Managing Kubernetes in Classified Environments with New IC Cloud Support
March 18, 2025
We’re excited to announce a technical preview of our new IC Cloud Support offering for Rancher Government Solutions (RGS) customers, designed specifically to address the challenges faced by government and military customers operating in classified cloud environments.
The Classified Environment Challenge
Organizations and agencies working in classified cloud regions on providers such as AWS or Azure face a fundamentally different operating environment than what they experience in commercial clouds. These classified environments are completely air-gapped by design, with no connectivity to the internet or outside networks, forcing teams to rely on manual processes for moving resources in and out of these environments. In many cases, teams are still burning discs with needed resources, carrying them into a SCIF, and loading them in.
Access management presents another hurdle. In commercial clouds, users typically have the freedom to create and manage their own Identity and Access Management (IAM) roles, keys, and secrets to interface with cloud APIs. However, in classified environments, IAM access is often severely restricted or entirely unavailable. This means organizations generally have no ability to create the AWS keys or secrets needed to interface with APIs, a requirement for most cloud management tools, including the standard Rancher Government deployment.
Another hurdle is that classified environments use different API endpoints than their commercial counterparts (such as .gov domains instead of .com). These unique endpoints are incompatible with standard libraries and SDKs, forcing teams to write custom code just to handle basic cloud operations. Classified environments also rely on custom certificate authorities and chains of trust that can’t be verified out-of-the-box by browsers or standard tools.
Until now, these limitations have made managing Kubernetes in classified environments a cumbersome, labor-intensive process that lacks the intuitive experience users expect from modern container orchestration platforms.
Announcing RGS IC Cloud Support
Today, we’re overcoming those limitations with our IC Cloud Support offering. This solution brings the familiar Rancher Government experience directly into some of the most secure and isolated cloud environments in the world.
The core of our solution is a differentiated build of Rancher Government that works with the constraints of classified environments. With IC Cloud Support, when creating clusters in these environments, users can now simply toggle the “Carbide Instance Credential” option in the Rancher Government control panel. This approach eliminates the need for manually managing access and secret keys by using the instance’s own IAM role instead.
This offering is fully compatible with classified API endpoints, allowing Rancher Government to communicate natively with these interfaces without requiring custom code development. More importantly, customers enjoy the same user experience when working in AWS Commercial or AWS GovCloud environments, creating a consistent operational model across all cloud environments.
With IC Cloud Support, organizations have direct access to AWS resources like Load Balancers and EBS Volumes within their Kubernetes clusters. The offering also improves Day-2 Operations for managing Kubernetes infrastructure, including certificate and encryption key rotation, intuitive scaling, and console access to instances.
Provisioned vs. Import Clusters
To appreciate the full impact of this offering, consider how organizations previously operated. Before this solution, customers in classified environments were limited to manually creating clusters and then importing them into Rancher Government, which severely restricted their management capabilities.
The table below shows the expanded functionality now available to classified environment users:
With provisioned clusters, users gain capabilities that weren’t previously available with imported clusters, including:
- Complete node management (adding, removing, scaling)
- SSH shell access to nodes
- Certificate rotation
- Encryption key rotation
- Snapshot, backup, and restore functionality
These capabilities dramatically improve operational efficiency in classified environments and bring parity with what users expect from Rancher Government in commercial clouds.
The Technical Implementation
Let’s take Amazon EC2 as an example of the power of this offering. Our approach uses the existing EC2 instance role to interact with the cloud provider API, eliminating the need for manually created access keys and secrets. When you toggle the “Carbide Instance Credential” option in Rancher Government, you can select your isolated region and provision clusters without providing AWS credentials.
This method takes advantage of the AWS EC2 instance metadata service to allow the Rancher Government server to assume the IAM role attached to its instance. The RGS engineering team has also developed custom code to handle the API endpoints and certificate requirements of classified environments, making the entire experience seamless for end users.
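The credential flow described above, as an added example (not RGS code): a standard-library sketch of the IMDSv2 exchange that yields the instance role's temporary credentials, with an expiry check. The names `instance_role_credentials` and `fake_imds`, the role name and all credential values are constructed for illustration, and the product's classified endpoint and certificate handling is not shown.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IMDS = "http://169.254.169.254"  # link-local metadata address on EC2
BASE = "/latest/meta-data/iam/security-credentials/"

def http_fetch(method, path, headers):
    """Real transport: HTTP to the metadata service with a short timeout."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def instance_role_credentials(fetch=http_fetch, now=None, min_left=timedelta(minutes=5)):
    """Return the temporary credentials of the IAM role attached to this instance."""
    now = now or datetime.now(timezone.utc)
    # IMDSv2: get a session token first, then present it on every read.
    token = fetch("PUT", "/latest/api/token", {"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    auth = {"X-aws-ec2-metadata-token": token}
    roles = fetch("GET", BASE, auth).split()
    if len(roles) != 1:
        raise RuntimeError("expected exactly one instance role, got %r" % roles)
    doc = json.loads(fetch("GET", BASE + roles[0], auth))
    if doc.get("Code") != "Success":
        raise RuntimeError("metadata service returned Code=%r" % doc.get("Code"))
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires - now < min_left:
        raise RuntimeError("credentials expire too soon; fetch again after rotation")
    return {"role": roles[0], "access_key_id": doc["AccessKeyId"],
            "secret_access_key": doc["SecretAccessKey"],
            "session_token": doc["Token"], "expires": expires}

def fake_imds(method, path, headers):
    """Constructed stand-in for the metadata service so the example runs offline."""
    if (method, path) == ("PUT", "/latest/api/token"):
        return "constructed-token"
    if headers.get("X-aws-ec2-metadata-token") != "constructed-token":
        raise PermissionError("401: IMDSv2 session token required")
    if path == BASE:
        return "example-rancher-role\n"
    return json.dumps({"Code": "Success", "AccessKeyId": "ASIACONSTRUCTEDKEY",
                       "SecretAccessKey": "constructed-secret",
                       "Token": "constructed-session-token",
                       "Expiration": "2025-03-18T18:00:00Z"})

if __name__ == "__main__":
    noon = datetime(2025, 3, 18, 12, 0, tzinfo=timezone.utc)
    creds = instance_role_credentials(fetch=fake_imds, now=noon)
    print(creds["role"], "expires", creds["expires"].isoformat())
```

Because the credentials are short-lived and rotated by the platform, nothing long-lived has to be created or stored, which is what removes the need for manually issued access keys.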
The offering works with both RKE2 custom clusters and managed Kubernetes offerings like EKS, providing flexibility to meet various deployment requirements in classified environments.
Who Benefits
The new capability is an advantage for both existing and potential customers. Current RGS users operating in classified environments now gain the full power of RGS provisioning and Day-2 Operations capabilities that were previously unavailable to them.
For agencies and organizations evaluating container management solutions for classified environments, RGS now offers a pioneering solution unmatched in the market today. As of this preview, RGS is the only Kubernetes management platform offering native support for classified cloud regions.
Getting Started with IC Cloud Support
The IC Cloud Support offering is available to all Rancher Government customers. You can access this new capability through the customer portal by looking for “Rancher Government” in the downloads section. Once downloaded, you can deploy it following standard Rancher installation procedures.
When creating cloud credentials in Rancher Government, you’ll now see the “Carbide Instance Credential” toggle that supports working within classified environments. Simply turn on this toggle, select your isolated region from the drop-down, and begin creating clusters just as you would in commercial environments.
Looking Ahead
We’re excited to bring this offering to RGS customers working in classified environments. This new offering is not yet supported in production, but we are working toward GA. A separate announcement will be made when this offering is available. As always, your feedback will be invaluable as we continue to refine and improve the solution.
Watch this space for more updates as we move toward general availability. For more information or to schedule a demo, contact us at info@ranchergovernment.com or call us at 844-RGS-7779.