posted

0 Comments

By Patrick Daigle, Senior Technical Marketing Architect, Cloud-Native Apps 

There’s no doubt that cloud native services and practices boost developer productivity, and that’s a key reason why enterprises are turning to Kubernetes in droves. But as organizations put containerized applications into production, they quickly discover another fundamental truth: they need a secure way to store, scan, and sign their container images.  

 

Although it’s true that public image repositories give you a quick and easy way to start working with containers, public repositories pose challenges when the time comes to deploy applications into production. Understanding the provenance of an image is paramount. Can you trust that your images and their dependencies are free from tampering? Are the dependencies compliant with your internal policies and, if applicable, external industry regulations? Can you count on your system to predictably and rapidly push and deploy containers on demand?

 

Other challenges span development, testing, and production environments. At the top of the list is interoperability. Can the registry work within your operational processes and with other components of your developers’ cloud native stack? Does the registry meet the same requirements for security controls as your other IT infrastructure?

 

Harbor is an open source cloud native registry that solves these problems by delivering trust, compliance, performance, and interoperability. As a private on-premises registry, Harbor fills a gap for organizations or applications that cannot use a public or cloud-based registry or want a consistent experience across clouds.

 

The mission of Harbor is to provide users in cloud native environments with the ability to confidently manage and securely serve container images. To do so, Harbor stores, signs, and scans content. Here are some of the key features of Harbor:

 

  • Multi-tenant content signing and validation
  • Security and vulnerability analysis
  • Identity integration and role-based access control
  • Image replication between instances
  • Extensible API and graphical UI
  • Internationalization (currently English and Chinese)

 

Harbor is easy to deploy, use, and integrate with existing infrastructure.

 

For instance, Harbor can be deployed as a stand-alone registry by using a Docker Compose script, or Harbor can be deployed on Kubernetes by using a Helm chart.  

 

After Harbor is deployed, you can easily isolate your images by using a logical construct known as a project. You can then set permissions on a project so that, for example, only a select group of developers can push. Meanwhile, the permissions to pull images can be more open.

 

Harbor provides many of the controls necessary to integrate a container registry in an environment that’s operationalized for production. By looking at Harbor 1.5, let’s examine in more detail what that means.

 

Security

One of the main advantages of Harbor is security. It provides controls for access management, image integrity and auditing.

 

Multi-tenancy

Users and repositories are organized in projects and users can be assigned different permissions based on their role within a project.

 

Users are assigned specific roles that determine their permissions within each project.

 

Projects provide a logical boundary that can be used to reflect your organizational structure (for example, creating one project per team), deployment stages (for example, development versus production), or any other logical grouping.

 

Content Trust

Another important aspect of container image security is the ability to verify that images pushed to the registry came from a trusted source. Notary provides the ability to digitally sign images using keys that allow enterprises to securely publish and verify content. As in the case of vulnerability scanning, a policy can be set at the project level to prevent unsigned images from being pulled.

 

 

In this example, the image for ubuntu:1.0-corp was signed using Notary and the image for nginx:1.0-corp is unsigned.

 

 

Policy is set at the registry level, even if the client disables Content Trust (export DOCKER_CONTENT_TRUST=0), Harbor prevents the unsigned image from being pulled.

This can be useful to prevent unapproved content from being pulled and deployed in your environment.

 

Vulnerability Scanning

To verify if images contain any known CVE vulnerabilities, Harbor leverages Clair to scan the images at rest. Clair maintains and updates a vulnerabilities database by pulling from a configured set of sources. The repositories view provides a quick visual view of the results and a detailed report is available in the web interface.

 

Vulnerability scanning summary is available in the images list for quick visual assessment.

 

A more detailed vulnerability report is also provided with links to CVEs.

 

Images can be scanned manually, automatically (daily), or scanned when they are pushed  (through a project-level policy). You can also set policies on a per-project basis to automatically scan images when they are pushed to the registry. Similarly, you can prevent vulnerable images from being pulled from the registry based on the severity level of the vulnerability.

 

Per-project security policies can prevent vulnerable and/or unsigned images from being pulled.

 

Audit Logging

For auditing purposes, Harbor logs all operations to the repositories including the user who performed them. This can be especially useful for regulatory compliance where an audit trail of user operations is required.

 

All the operations to the repositories are tracked.

 

Identity (AuthZ/AuthN)

Harbor provides its own built-in user database or it can integrate with your company directory (Active Directory or LDAP) for authentication and to provide role-based access control to the registry.

 

Easy integration with LDAP and Active Directory for authentication.

 

Management

Harbor provides a rich, modern web-based interface that allows users to easily browse and search repositories as well as perform management tasks (global or project-scope) based on their assigned privileges.

 

We also added a new, user-friendly card view of repositories in version 1.5:

Easily browse available repositories using the new card view.

 

Image Replication

Harbor can replicate container images from one Harbor instance to another. This can be useful either for data protection or for keeping container images closer to their target build and run environments. Replication policies are set at the project level, can target images based on repository name or tag, and can be scheduled, triggered manually or triggered by push and delete events.

 

Labels and Other Recent Additions

Version 1.5 adds the concept of labels that can be applied to images to facilitate searching. Labels can be defined globally by the administrator (can be applied to images in any project) or at the project-level by the project administrator (can be applied only to images in the project).

Labels defined globally by the administrator can be applied to any image in any project repository.

 

Labels defined at the project level can be applied to images in the project.

 

Example of applying labels to an image (both global and project labels are available). Labels can be used as filters in search as well.

 

In version 1.5 we also introduced a global “read-only” mode to ensure consistency during Garbage Collection. While the registry is in “read-only” mode, images can only be pulled from the registry: push, delete and tagging operations are disabled.

 

Storage

By default, Harbor uses the local storage filesystem. Harbor also supports using external storage subsystems like Amazon S3, OpenStack Swift and others.

 

A Special Thanks to v1.5 Contributors

Many thanks to the community for their contributions to improve Harbor.

 

  • Steven Arnott, Paul Czarkowski, Alexandre Maari, Gregory May, and Luca Innocenti Mirri for adding the Harbor Helm chart
  • Patrick Fratczak for providing French translations for UI labels
  • Daniele Franceschi for fixing a UI bug
  • Ronak Banka for fixing an error in Harbor’s documentation

 

See Harbor Live

If you’re at DockerCon SF, stop by the VMware booth between 12:15 pm-1:00 pm today to see a demo of Harbor in action.

Try Harbor Out

If you can’t make it to DockerCon SF, don’t worry. Get started with Harbor in your own environment in no time by reading these easy to follow docs. If you want more information on how it works while you’re downloading and installing, the following YouTube videos are great starting points:

Join the Community