Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential � ©2018 Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • Chart�� ������������� Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components

Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential � ©2018 Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • Chart�� ������������� Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components

and update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress's trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

file a update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

file a update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

Logging 5 waitress Documentation, Release 1.4.3 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi add to Apache: RequestHeader set X-Forwarded-Proto https Configure waitress’s trusted_proxy_headers as appropriate: trusted_proxy_headers = "x-forwarded-for x-forwarded-host x-forwarded-proto x- ˓→forwarded-port"

Logging 5 waitress Documentation, Release 1.3.1 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi add to Apache: RequestHeader set X-Forwarded-Proto https Configure waitress’s trusted_proxy_headers as appropriate: trusted_proxy_headers = "x-forwarded-for x-forwarded-host x-forwarded-proto x- ˓→forwarded-port"

mathematics, computations and their rich media output. Notebook documents: a representation of all content visible in the web application, including inputs and outputs of the computations, explanatory text untrusted code from executing on users’ behalf when notebooks open, we store a signature of each trusted notebook. The notebook server verifies this signature when a notebook is opened. If no matching signature by re-executing the cells. Any notebook that you have fully executed yourself will be considered trusted, and its HTML and Javascript output will be displayed on load. If you need to see HTML or Javascript

mathematics, computations and their rich media output. Notebook documents: a representation of all content visible in the web application, including inputs and outputs of the computations, explanatory text untrusted code from executing on users’ behalf when notebooks open, we store a signature of each trusted notebook. The notebook server verifies this signature when a notebook is opened. If no matching signature by re-executing the cells. Any notebook that you have fully executed yourself will be considered trusted, and its HTML and Javascript output will be displayed on load. If you need to see HTML or Javascript

mathematics, computations and their rich media output. Notebook documents: a representation of all content visible in the web application, including inputs and outputs of the computations, explanatory text untrusted code from executing on users’ behalf when notebooks open, we store a signature of each trusted notebook. The notebook server verifies this signature when a notebook is opened. If no matching signature by re-executing the cells. Any notebook that you have fully executed yourself will be considered trusted, and its HTML and Javascript output will be displayed on load. If you need to see HTML or Javascript