24-06-2020

Using Harbor with Otomi Container Platform

The Harbor container registry is now fully integrated into the Otomi Container Platform. This enables you to scan all images for possible vulnerabilities. With build-in policies you can enforce that only images from the local Harbor registry can be deployed.

What is Harbor?

Harbor is an open-source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. As a CNCF Graduated project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud-native compute platforms like Kubernetes and Docker. (source: https://goharbor.io/)

How Harbor can be used in Otomi Container Platform

When installing the Otomi Container Platform, you can now choose to use Harbor. Harbor is fully integrated into the Otomi Container Platform. This means you can directly use Harbor (offered as an app in the Otomi Console). During the setup of the Otomi Container Platform you can configure Harbor to use an external object storage. Based on the Cloud you’re running on (like S3 on AWS) to store images externally. Harbor can be used as the default registry for all images (optionally enforced with an OPA policy). If you are already using a registry (like Azure ACR), you can configure a replication. A replication will pull an image out of an external container registry, scan it for vulnerabilities, and then make the image available through a Harbor repository. How does this work? First: Go to Otomi Apps and choose Harbor.

harbor

As an administrator, you can now create a Harbor project for each team. We are currently working on a new feature to automatically create a project for each team on the cluster if Harbor is active. For now, we will use the default library project.

Setup a replication

First, add the external registry endpoint in Harbor. Go to administration and choose to add a NEW ENDPOINT. Choose the provider and provide a name, the URL of the endpoint, and optionally access credentials. You can now test the connection with the endpoint.

Now you can configure a replication rule. Go to replications and choose to add a “NEW REPLICATION RULE”. Provide a name for the rule, choose the source registry (the one we just created), optionally provide a name and tag (otherwise all images will be replicated), and select the destination namespace (the Harbor project). For now, we will replicate manually. When the replication rule is created, you can now replicate the image.

Now let’s look at the results. Go to your project and choose Repositories. Here you will see the replicated artifact. Select the artifact and scroll down to the Vulnerabilities. Wow, what a list.

Wrapping up

Otomi Container Platform now offers Harbor out-of-the-box. No need to deploy and configure it yourself. Using Harbor offers the ability to scan all images for possible vulnerabilities before they are deployed. But beware, this makes it visible that almost every container image has some vulnerabilities. 

Using the Otomi Container Platform saves you a lot of time compared to building and customizing a secure platform yourself, which doesn’t offer specific value to your organization. If you would like to run containers in a really secure way, start with creating secure base images for your developers.

Want to know more? Contact us for a live demo.

Let's get in touch!

Contact us