From YouTube: Harbor Community Meeting 20191204 - Americas Time zone
A
Hello, everybody, and welcome to another Harbor meeting. It's the 4th of December, and this is the United States/European version of the Harbor community meeting. So we had a fairly successful San Diego KubeCon event two weeks ago. Harbor was very well represented. We had, I believe, six maintainers from Harbor at the event. We had hours at the CNCF answer bar. We also had two sessions, an introduction as well as a deep dive on Harbor.
A
So, overall we got a ton of community engagement as well as community touch points. So, let's deep dive into that very quickly. Starting on the 18th of November, we had the Harbor lunch-and-learn workshop, which had about 50 attendees. This is where attendees showed up. We basically gave them a high-level overview of Harbor, and then from there on they had a scenario-based set of test cases that they had to execute to learn more about Harbor and get to exercise some of the functionality. On the 19th,
A
we had the Harbor introduction, where we had over 100 attendees that came in to learn about what's going on with Harbor and what's our next set of investments. And then the next day, on the 20th, we had a Harbor deep dive, where we basically outlined our product roadmap for the next one. Here we deep dived into some of the specific capabilities that are coming in with the 1.10 release, and again a little bit over 100 attendees were also at this event as well.
A
And, you know, the Harbor maintainers and Zach and Daniel from Aqua, which were part of the team that brought us the pluggable scanner framework, showed up at the event, and they were all able to go to lunch one day and they took a nice picture of that. I see Jonas laughing. Hey, I'm sorry! You were not there, Jonas, and we needed the Harbor. You know how we did the Velero and the Contour things? We needed the Harbor one as well.
A
Well, we'll do a proper one for next KubeCon. That's right! So we have a couple of upcoming community events. There's a CNCF webinar on December 11th. That's gonna basically be in Chinese. So that's gonna be one of the first webinars that CNCF is running in that region using the local language. And then we also have, on December 14th, a Harbor meetup in China, and, not necessarily a Harbor-sponsored, but an Anchore-sponsored event next Wednesday.
A
So, a little bit more on the community: we've hit 10,000 stars. This is an incredible milestone. I think we gained about 1,000 stars between a week before KubeCon to now. So it shows the importance of Harbor in the community, how much it is valued, and the fact that we're continuing maintaining this level of cadence from both releases, feedback, as well as our ability to kind of execute on a roadmap.
A
The graduation for CNCF is still under review, so we don't have an update on that, but things are slowing down after KubeCon and the end of the year now. And we are ramping up on the peer-to-peer working group to enable the integration between Harbor and P2P providers like Dragonfly and Uber Kraken. Our goal is a tentative early release for 1.11.
A
No questions? Cool. Then, we've had a few patch releases. In the last few days we had the 1.8.6 and 1.9.3 releases, and as a result of those patch releases we also made public the security vulnerability report that Cure53 basically performed against Harbor. Cure53 is a security vendor out of Europe. CNCF paid them to do security and penetration testing of Harbor. A set of 40; well, only four tickets were found that were of medium or above severity.
A
The Harbor team fixed them in these two releases. They will also be available in 1.10, of course, and then we issued security advisories, which are linked in the slides as well. So now, not only is the vulnerability report public, but all of the advisories have been publicized to our users, advising them to update their Harbor installations.
A
And I think we can move on to Zach, if he's ready now, to talk a little bit about, show us a demo of Anchore, and talk about the integration that they did with the pluggable scanner framework in Harbor, and hopefully leave a few minutes up then to do some Q&A. Zach, you good?
B
Yes, yeah, let me... I've got a few slides. I'll keep it pretty short, kind of, since we have the webinar and some other things for a deep dive. I'll try to keep it pretty introduction-y for this one. So I'll go ahead and share. If the mouse pointer gets all jerky and weird, that's whatever is happening on my machine right now, so bear with me and we'll try to get through it. Let me go ahead and share the screen.
B
If I can get the mouse to work properly... There we go. Come on. There we go. Excellent. All the way back to the beginning. Okay, so thank you very much, Michael. So my name is Zach Hill. I wanted to talk real quickly, kind of an intro to the Anchore scanner adapter that we're doing for Harbor. So this has been
B
with the team at Harbor, as well as Daniel from Aqua, and building the actual adapter interface and the spec, and it's been a really great experience end to end, kind of collaborating with the folks and building both an API spec to enable other pluggability as well as building our own, so that we can kind of integrate Anchore's scanning
B
into the Harbor system directly. So I'm principal architect at Anchore. I've been at Anchore since the very first release, so I helped, kind of, the CTO and I wrote Anchore v001. I'm also a Helm chart maintainer, and I do a fair bit of integration work as well.
B
So this Harbor work, as well as a Kubernetes admission controller that we have for Anchore to allow you to gate execution as well as registry entry based on what Anchore can do. So I'll give a really quick rundown of Anchore for those not familiar, but I'll keep it really fast.
B
So at a high level, the mission of Anchore is enabling container-based workflows so that you can get security without compromising velocity, right? So this is a story we've heard lots before, so I'm not going to go too far into it, but this is the space where Anchore lives, and we specifically are focusing on the content of containers, so making sure that everybody understands at a very deep level what's in the container and whether container images are acceptable or not, and building automation tools to allow you to do that very quickly
B
in your development and production workflows. The key capabilities of Anchore: we do a very deep image analysis. So, while some scanners focus on, like, operating system packages like RPMs and debs, Anchore will actually checksum every file in the container. We mark the username, you know, UID, GID, file system permissions of everything in the container, so we're looking at binaries.
B
We look at the container metadata itself, so the steps that were used to build it, and then all of that is fed into the security scanning layer and then eventually into a policy engine. So Anchore's bread and butter is this policy-based approach to acceptance of container content, and we do things like checks against CVSS v3 for vulnerabilities, blacklisting and whitelisting of packages or versions of packages, checking container content for credentials,
B
you know, making sure you didn't accidentally just push something to Harbor that has your Amazon secret key in it, you know, as well as more standard kind of vulnerability checks. But we also extend those from OS vulnerability into application-level stuff. So RPM, npms, RubyGems, JAR, Java capabilities, things like that as well. So we have a pretty broad spectrum of capabilities and policies there, and we're able to introduce some of that into Harbor directly with this integration.
B
So, as I said, yeah, deep inspection is our main driving force, policy on top of it, and then a very API-centric approach. So Anchore itself is a service, so you stand it up and you run the Anchore engine, and it has a REST API, and there's a CLI, so you can send it requests, you know, ask it to analyze a container from your CI pipeline, or maybe from a registry already, or, you know, push an analysis directly.
B
So it's meant for automation and these workflows, and Harbor is a great example of that. So as an example of the kind of policy capabilities that are in Anchore, we can say, well, block an image that has vulnerabilities. But specifically, maybe you want only where severity is high or greater, so high or critical, or maybe you also want to use a CVSS v3 score,
B
if your organization, you know, requires nothing goes into production with a vulnerability score of 7.2 or higher, and we can encode that. Oh, and also make sure that the image has been vulnerable for at least 30 days. That way we give our developers time to resolve issues as they come up. We don't want to block things right out of the gate. Maybe we want to give the grace period, and then maybe also that we want to ensure that the fix has been available for 10 days.
B
So how do we hook this into Harbor and pleats? I won't go too deep into the Anchore stuff, but if you want more information about how Anchore works, what its other capabilities are, you know, the webinar is a great example. Follow up, you know, hit me up on Slack or on GitHub or whatever. I'm happy to talk more about that.
B
Generally, I don't want to make this entire talk about just the capabilities of Anchore. So we worked with the team and we're integrating it directly into Harbor, and so specifically that allows Harbor to consume the vulnerability scan results from Anchore. So if you have an Anchore installation, now Harbor can consume that information, both consume it and trigger the scans,
B
things like blocking image pulls based on the severity of vulnerabilities, and scheduling scans and updates. So now we can integrate that capability of Harbor with the analysis and vulnerability scanning capability of Anchore, and that brings us to the adapter, which is how this is all built.
B
The adapter, at its highest level, is effectively just an API translation layer between Harbor and Anchore, so it receives the Harbor scanner adapter API requests, translates them, and then makes API calls on to the back end, to a running Anchore Engine service or Anchore Enterprise. The adapter supports both our open source engine offering as well as our commercially supported enterprise offering, and the adapter itself is stateless, and that makes it pretty simple to deploy, because it's just this translation layer, so there's no databases or persistence or dependent services.
B
It runs as a single container, and you can execute it pretty simply in Kubernetes. At a high level, the flow is basically this diagram. I won't go into details here. We all love state transition and call chains. This is also in the README for the adapter, if you want to dig in more specifically, but basically, again, it's arbitrating the requests from Harbor.
B
So getting started is relatively easy. I'm not going to walk through the whole installation like in a live demo, because that involves a fair bit of waiting for Kubernetes things to come up and initialize and all that stuff. So we'll save that for another time. But basically, you know, install Harbor, install Anchore. Anchore is pretty easy to install; we have a Helm chart available in the stable repository.
B
So it's as easy as a helm install from stable anchore-engine. That gets you the open source engine running in your Kubernetes cluster. Then you can install the adapter, so you can clone our repo, create a secret that gives the adapter the credentials that it needs to talk to the Anchore API, and then you can apply. There's a YAML file included in the GitHub repo, that I'll show in a moment, that actually runs the adapter image pretty simply and makes it available.
B
Oh, sorry, my mouse is not responding at the moment. Okay, so hopefully that will resolve itself shortly. Okay, so I'll come back to that in a moment, if I can get the mouse to work. This is a strange occurrence. So the adapter itself does support authentication. So you can set an API key so that the interactions between Harbor and the adapter itself are authenticated, as well as TLS supported.
B
The adapter also features the ability to request that Anchore expose or filter out vulnerabilities that the vendors have defined as being ignored or that they're not going to fix. So examples of this are Debian no-dsa. So there are lots of vulnerabilities that, say, Debian will get, and they'll say, well,
B
If you want the really verbose, you know, show me everything that matched, then you can have that, or you can say, filter out the stuff that's not going to be fixed. You know, I don't want to see that extra noise. And then, because Anchore supports it, the scanner also supports vulnerability scans against both the operating system packages and the application packages, so you're getting all the results for both, you know, RPMs, debs, APKs, as well as Python files,
B
you know, gems, JARs, that kind of stuff. So the current status of the adapter is in beta. We should be GA'ing by the end of the week, which is the end of this week, coinciding with the Harbor GA. There's a bit of roadmap stuff, so looking at how we could do policy integration stuff, supporting more report types, for example, the inspections interrogation service that Michael's spoken of before. Anchore has the ability to supply license information about packages that it finds in the container.
B
We have information about the layers that were used to construct the container, etc. If there's any other kind of specific features that anybody would like to see in the adapter itself, definitely reach out directly or hit me on GitHub, file an issue, and again, the webinar on the 11th will have a little more detail on those workflows specifically.
B
Yeah, I don't know, it was working. The machine was responding just a moment ago, and all of a sudden, just when I started presenting, it kind of froze itself. So let me see here. I just want to get to the Harbor tab in the browser.
B
Okay, my apologies. This is clearly not gonna work. That's okay! The machine is not being cooperative at all and I'm not sure why. I can either hop out and pop back in and, like, reboot real quick and see. I'm sure there's just something going crazy in the kernel. Yeah.
A
Is Anchore open source? So Anchore Engine is, and including the scanner adapter. Zach showed some of the URL links earlier, where some of their code is on GitHub. Anchore Enterprise is a paid product that gives you a tremendous amount more capabilities, which is what we're going to talk about in the Anchore webinar on December 11th.
A
Like, our goal from a Harbor perspective, when we added additional vulnerability scanners like Anchore and Aqua, was that there is an open source component to them that aligns with the open source vision that Harbor has, so that if you wanted to remain 100% in the open source, you could do that. But if you're interested in creating an entire end-to-end security and compliance posture for your organization, then products like Anchore Enterprise is what's gonna satisfy that need.
C
Yeah, I think that makes sense. Anchore Engine is open source and freely available to everybody and is a lot more straightforward than Enterprise, which is really built for, you know, sophisticated workflows and that sort of thing, and processes and policies.
D
Okay, I'm back. All right, go ahead, Chris. One question I wanted to ask was around open auth support in 1.10. Is that going to be finalized in 1.10, or is some of that going to spill over to 1.11?
A
Did you say open auth? Yes. Oh, OIDC. So the OIDC support was completed for a previous release. I believe we introduced it in 1.8.
A
However, we're adding group support for OIDC in 1.10, so now you'll be able to add groups as the unit of management from an identity standpoint, so that your role-based access control is tied to a group now. So we're adding that in 1.10, right. Beyond that, there's a few little features here and there on OIDC, but I don't have a specific timeline on when we would deliver them. If there's something specific you're interested in,
A
if there's a GitHub ticket, go ahead and comment on it and tag us, or create a new one, if you can find something that works for your organization and you guys need it.
D
Sure. One of the things we really need is auto onboarding, and I saw that that didn't make it into 1.10. So I was curious what the schedule was for that, but thanks for answering my question.
A
That's interesting to hear. If you don't mind, my alias is m2. I'm gonna post it here on the channel chat. Okay, if you can send me a message on the CNCF Slack, yeah, and send me the tickets that are the same ones, the experience you're having, we'll have someone from the team look at it. Okay, all right, awesome. And then follow the tickets. That way, if they do reply, you can actually get their responses as well. Okay, thank you.
B
So I will start here. So this... can I receive this project on GitHub?
B
Yes, you can. Perfect. Okay, yeah. So this is the scanner adapter project, again open source. To answer his question earlier: yes, Anchore Engine is open source, it's Apache v2 licensed, so definitely collaboration and contributions appreciated and encouraged. So, like, actually collaborating on the adapter itself is pretty simple, so it uses some make stuff.
B
I have one added already here, so you can kind of see the entry and, you know, can the MIME types consume the package vulnerability data, and so it's pretty straightforward. This is all deployed in Kubernetes, so it's going to be using service names that are related to Kubernetes, but it's pretty straightforward, and so this is just running that little container, which is the Harbor adapter for Anchore, and deploying our parsing API requests back and forth.
B
So we can see here I've set up a quick little test project with the repositories. You can see again the scanner here is the Anchore scanner, and the repositories example. So here we actually have the vulnerability views for Debian 8 and 9 that I've pushed here. So by default this has turned off the filter. So we'll see a lot more vulnerabilities in this, because again it's ignoring that no-dsa tag that Debian has put, again kind of showing you, like,
B
There we go. Yep, I've forgotten the shortcut. So this is the view of the same image in the Anchore UI. So this is the Enterprise UI. I just did that for visualization purposes, but we can see the kind of things that Anchore has analyzed about this project.
B
So that's it. I'm not going to go too deep into the guts of the implementation, but feedback definitely appreciated. We'd love to collaborate with folks on using this. If there's different ways that they would like to use the scanner adapter for Anchore, different capabilities, I'm definitely open to working with folks on improving it and helping that iteration. Again,
B
we should have a GA out at the end of this week, unless some really bad issue occurs. But here's, so you can find the link for the actual adapter project as well as Anchore Engine, the CLI, and the docs for Anchore itself. Cool. That's it! Thank you, everybody. Appreciate it.
A
Thank you, Zach. First of all, thank you for the contributions that you have made to Harbor. Thank you for the leadership in that pluggable scanner work, and, more importantly, thank you for bringing Anchore scanners to our ecosystem. So this is awesome and