Servers close up. Modern datacenter. Cloud computing. Blade server and storage. 3d rendering
VMware Security Response Center

Embedded vSphere Harbor default enablement results in an insecure configuration

This post is relevant to administrators that have enabled the embedded Harbor version in vSphere 7.0 or 8.0 as explained in Enable the Embedded Harbor Registry on the Supervisor Cluster.

Harbor-helm issue
Harbor when installed with harbor-helm will use a default key pair if no key pair is specified in core.secretName in values.yaml. This default key pair is public and can be used to sign the JWT token. This token allows for pulling and pushing images in Harbor. See here for the Harbor-helm advisory which documents the issue.

vSphere
The embedded Harbor registry on a vSphere Supervisor has an insecure configuration due to the Harbor-helm issue. Normally, projects on an embedded Harbor registry are private and 1:1 mapped to Supervisor namespaces, and only users with proper permissions to Supervisor namespaces can pull / push images to the corresponding Harbor projects. However, this issue can break the isolation and protection of the container image access in those projects.
The issue is present in all current versions of vSphere prior to vCenter Server 7.0 U3l and vCenter Server 8.0c that have the embedded Harbor enabled and that have not changed the default configuration.

Existing enabled embedded Harbor registry in vSphere
VMware advises customers that have enabled the embedded Harbor version in vSphere and that have not changed the default configuration, to:
– Deploy vCenter Server 7.0 U3l or vCenter Server 8.0c which address the issue for existing embedded Harbor registries that are enabled by removing the default key pair, or
– Change the default configuration by following the temporary workaround steps listed in VMware Knowledge Base article 91452.

Newly enabled embedded Harbor in vSphere
In case the embedded Harbor registry is enabled on vCenter Server 7.0 U3l or vCenter Server 8.0c, the issue is not present.

Note
The VMware Harbor Container Registry for Tanzu Kubernetes Grid Integrated Edition is not installed through Harbor-helm and therefor it doesn’t have the Harbor insecure default installation.

Acknowledgement
VMware would like to thank Sam Erb from Google for reporting this issue to us.