►
From YouTube: CNCF Harbor's Community Zoom Meeting - 17 Nov, 2021
Description
CNCF Harbor's Community Zoom Meeting
A
C
A
D
D
D
We
also
have
the
cloud
native
network
protection,
as
well
as
the
cloud
native
application
protections,
and
on
top
of
that,
we
also
extend
the
cloud
workload
protection
to
the
mobile
service
edge.
This
is
due
to
the
popularity
and
the
fast
adoption
of
5g
in
china
and
in
addition
to
that,
the
supply
chain
security
is
part
of
our
product
portfolios,
and
that
is
the
reason
why
we
added
the
scan
adapter
support
for
hardware
registry
and
by
the
way
we
got
android
financing
support.
So
we
are
expanding
our
business
across
china,
regions.
D
D
Actually,
we
will
receive
the
api
call
from
harbor
and
do
the
proper
translation
and
make
the
proper
api
call
to
the
backend
scanner
engines
and
set
up
the
credential
and
so
on
and
so
forth,
and
then,
finally,
we
instruct
the
scanner
engine
to
pull
images
from
harbor
and
do
the
analysis
and
got
the
results
and
return.
The
reports
back
to
the
hardware
registry
does
the
scan
engine
support
the
vulnerability
scan
for
both
the
os
packages
and
the
application
packages.
D
D
These
are
bunch
of
the
environmental
available
for
you
to
set
up
the
the
scan
adapter
and
finally,
we
do
the
hem
install
to
finish
the
setup,
and
basically
this
is
the
the
github
link
is
with
the
manual.
But
for
now
the
menu
is
written
in
chinese,
but
we
will
translate
it
into
english
as
soon
as
we
ga
the
version.
E
D
E
We
currently
are
a
commercial
products,
but
we
are
going
through
like
the
open
source
procedures.
We
were
starting,
publish
some
like
open
source
projects.
We
are
currently
working
on
that,
including
some
network
monitoring
projects
and
all
these
all
these,
like
projects
that
we
publish
on
our
github
page,
we'll
be
using
the
apache
open
source
license
yeah.
E
This
is
just
a
standard
way
that
how
we
add
on
our
adapters
onto
the
current
hardware
registry.
Basically,
you
need
to
have
a
name
and
put
on
address
that
can
directly
connect
to
our
image
scanner
servers.
So
this
deployment
is
in
our
local
servers.
So
that's
why
we
only
have
a
ip
address
set
up
over
here
and
yes,
it's
a
and
then
you
you
click
and
add
into
the
your
scanner
pages.
E
E
Okay,
yeah,
that's
a
just
a
quick
demo
say
how
we
get
this
adapter
work
and
how
we
integrate
with
the
current
hardware
registry.
So
harry.
Probably,
let's
go
back
to
the
powerpoint
and
I
can
introduce
some
like
some
features
that,
in
the
back
in
the
in
the
back
like
how
we
actually
support
our
image
scanner
and
how
we
different
differentiate
ourselves
from
the
current
mainstream
scanner.
D
E
Yeah
and
yeah
next
page,
so
the
the
current
we
we
consider
about
the
image
scanner
is
how
we
get
the
vulnerabilities
and
then
the
key
parts
is
actually
how
we
make
the
scores
for
each
individual
vulnerabilities.
So
the
current
like
mainstream
for
the
when
the
for
the
vulnerability
is
the
cbss
scores.
So
the
phone
name
is
like
a
common
vulnerability
scrolling
system
and
they
currently
have
two
versions,
like
version
2.0
and
version
3.0.
E
They
have
a
little
bit
the
difference
about
the
different
severities
of
vulnerabilities,
and
if-
and
you
can
refer
at
the
like
the
the
right
right
corners,
you
can
see
how
they
define
different
similarities
of
their
vulnerabilities.
But
when
we
consider
at
a
container
image
scanning,
a
lot
of
image
is
using
compressed
waves.
So
we
need
to
extract
this
package
in
and
extract
the
package
installation
list
from
the
container
arctic
files,
and
then
we
use
the
software
name
and
with
the
version
to
get
what
kind
of
vulnerabilities
that
exist
in
the
container
image.
E
That's
this
basic
mechanisms
that
how
we
get
the
vulnerabilities
of
image,
even
how
how
we
get
to
the
video
of
image
you
have
here.
Next
page,
so
the
problems
here
is
when
we
put
this
kind
of
scanners.
In
practice,
we
encounter
like
too
many
vulnerabilities
that
we
can
find
for
each
individual
image.
So
we
we
talked
to
a
lot
of
customers
both
in
china
and
americans.
They
all
complained
said
like.
E
If
we
install
like
open
source
vulnerability
scanners,
we
get
so
many
vulnerabilities,
and
that
makes
our
lives
horrible,
because
there's
no
way
that
we
can
actually
can
fix
this
kind
of
vulnerabilities.
So
so
the
reason
why
there
are
too
many
visibilities
we
we
summarize
is
that
the
four
points.
The
first
is
that
we
find
a
lot
of
base
image
into
in
introduce
a
lot
of
vulnerabilities
and
a
good
way
that
you
change
your
base.
E
Image
can
solve
a
lot
of
problems
about
these
vulnerabilities
and
also
we
find
that
most
of
the
detected
availability
is
not
relating
to
the
running
software.
Basically,
it's
some
software
already
in
the
base
image
or
maybe
install
it
through
other
ways
that
actually
not
not
directly
relating
to
the
running
softwares.
We
don't
want
this
kind
of
an
ability
to
display
to
the
customers,
because
they
think
this
kind
of
vulnerability
may
may
not
be
very
useful
to
them,
and
the
next
is
when
they
build
his
score.
E
It's
just
isolated
running
and
you
probably
don't
need
to
worry
so
much
about
responsibilities,
because
the
hackers
or
maybe
hackers
have
no
ways
actually
directly
exploiting
those
vulnerabilities
and
the
last
one
is,
we
think,
actually
lack
of
a
state-of-the-art
standard
to
define
what
the
vulnerabilities
is
actually
meaningful
for
the
customer.
So
so
that's
why
we
think
we
want
to
find
a
better
solution
to
define
the
vulnerability
score
and
actually
make
our
scanning
result
a
little
bit
different
for
others.
So
yeah
next
page,
please.
E
E
So
the
second
key
inside
this
thing,
like
some
base
image,
we
should
put
a
lot
of
efforts
to
keep
monetary
them.
So
so
that's
why
we
can
give
a
customer
another
kind
of
alert,
saying
like
your
a
base,
image
that
you're
currently
using
may
expose
some
like
reasons
vulnerabilities,
and
you
need
to
take
care
about
that
this.
The
third
key
insight
is,
we
want
to
take.
Consider
the
the
cloud
native
environment
is
actually
running
and
make
that
actually
be
meaningful.
E
E
The
first
is:
we
have
a
led
monitor
that
this
monitor
is
not
only
monitoring
the
led,
but
also
monitoring,
most
like
a
mainstream
like
vulnerability
bulletins
to
get
the
most
together
information
about
the
most
recent
vulnerabilities
and
then
using
these
vulnerabilities
to
compare
with
the
docker
image
a
docker-based
image
that
we
use.
You
know
in
the
customer's
environments,
and
then
we
can
tell
the
customers
like
what
is
the
like.
What's
their
vulnerability,
you
need
to
take
care
of.
E
Maybe
you
need
to
upgrade
your
current
base
image
to
fix
some
visibilities,
the
second,
the
second
type
of
monitor.
We
call
the
system
library
monitor,
so
how
we
achieve
that
we're
using
three
kind
of
techniques
to
to
detect
like
whether
there
are
some
new
libraries
or
new
packages
has
been
loaded
into
the
system.
So
our
I
will
explain
more
details
in
the
following
pages
about
how
we
actually
capture
the
the
loading
and
unloading
of
the
system.
Libraries.
E
You
are
currently
running
so
this
kind
of
environment
will
monitor
these
kind
of
things
and
writes
the
severities
about
the
certain
vulnerabilities
based
on
the
usage
about
about
your
vulnerable
images
and
also,
we
also
monitor
the
image
and
the
usage
of
this
image
to
see
whether
they
will
be
different
to
adjusting
the
data
scoring
and
that
that's
all
this
kind
of
monitoring
system
to
help
you
to
decide
the
the
adaptive
score.
And
then
this
kind
of
identity
score
will
directly
publish
into
our
dashboards.
E
And
then
the
hardware
can
directly
call
call
our
adapter
to
retrieve
the
most
relevant
scores
that
we
provide
to
adjust
to
to
sorry
to
state
the
severity
of
the
the
vulnerabilities.
So
in
in
our
proposal,
we
hope
that
we
can
give
customers
like
accept
the
cv
access
scores.
We
can
give
them
another
kind
of
called
adaptive
score
to
help
them
to
better
understand
the
the
severity
of
the
reliability.
The
risk
of
this
image.
We
are
using
yeah.
E
So
this
is
our
scoring
framework
yeah
next
page,
so
we
have
some
details
put
it
here.
I
don't
want
to
because
of
time
limits.
We
don't
like
explain
every
details
about
that,
so
I
just
want
to
say
we
have
multiple
monitoring.
So,
for
example,
we
will
predict
periodically
to
monitor
other
availability
trends
through
different
kinds
of
vulnerability
feeds
and
get
the
most
up-to-date
information
about
the
abilities
and
also
we
were
periodically
to
monitor
the
basic
base
image.
E
So
when
the
base
image
has
been
involving
any
kind
of
new
abilities,
we
were
right
search
to
help
the
to
get
help
the
customer
together,
alert
and
experience,
please
so
for
the
library,
loading
and
unloading
we're
currently
using
two
ways
to
to
detect
this
kind
of
thing.
The
first
is
a
static
library
monitoring,
so
basically,
from
the
container
image,
we
will
find
the
other
files
that
have
been
have
been
loaded
into
the
image,
and
then
we
were
using
ldd
tools
to
get
their
dependency
to
to
verify.
E
Actually,
this
kind
of
software
that
the
customer
is
building
that
has
some
specific
dependency
on
the
libraries,
and
this
is
static
way
that
we
determine
whether
some
some
binary
has
using
some
dependency
dependency,
library
and
package.
Also,
we
we
have
another
system
called
hooking
ways,
because
our
our
product
actually
using
system
hooking
to
fi,
to
capture
all
the
system-
cars
that
have
been
running
in
the
customer
environments,
so
we
will
hope,
like
open,
close
idea,
open
this
kind
of
system
and
the
library
course
whenever
they
have
been
called.
E
We
consider
that
this
software
actually
loading
some
specific
library
and
package
so
through
that
we
can
also
tell
the
customer
that
the
certain
library
and
the
package,
a
certain
vulnerable
library
or
package,
has
been
loading
so
help
them
to
make
a
better
better
understanding
about
their
risk.
Yep.
E
Next,
please
so
for
the
environment
of
that
factors
we
want
to
tell
the
customers
like
this
image
has
been
used
in
your
environment
may
be
easier
to
be
exploited.
So,
for
example,
like
we
were,
whenever
some
vulnerable
package
vulnerable
image
has
been
using
in
some
container,
has
some
network
exposures.
For
example,
it
has
been
using
behind
ingress
controllers
that
provide
like
a
service
to
the
to
the
outside
world.
E
We
will
raise
the
availability
scores
for
certain
vulnerabilities
and
when
some
like
container
have
the
system
privilege,
we
will
authorize
the
the
score
for
them
and
also
some
network.
Some,
like
port
or
containers,
has
network
capabilities.
For
example,
network
admins
will
authorize
the
severity
scores
and
also
we
will
count
the
number
of
usage
in
the
general
environments
and
also
the
number
of
usage
in
the
production
environment.
All
these
kind
of
numbers
will
help
us
to
adjust
the
adaptive
scores
for
our
when
they
build
his
scoring
system.
E
So
that's
a
brief
introduction
about
how
we
actually
produce
this
kind
of
adaptive
scores
and
we
think
that
can
help
help
customers
to
actually
determine
the
risk
about
each
individual
vulnerabilities,
and
we
have
some
customers
actually
started
study
using
that
and
hopefully
hopefully
we
we
will
hopefully
want
to
contribute
these
parts
of
the
scoring
system
as
open
source
projects
in
the
near
futures
and
making
this
publicly
available.
That
will
probably
help
a
customer
to
better
understand
their
risk
in
their
customized
environments.
That's
all
the
sharing
I
want
to
have.
H
Yeah
I
have,
I
have
a
question.
Thank
you
for
the
presentation,
so
you
you
said
that
you
know
you
know
just
doing
the
vulnerability
scanner,
but
you
also
gather
the
metrics
from
from
the
running
systems
and
also
if,
if
this
loading
is
there
a
way
how
you
fit
this
information
back
into
the
harbor
or
is
the
harbor
adapter
just
doing
the
vulnerabilities
scanning
and
how?
How
do
you
adjust
the
score
of
a
previously
scanned
image,
so
is?
Is
it
synchronized
or
is
it
static.
E
Yeah,
currently
it's
like
we
build
a
server
that
actually,
when
they're,
like
the
buildup
server
and
behind
the
servers,
we
have
a
database
to
record
the
the
this
kind
of
score
and
also
record
the
change
of
this
kind
of
scores
based
on
the
customer's
usage
about
each
individual
of
each
individual
container
image.
So
so
currently,
I
think
the
hardware
don't
support
like
periodically
synchronizing
mechanisms
to
sync
these
kind
of
adaptive
scores.
E
So
so
that's
why
we
want
to
propose
this
is
like
if,
when
we
provide
this
product
to
the
customer,
we
have
our
own
dashboards
and
the
customer
can
easily
to
get
this
trends
about.
The
score
also
gather
the
most
up-to-date
adaptive
scores
from
our
dashboard,
but
we
hope,
like
in
the
future,
maybe
harvard
can
support
this
kind
of
periodically
synchronizing
mechanisms.
E
H
But
can
you
not
calculate
the
score
dynamically
based
on
the
data
that
you
already
have,
because
you
know
when
you
get
when
you
get
the
image
already
from
when,
when
you
get
the
order
from
from
harbor
to
scan
this
image?
You
know
where
this
comes
from
so
which
is
the
source
and
what's
the
image
name,
and
then
you
can
based
on
the
same
image
which
is
running
in
maybe
in
on
an
environment.
H
E
B
E
Right
right,
yes,
we
currently
it's
a
deploying-
is
in
the
way
that
you
just
described
so
every
time
when
you're,
using
our
scanner
to
scan
the
same
image,
you
will
maybe
get
different
scores,
because
we
are
calculating
based
on
the
accumulated
data
that
we
get
from
the
cust
from
the
environments.
Yes,.
E
H
E
E
E
Yes,
so
just
as
a
previous
I
just
described,
we
hope,
like
a
harbor
may
gather,
may
have
like
a
periodically
refreshed
mechanism
so
like
to
periodically
refresh
the
score
or
also
the
information
about
availabilities
so
because
most
of
the
valuability
have
like
it's
changing,
even
though,
without
our,
like
this
kind
of
adaptive,
score
a
lot
of
vulnerability,
changing
its
scores
in
the
long
term.
So
that's
why
we
hope
harvard
also
have
some
mechanics
and
actually
can
support
this
kind
of
adaptive
like
apis.
E
E
A
E
A
E
Yeah,
I
I
hope,
like
we
can
have
some,
maybe
maybe
we
were
starting
an
open
source
part
of
our
algorithm,
and
maybe
maybe
the
community
can
refer
our
open
source
project
to
see
how
that
part
can
possibly,
I
will
not
say
integrate,
but
how
we
actually
changing
the
interactions
between
the
scanners
and
the
hardware.
So,
for
example,
the
scoring
display
may
have
could
be
a
independent
component
that
actually
can
support
like
a
periodically
refreshing.
A
I
A
E
C
A
A
A
G
H
Well,
it's
basically
in
summary:
it's
it's
a
q,
a
bot,
so
it
will
scrape,
I
think
it
scrapes
github
github
discussions,
github
issues
and
also
the
slack
history,
and
if
someone
asking
questions
will
propose
similar
questions
or
similar
answers
to
the
same
similar
questions,
and
it
will
also-
maybe
you
know
hint
people
who
might
be
knowledgeable
in
this
in
this
topic
you
know
so
it
will
scan
the
codes.
Can
the
issues
can
the
the
his
like
history
and
I
think
what
else
does
it
do?
I,
I
think,
also
documentation.
H
Exactly
and
even
I
think,
even
stack
overflow,
so
it
you
know
it,
it
does
scan
a
few
sources
and
then
it
will
provide.
You
hints
about
your
questions
of
you
know
from
different
channels
and
for
for
the
haber
project.
There
is
no
effort
in
integrating
or
kind
of
a
maintaining
it.
You
know
and
it's
an
optional,
it's
a
kind
of
a
opt-in.
So
this
means
like,
if
we're
not
happy,
we
can
just
disable
it.
There's.
B
H
Limits
you
know
kind
of
yeah
limited,
because
you
need
to
actively
ask
ask
the
the
the
bot
for
help
or
the
bot
it's
kind
of
integrated
in
the
way
that
you
can
say
it.
It's
active
where
the
bots
reacts
to
a
question
after
trigger
time,
or
you
can
say
you
need
to
explicitly
ask
the
bot
for
help.
Then
it
will
try
to
search
so
there
are
different
ways
how
we
could.
B
G
A
B
A
A
A
So
please
everyone
drop
a
line
and
I'll
contact
the
the
right
person,
so
we
can
drive
this
one
and
to
get
it
into
our
channel
and
we
can
give
a
try
cool
next.
One
upcoming
conferences
I
want
to
discuss.
Qcon
china,
eu
and
fosdem
are
like
the
the
next
big
things
in
my
in
my
rather
the
china
one.
We
missed
the
time
period
to
submit
the
maintainers
track
application
I'm
currently
waiting
for
cncf
if
they
can
open
that
only
for
us,
so
we
can
get
a
slot.
A
H
H
Okay
yeah,
so
my
idea
was
to
to
maybe
do
something
regarding
harbor
on
on
cube
coney.
U
I
was
planning
to
go
there.
I
was,
I
was
living
in
valencia,
so
I
I'm
really
looking
forward
to
go
there
again
and
I
was
thinking
about
proposing,
especially
like
harbor
and
kubernetes,
how
how
they
may
work
together.
So
maybe
yeah
some
some
talk
about
this,
this
in
this
area,
so
so
mainly
like
synchronizing
between
harbor
and
kubernetes.
H
Like
this
automated,
there
is
like
an
open
source
project
which
synchronizes
harbor
with
kubernetes,
so
that
namespace
and
and
the
secret
synchronizing,
so
we
have
a
kind
of
a
seamless
integration
of
of
harbor
into
into
kubernetes,
and
I
would
like
to
make
a
talk.
I
was
thinking
about
making
a
talk
about
this
and
share
a
few
use
cases
how
to
have
a
seamless,
kubernetes
integration
with
harbor.
H
H
H
H
If
you,
if
you
scroll
down
a
bit,
then
you'll
see
there's
a
diagram,
how
how
is
working.
So
this
is
basically
quite
a
simple
operator
for
kubernetes,
which
is
working
nicely
with
with
harbor,
and
it
makes
the
developer
lives
a
bit
easier,
and
I
would
like
maybe
to
talk
with
with
the
author
of
this
two.
I
know
him
and
if,
if
he
wants
to
join
on
the
presentation
about
that,
I'm
open
to
that
and
yeah.
H
A
I
was
thinking
about
keep
con
eu
and
fosdem
I'll
try
to
submit
like
a
harbor
101
talk,
so
I
want
to
combine
something
from
community
to
the
technical
part
in
in
between
a
little
demo
of
harbor,
what
it's
doing
and
how
people
can
join
our
community
and
how
can
start
contributing
so
I'm
open
for
collabs.
If
someone
wants
to
join
me
in
this
one
yeah
on
the.
B
A
C
C
A
C
A
C
C
C
C
A
A
C
A
H
B
B
Some
of
them
may
be.
You
know,
it'll,
just
we'll
just
get
a
design
in
for
2.5,
but
I
think
you
know
the
ones
like
supporting
six
story
cosine.
This
is
pretty
well
discussed.
Already.
We've
had
a
lot
of
discussions,
there's
a
bunch
of
pr's
going
on.
This
is
one
like
the
core
anchor
features
for
2.5
that
we
want
to
support.
C
B
And
see
if
you
have
any
comments
on
these
and
then
I
think
over
you
know
the
course,
the
next
few
community
meetings
we
can
deep
dive
a
few
of
these.
The
define,
live,
backstory,
backup,
restore
this
is
a
story
centered
around
using
valero
for
for
backup
and
restore,
and
you
know
we
already
decided
on
valero
as
a
as
a
backup
solution
and
then
we're
adding.
B
G
B
B
This
is
a
performance
enhancement.
That's
pretty
important
around
the
pgc
goal
within
harbor.
I
think
I'm
going
to
take
this
one
out,
there's
not
much
to
do
so.
This
is
this
is
not
part
of
2.5
yeah
and
then
we're
adding
you
know
enhancements
to
to
capture
audit
logs
right.
So
who
did
what,
when
these
are
things
that
are
not
being
captured
in
harvard
today?
B
This
is
more
of
a
design.
I
think,
there's
quite
a
bit
of
you
know
touches
on
a
lot
of
things
in
in
the
in
the
back
end,
but
this
important
feature
to
have,
I
think,
yeah
and
the
vulnerabilities
export,
as
well
as
supported,
unsupported
os
and
scan
results.
These
are
things
that
that
you
know
we
started
in
2.4
and
didn't
quite
finish
and
we're
trying
to
get
those
into
2.5
as
well.
So
please
take
a
look.
You
know
this.
B
This
will
be
the
time
to
to
raise
things
that
you
feel
are
important,
because
2.4
is
out
2.5.
You
know,
we've
started
already
gotten
started
on
some
of
these
things
and
we're
just
consolidating
this
list,
and
you
know
finalizing
the
2.5
I'm
going
to
change
this
to
you
know
from
suggestions
to
commitments
at
some
point,
probably
within
the
next
week
or
two
so.
H
H
F
F
B
J
Yeah,
this
is
what
I
just
went
through
all
the
gc
issues,
so
I
I
have
already
created
a
apex
for
2.5.
So
me
we
probably
can
do
some
enhancements
about
the
competition
like
improve
some
performance
and
introduce
the
feeder
tolerance,
and
things
like
that.
So
I
I
just
put
all
the
things
that
about
the
cabbage
cushion
in
that
app
you
can.
You
can
refer
to
that
for
more
details.
J
B
H
B
G
B
B
C
B
Has
gotten
to
the
point
where
it's
not
about
you
know:
people
are
not
expecting
us
to
have
x
number
releases
per
year.
They're
expecting
quality
releases
with
incrementally
better
features,
because
you
know
harvard
is,
is
really
strong
in
the
community
and
now
we're
you
know
we're
delivering
on
things
that
would
really
make
an
impact
right
things
like
import
performance
enhancements
that
you
see
performance
enhancements
to
the
you
know
the
database
query
in
the
background
and
then
yeah,
you
know
it's
not
it's
not
about
rolling
out
features
that
we
can
demo
anymore.
It's
about.
B
Yeah
and
we
have
more,
we
have
more
people
right,
we
have
tienen
joining
us,
we
have
vadim
and
we
have
you
know
other
contributors,
so
I
think
over
time
you
know
it's
gonna,
it's
gonna
get
better
only,
but
it's
gonna
get
better
organically
and
so
three
releases
a
year.
That's
that's
what
we
promise.
A
Thank
you
anyone
else.
If
not,
I
have
last
request
from
you
for
you.
Can
you
go
over
all
the
proposals
at
the
community
repository?
There
are
some
old
proposals
or
issues
I'd
try
to
attack
some
of
you.
There
are
two
three
years
old
discussions
that
are
definitely
definitely
out
of
date
needs
either
closing
or
yeah
closing
so
yeah.