Project Harbor Introduction - Open source trusted cloud native registry
Project Harbor Introduction. Open source trusted cloud native registry. Henry Zhang, Chief Architect, VMware R&D China; Steven Zou, Staff Engineer, VMware R&D China. Nov. 2018. Confidential ©2018 VMware, Inc. Agenda • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy. SECURITY, DISTRIBUTION, RELIABILITY, DEPLOYMENT, OVERVIEW • Chart. Harbor: API Routing, Core Service (API/Auth/GUI), Image Registry, Trusted Content, Vulnerability Scanning, Job Service, Admin Service. Harbor components, 3rd party components
0 points | 36 pages | 12.65 MB | 1 year ago

Harbor Deep Dive - Open source trusted cloud native registry
Harbor Deep Dive. Open source trusted cloud native registry. Henry Zhang, Chief Architect, VMware R&D China; Steven Zou, Staff Engineer, VMware R&D China. Nov. 2018. goharbor.io. Initiated by VMware and PKS. GitHub Repo: https://github.com/goharbor/harbor/. Apache 2.0 license. An open source trusted cloud native registry project. HARBOR. More integrations in future. Harbor Project History. Harbor Policy • Based on content trust • Based on vulnerability • Based on RBAC. Main Features (Cont.). Vulnerability Scanning • Kinds of scanning policies • Elaborate scanning report. Content Trust • Digital
0 points | 15 pages | 8.40 MB | 1 year ago

CNCF Harbor Webinar 2020
Harbor. James Zabala, Maintainer. Harbor Focus: Harbor is a trusted cloud native registry that stores, signs, and scans content. The mission is to provide cloud native environments the ability to confidently adopted by users worldwide • Registry for containers and Helm charts • Focus: stores, signs and scans content − Provides consistent experience on- and off-prem • Open Source (Apache 2.0) • Accepted into sandbox. Project Harbor Project History. Open Source Stats. Registry features include − Multi-tenant content signing and validation − Identity integration and role-based access control − Security and vulnerability
0 points | 39 pages | 2.39 MB | 1 year ago

Ops Shanghai 2017 - Efficient and Secure Image Operations with Harbor, the Open Source Enterprise-Class Registry - Zhang Haining
... docker pull ... docker pull/push ... Other security considerations • Enable content trust by installing Notary service – Image is signed by publisher’s private key during pushing vulnerabilities from being pulled – Regular scanning based on updated vulnerability database. Content trust for image provenance: Registry, Notary, Image Creator, Image Consumer. Vulnerability Scanning
0 points | 41 pages | 4.94 MB | 1 year ago

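Efficient and Secure Container Image Operations with the Open Source Harbor Registry
– Accessible to many people – Production systems – Accessible to only a few people • Can integrate with existing internal user systems – LDAP/Active Directory. Access control. • Content trust – The publisher signs the image – The signature digest is used when downloading the image • Vulnerability scanning – Block vulnerable images from being pulled – Regularly update the vulnerability database. Security considerations
0 points | 29 pages | 3.97 MB | 1 year ago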