Getting Started with the VMWare Harbor Registry and Nirmata
Nirmata is excited to officially support Project Harbor as a container registry for your managed Kubernetes cluster! Originating from VMware, Harbor is an open source project that extends the docker registry source code to provide an enterprise-class registry server. By providing additional flexibility and security to docker registries, Harbor enables enterprises to create a repository for Docker images for use within their infrastructure.
But why extend the Docker Registry to begin with?
Containerization technology, with its extreme portability and encapsulation of dependencies, stands to benefit enterprises the most since they have traditionally had to struggle with inconsistent developer environments for decades. Yet, many publicly available docker container registries, such as DockerHub, do not meet the various requirements necessary for an enterprise organization. Among these requirements include being security, scaled independently within their own architecture and identity access management (IAM).
Project Harbor, from VMware, sought to offer an open-source solution of the docker registry that did include these features and many others that would lend enterprises more control over how they managed their registry services.
In this article, we will go over some of the unique capabilities of Project Harbor that set it apart from the default docker registry. We also provided a video tutorial to help you quickly get started with Project Harbor and Nirmata.
VMware Harbor Capabilities and Features
Described below are some of Harbor’s features designed to help enterprises better utilize container registries in their application strategy.
Master-Slave Registry replication
Like any component of a distributed system, a container registry can serve as a single point of failure or bottleneck that could cripple an entire architecture. In order to let enterprises build more robust registries, Harbor has the capability to replicate instances of its registry service via a Master-Slave type architecture. As slave instances are scaled horizontally, Harbor will load balance requests to them.
Policy based image synchronization and consistency of images
Given that Harbor comes with the capacity for scaling a registry service, replication becomes an important issue when dealing with Docker images that are maintained across registry instances. In what is one of its most popular features, Harbor can automatically replicate a new Docker image that is pushed to one instance across other instances based upon a prespecified policy. After this initial replication, Harbor will ensure copies of this image are synchronized. This guarantee extends to deletion of a docker image across instances.
Additionally, when reversioning and promoting Docker images between development stages, ensuring the same Docker image is being used is essential. To make this easier for teams, Harbor ships images in binary format to maintain the consistency of a Docker image as it passes through various stages of of a production pipeline.
Role Based Access Control (RBAC)
Harbor provides Role Based Access Control, a feature that is necessary once we expand our scope to that of enterprises. Enterprises typically provide a limited number of users admin access and impose limitations on testers, developers, and guests. Therefore, Role Based Access Control is necessary to secure systems against unwanted changes and protect data.
Harbor also makes it easy to setup Role Based access control by integrating directly with existing LDAP/Active Directory that an enterprise might use for organizational management.
Web Graphical User Interface
A criticism of the default docker registry is that it contains no default graphical user interface from which the registry, and policies regarding the registry, can be managed. VMware seeks to solve this with including a well-designed GUI that lets admin control the above mention Role Based Access Control easily.
Notary Service for Trustable Content and Vulnerability Scanning
To provide enterprises with the peace of mind that all content being pushed to the registry can be trusted, Harbor utilizes a Notary Service. This works by making a developer sign a docker image with his private key when pushing an image to Harbor. The Docker image is then stored along with a a digest in the Notary Service. This digest is then used to ensure authenticity by the client when an image is pulled from the registry.
Of course, even if all content can be trusted, the potential for software vulnerabilities being pushed to a registry is still present. To combat this, Harbor scans docker images being pushed for vulnerabilities, by referring to an up to date vulnerability database. Once a vulnerability has been detected, Harbor prevents this image from being pulled from the registry.
How do I use VMware Harbor with Nirmata?