The "invisible" goal is harder than it sounds in air-gapped setups. We run AKS for a public sector client — private API server, no public
egress, Azure Firewall with explicit allowlists. K8s is the right call,
but invisible it is not. Podman for builds works fine until someone adds
a base image that isn't mirrored locally. Then you get a silent pull
failure at 2am.

Most tooling just assumes outbound connectivity. Helm charts, operators, even some CNI plugins phone home somewhere at install. You don't find out until it breaks in prod.

Not disagreeing with the direction, just that invisible infrastructure means something different when egress is locked down by policy, not convention.
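The unmirrored-base-image failure described in the comment above is cheap to catch before it reaches an air-gapped cluster. The following is an added example, not code from the commenter or from their client's setup: a CI pre-flight that pulls every image reference out of Containerfiles (`FROM` lines, including multi-stage aliases) and rendered manifests (`image:` keys), resolves which registry each one would actually be pulled from, and fails if it is not the local mirror. The mirror hostname is an assumption; the short-name rule it applies (a leading path component is only a registry if it contains `.` or `:` or is `localhost`, otherwise podman consults `unqualified-search-registries` from registries.conf) is the real reason `python:3.12` slips past a per-host allowlist.

```python
"""Pre-flight check for air-gapped builds (added example, not the original poster's code).

Every image referenced in a Containerfile or rendered Kubernetes manifest must come
from an allowlisted, locally mirrored registry. Run it in CI before `podman build` or
`helm install` so an unmirrored base image fails at review time instead of as a
silent pull failure behind an egress-denying firewall.
"""
import re
import sys

# Registries the firewall allowlist / local mirror actually serves. Assumed value.
ALLOWED_REGISTRIES = {"mirror.internal.example:5000"}

# FROM [--platform=... ...] <ref> [AS <stage>]   (Containerfile / Dockerfile)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?",
                     re.IGNORECASE | re.MULTILINE)
# image: <ref>   (rendered Kubernetes YAML; quotes optional)
IMAGE_RE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)


def extract_image_refs(text):
    """Collect image references, skipping `scratch` and multi-stage alias reuse."""
    stages = {m.group(2).lower() for m in FROM_RE.finditer(text) if m.group(2)}
    refs = []
    for m in FROM_RE.finditer(text):
        ref = m.group(1)
        if ref.lower() == "scratch" or ref.lower() in stages:
            continue
        refs.append(ref)
    refs.extend(IMAGE_RE.findall(text))
    return refs


def registry_of(ref):
    """Registry host an image reference would be pulled from, or None if unqualified.

    Podman/docker short-name rule: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'. Anything else (e.g. 'python:3.12-slim') is
    resolved via unqualified-search-registries, which is how a pull bypasses the mirror.
    """
    first, sep, _rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return None


def find_unmirrored(text, allowed=ALLOWED_REGISTRIES):
    """Return (ref, reason) for every image that would not be served by an allowed registry."""
    problems = []
    for ref in extract_image_refs(text):
        if "$" in ref:
            problems.append((ref, "unresolved build ARG; registry cannot be verified"))
            continue
        registry = registry_of(ref)
        if registry is None:
            problems.append((ref, "unqualified short name; resolved via unqualified-search-registries, not the mirror"))
        elif registry not in allowed:
            problems.append((ref, f"registry {registry} is not on the egress allowlist"))
    return problems


# Constructed sample inputs, not taken from any real repository.
SAMPLE_CONTAINERFILE = """\
FROM --platform=linux/amd64 mirror.internal.example:5000/library/golang:1.22 AS builder
FROM python:3.12-slim
FROM quay.io/prometheus/node-exporter:v1.8.0
FROM builder
FROM scratch
"""
SAMPLE_MANIFEST = """\
containers:
  - name: app
    image: "mirror.internal.example:5000/team/app:1.4.2"
  - name: sidecar
    image: ghcr.io/example/sidecar:latest
"""


def main(paths):
    """Check each file; exit non-zero if anything would pull from outside the mirror."""
    problems = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            problems += [(path, ref, why) for ref, why in find_unmirrored(fh.read())]
    for path, ref, why in problems:
        print(f"{path}: {ref}: {why}")
    return 1 if problems else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No files given: run against the constructed samples instead.
    for ref, why in find_unmirrored(SAMPLE_CONTAINERFILE + SAMPLE_MANIFEST):
        print(f"{ref}: {why}")
```

Wire it in as `python3 check_images.py Containerfile <(helm template . --values prod.yaml)` so a chart's rendered images are checked too; operators that pull their own operands at runtime still need the same check run over the CRs they generate, which this script does not see.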