24-06-2020

Using Harbor with Otomi Container Platform

The Harbor container registry is now fully integrated into Otomi Container Platform. This enables you to scan all images for possible vulnerabilities. With built-in policies you can enforce that only images from the local Harbor registry can be deployed.

What is Harbor?

Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. As a CNCF Graduated project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker. (source: https://goharbor.io/)

How Harbor can be used in Otomi Container Platform

When installing Otomi Container Platform, you can now choose to use Harbor. Harbor is fully integrated into Otomi Container Platform. This means you can directly use Harbor (offered as an app in the Otomi Console). During setup of Otomi Container Platform you can configure Harbor to use external object storage that matches the cloud you’re running on (like S3 on AWS) to store images externally. Harbor can be used as the default registry for all images (optionally enforced with an OPA policy).

If you are already using a registry (like Azure ACR), you can configure a replication. A replication will pull an image out of an external container registry, scan it for vulnerabilities and then make the image available through a Harbor repository.

How does this work? First: go to Otomi Apps and choose Harbor.

As an administrator, you can now create a Harbor project for each team. We are currently working on a new feature to automatically create a project for each team on the cluster if Harbor is active. For now we will use the default library project.

First add the external registry endpoint in Harbor. Go to administration and choose to add a NEW ENDPOINT. Choose the provider and provide a name, the URL of the endpoint and optionally access credentials. You can now test the connection with the endpoint.

Now you can configure a replication rule. Go to replications and choose to add a NEW REPLICATION RULE. Provide a name for the rule, choose the source registry (the one we just created), optionally provide a name and tag (otherwise all images will be replicated) and select the destination namespace (the Harbor project). For now we will replicate manually. When the replication rule is created, you can now replicate the image.

Now let’s look at the results. Go to your project and choose Repositories. Here you will see the replicated artefact. Select the artefact and scroll down to the Vulnerabilities. Wow, what a list.
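A long list like this is easier to act on once it is split by severity and by whether a fixed package version exists. The following is an added example, not code from Otomi or Harbor: it assumes the scan report has been exported as JSON in the layout Harbor's API uses for an artifact's vulnerabilities (one report per scanner MIME type, each with a `vulnerabilities` list), and the sample report, package versions and `CVE-0000-…` IDs are constructed placeholders.

```python
import json
from collections import Counter

# Severity labels as they appear in the report (assumed), most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed sample in the assumed report layout; all IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0": {
        "severity": "Critical",
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "package": "openssl", "version": "1.1.1d", "fix_version": "1.1.1g", "severity": "Critical"},
            {"id": "CVE-0000-0002", "package": "glibc", "version": "2.28", "fix_version": "", "severity": "High"},
            {"id": "CVE-0000-0003", "package": "curl", "version": "7.64.0", "fix_version": "7.70.0", "severity": "High"},
            {"id": "CVE-0000-0004", "package": "bash", "version": "5.0", "fix_version": "", "severity": "Low"},
            {"id": "CVE-0000-0005", "package": "zlib", "version": "1.2.11", "fix_version": "1.2.12", "severity": "Medium"},
        ],
    }
})

def load_findings(report_json):
    """Flatten the report: findings are grouped under one key per scanner MIME type."""
    findings = []
    for report in json.loads(report_json).values():
        findings.extend(report.get("vulnerabilities") or [])
    return findings

def rank(finding):
    """Position in SEVERITY_ORDER; unrecognised labels are treated as Unknown."""
    sev = finding.get("severity", "Unknown")
    return SEVERITY_ORDER.index(sev if sev in SEVERITY_ORDER else "Unknown")

def triage(findings, block_at="High"):
    """Bucket findings: at/above threshold with a fix, at/above without one, the rest."""
    threshold = SEVERITY_ORDER.index(block_at)
    buckets = {"fix_now": [], "no_fix_yet": [], "backlog": []}
    for f in sorted(findings, key=rank):
        if rank(f) > threshold:
            buckets["backlog"].append(f)
        elif f.get("fix_version"):
            buckets["fix_now"].append(f)   # rebuild on a patched base image
        else:
            buckets["no_fix_yet"].append(f)  # track, or accept the risk explicitly
    return buckets

def summary(findings):
    """Count findings per severity, most severe first."""
    counts = Counter(SEVERITY_ORDER[rank(f)] for f in findings)
    return {s: counts[s] for s in SEVERITY_ORDER if counts[s]}

if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print(summary(findings))
    for name, items in triage(findings).items():
        print(name, [(f["id"], f["package"], f["fix_version"] or "-") for f in items])
```

The `fix_now` bucket is the part a rebuilt base image removes; `no_fix_yet` is what remains to be tracked after that.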

Wrapping up

Otomi Container Platform now offers Harbor out-of-the-box. No need to deploy and configure it yourself. Using Harbor offers the ability to scan all images for possible vulnerabilities before they are deployed. But beware: this makes it visible that almost every container image has some vulnerabilities.

Using Otomi Container Platform saves you a lot of time compared to building and customizing a secure platform yourself, which doesn’t offer specific value to your organization. If you would like to run containers in a really secure way, start with creating secure base images for your developers.

Want to know more? Contact us for a live demo.
