Tracking and managing containers can pose obvious challenges for organizations today. But as containers and Kubernetes enter the fray, the task gets that much harder, given containers’ porous nature, among other things.
The up-and-coming open source Harbor container image management registry is one purported approach for storing container images and scanning them for vulnerabilities.
How and why Harbor can help address security concerns for cloud native deployments, as well as how it came to be developed, were among the topics of discussion during a podcast Alex Williams, founder and editor-in-chief of The New Stack, recently hosted at KubeCon + CloudNativeCon 2018 in Shanghai. He was joined by Henry Zhang, chief architect, cloud native apps, for open source Harbor, and Paul Dul, vice president of product management, cloud native applications, VMware.
“The key thing is the security,” Zhang said, adding that Harbor offers features such as access control and replication, as well as vulnerability scanning.
Harbor was also designed so the registry is behind the firewall. “Suppose you’re going out to a Docker Hub or a publicly hosted registry — you’re then able to have a curated registry with curated images that sit behind the firewall,” Dul said. “So, you have a lot more control over it.”
As mentioned above, Harbor is both open source and geared for cloud native deployments. “Since Harbor is open source, which is a great advantage, it’s got a great [reception] in the open source community,” Dul said. “And it’s really focused on Kubernetes where some of the other registries may have a broader focus.”
The genesis of Harbor can be traced back to about four years ago when Zhang noticed how tools for managing container images were lacking. “When I attended meetups or conferences at that time, I often saw people were using their own way to manage container images, with all kinds of hacking and workarounds,” Zhang said. “So, at that time, we thought we might be able to do something to create a common tool for people to use.”
Zhang and his team then created a prototype solution for managing container images at VMware’s R&D center in China. After gathering feedback to gradually improve the software, the project was open sourced.
Dul described how VMware wanted to help customers be able to have more control over their container images. One of the key points of interest was how Harbor, from the outset as an open source alternative, served as a private, as opposed to a public, registry. The second main attribute was its vulnerability-scanning capability. While many vulnerability scanners exist that are open source, “it’s the integration of these together” that really counts, Dul said.
The Harbor team has more recently added Helm charts for those who run Helm on top of Kubernetes, to improve “leveraging the capabilities of Kubernetes to manage Harbor,” Zhang said. “So, it’s a revolving way depending on their need,” Zhang said.
Previously, developers had to use Helm to deploy their application, while the Helm chart consisted of “a bunch of files on a disk,” Zhang said. By integrating the Helm charts with the container image in order to form a consistent management system within Harbor, users can check their Helm chart and their container image together, before deploying to the Kubernetes cluster, Zhang said.
Indeed, Helm was gaining in popularity “and we found from our users that they would really like to see support for Helm charts,” Dul said. “And then, additionally, we’re working on other capabilities around scalability and high availability.”
Harbor’s development team’s goal is to continue improving the registry for a better user experience, Zhang said. “I suppose that we also want to make it more reliable and more useful for the Kubernetes users,” Zhang said.
In this Edition:
1:40: What is Harbor, and why is it important now?
7:04: Exploring Helm’s capabilities with template management
11:30: Tell me about the monitoring that happens underneath, and what are the tools you’re using for monitoring?
16:32: Dul’s philosophy on how the CI/CD pipeline works
20:47: What are the gaps in the Harbor technology now that you’re looking to fill within the community?
26:25: How does this fit into the larger story that we’re hearing from VMware?
Raygun sponsored this podcast, which was produced independently by The New Stack. KubeCon+CloudNativeCon and VMware are sponsors of The New Stack.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.