check-circle-line exclamation-circle-line close-line


This topic describes how to install Tanzu Kubernetes Grid in air-gapped environments, namely environments that are not connected to the Internet. The procedures described here only apply to deployments to vSphere.

If you are installing Tanzu Kubernetes Grid in a connected environment that can pull images over an external internet connection, you do not need to perform this procedure.


To deploy Tanzu Kubernetes in an air-gapped environment, you require the following.

  • Within your firewall, install and configure a private Docker Registry. For example, install Harbor, which is the registry against which this procedure has been tested. For information about how to install Harbor, see Harbor Installation and Configuration.
  • A valid SSL certificate for the Docker Registry. For information about how to obtain the Harbor registry certificate, see the Harbor documentation. Alternatively, you can obtain a DNS wildcard SSL certificate by using a service such as Let's Encrypt.
  • A system with an external internet connection to perform the initial downloads and the mirroring of the required images.
  • The internet-connected machine must have Docker installed and running.
  • You can connect to the private registry from the internet-connected machine.


  1. On a machine with an internet connection, follow the instructions in Set Up the Bootstrap Environment for Tanzu Kubernetes Grid to download, unpack, and install the Tanzu Kubernetes Grid CLI binary on your internet-connected system.
  2. Follow the instructions in Prepare to Deploy the Management Cluster to vSphere to create SSH keys and to import into vSphere the OVAs from which node and loadbalancer VMs are created.
  3. Pull the following images into your local Docker image store.

    Copy and run the following command without changing it.

    xargs -n1 docker pull << 'EOF'
  4. Set the IP address or FQDN of your local registry as an environment variable.

    For example, replace <local-registry-address> with

  5. Log in to your local private registry.
    docker login ${LOCAL_REGISTRY}
  6. Tag all of the images in your image store so that you can push them to the local registry.

    Copy and run the following command without changing it.

    xargs -n2 docker tag << EOF ${LOCAL_REGISTRY}/kind/node:v1.17.3_vmware.2 ${LOCAL_REGISTRY}/calico-all/cni-plugin:v3.11.2_vmware.1 ${LOCAL_REGISTRY}/calico-all/kube-controllers:v3.11.2_vmware.1 ${LOCAL_REGISTRY}/calico-all/node:v3.11.2_vmware.1 ${LOCAL_REGISTRY}/calico-all/pod2daemon:v3.11.2_vmware.1 ${LOCAL_REGISTRY}/ccm/manager:v1.1.0_vmware.2  ${LOCAL_REGISTRY}/cluster-api/cluster-api-aws-controller:v0.5.2_vmware.1 ${LOCAL_REGISTRY}/cluster-api/cluster-api-controller:v0.3.3_vmware.1 ${LOCAL_REGISTRY}/cluster-api/cluster-api-vsphere-controller:v0.6.3_vmware.1 ${LOCAL_REGISTRY}/cluster-api/kube-rbac-proxy:v0.4.1_vmware.2 ${LOCAL_REGISTRY}/cluster-api/kubeadm-bootstrap-controller:v0.3.3_vmware.1 ${LOCAL_REGISTRY}/cluster-api/kubeadm-control-plane-controller:v0.3.3_vmware.1 ${LOCAL_REGISTRY}/csi/csi-attacher:v1.1.1_vmware.7 ${LOCAL_REGISTRY}/csi/csi-livenessprobe:v1.1.0_vmware.7 ${LOCAL_REGISTRY}/csi/csi-node-driver-registrar:v1.1.0_vmware.7 ${LOCAL_REGISTRY}/csi/csi-provisioner:v1.4.0_vmware.2 ${LOCAL_REGISTRY}/csi/volume-metadata-syncer:v1.0.2_vmware.1 ${LOCAL_REGISTRY}/csi/vsphere-block-csi-driver:v1.0.2_vmware.1 ${LOCAL_REGISTRY}/cert-manager/cert-manager-controller:v0.11.0_vmware.1 ${LOCAL_REGISTRY}/cert-manager/cert-manager-cainjector:v0.11.0_vmware.1 ${LOCAL_REGISTRY}/cert-manager/cert-manager-webhook:v0.11.0_vmware.1
  7. Push all of the images from your image store into the local registry.

    Copy and run the following command without changing it.

    xargs -n1 docker push << EOF
  8. Run tkg get management-cluster to populate your local ~/.tkg folder.
  9. Use the search and replace utility of your choise to replace with <local-registry-address> recursively throughout the ~/.tkg folder.

    Make sure that the search and replace operation includes the ~/.tkg/providers folder and the ~/.tkg/config.yaml file.

  10. Turn off your internet connection.
  11. Run any Tanzu Kubernetes Grid CLI command, for example tkg init --ui.

    The Tanzu Kubernetes Grid installer interface should open.

What to Do Next

Your air-gapped environment is now ready for you to deploy Tanzu Kubernetes Grid management clusters to vSphere.