A
Hello everyone, my name is Chung Zhang. I'm the engineer from VMware and now I'm working for the project Harbor. As you know, security is gradually receiving more and more attention and it's a very important aspect for enterprise users. So today our session will discuss how to use Harbor and Narrows to reshape security in cloud native. There are two parts for this session. The first part, I will introduce the project Harbor, and the next part, my colleague Simon will show the project Narrows.
A
Harbor is an open source trusted cloud native registry project that stores, signs and scans content. Harbor extends the open source Docker Distribution by adding the functionalities usually required by users such as security, identity and management. Our registry closer to the build and run environment can improve the image transport efficiency. Harbor also supports replication of images between registries and also offers advanced security features such as user management, access control and audit log. The mission of Harbor is to help users consistently and securely manage artifacts for Kubernetes.
A
Let's go through the core capabilities that Harbor can provide. The multi-tenancy is important for the enterprise users. Harbor provides the RBAC: the user can be assigned as different roles with different resource permissions, and different teams also can manage their resources on their own by the project isolation. By the policy, user can manage quotas for different projects. When the quota is reached, user can use the retention and garbage collection to clean up some useless artifacts in Harbor to release the storage.
A
If users want to protect some artifacts already released or published, they can apply the immutable rule by matching specified repositories and tag name. The vulnerabilities can be managed by policy as well.
A
User can add false positive CVEs to the system or project allowlist to bypass the deployment security restrictions. For the distribution of artifacts, Harbor also provides rich functions. In addition to Harbor, there are also many well-known registries in cloud native, such as Docker Hub, AWS ECR, Azure ACR and so on. So Harbor provides the ability to copy artifacts.
A
It is convenient to copy the artifacts between the Harbor and these third-party registries. This is a very convenient and useful function for some users who want to copy the artifacts on the Harbor to their registries as a backup or migrate from other registry to the Harbor. In addition, Harbor currently also supports the function of acting as a proxy. The proxy will cache the remote artifacts on the Harbor. When the remote artifact is updated, the cached image of the Harbor will also be updated by the user pull requests in scenario as well.
A
The remote registry network is limited, or there are some rate limits for API. It can help users pull the artifacts they want from the Harbor directly instead of from remote registry. At the same time, with the increase of the scale of the enterprise Kubernetes cluster, the warehouse of a single center is often unable to meet the pull request of a large number of nodes in a short period of time. So some enterprise users will use the P2P to speed up the distribution of artifacts, so Harbor also integrates the P2P preheating function, a brilliant Hardware.
A
Harbor also provides the IAM, artifact sign and scan, CVE exceptions to guarantee the security and the compliance. In terms of externals capability, high response, configuring webhook notifications by project, sending notifications to the consumer when the events occur in Harbor. The pluggable scanner realized the freedom of the scanner, and the scanner from different vendors can be connected to the Harbor Theme tab. In addition, in CI and CD scenario, developed account can interact with Harbor more conveniently and effectively and also ensure the security.
A
This is the architecture of Harbor. From the top to down, the top layer is the client, such as kubelet and Docker client. The outer layer of a Harbor service has a proxy, maybe an index increase, which is responsible for forwarding the traffic to the corresponding components, and then comes to the core.
A
Next, we will dive into replication and scanning, as Narrows will mainly rely on these two functions. The goal of replication is pulling artifacts to local Harbor from remote, or pushing artifacts in local Harbor to remote. From the picture, we can see that results are refined internally and each result has its own manager, Central policy and registry.
A
The integration service handles the scanning for artifacts. Harbor defines a common spec to the public pluggable scanner. The spec is the contract between Harbor and scanner, so the vendor of scanner should also implement the adapter service, which followed the spec, to connect their heart scanners to Harbor. The scan requests will also be converted to the job or job service. The job will send HTTP requests to a dental service and wait for collecting and greetings against summary report.
A
The description is optional. The endpoint URL is required. It can be an IP address or FQDN which can be accepted by Harbor. The access ID and access secret can be used when your remote registry is private and Harbor needs the credential to pull or push images from it. The last configuration is a cert. You can uncheck the checkbox to disable Harbor verifying the remote registry cert. It's used for if your remote registry was deployed by self sign.
A
You need to name your rule, let's try test. The description is optional, and there are two modes, push-based and pull-based. Push-based means push the image from local Harbor to remote registry; pull-based means pull the images from remote registry to local Harbor. There are two replications in opposite directions.
A
Next section is source resource filter.
A
Then choose the registry which was added in the previous step. The destination namespace means you want to put the image under which results; for Harbor it's its project name. If we leave it empty, it will use the name as same with the results. You can also reduce the nest to the repository structure by configuring the pattern. There are three trigger modes in Harbor. By default is manual. Manual means you need to run the replication manually: call the Harbor API or click from Harbor UI.
A
The scheduled means that it can set the replication triggered periodically by providing a cron string. The last is the event-based. It's especially used for when you want to back up the new pushed image to the remote registry; a replication will be triggered if the new image pushed events happened. You can also click the checkbox if you want to replicate the deletion operation. In simple words, Harbor will delete the image from remote registry if the deletion happened on the local Harbor.
A
If you want to limit the network input or output for the replication job. The last option is override: enabling this will override the remote resources if it exists same with the songs. For demo, let's replicate only one Redis image from Docker Hub to local Harbor and leave other options defaults, test pull.
A
Yep, it has been located here and can click the digest for more artifact details. All right. This is a simple demo for replications for Harbor. But after user pushed or replicated images to Harbor, how can we guarantee the security of the image? Now the integration service will come into work. Click the integration service to check scanners in Harbor. By default, Trivy is the built-in and default scanner for Harbor.
A
You can add other scanners by providing some scanner information. After adding it, you can click it to see more metadata like scanner vendor or version or more specific configurations. If you have multiple scanner instances, you can choose one as the default, and it also supports customizing for every project.
A
Yep, right now the image can be pulled successfully. Although it includes two critical vulnerabilities, they were added in the allow list, so this is as expected. Not only for this, Harbor has more advanced security-related functions waiting for your exploring to protect your artifacts. That's all the demo. Thank you.
C
Harbor is the number one trusted cloud native registry for on-premise container images, and they're trusted for good reason. They use third-party static scanning tools whenever an image is created to ensure the images are free from vulnerabilities. And while static scanning is valuable, it doesn't prevent multi-step or supply chain attacks. Some malware contains code that only activates during runtime, and by then it's too late. Today, we're announcing Project Narrows, which adds dynamic scanning to Harbor.
C
It allows you to assess the security posture of Kubernetes clusters at runtime, so vulnerabilities are identified, images are flagged and workloads can be quarantined. Project Narrows runs on the workload cluster and looks at the full end-to-end life cycle of an image in a container. You can easily analyze the data collected, assess the security postures of your workloads, generate reports and enforce predefined policies. Get ready to meet your compliance needs by adding dynamic scanning to your security arsenal today.
B
Okay, as we all know, there are three major challenges in cloud native security areas, including misconfigurations, known or unknown vulnerabilities, and exposure of secrets. Currently organizations typically implement a cloud native security strategy to ensure security and January. The strategy consists of consideration of some principles, including something like shift security left, continuous security controls, CI/CD pipelines integration, and accessibility, accountability and readability.
B
Today, cloud native users leverage Harbor to provide static analysis on vulnerabilities in images using scanners such as Trivy and Clair, and static analysis will scan the images after they've been pushed to a registry. Project Narrows will provide a unique addition along with Harbor, as it will allow users to assess the security
B
And make sure the actual security situations match their security, complex, its petitions and alert and a breakage. In the meanwhile, users can set up a policy to quarantine the workloads sourced from vulnerable images and stop the propagation of the risks and, furthermore, it can also scan the Implement. His cluster misconfigurations following the CIS benchmark.
B
Nor does the configurations are complete. The create auditor can specify the scanning rules in the policy section to create a policy. There are a number of fields to fields, including holes and the skies drawn scanners you would like to enable, the configurations of their OpenSearch instance, so all the reports generated can be aggregated into the central base.
B
They say is a customizable selection of trusted pre-packaged application components that are continuously maintained, verified for use in production environment. With the involvement of VC it opens several OSS inspection use cases for users. Offers us, the user can define the baselines to set up the security expectations. Is important because workloads that varies any of these baselines defined will be flagged.