      country: DE
        # Configure the address of the proxy
        # It will be configured on all worker nodes. It results in the HTTP_PROXY & HTTPS_PROXY
        # environment variables being set.
        http_proxy: ""

        # Worker nodes require access to a Docker registry; in case it is only accessible using
        # plain HTTP or it uses a self-signed certificate, it must be listed here.
          - ""

        # The kubelet requires the pause image; if it's only accessible using a private registry,
        # the image name must be configured here.
        pause_image: ""

        # ContainerLinux requires the hyperkube image; if it's only accessible using a private
        # registry, the image name must be configured here.
        hyperkube_image: ""

Edit your Seed either using kubectl edit or editing a local file and applying it with kubectl apply. From then on new nodes in the configured datacenter will use the new node settings.