Using Harbor with Red Kubes Otomi Container Platform
The Harbor container registry is fully integrated into Otomi Container Platform. This enables scanning of images for possible vulnerabilities. With built-in policies you can enforce that only images from the local Harbor registry can be deployed.
About Harbor
Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. As a CNCF Graduated project, Harbor delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker. (source: https://goharbor.io/)
How Harbor can be used in Otomi Container Platform
When installing Otomi Container Platform, you can choose to use Harbor. Harbor is fully integrated into Otomi Container Platform, which means you can use it directly (offered as an Otomi App in the Otomi Console). During setup of Otomi Container Platform you can configure Harbor to use external object storage provided by the cloud you are running on (like S3 on AWS) to store images externally. Harbor can be used as the default registry for all images (optionally enforced with an OPA policy). If you are already using a registry (like Azure ACR), you can configure a replication. A replication pulls an image from an external container registry, scans it for vulnerabilities and then makes the image available through a Harbor repository. How does this work?
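Before walking through the replication steps, here is what the OPA enforcement mentioned above can look like. This is an added example, not Otomi's own policy: a kube-mgmt style admission rule that denies Pods whose containers or init containers reference an image outside the Harbor host, together with two constructed test inputs. The hostname harbor.example.com is an assumption; replace it with your cluster's Harbor URL.

```rego
package kubernetes.admission

import future.keywords.in

# Assumption: the hostname of the in-cluster Harbor registry.
trusted_registry := "harbor.example.com"

# Collect the images of all regular containers of the admitted Pod.
pod_images[image] {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    image := container.image
}

# Init containers are admitted through the same path and must be checked too.
pod_images[image] {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.initContainers
    image := container.image
}

# Deny any image whose reference does not start with "<harbor host>/".
# A bare reference such as "nginx:1.25" has no registry part and implicitly
# points to Docker Hub, so it is rejected as well.
deny[msg] {
    some image in pod_images
    not startswith(image, sprintf("%s/", [trusted_registry]))
    msg := sprintf("image %q must be pulled from %s", [image, trusted_registry])
}

# Constructed AdmissionReview used by the tests below (run with `opa test`).
mock_pod(image) = review {
    review := {"request": {
        "kind": {"kind": "Pod"},
        "object": {"spec": {"containers": [{"name": "app", "image": image}]}},
    }}
}

test_harbor_image_allowed {
    count(deny) == 0 with input as mock_pod("harbor.example.com/library/nginx:1.25")
}

test_dockerhub_image_denied {
    count(deny) == 1 with input as mock_pod("nginx:1.25")
}
```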
First: Go to Otomi Apps and choose Harbor.

When you create a team in Otomi Container Platform, a project for the team is automatically created on the cluster. Team members can log in using SSO provided by Keycloak.
For the example we will use the default library project.

First add the external registry endpoint in Harbor. Go to Administration and choose to add a NEW ENDPOINT. Choose the provider and provide a name, the URL of the endpoint and optionally access credentials. You can now test the connection to the endpoint.

Now you can configure a replication rule. Go to Replications and choose to add a NEW REPLICATION RULE. Provide a name for the rule, choose the source registry (the endpoint we just created), optionally provide an image name and tag (otherwise all images will be replicated) and select the destination namespace (the Harbor project). For now we will trigger the replication manually. Once the replication rule is created, you can replicate the image.
Now let's look at the results. Go to your project and choose Repositories. Here you will see the replicated artefact. Select the artefact and scroll down to Vulnerabilities.

Wrapping up
Otomi Container Platform offers Harbor out of the box, so there is no need to deploy and configure it yourself. This makes it possible to scan all images for possible vulnerabilities before they are deployed. But beware: it also makes visible that almost every container image has some vulnerabilities.
Using Otomi Container Platform saves you a lot of time compared to building and customizing a secure container platform yourself, which doesn’t offer specific value to an organization. If you would like to run containers in a really secure way, start with creating secure base images for your developers.
Want to know more? Visit the Red Kubes website here