features include − Multi-tenant content signing and validation − Identity integration and role-based access control − Security and vulnerability analysis − Image replication between instances − Internationalization backup • Local access Agenda 1 Containers 101 2 Introduction to Harbor 3 Image Consistency 4 Image Security 5 Image Distribution 6 Registry Robustness / High Availability 20 Access Control to Images should have different access ■ Developer – Read/Write ■ QA / QE – Read Only • Different rules should be enforced in different environments ■ Dev/Test Environment – many people can access ■ Production –

• Repository for storing images • Intermediary for shipping and distributing images • Ideal for access control and other image management Registry - Key Component to Manage Images Agenda 1 Container • Apache 2 license. • https://github.com/vmware/harbor/ 8 Key Features • User management & access control – RBAC: admin, developer, guest – AD/LDAP integration • Policy based image replication Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry Access Control to Images • Organizations often keep images within their own organizations – Intellectual

local, private Docker registry. Harbor is an extension of the basic Docker registry that implements access controls, identity management, and a graphical interface. Using imagePullSecrets, Kubernetes resources Using Harbor Registry in Tenant Clusters Follow these steps to create a new tenant cluster with access to the Harbor registry: Step 1 Obtain the Ingress Root CA Certificate from the Kubernetes UI in use the output from Step 1. • For username and password, use the same credentials that you use to access the Harbor registry. • For repo-name, use the name of the helm repository that you have chosen.

Harbor���� 5 Harbor���� 6 x x Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning ���� NS �� ���� �� • ���������NS • ���������

Harbor���� 5 Harbor���� 6 x x Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning ���� NS �� ���� �� • ���������NS • ���������

• Security • Intellectual property stays in organization • Access Control 13 Enterprise Oriented Features • User management & access control • RBAC: admin, developer, guest • AD/LDAP integration

Swagger API doc Replication • Multiple filters support • Schedule, immediate and manual trigger Access Control • RBAC • AD/LDAP integration Audit Log • Operations recorded for audit Distribution Policy

stry服务。它以 服务。它以Docker公司开源的 公司开源的registry为基础，提供了管理 为基础，提供了管理UI， ， 基于角色的访问控制 基于角色的访问控制(Role Based Access Control)， ，AD/LDAP集成、以及审计日志 集成、以及审计日志(Auditlogging) 等企业用户需求的功 等企业用户需求的功 能，同时还原生支持中文。 能，同时还原生支持中文。Harbor的每个组件都是以