harbor

As container technology has come into wide use across the industry, managing containerized applications has brought new challenges for platform engineers. One of them is how to manage container images securely and effectively. Project Harbor is a trusted open source cloud native registry project that stores, signs and scans content to address common image management challenges. In this talk we focus on managing container images with Harbor. We identify the challenges organizations face and present solutions, including RBAC (role-based access control), vulnerability scanning, large-scale image distribution, image replication and image provenance (notarization). The session discusses real-world use cases.

1. Project Harbor Introduction: Open source trusted cloud native registry
Henry Zhang, Chief Architect, VMware R&D China
Steven Zou, Staff Engineer, VMware R&D China
Nov. 2018

2. Image Management through Pipeline
• One Registry per stage: DEV, TEST, STAGING, PROD
• Pipeline: Commit → UT → Build image → FVT → SVT → Verify Environment, with an image promoted at each stage
• Concerns: multiple roles, multiple teams, multiple platforms; security, availability, distributions
Confidential ©2018 VMware, Inc.

3. goharbor.io
• VMware, Apache 2.0
• GitHub Repo: https://github.com/goharbor/harbor/
• Used by: VIC, PKS

4. Harbor Project history

5. Harbor

6. Harbor

7. Agenda
• OVERVIEW
• SECURITY: Isolation, Access Control, Vulnerability, Content Trust
• DISTRIBUTION: Replication, Control Policy
• RELIABILITY: HA Supporting, Deployments
• DEPLOYMENT: Helm Chart, Helm Chart Repo

8. OVERVIEW: Main Features, Architecture

9. GUI (Clarity), RESTful API (Swagger API), AD/LDAP, RBAC

10. HA, Helm Chart

11. Harbor architecture
• Consumers: Users (GUI/API), 3rd party components, Container Schedulers/Runtimes (Docker, Kubernetes, Cloud Foundry)
• Harbor components: API Routing, Core Service (API/Auth/GUI), Trusted Content, Admin Service, Vulnerability Scanning, Job Service, Image Registry
• Persistence components: Key/Value Storage, SQL Database, Local or Remote Storage (block, file, object)
• Supporting services: LDAP/Active Directory, Harbor Packaging

12. SECURITY: Isolation, Access control, Content Trust, Vulnerability Scanning

13. • NS • • NS •

14. Members and Images
• Guest: docker pull ...
• Developer: docker pull/push ...
• Admin: Settings, LDAP/AD, operation & management

15.• • • • LDAP/AD

16. Content Trust (Notary)
1. docker push $tag
2. Sign the manifest's digest (Notary)
3. Verify signature status, fetch the digest
4. docker pull by digest from the Registry
• Verify signature status.
• Policy Controller
• Digest

17.• • Digest
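The two content-trust slides above describe a pull that is gated on a signature over the tag-to-digest mapping and then pinned to that digest. The following Go program is an added illustration of that flow and is not code from the slides or from Harbor or Notary: it signs a constructed tag-to-digest table with Ed25519 (a simplification of Notary's TUF metadata, which has several roles and keys), verifies it on the client side, and refuses a manifest whose bytes do not hash to the signed digest. The key seed, manifest bytes and function names (SignTargets, ResolveTrusted, PullByDigest, TrustedPull) are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Targets maps an image tag to the sha256 digest of its manifest.
type Targets map[string]string

// SignedTargets is the constructed, Notary-like metadata a client fetches:
// the JSON encoding of Targets plus an Ed25519 signature over those bytes.
type SignedTargets struct {
	Payload   []byte
	Signature []byte
}

// Digest returns the "sha256:<hex>" content address of a blob (here the
// manifest), the same way the registry and the Docker client compute it.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignTargets is step 2 of the flow: the signing side records tag -> digest
// and signs it. encoding/json sorts map keys, so signer and verifier agree
// on the exact bytes that were signed.
func SignTargets(priv ed25519.PrivateKey, t Targets) (SignedTargets, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return SignedTargets{}, err
	}
	return SignedTargets{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// ResolveTrusted is step 3: verify the signature with the trusted public key,
// then look up the digest recorded for the tag. Tampered metadata or an
// unsigned tag yields an error, never a digest.
func ResolveTrusted(pub ed25519.PublicKey, st SignedTargets, tag string) (string, error) {
	if !ed25519.Verify(pub, st.Payload, st.Signature) {
		return "", errors.New("signature verification failed")
	}
	var t Targets
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return "", err
	}
	d, ok := t[tag]
	if !ok {
		return "", fmt.Errorf("tag %q is not signed", tag)
	}
	return d, nil
}

// PullByDigest is step 4: fetch the manifest by digest and refuse it if the
// bytes the registry served do not hash to the digest that was requested.
func PullByDigest(registry map[string][]byte, digest string) ([]byte, error) {
	blob, ok := registry[digest]
	if !ok {
		return nil, fmt.Errorf("manifest %s not found", digest)
	}
	if got := Digest(blob); got != digest {
		return nil, fmt.Errorf("served content has digest %s, expected %s", got, digest)
	}
	return blob, nil
}

// TrustedPull chains steps 3 and 4 for a tag: no digest without a valid
// signature, no content without a matching digest.
func TrustedPull(pub ed25519.PublicKey, st SignedTargets, registry map[string][]byte, tag string) ([]byte, error) {
	d, err := ResolveTrusted(pub, st, tag)
	if err != nil {
		return nil, err
	}
	return PullByDigest(registry, d)
}

// demoSeed is a constructed, fixed key seed for a reproducible example; real
// signing keys are generated randomly and kept offline.
var demoSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

func main() {
	priv := ed25519.NewKeyFromSeed(demoSeed)
	pub := priv.Public().(ed25519.PublicKey)
	manifest := []byte(`{"schemaVersion":2,"layers":["constructed"]}`) // constructed manifest
	registry := map[string][]byte{Digest(manifest): manifest}          // constructed registry

	signed, _ := SignTargets(priv, Targets{"v1.0": Digest(manifest)})
	got, err := TrustedPull(pub, signed, registry, "v1.0")
	fmt.Println("trusted pull ok:", err == nil && bytes.Equal(got, manifest))

	// Metadata edited after signing: the signature no longer verifies.
	tampered := signed
	tampered.Payload = bytes.Replace(signed.Payload, []byte("v1.0"), []byte("v1.1"), 1)
	_, err = TrustedPull(pub, tampered, registry, "v1.1")
	fmt.Println("tampered metadata rejected:", err)
}
```

Run it with `go run`; the first line prints `true` and the second prints the signature error. The digest check in PullByDigest matters even with a valid signature: it is what makes the signed metadata bind to the content actually served rather than to the tag name alone.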

18. Vulnerability Scanning (Harbor and Clair)
• Components: Job Service, Clair, Registry V2, DB, REST API / Console API
• Steps shown: Retrieve vulnerability metadata, Dispatch Jobs, Pull Layers, Scan CVE, Get Info, Save Data
• Vulnerability metadata sources: Debian Security Bug Tracker, Ubuntu CVE Tracker, Red Hat Security Data, Oracle Linux Security Data, Alpine SecDB

19. Vulnerability metadata sources
• Debian Security Bug Tracker
• Ubuntu CVE Tracker
• Red Hat Security Data
• Oracle Linux Security Data
• Alpine SecDB

20. DISTRIBUTION: Replication, Policy

21.• • • •

22. Image Replication
• Source Repo (source project) → Target Repo (target project)
• Trigger
• Initial Replication, Incremental
• Policies

23. Master – Slave distribution
• Docker Client pushes to the master Registry
• Slave registries pull from the master

24.• • •

25. Repo, Tag

26. • / • < • • >=

27.• / • • •

28. RELIABILITY: HA

29. Deploy Harbor HA via Harbor Helm chart
• API Routing, Core Service (API/Auth/GUI), Trusted Content, Admin Service, Vulnerability Scanning, Job Service, Image Registry
• Key/Value Storage, SQL Database
• Chart.yml