Harbor Instances Can Be Replicated in Other Registries
The release of Harbor 1.8 introduced a number of new features, including the ability to replicate Harbor content with other registries.
Previously, Harbor, designed for container images and Helm charts, could only replicate to other Harbor instances. Harbor instances can now replicate to and from Docker Hub, Docker Registry, and the Huawei Cloud registry, with both push- and pull-mode replication.
While a timescale was not disclosed, the project members have plans for Harbor to support ECR (AWS), GCR (Google Cloud) and ACR (Azure).
“Before, it was just Harbor to Harbor, but now, it is Harbor to others,” Haining Henry Zhang, founder of Project Harbor and chief architect, VMware China R&D, told The New Stack during KubeCon + CloudNativeCon Europe in Barcelona. “Many people in the community were asking about this feature, so we implemented it.”
The idea behind the Cloud Native Computing Foundation-backed image registry project was to create an open source cloud-native registry for storing and scanning container images for vulnerabilities. The capability thus also helps to remove associated management tasks for container images and Helm charts.
Zhang noted that access-management control remains one of the more popular Harbor features. This role-based access control (RBAC) applies to identity providers, AD/LDAP, OIDC and robot accounts, for processes such as CI/CD.
Harbor 1.8 also offers, of course, other features that have “made it more efficient,” said Michael Michael, Harbor core maintainer and director of product management, VMware. Michael described how Harbor also provides an upgrade and migration tool as a Docker container in order to upgrade Harbor 1.7 installations to 1.8 with rollback support “in case of any issues.”
“Harbor 1.8 is one of our more significant and feature-rich releases,” Michael said. “This is a direct result of significant contributions from community members.”
Other key features Michael described include:
- Support for OpenID Connect for integrating the IA&M of Harbor with external identity providers and enabling users to utilize SSO and federated identity;
- Robot Accounts for integrating Harbor with automated tools like CI/CD;
- Support for defining cron-based scheduled tasks in the Harbor UI;
- An introduction of the Health check API, which includes detailed status and health of all Harbor components.
Harbor is also seen as a practical way to scan container images for vulnerabilities ahead of their cloud native deployments during the development cycle. In a blog post, Michael described how Harbor is often integrated with CI/CD tools that “are unable to perform SSO with federated enterprise identity providers.”
With version 1.8, Michael wrote how administrators can create robot accounts, “a type of special account that allows Harbor to be integrated and used by automated systems, such as CI/CD tools.” “You can configure robot accounts to provide administrators with a token that can be granted appropriate permissions for pulling or pushing images,” Michael said. “Harbor users can continue operating Harbor using their enterprise SSO credentials, and use robot accounts for CI/CD systems that perform Docker client commands.”
Besides the registry sitting behind a firewall, Harbor’s OpenID Connect (OIDC) support, for example, provides an additional authentication layer on top of OAuth 2.0. This capability, Michael wrote in a blog post, enables Harbor to check the identity of users based on the authentication performed by an external authorization server or identity provider.
“Administrators can now enable an OIDC provider as the authentication mode for Harbor users, who can then use their single sign-on credentials to log in to the Harbor portal,” Michael wrote. “In most situations, tools like the Docker client are incapable of logging in by using SSO and federated identity when the user has to be redirected to an external identity provider. To remedy this issue, Harbor now includes CLI secrets, which can provide end users with a token that can be used to access Harbor via the Docker or Helm clients.”
The Cloud Native Computing Foundation, KubeCon + CloudNativeCon, and VMware are sponsors of The New Stack.