A safe Harbor for Kubernetes

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content.

Executive Summary

Harbor is an incubating project in the Cloud Native Computing Foundation (CNCF). Harbor extends the open source Docker Distribution by adding the capabilities necessary for organizations such as: security, identity and management.

• Security and vulnerability analysis
• Automation accounts which support CI/CD
• Image replication across multiple registries
• OpenID connect for simple identity management
• API performance monitoring and Health Checks
• Over 11,500 stars on GitHub

Benefits to your organization

Harbor is a cloud native registry providing support for both container images and Helm charts. Granular access control grants or restricts user access to different repositories at the project level. A user can have different permission for images or Helm charts within a project.

Container images and Helm charts can be replicated (synchronized) between multiple registry instances based on policies. The policies can be filtered using tags and labels. If an error occurs during replication, harbor will automatically retry. To ensure your container images are free from known Common Vulnerabilities and Exposures (CVE’s), Harbor performs container image scans regularly and supports policy checks to prevent vulnerable images from being deployed.

Harbor leverages OpenID Connect (OIDC), a simple identity layer on top of the OAuth 2.0 protocol to verify the identity of users authenticated by an external authorization server or identity provider. Single sign-on can be can be supported for users logging into the Harbor portal. Harbor provides support for existing enterprise LDAP/AD for user authentication and management, and supports importing LDAP groups into Harbor granting permissions to specific projects.

To support container images signing Harbor integrates Notary for managing trusted collections of content. Publishers can digitally sign collections and consumers can verify integrity and origin of content.

Using the Harbor user portal, user can easily browse, search repositories and manage projects. All of the site operations to the repositories are audited and tracked through logs. Administrators can interact with the portal using REST API’s, the API definitions can be found in the Swagger Doc here.

Harbor containers can be can be easily deployed using into your Kubernetes cluster using Helm Charts or with Docker Compose.

Conclusion

Harbor is well along the maturity curve in becoming a graduated CNCF project, the recent Oct 2019 pentest concluded that the number of findings were very low, the overall results and general impression of the codebase were positive.

The capabilities gained by using an Open Source solution such as Harbor for: container security scanning, role base management, monitoring, auditing and logging can be a big win for your organization. Earlier adopters will be better positioned as inevitable product hardening and maturity is realized.

Reference information

• Harbor Git repository
• CNCF Harbor webinar slide deck
• Harbor install releases
• Harbor live demo