Project Harbor Introduction - Open source trusted cloud native registry
Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential ©2018 Agenda 7 Confidential ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • Chart Harbor API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components
36 pages | 12.65 MB | 1 year ago

Harbor Deep Dive - Open source trusted cloud native registry
Harbor Deep Dive Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 goharbor.io Initiated by VMware and PKS GitHub Repo: https://github.com/goharbor/harbor/ Apache 2.0 license An open source trusted cloud native registry project HARBOR More integrations in future Harbor Project History Harbor Policy • Based on content trust • Based on vulnerability • Based on RBAC Main Features (Cont.) 7 Vulnerability Scanning • Kinds of scanning policies • Elaborate scanning report Content Trust • Digital
15 pages | 8.40 MB | 1 year ago

Preserve Original Source Address within Istio
TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon Content 1. TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon skip_xff_append is set false. xff_num_trusted_hops: If use_remote_address is true and xff_num_trusted_hops is set to a value N that is greater than zero, the trusted client address is the Nth address from the right end of XFF. #IstioCon Content 1. TCP Original Address Preserve Background Demo 1. HTTP Original Address Preserve #IstioCon Preserve TCP Original Src Addr - inner svcA svcB envoy
29 pages | 713.08 KB | 1 year ago

Dapr September 2023 security audit report
permissions to manage the Kubernetes cluster for deployments of Dapr in Kubernetes mode. Fully trusted Application user A user of the application that the Dapr sidecar has been deployed alongside. Fully nil { return } return } The check for path traversal attacks is unnecessary if the input is trusted. The second example we found was another defense against path traversal in the HTTP binding: https://github Errorf("invalid path: %s", path) } } This check is also unnecessary in case the InvokeRequest is trusted. 14 Dapr security audit 2023 Fuzzing During the audit, Ada Logics wrote five new fuzzers for
47 pages | 1.05 MB | 1 year ago

CNCF Harbor Webinar 2020
1 Harbor James Zabala Maintainer Harbor Focus Harbor is a trusted cloud native registry that stores, signs, and scans content. The mission is to provide cloud native environments the ability to confidently adopted by users worldwide • Registry for containers and Helm charts • Focus: stores, signs and scans content − Provides consistent experience on- and off-prem • Open Source (Apache 2.0) • Accepted into sandbox Project Harbor Project History 10 Open Source Stats Registry features include − Multi-tenant content signing and validation − Identity integration and role-based access control − Security and vulnerability
39 pages | 2.39 MB | 1 year ago

OpenShift Container Platform 4.13 Networking
128 name: User-Agent response: - maxLength: 256 name: Content-Type - maxLength: 256 name: Content-Length OpenShift Container Platform 4.13 Networking 40 headerBufferMaxRewriteBytes OpenShift Container Platform 4.13 Networking 204 2. To inject the trusted CA bundle into the config map, run the following command to add the config.openshift.io/inject-trusted-cabundle=true label to the config map: 3. Run the following command to update the subscription of the External DNS Operator: Verification After deploying the External DNS Operator, run the following command to verify the trusted Example output $ oc -n external-dns-operator create configmap trusted-ca $ oc -n external-dns-operator label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true $ oc -n external-dns-operator patch
697 pages | 7.55 MB | 1 year ago

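OpenShift Container Platform 4.13 Installation
a config map named user-ca-bundle is generated in the openshift-config namespace, containing the one or more additional CA certificates required for proxying HTTPS connections. The Cluster Network Operator then creates a trusted-ca-bundle config map that merges these contents with the Red Hat Enterprise Linux apiVersion: v1 baseDomain: my.domain.com proxy: > 2 noProxy: example.com 3 additionalTrustBundle: | 4 -----BEGIN CERTIFICATE-----TRUSTED_CA_CERT> -----END CERTIFICATE----- additionalTrustBundlePolicy: a config map named user-ca-bundle is generated in the openshift-config namespace, containing the one or more additional CA certificates required for proxying HTTPS connections. The Cluster Network Operator then creates a trusted-ca-bundle config map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is also referenced in the trustedCA field of the Proxy object
4634 pages | 43.96 MB | 1 year ago
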
OpenShift Container Platform 4.14 Installation
a config map named user-ca-bundle is generated in the openshift-config namespace, containing the one or more additional CA certificates required for proxying HTTPS connections. The Cluster Network Operator then creates a trusted-ca-bundle config map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is also referenced in the trustedCA field of the Proxy object > 2 noProxy: example.com 3 additionalTrustBundle: | 4 -----BEGIN CERTIFICATE-----TRUSTED_CA_CERT> -----END CERTIFICATE----- additionalTrustBundlePolicy: > 2 noProxy: example.com 3 additionalTrustBundle: | 4 -----BEGIN CERTIFICATE----- TRUSTED_CA_CERT> -----END CERTIFICATE----- additionalTrustBundlePolicy:
3881 pages | 39.03 MB | 1 year ago

Apache Kyuubi 1.9.0-SNAPSHOT Documentation
securing networking between clients and servers. On the data plane, the Kyuubi engines use the same trusted client identities to instantiate themselves. The resource acquirement and data and metadata access is used to verify the user identity that a client used to talk to the kyuubi server. Once done, a trusted connection will be set up between the client and server if successful; otherwise, rejected. Note: data integrity as they go about their business. The Kerberos architecture is centered around a trusted authentication service called the key distribution center, or KDC. Users and services in a Kerberos
220 pages | 3.93 MB | 1 year ago