Locking Down Kubernetes Security, Compliance with Harbor

The rush to take advantage of the immense resource savings and scaling opportunities that deployments on microservices and Kubernetes offer has not come without challenges. First, cloud native computing and Kubernetes are not for everyone: many organizations, especially smaller ones, lack both the investment capacity and the need to run deployments and operations at the scale Kubernetes is designed for.
Also, some enterprises may discover that making the shift does not come without a set of new security challenges, with the latest Docker vulnerability serving as one example.
One way organizations can begin protecting images before they are deployed to production on platforms such as Kubernetes is to add Harbor to their list of DevOps tools, Michael Michael, director of product management at VMware, said during this demonstration for The New Stack.
A security tool that serves as a security registry before code is deployed is also seen as a plus for Kubernetes developers who might err on the side of “failing fast and often” as part of their work style. “In this cloud native world, developers have more power, right? They get more capabilities whether that’s through Kubernetes or other orchestrators, where they get to push things into production in a little more free-flowing way,” Michael said. “So that’s where these needs for security and compliance come in and why Harbor is important there.”
Harbor, an enterprise-class registry built as an open source project and donated to the Cloud Native Computing Foundation, where it is currently in incubating status, is “one piece of a very important puzzle around protecting your cloud native assets,” Michael said. “So, as more and more enterprises and users are moving to cloud native and technologies like Docker and Kubernetes, they’ve seen that they’re building all these cloud native applications and pushing them into some form of repository,” Michael said. “But there’s not a lot of process and policy around that to ensure that enterprises get the security and compliance that they need for production-type workloads.”
Michael described and showed during his demo how Harbor, as an open source cloud native registry, “stores, signs and scans container images for vulnerabilities.” “Our mission, both as a community and that’s VMware being the biggest contributor to Harbor, is to provide users with the ability to complement the manage and sort container image,” Michael said. “If you create a certain set of artifacts from an enterprise that comprise your applications or your microservices, I want to give you the ability to say, ‘I am compliant, I trust that whatever it is deployed is the right thing or the same image that I pushed.’”
The features Michael showed during the demo included how to enable content trust and static vulnerability analysis, and how to develop a policy that guides users on how containers must be managed depending on the environment in which they will be used. Policy metrics include “who is allowed to download containers or do these containers have any CVEs in them that make them vulnerable,” Michael said. Michael also showed how Harbor is used for content signing and validation.
Michael also showed how Harbor’s trusted content service, which integrates with Notary, handles the signing and certificate management around images, and how vulnerability scanning with Red Hat’s Clair inspects the different layers of Docker images “to make sure no CVEs are present and give you a good catalog of everything that they found,” Michael said.
“So, on the underpinning of everything, we’ll have local or remote storage. So, you can use local storage on your nodes where Harbor is running or you can use S3 compatible storage or any other block file object storage that you want in order for you to have a pretty good reliable and resilient repository to host your images,” Michael said.
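The policy described above, with content trust gating unsigned images and the vulnerability scan gating images that carry CVEs at or above a chosen severity, is sketched here as an added example; it is not code from the demo or from the Harbor project. The project metadata keys (`public`, `enable_content_trust`, `prevent_vul`, `severity`, `auto_scan`), the severity ladder and the sample findings are assumptions constructed for illustration, and `pull_allowed` is a local stand-in for the check Harbor performs at pull time, not Harbor's own code.

```python
from typing import Dict, List

# Severity ladder, lowest to highest (assumed to match the scanner's levels).
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


def project_policy(name: str, severity_threshold: str = "high") -> dict:
    """Build the project settings that enforce the demo's policy.

    Key names are assumed to follow Harbor's project metadata; values are
    strings because that is how the registry API represents them.
    """
    if severity_threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {severity_threshold!r}")
    return {
        "project_name": name,
        "metadata": {
            "public": "false",               # no anonymous pulls
            "enable_content_trust": "true",  # only Notary-signed images may be pulled
            "auto_scan": "true",             # scan every pushed image (Clair in the demo)
            "prevent_vul": "true",           # block pulls of vulnerable images ...
            "severity": severity_threshold,  # ... at or above this severity
        },
    }


def pull_allowed(image_signed: bool, findings: List[Dict], policy: dict) -> bool:
    """Local stand-in for the pull-time gate implied by the policy above."""
    meta = policy["metadata"]
    # Content trust: an unsigned image never leaves the registry.
    if meta["enable_content_trust"] == "true" and not image_signed:
        return False
    # Vulnerability gate: any finding at or above the threshold blocks the pull.
    if meta["prevent_vul"] == "true":
        threshold = SEVERITY_ORDER.index(meta["severity"])
        for finding in findings:
            if SEVERITY_ORDER.index(finding["severity"].lower()) >= threshold:
                return False
    return True


# Constructed sample scan output with placeholder identifiers, not real CVE data.
SAMPLE_FINDINGS = [
    {"id": "CVE-XXXX-0001 (placeholder)", "package": "libexample", "severity": "medium"},
    {"id": "CVE-XXXX-0002 (placeholder)", "package": "demo-ssl", "severity": "high"},
]

if __name__ == "__main__":
    policy = project_policy("production", "high")
    print("signed, clean image pull allowed:", pull_allowed(True, [], policy))
    print("signed image with a high CVE pull allowed:", pull_allowed(True, SAMPLE_FINDINGS, policy))
```

Raising the threshold to `critical` lets the same sample image through, which is the trade-off an operator makes when choosing the severity setting.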
The Cloud Native Computing Foundation, Red Hat, and VMware are sponsors of The New Stack.