►
From YouTube: CNCF SIG Security 2020-04-22
Description
CNCF SIG Security 2020-04-22
A
A
B
B
B
A
All
right
so
I
started
in
presentation
mode
and
I
will
reference
back
to
the
due
diligence
self
assessment
document
as
well
as
necessary.
We
want
to
make
this
interactive
so
for
the
last
three
plus
weeks
myself
and
Daniel
from
the
harbor
team.
Daniel
is
our
architect,
as
well
as
the
security
review
team
of
Andres,
Justin
chase
Vinay,
Robert
Martin
and
a
couple
of
others
also
have
added
comments.
A
I've
been
going
through
the
due
diligence
of
assessment,
the
harbour
has
created
two
kind
of
basically
complete
a
story
who
are
all
the
different
actors
that
are
in
the
system.
What
are
the
different
pieces
are
involved
in
different
assets
are
being
protected.
What
happens
when
there's
a
vulnerability,
and
this
review
and
the
presentation
today
is
kind
of
Center
on
the
main
key
areas
that
you
have
identified
as
part
of
the
reveal
harbor
like
Andres
mentioned.
A
A
I'm,
assuming
recording
this
like
undress
right
under
soar.
This
is
being
recorded,
correct.
It
is
being
recorded
cool.
Thank
you,
then
we're
gonna
go
through
an
overview
of
actors
and
a
tenancy
model.
The
harbor
has
we're
gonna
go
through
an
overview
of
the
protected
assets,
blast,
radius
and
recovery,
and
then
we're
gonna
focus
on
the
assessment
findings
and
recommendations.
Summary
obviously
leave
some
time
for
Q&A
as
well.
A
So,
let's
start
away
with
Harbor.
So
Harbor
is
an
open
source
container
image
registry.
That
means
that
it's
not
a
hosted
service,
an
enterprise
or
a
user
will
download
harbor
and
will
install
on
their
hardware
within
their
own
environment
and
harbor
is
gonna,
enable
them
to
secure
their
images
and
ensure
they're
free
from
vulnerabilities.
I
will
give
euro
based
access
control,
so
you
can
enforce
who
can
access
what
images
and
how
it
will
scan
images
for
such
vulnerabilities,
and
it
will
enable
you
to
sign
your
images
as
trusted
to
establish
provenance.
A
Our
mission
as
a
register
is
to
be
the
most
secure
performance,
scalable
and
available
cloud
native
repository
for
kubernetes,
so
we're
aligning
our
vision
and
the
capabilities
that
we
support
with.
You
know
the
vision
and
the
market
momentum
that
kubernetes
has
so
some
of
the
key
features
of
harbor
at
the
high
level,
security
and
compliance.
What
does
that
mean?
It
means
that
me,
as
an
opera
Harbor,
can
go
and
create
enforcement
rules
and
policy.
A
A
These
are
some
types
of
policing,
there's
more
who
have
severe
exceptions
and
other
policies
that,
as
a
operator
of
harbor,
you
can
go
and
force
to
have
the
peace
of
mind
that
my
developers
can
operate
in
a
self-service
way,
meaning
the
compulsion,
pull
images
but
they're
certain
guardrails
of
what
can
and
cannot
happen
well
high
performance.
We
can
actually
scale
to
thousands
of
containers
and
images
under
management.
A
You
can
scale
to
support
200
plus
kubernetes
clusters
and
we
can
scale
to
terabyte
of
storage
under
management
who
have
customers
there
in
the
50
terabytes
of
storage
in
harbor
or
interoperable
I'm,
going
to
cover
that
in
a
little
bit
when
I,
when
I
show
you
guys
the
architecture
diagram,
so
I'll
skip
it
for
now,
but
the
last
part,
as
part
of
our
lining,
our
vision
with
kubernetes
were
providing
you
with
this
consistent
image.
Management
and
consistency
is
important.
A
A
Let's
take
a
look
at
the
harbour
architecture,
a
little
bit
and
I'm
going
to
start
from
the
edges
first,
so
on
the
left,
and
it's
going
to
be
very
everything
when
we
talk
about
interoperability
on
the
left
to
have
the
authentication
providers.
This
is
where
harbor
enables
you
to
bring
your
own
identity.
So
we
allow
Federation
of
identity
to
come
from
an
external
identity
provider
and
we
support
Active,
Directory
l-dub
as
well
as
OID
C,
and
we
only
support
one
identity
provider
to
be
attached
to
harbor.
A
So
you
can
either
use
the
built-in
authentication
the
harbor
has
or
you
can
use
YDC
or
LDAP
for
customers
are
interested
in
creating
multiple
identity
providers.
They
can
use
decks
as
kind
of
an
intermediary
and
ex-confederate
to
multiple
identity
providers
in
front
of
it.
So
think
of
this
deck
see
becomes
almost
like
a
proxy
identity
provider.
A
On
the
right
side.
We
support
built
in
awkward
3v,
as
well
as
clear
as
the
scanning
providers.
This
is
really
the
engine
that
basically
does
a
static
analysis
on
an
image
it
cracks.
It
open
and
looks
for
vulnerabilities
that
are
tied
to
vulnerability
database.
So
if
it's,
if
a
CV
is
not
in
a
vulnerability
database,
then
the
scanner
cannot
identify
it
and
the
scanner
cannot
detect
it
in
an
image.
But
if
it
is
reported,
then
depending
different
scanners
have
different
databases
of
the
check,
but
eventually
it
will
detect
the
vulnerability
and
produce
a
result.
A
The
harbor
will
then
take
on
and
be
able
to
show
in
our
user
interface
and
API.
So,
for
example,
I
have
an
image.
Let's
say
of
nginx
nginx
version:
2.1
has
a
lot
of
vulnerabilities,
3v
or
claire
will
detect
it.
It
will
report
it
in
harbor
and
then
a
policy
could
apply
that
says
well.
Nginx
has
multiple
high
severity
vulnerabilities.
Don't
allow
anybody
to
push
it.
Then
a
developer
can
come
in
and
push
nginx
version
5
into
harbor,
and
this
one
has
no
vulnerabilities
into
it.
A
It's
clean
after
the
scan
and
our
developer
can
pull
it.
So
if
I
develop
her
in
their
manifest
in
kubernetes,
says,
I
want
to
use
nginx
version
3,
for
example,
they
won't
be
able
to
pull
it
and
that
image
will
not
run
in
kubernetes,
but
as
soon
as
they
update
the
manifest
to
be
nginx
version
5,
it
would
work
just
fine
and
will
be
pull
about
from
harbor.
Now
the
scan
provider
is
a
pluggable
interface.
It
is
popular
out
there
and
who
have
five
scan
providers
today.
A
So
we
have
aqua
3v
as
well
as
CS,
we'll
have
to
form
aqua.
We
have
to
form
encore
both
engine
and
Enterprise
ducek,
which
is
a
security
provider
in
China
also
has
provided
a
scanning
adapter.
We
have
already
developed
the
clear
scanning
provider,
because
that
was
the
original
building
into
harbor
and
then
Cystic
is
in
the
middle
of
finalizing
there
they're
scanning
provided
for
harbors
wall
and
pretty
much
any
issue.
A
All
the
scanning
companies
out
there
to
ask
them
to
create
an
adapter,
so
I
think
twist,
lock
or
or
palazzo
networks,
I
guess
sneaked
and
in
others,
as
well,
now
continuing
on
the
path
replicated
registered
providers
as
part
of
harbor
being
a
good
ecosystem
citizen.
We
understand.
There's
a
lot
of
customers
are
deployed,
harbor
in
a
hub-and-spoke
model
where
they
can
use
harbor
within
their
data
center
to
do
scanning
of
all
the
images
from
Munnar
ability
to
the
signing
being
able
to
enforce
policy.
A
But
then
there
were
close
may
not
run
in
that
data
center,
so
they
might
have
some
were
closed
at
the
edge
or
somewhere
close
and,
let's
say
East
Asia
running
on
one-way
infrastructure
or
in
Western
Europe
running
on
Google.
So
it's
very
important
that
we
enable
our
customers
to
replicate
either
to
or
from
harbor
with
a
set
of
pluggable
registry
providers.
So
you
can
push
content
in
and
out
of
those
providers.
So
hardware
ultimately
becomes
your
policy
enforcement
engine
and
this
what
we
scan
images.
A
But
you
can
push
and
pull
images
to
other
providers
and
on
the
right
you
can
see
some
of
the
most
popular
ones,
one
sweep
with
support,
but
there's
more
and
more
support
coming
in
as
you
go
as
well
as
the
communities
asking
for
additional
providers,
for
example,
or
adding
equated
I
all
right
now
and
we're
adding
a
couple
of
others
like
active
factory,
one
as
well
looking
at
some
of
the
major
components
of
harbor
who
have
a
notary
component,
that's
responsible
for
signing
images
and
forms
in
that
provenance.
I'll
have
the
docker
registry.
A
This
is
what
basically
implements
our
docker
distribution
for
basically
pulling
and
pushing
images
who
have
the
chart
New
Zealand
ability
for
pushing
pulling
Hampshire's,
and
then
we
have
different
controllers
and
services
that
basically
are
the
core
of
harbor
right.
So,
for
example,
quota
management,
the
tag
retention,
the
replication
components,
the
logging,
the
job
service,
all
of
those
are
different
services
that
really
are
the
core
of
harbors
operations
and
the
backend,
who
have
free
storage
and
data
access
layers
who
have
read
each
database
tab
is
our
key
value
store.
A
This
is
where
we
whole
session
accounts
and
all
of
the
data
that
has
needs
frequent
access
with
a
very
small
penalty
for
being
able
to
access
them,
our
local,
remote
storage.
This
is
where
we
store
the
actual
artifacts.
If
you
push
a
container
image,
they
will
end
up
going
into
storage,
and
then
our
sequel
databases
build
on
top
of
Postgres,
contains
the
entire
configuration
of
harbors
all
most
of
the
data,
in
terms
of
who
has
access
to
what.
How
often
do
me
to
garbage
collect?
Does
this
project
have
a
code
of
gigabyte
or
a
terabyte?
A
A
All
right
moving
on
well
I
wanted
to
bring
this
because
there
was
a
lot
of
questions
on
pluggable
scanners
in
the
document.
I
decided
to
include
this
slide
as
well,
and
I'll
spend
a
couple
of
minutes
on
this.
Essentially,
this
is
the
scanning
pluggable
scanning
framework.
Harbor
has
access
to
all
of
the
images
as
well
as
access
to
their
configuration
and
the
policy
around.
How
often
do
you
want
a
scan
if,
for
example,
you
wanna
bring
a
pluggable
scanner
like
aqua
or
Angkor,
or
three
V
or
any
other
adapter
they
implement?
A
That
interface,
which
is
very
simplistic,
is
a
few
API
calls
like
an
API
call
that
says,
go
ahead
and
scan
and
during
the
scan
interface
will
give
them
credentials
to
a
robot
account
that
was
created
and
tied
to
a
project.
So
it
has
a
limited
scope
and
it
has
a
limited
lifetime.
The
robot
account
has
a
lifetime
of
as
long
as
the
scan
job
happens,
and
then
the
scanner
API
is
gonna
use.
This
robot
account
to
pull
images
from
harbor
scan
them
and
then
report
back
the
results,
so
the
API
is
scan.
A
All
right,
so,
let's
go
ahead
and
start
talking
a
little
bit
about
the
overview
of
the
different
actors
in
the
system
and
the
tenancy
model.
When
I
make
it
clear
that
the
end
user
authentication
that
you
have
using
built-in
authentication
where
all
of
the
data
is
stored
in
the
Postgres
database,
the
harbor
has
what,
if
you
using
external
federated
identity,
using
YDC
or
LDAP
or
Active
Directory,
this
is
just
for
off.
So
there's
nothing
else.
There's
no
way
that
someone
can
create
a
new
ID.
A
Is
he
talking
that
has
another
only
authentication,
but
it
also
has
claims
and
entitlements
that
doesn't
work
in
harbor.
Today
we
don't
have
that
capability,
so
we
start
with
off.
It
is
a
built-in
authentication,
that's
usually
used
for
dev
test
environments,
or
you
know
for
for
for
developers
desktops
for
example,
but
as
soon
as
you
push
Harbor
in
production
most
likely
and
what
I've
seen
pretty
much
100%
of
the
enterprises
is
that
they
use
IDC
or
LDAP
to
federated
existing
identities
and
then
tie
them
to
harbor
projects.
So
now
you
brought
your
identity
into
harbor.
A
Would
you
do
with
that?
Well,
harbor
has
a
fairly
robust
role,
based
access,
control
and
conceptual
multi-tenancy,
and
the
way
that
works
is
that
we
have
two
main
concepts.
One
of
it
is
the
project
white
config.
That
can
only
be
happy
that
can
only
be
an
forced
and
change
by
the
harbor
system
administered.
This
is
the
overall
admin
that
owns
Harbor
operations,
and
then
we
have
the
logical
concept
of
projects
think
of
projects
as
a
way
to
bundle
tenancy.
So
a
project
can
contain
users.
A
These
users
can
be
part
of
different
roles
and
when
I
talk
about
the
roles
in
a
second,
the
project
can
contain
images
and
a
project
can
contain
policy.
So,
for
example,
you
can
create
a
project,
that's
your
production
images
and
put
all
your
production
images
in
there
and
say,
because
these
images
are
going
to
go
into
production,
don't
allow
an
image
with
high
vulnerabilities
to
ever
be
deployed
and
on
low
an
image.
A
That's
not
signed
to
be
deployed
and
then
only
allow
these
two
or
three
functional
accounts
from
kubernetes
to
be
able
to
pull
images
from
this
project
and
nobody
else.
Now
you
can
have
another
project
that
might
your
taffetas
playground
for
the
finance
team,
and
you
can
say
you
can
do
whatever
you
want
in
this
project.
Go
ahead
and
push
images
pool
run
it
through
your
CI
CD
systems
test
them,
but
these
cannot
be
pulled
in
a
kubernetes
production,
cluster
and
I.
A
A
Now
harbor
has
five
different
roles
in
within
the
concept
of
a
project
of
the
limited
guest.
Think
of
these
guests.
As
someone
that
has
a
read-only
operations,
so
he
can
pull
images,
but
there's
very
few
permissions
for
that
limited
guest.
Beyond
that,
then
you
have
the
guest.
Who
is
someone
that
can
log
into
our
UI?
He
can
pull
images,
he
can
view
other
users
in
the
project,
but
doesn't
have
really
any
access
to
modify
things.
Then
you
have
the
developer
who's
the
person
that
can
actually
push
images
as
well
to
the
project.
A
Then
you
have
the
master
in
the
project.
That
means
they
have
elevated
permissions.
They
can
create
robot
accounts,
they
can
change
policy
for
the
project
they
can
change,
who
the
scanner
should
be
on
a
per
project
basis.
So
a
lot
of
the
configuration
that
happens
here
it
happens
at
the
master
or
project
at
mid-level.
A
The
number
of
permissions
gets
increased
depending
on
the
needs
and
the
type
of
account.
Okay.
The
second
thing
I
want
to
show.
You
is
because
sometimes
is
easier
to
basically
see
some
of
these
things
in
action.
So
I'm
gonna
go
ahead
and
log
into
my
Harbor
project
here
and
I'm
gonna
pick
an
account
that
I
personally
don't
have
access
to
well
I'm
the
system
overall
administer
so
I
can
see.
Everything
I
think
now
create
this.
So
I'm
gonna
show
you
guys
a
few
different
things
that
the
project
and
capsulation
provides
in
harbor.
A
A
I,
have
50
negligible,
19,
low
11,
medium
and
0
high
or
critical,
so
I
get
to
see
a
very
quick
summary
and
I
can
click
into
it
and
I
get
the
full
view
of
all
the
vulnerabilities
that
you
have
for
this
image.
If
I
wanted
to
right
so
I
can
click
here
and
I
get
to
see
the
full
a
venerable
in
you
can
even
click
all
the
different
CVS
and
get
additional
info
beyond
images.
A
I
also
get
home,
charts
there's
nothing
here,
but
if
I
had
any
they'll
show
up
in
here
as
well,
I
get
to
see
members
so
I
can
see
who
the
different
members
of
my
project
are.
So
I
can
say:
I
want
to
create
a
new
user
and
the
arbok
permissions.
Our
dimensional
they'll
come
into
play
so
I
can
create
Andres
here
and
make
him
I.
A
A
We
can
have
you
get
to
see
logs.
You
know
what's
happening
here,
who
pulled
image?
What
image
at
what
time
and
I
can
do
some
introspective
or
forensics
into
my
project
will
have
robot
accounts
and
think
of
robot
accounts
as
an
account
that
you
can
create
for
CI
CD
that
enables
you
to
control
assets
within
this
project
in
harbor,
so,
for
example,
can
create.
So
you
have
to
know
your
name
and
respect
and
create
the
address.
See
I
see
the
robot
account
here
and
I
can
say
what
permissions
I
wanted
to
have.
A
Where
for
images
or
ham
charts.
Do
you
wanna,
allow
him
to
push
images
or
only
pull?
Do
you
want
him
to
hide
love?
Pushing
ham
charts
are
only
poor
and
depending
on
the
needs
of
that,
you
get
to
define
what
permissions
that
you
want
to
have
right.
So,
let's
say
I
click
Save
right
now.
It's
gonna
basically
create
a
JWT
token
for
me
and
I
get
to
copy
this
token.
It's
only
viewable
once
I
can
never
retrieve
it
again
so
now,
I
can
click
on
this
account
and
I
can
either
disable
it
or
delete
it.
A
Well,
the
concept,
contact
retention
is
a
type
of
policy
like
how
far
back
do
you
wanna
keep
images?
So,
for
example,
you
can
have
a
compliance
policy
in
your
enterprise
that
says
I
don't
want
to
keep
images
beyond
nine
months,
so
a
retention
will
enforce
deletion
of
those
images
we
have
talking
mutability
and
what
that
does
is
you
could
say:
I
want
to
make
sure
that
when
someone
pushes
the
image
in
gene
X
version,
3
da
da,
nobody
can
come
and
override
it,
whether
that's
a
bad
actor
or
not.
A
I
won
when
I
publish
a
release.
Version
of
my
image
mark
them
as
immutable.
Don't
allow
anybody
to
over
I
didn't
harbor
will
enforce
that
who
have
webhooks
I
want
to
be
able
to
be
notified
when
things
happen
in
harbour,
so
I
can
come
over
here
to
my
documentation
and
I
can
search
for
web
hooks
and
I
can
see
the
different
web
hooks.
A
That
harbour
pushes
so
I
can
create
a
policy
that
says,
go
ahead
and
notify
me
when
a
scanning
is
finished,
so
I
can
go
and
execute
a
third
party
or
fourth
party
action
and
second-to-last
is
a
scanner
I
want
to
tell
you
as
harbor
which
scanner
I
want
to
use
for
this
project.
So
if
you
have
multiple
scanning
adapters
deployed
this
case,
I
don't.
But
if
you
did
you
get
to
pick
which
one
you
want
to
use.
You
want
to
use
Claire.
A
B
D
A
Concept
we
actually
struggled
with
that
in
the
kubernetes
community
in
the
cloud
Native
community.
They
are
known
as
robots-
it's
not
just
as
others
have
called
this
wall.
So
if
you
call
them
like
headless
accounts
or
service
accounts
or
functional
accounts,
which
is
what
they
are
they're,
not
tight,
they're
functional
accounts
right
they're,
not
tight
to
use
a
persona.
Then
we
have
created
more
confusion
because
we
will
not
be
aligning
with
what
others
are
calling
them.
So
if
I,
if
I
come
over
here,
I'll
do
a
very
quick
search
right
and
I
create
I
type.
A
D
A
A
So,
for
example,
I
can
come
in
and
say
deployment
security,
allow
only
verify
images
to
be
deployed
or
prevent
vulnerable
images
from
running,
prevent
images,
vulnerability,
severity,
higher
or
above
from
being
deployed,
automatically
scan
images
on
push
create
some
whitelist.
All
of
these
policies
are
tied
to
the
project.
A
E
A
So
we
don't
so
when
you
try
to
pull
an
image
that
fails
the
vulnerability
threshold,
for
example,
it
will
tell
you
that
hey
I
couldn't
put
this
image
because
it
has
high
severity
vulnerabilities
in
it.
So
we'll
tell
you
that,
but
in
the
UI
we
we
don't
intermingle
the
policy
with
the
actual
vulnerabilities
found
here,
we'll
just
tell
you
what
we
found
and
give
you
the
breakdown.
But
you
don't
tell
you
if
your
policy
will
prevent
you
from
pulling
this
image
or
not.
Ok,.
E
So
the
follow-up
question
I
can
oh,
go
ahead,
go
ahead,
asking
it
so
in
regards
to
our
burn
so
I'm,
actually
using
it
right
now
for
testing
and
I
was
curious,
so
you
can
mirror
docker
image
repo
registry-
let's
say
yes,
let's
say
you
detect
a
vulnerability
in
that
image.
Can
you
use
web
hooks
or
some
other
form
from
harbor
to
indicate
in
doctors
that
that
image
can
be
used
if
you're
not
using
Harbor
solely
as
your
primary
image,
reg
yeah.
A
Absolutely
so,
if
you
come
in
from
doctor
to
harbor,
because
you
wanted
to
check
an
image
from
where
normally
in
Harbor,
because
doctor
doesn't
have
that
ability,
you
can
use
our
web
hook
to
go
back
and
trigger
an
action
that
says,
go
and
mark
that
image
on
available
in
docker.
You
have
to
use
the
doctor
API,
but
you
can
do
that.
That's
exactly
why
the
web
hooks
are
very
valuable
in
that.
E
A
An
additional
web
who
will
be
going
to
create
an
admission
controller
in
in
kubernetes
and
say,
don't
allow
this
image
to
be
to
be
deployed.
Well,
thanks,
ok,
a
question
from
ash:
do
you
have
a
plugin
for
external
authorization?
We
do
not
today
we're
actually
looking
into
what
thou
potentially
will
look
like
in
the
future.
A
Our
users
and
permissions
are
tied
to
a
project.
So
you
come
to
a
project
and
you
say
which
users
have
access
to
it
and
that's
great.
But
one
of
the
things
that
we
can
do
is
that
you
can
extract
the
users
out
of
the
projects.
You
can
create
logical
groupings
of
users
and
then
tie
those
users
to
projects.
A
So
you
can
tie
the
same
set
of
users
with
three
projects,
for
example,
without
having
to
recreate
that
are
back,
so
we're
looking
into
that
once
we
do
that,
an
optional
added
feature
of
that
will
be
enabling
that
these
claims
and
entitlement
from
healing
can
this
be
installed
and
run
locally.
Absolutely
I
was
one
of
the
first
things
we
talked
about
that
the
hardware
is
a
it's
a
packaged
software.
You
get
to
install
it
whatever
you
want,
it's,
it's,
not
a
service
or
a
hosted
solution.
A
A
Talk
a
little
bit
about
protected
assets.
If
you
haven't
read
the
document,
some
of
this
might
be
a
little
bit
I,
don't
wanna
call
them
obscure
but
be
hard
to
kind
of
put
the
relevance
into
it,
but
you
have
a
variety
of
protected
assets
in
harbor
and
I.
Put
two
nodes
here:
like
you
know,
can
this
asset
be
rotated
and
if
it
can't
be
rotated,
is
it
hard
to
rotate
or
not?
And
you
can
see
that
that
that
that
indexing
on
on
some
of
this,
so
starting
from
the
top,
we
have
the
harbor
private
key.
A
This
is
the
one
of
the
key
capabilities
in
harbor
this
key
essentially,
and
we
actually
show
you
guys
one
thing
really
quickly:
oops,
sorry
for
in
the
slide,
if
any
of
you
want
to
kind
of
read
along,
we
have
the
scene,
cf6
security,
harbor
self-assessment.
That's,
let's
basically
push
the
link
here
as
well
on
the
chart,
but
essentially
here
in
this
document.
If
you
look
at
the
kind
of
the
the
index
here,
there's
a
couple
of
areas
that
we're
going
to
talk
about
this
is
a
blast
radius
and
recovery.
A
I'm
gonna
mention
a
little
bit
and
then
we
have
the
breakdown
of
access
and
tokens,
and
this
is
what
we're
talking
on
right
now.
So
if
you
want
to
take
a
look
at
that
feel
free
to
do
so,
okay,
so
so
coming
back
to
this
and
the
harbor
private
key
is
think
of
this
as
the
key
that
Harbor
generates
your
installation-
and
this
is
the
key
that
we
use
for.
A
Use
it
for
a
variety
of
harbours,
internal
operations.
The
next
one
is
the
harbor
encryption
secret
key,
and
this
is
what
they
used
to
in
creating
much
every
secret
in
Harbor,
so
think
of
earlier.
We
talked
about
being
able
to
other
application
provider
in
Harbor.
Well,
when
the
other
application
provider,
one
of
the
things
that
you
need
to
do,
you
have
to
give
access
credentials,
username
and
password.
We
encrypt
those
using
the
encryption
secret
key.
A
The
fqdn
certificate
is
the
front
door
certificate
for
Harvard,
like
basically,
you
enable
SSL
in
Harbor
and
and
you
try
to
access
HTTP
Co
Harbor
deployment,
for
example.
That's
the
certificate
that
you
have.
We
have
the
notary
signer
certificate,
and
this
is
a
certificate.
That's
basically
used
by
its
generate
by
harbor
and
use
by
notary,
for
basically,
the
the
notary
operations
like
this
is
were
reinforced
and
maintained.
That
images
are
signed
in
harbor,
then
Harbor
itself.
You
know
this
from
the
diagram
three
slides
ago
has
a
number
of
course
services
here.
A
A
Then
you
have
the
docker
client
credentials.
These
are
the
credentials
that
you
provide
to
be
able
to
push
and
pull
images
through
the
docker
distribution.
We
have
the
replication
credentials.
These
are
credentials
that
are
encrypted
using
the
encryption
secret
key
up
at
the
top
right.
So
this
is
basically,
for
example,
I
added
docker
hub
between
believers.
We
needed
asked
earlier
so
have
docker
hub
and
I
replicate
from
docker
hub
into
harbor.
These
are
the
credentials
of
my
account
into
docker
hub.
A
If
you
can
see
here,
the
bottom
ones
are
much
easier
to
replace
right.
Let's
say,
for
example,
the
robot
credential
needs
to
be
rotated.
I
delete
the
robot
account
I
recreated
I
have
a
new
credential.
The
scanner
credential
is
rotated
automatically
on
every
scanner
jobs.
Every
time
we
start
the
scan,
we
generate
a
new
account
so
easy
to
wrote
it
an
application
credentials
or
something
bad
happen.
Go
ahead,
deleted
account,
recreated
or
update
the
password.
You
can
new
password.
A
A
The
encryption
secret
key.
Well,
it
cannot
be
rotated.
Why?
Because,
once
you
rotate
that
key
everything
that
you
encrypted
in
harbor
so
far
kernel
number
to
be
decrypted,
so
is
it
rotatable
in
essence?
Yes,
it
is.
That
means
you
have
to
go
and
update
every
single
password
in
harbour
again,
so
you
have
to
go
Andrea.
Add
all
your
application
credentials.
We
add
all
your
CLI
secrets.
We
add
anything
that
the
basic
was
encrypted
in
harbour
and
you
can
do
it
doable
are
very,
very
hard.
A
A
Okay,
let's
move
on
to
this
slide,
and
this
is
what
we
call
the
blast
radius
believe
he
was
just
in
campus
that
I
mentioned
this.
This
term
I
like
the
I
started
using
it
I'm
assuming
is
common
in
your
industry.
It
wasn't
common
in
mine,
but
basically
this
is
around
when
bad
things
happened.
What's
your
exposure?
What
and
how
can
you
recover
from
it?
A
If
you
want
to
get
a
lot
of
details
about
this,
you
actually
need
to
read
the
dark
I'm
not
going
to
keep
it
service
if
or
by
condensing
it
here,
but
essentially
the
the
big
thing
that
I
want
to
mention
here
is
other
certain
areas
of
harbor
that
when
they
get
compromised
it's
worse
than
others
and
I've
classified
them
into
three
categories.
Risk
is
read
as
in
shut
things
down.
Things
are
really
bad.
A
If
this
happened,
you
need
to
stop
stop
everything
figure
out
how
to
plug
the
hole,
identify
everything
that
was
compromised,
everything
that
was
changed
and
then
corrected.
You
might
potentially
have
to
go,
restore
certain
things
from
back
up
and
then
you
can
start
all
over
again,
but
why
is
this
important?
A
Now
the
idea
actually
really
really
bad
and
then
the
second
thing
that
I
added
here
is
this
recovery.
It
is
contained
and
what
I
mean
by
contained
is:
is
a
recovery
contained
to
a
small
portion
of
the
product
versus
having
to
deal
with
a
wide-ranging
recovery?
All
of
these
are
indexed
by
number,
and
this
is
how
they
are
also
indexed
in
the
blast
radius
section
in
the
document
as
hall.
So
if
you
look
for
number
17,
you
can
find
number
17
in
the
document
now.
A
I
want
to
go
through
some
of
the
yellows,
for
example,
here
right,
because
it's
easier
first
compromise
robot
account.
Well,
the
recovery
is
contained
because
a
robot
account
only
has
access
to
single
project.
So
if
someone
compromised
a
robot
account,
he
didn't
get
access
to
your
entire
harbour
installation
he
could
access
to
her
to
a
single
project.
So
what
can
you
do?
Well
if
they
compromised
the
robot
account
that
only
has
read-only
access,
then
just
delete
account
recreated
and
you're
done
easy.
A
If
the
robot
account
also
has
push
access,
then
you
have
to
actually
run
forensics
and
figure
out.
Did
our
robot
accomplish
an
image
and
if
yes
could
delete
the
image
they
pushed
that
way
you
clean
up
after
them
right,
but
then
you
create
the
account
and
you're
done
come
from
my
scanner.
Well,
a
compromise
kind
of
can
do
a
lot
of
things.
A
They
can
tell
you
that
an
image
is
free,
one
from
runner
abilities
when
it's
not
a
compromised
scanner
can
tell
you
an
image
has
vulnerabilities
when
it
doesn't
and
create
a
DOS
attack,
because
that
image
can
no
longer
be
pulled
from
your
cluster
or
that
the
scanner
can
do
a
lot
of
other
bad
things
right.
It
can
basically
never
return.
A
So
the
scanning
will
never
complete
for
an
image,
for
example,
so
so
the
fact
that
the
scanner
is
relied
on
to
provide
a
report
on
for
no
belief
in
your
system,
if
it's
compromised
is
bad,
but
how
can
you
recover?
Is
it
delete
the
scanner
redeploy,
the
scanner
in
safe
infrastructure,
with
strong
passwords
and
tied
to
harbours
again
and
you're
safe?
You
know
these
are
the
yellows
with
the
green
recovery.
Let's
talk
all
about
something:
that's
bad!
A
Someone
compromised
your
Harbor
administrative
password,
that's
the
password
that
has
access
to
the
entire
hub
or
installation,
API
and
the
like.
Well,
the
recovery
is
really
really
bad,
because
that
means
you
have
to
figure
out
every
single
bad
thing
that
they
did
from
being
able
to
push
and
pull
bad
images,
creating
accounts
for
themselves
masquerading
as
other
users,
for
example,
or
deleting
robot
accounts
changing
policies.
They
can
do
a
lot
of
bad
things
in
Harbor.
They
have
full
access
to
the
entire
environment.
A
All
right,
I
can't
find
it
I
guess:
maybe
I
missed,
adding
it
somewhere,
but
let's
say
they
compromise
the
identity
provider.
What
can
they
do?
Well,
that
means
that
you're
thinking
that
Andres
is
logging
in,
but
it's
not
undresses
under
the
dash,
the
malicious,
unless
that's
logging
in
so
whatever
access
under
his
hat,
this
new
user
will
have.
How
do
you
clean
up
and
how
do
you
recover
from
this?
You
have
to
actually
run
four
engines
and
figure
out
everything.
A
This
hundreds
did
in
the
time
span
that
you
were
infected
and
go
back
and
clean
that
up
a
very
time-consuming
process,
and
potentially
you
have
loss
of
data.
Someone
compromise
your
Postgres
database
on
its
own
is
not
bad
because
certain
items
are
encrypted
in
there,
but
if
they
were
also
able
to
compromise
your
private
key,
your
encryption
key
number
ten
here,
yeah,
that's
why
I
couldn't
find
it.
It
was
blue,
but
they
also
if
they
compromise
your
Postgres
database
as
well
as
number
ten,
your
encryption
key.
A
That
means
not
only
can
they
read
everything
in
the
database
and
change
the
configuration,
but
they
can
also
get
access
and
decrypt
the
passwords.
So
now
they
get
the
password
to
that.
Docker
hub
account
that
Binay
added
in
to
be
able
to
pull
images.
So
now
they
can
go
and
recover
not
only
in
harbor
but
also
in
your
docker
hub
account.
A
If
you
combine
number
sixteen
with
ten
and
three,
that
means
they
have
a
lot
of
access.
They
compromised
the
infrastructure
node,
so
they
are
access
to
your
storage.
They
have
access
to
your
database
and
they
can
decrypt
everything
in
your
database
really
bad
things
happening,
and
then
I
want
to
talk
a
little
bit
about
the
harbour
front
door
certificate.
Should
they
compromised
the
front
door
certificate
to
harbor.
That
means
everything
you
push
and
pull
into
harbor
can
be
clear
text
from
them.
It
can
do
a
man-in-the-middle
attack.
A
So
when
you're
coming
to
Harbor
and
saying
go
ahead
and
create
a
new
robot
account
and
harbor
gives
you
back
a
token,
they
can
read
that
talk,
so
that
means
they
can
actually
use
it
to
do
bad
things
with
it.
When
you
say
I
want
to
connect
harbor
to
talk
or
hub
and
Renee
his
username
and
password
there
that's
transmitted
in
clear-text.
They
be
able
to
pick
it
up
and
do
bad
things
with
it.
A
Not
on
their
three-month
roadmap,
we
have
a
few
other
things
were
working
on
right
now,
but
it's
after
that,
you
know
really
balance
every
three
months
after
that
will
rebalance
and
if
it
makes
sense
for
us
to
to
support
TLS
1.2,
we
will
be
aware.
The
harbor
on
its
own
cannot
be
the
only
one
that
can
make
that
choice.
We
depend
on
components,
for
example,
notary,
Claire,
3
V
docker
registry
to
also
be
able
to
support
1.3.
So
all
of
these
have
to
support
one
two
three
for
us
to
support
it.
E
A
A
We
I
actually
have
another
project
that
is
looking
into
HTTP
3
support
and,
seeing
you
know
it
kind
of
kind
of
kind
of
gauge
the
communities
haven't
looked
at
even
harbour.
To
be
honest
with
you,
okay,
I,
don't
know,
that's
just
not
something
that
came
up
yet
yeah
generally
a
lot
of
these
things,
we
kind
of
use
our
user
base
and
our
customers
to
kind
of
guide
us
and
where
they
are
and
what
they
want.
A
Like
the
other
day,
someone
asked
for
ipv6
support,
and
you
know
kubernetes
itself
doesn't
support
ipv6,
yet
not
on
its
own.
It
supports
a
dual
stack
and
even
that
that's
alpha
right,
so
we
can't
go
support
ipv6
yet
to
have
to
follow.
You
know,
because
we
depend
on
a
kubernetes
deployment.
We
have
to
wait
for
some
of
the
other
infrastructure
tech
to
support
some
of
these
things
as
well,
all
right,
Andres.
The
mic
is
yours.
B
Thank
you,
Michael,
just
quick
overview
for
those
that
may
be
new
to
the
call
in
the
process
that
the
golden
security
assessment
is
to
review
the
project,
design,
goals
and
respect
to
security
and
analyze
the
different
and
aspects
that
kid
introduced
risk.
What
aspects
of
security
are
to
be
handled
upstream?
B
What
items
are
to
be
handled
downstream
or
complementary
software
in
order
to
harden
the
solution,
and
what
steps
can
the
project
take
towards
a
more
secure
cloud
native
ecosystem
within
the
project
itself,
as
well
as
increasing
the
security
of
other
applications
that
may
interact
with
the
system
we
are
about
three
weeks
and
into
the
assessment
we're
close
to
wrapping
up
there.
There
are
discussions
still
happening
between
the
reviewers
to
summarize
or
face
our
findings?
B
Some
of
the
salient
observations
are
that
there
are
a
lot
of
different
components:
a
lot
of
different
technologies
that
Harbert
utilizes
that
are
moderately
complex,
take
scanners,
registries,
identity
providers
and
each
of
those
systems
have
their
own
security
properties
and
the
interaction
between
these
projects.
I
mean
this
different
components
needs
to
be
further
analyzed.
In
order
to
have
strengthen
the
security,
there
could
be
improvements
in
some
of
those
areas.
B
Harbor
thus
I
have
some
defaults
there,
but
we
believe
there
there's
opportunity
where
or
the
boundaries
between
those
different
projects
the
different
technologies
there's
opportunity
for
improvement
there
we
feel
detection
of
attacks
and
recovery
from
attacks
should
be
studied
in
more
detail.
It
warrants
a
formal
security
audit
to
uncover
cases
an
attacker
may
perform
attacks
without
detection
or
what
forensic
needed
to
recover
from
difficult
attacks.
Same
goes
for
consideration
of
you
saw
the
table
around.
B
The
different
are
back
rolls
how
this,
how
coarse-grained
could
conduce
be
and
leading
towards
the
combination
of
what
rolls
to
use
more
so
enters?
How
to?
How
do
we
do
you,
production
ice,
harbor
securely?
How
do
users
are
actually
deploying
it
and
using
it
in
practice,
and
what
configurations
of
the
system
are
set
up
in
a
reasonable
way
or
which
knobs
do
they
want
them
to
turn
on
or
flip
to
to
make
sure
they're
there
in
a
more
secure,
Harbor
operation?
B
B
Opportunity
to
guide
users
on
water,
so
what
are
the
recommended
practice
practices
to
build
on
top
of
the
properties
that
the
system
has
for
security
as
default
versus
which
not
well
well
I
hold
the
floor.
I
will
open
it
up
to
some
of
the
other
reviewers.
If
there's
anything,
they
would
like
to
add.
Some
are
on
the
call,
perhaps
starting
by
by
Justin.
C
I
think
you've
covered
a
lot
of
the
points
that
I
sent.
Yeah
I
mean
I,
think
it's
it's
a
nicely
put
together
project
and
you
know
anytime,
you
combine
complicated
things
together,
though,
you
really
have
to
worry
about
how
you
combine
them,
and
so
I
want
to
re-emphasize
that
point.
I
also
think
a
lot
more
diving
into
how
it's
used
in
practice
and
how
people
could
try
to
recover
from
things
in
practice.
I
just
want
to
reinforce
those
points.
I
think
those
are
those
are
important
and
I'm
not
by
the
way
I'm.
C
A
And
by
the
way,
Justin
that's
100%
valid
I.
Just
to
give
you
guys
an
update,
cuz
I
know
for
the
folks
that
haven't
read
it.
So
harbor
has
been
through
three
pen
testing
so
far,
so
we
had
the
first
one
by
VMware,
so
VM
were
white
hat
testers,
tester
Harbor.
For
about
two
and
a
half
three
weeks,
then
we
had
a
team
of
10
folks
from
Cure
53
that
basically
put
the
screws
on
harbor
and
tested
that
and
identify
someone
or
abilities
that
we
immediately
fixed
and
then
have
one
of
our
commercial
accounts.
A
That
is
a
financial
institution
that
securities
of
the
utmost
importance
that
run
a
pen
test
on
harbor
and
was
only
able
to
identify
one.
My
notes
item,
so
we've
had
three
pen
tests
happening
already,
just
kind
of
them.
The
outcome
of
this
harbor
is
actually
applying
on
our
beat
to
graduation.
So
six
security
is
the
last
assessment,
that's
happening
at
6:30,
SiC
runtime
and
seek
and
seek
up
delivery
and
generally
what
what
from
what
I
understood?
It's
the
what's.
A
C
Mean
we
tend
to
to
give
non
binary
feedback
we
would
in
extreme
cases
like
I,
won't
mention
you
know,
there's
there's
a
project.
That's
been
discussed
a
lot
on
here.
This
actually
graduated
project
that
has
a
bunch
of
security
limitations
and
I.
Think
you
know
that
would
err
on
the
side.
We
would
be
as
close
to
giving
a
binary
feedback
with
a
project
like
that
as
I
would
imagine
we'll
get,
but
for
everything,
even
for
the
thing
that
we
think
are
quite
secure,
our
goal
is
to
say
these
are
the
things
it
does
well.
C
C
A
Did
absolutely,
and
actually,
as
an
aside
I've
reached
out
to
christen
a
chick
from
from
CN
CF,
maybe
about
three
weeks
ago
and
I
asked
him
if
you
can
do
excuse
another
cure,
53
pen
test
where
I
give
them
the
six
security
assessment
document
that
we
created
and
it's
fairly
comprehensive
and
tell
them
hey
I,
identify
angles
that
you
can
attack
Harbor
using
this
assessment,
and
these
results
so
there'll
be
a
very
valuable
exercise.
But
what
I
don't
want
to
do
is-
and
you
know,
I,
don't
wanna
I.
A
Thank
you.
Thank
you.
So
basically,
what
I
don't
want
to
do
is
I'd
like
move
like
I.
Don't
want
to
go,
tell
Chris.
We
want
to
do
this
and
he
says
oh
yeah.
Maybe
we
should
wait.
Graduation
until
kill
53
get
another
look
at
it
and
then
we
will
have
to
wait
another
three
months.
That
would
be
detrimental
to
our
project.
Yeah
I
mean
we.
C
C
F
Michael
and
the
assessment
team-
you
know
I
know
you
know
we
we've
sort
of
identified.
You
know
complexity
in
this
project
and
you
know
dependencies
downstream.
You
know
in
our
in
our
results.
Is
there
anything
downstream
where
you
know,
as
in
the
security
sig,
you
know
we
would
take
learnings
from
Harbor
and
advise
any
of
the
new
downstream
products
that
they
can
make
any
specific
improvements
on
the
security
interfaces
or
the.
D
Maybe
I
have
a
question
down
on
that
and
Michael
I
think
you
answered
it.
You
know
I
was
thinking
about
using
you
know.
The
encryption
keys
are
exposed,
I
forget
which
one
specifically
it
was
in
the
assessment,
but
using
kubernetes
secrets,
and
my
sense
is
that's.
Not
the
strongest
posture
and
I
had
a
concern
around
that
and
would
love
to
take
it
offline
and
have
a
discussion
about
that.
You.
A
A
You
know,
obviously,
community
secrets
have
limitations
and
we
talked
about
in
the
assessment
about
some
things
that
you
can
do
to
harden
the
kubernetes
environment,
but
creating
a
using
a
vaulting
solution
is
probably
the
best
way.
I
don't
have
a
volume
solution
that
we
know
that
works
with
harbor,
but
you
can
work
with
you
to
identify
one
and
use
it.
You
may
have
to
do
a
little
legwork
there
too.
C
Yeah,
there's
also
a
little
bit
with
the
interface
with
notary.
That
feels
a
little
odd
to
me,
but
that's
probably
a
discussion.
That's
in
no
way
meant
to
be
like
a
blocking
thing,
or
something
like
that.
It's
more
meant
to
be
here's
an
area
to
look,
and
you
know
that
we
should
probably
have
a
discussion
with
like
Justin,
Cormac
and,
and
you
know,
and
get
that
all
together
and
then
take
a
look
to
see.
A
A
You
know
I
want
to
thank
everybody
that
spend
a
significant
amount
of
their
person
time
on
on
harbor
right
without
the
ravine
dogs,
reviewing
the
assessment
and
asking
questions.
Reading
the
answers.
I
think
you.
Thank
you
all.
For
all
your
time.
It's
been
incredibly
valuable,
twice
as
hard
board
to
kind
of
put
those
things
down
of
always
thinking
about
security,
always
thinking
about
other
things,
but
kind
of
riding.
All
that
down
in
a
single
document
and
going
through
our
extensive
list
was
very
valuable
and
it
would
definitely
benefit
us
in
the
future
as
well.