Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential � ©2018 Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • Chart�� ������������� Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components

Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential � ©2018 Agenda 7 Confidential � ©2018 VMware, Inc. • Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • Chart�� ������������� Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd party components

Harbor Deep Dive Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 goharbor.io Initiated by VMware and PKS GitHub Repo: https://github.com/go harbor/harbor/ Apache 2.0 license An open source trusted cloud native registry project HARBOR More integrations in future Harbor Project History Harbor Policy • Based on content trust • Based on vulnerability • Based on RBAC Main Features （ Cont. ） 7 Vulnerability Scanning • Kinds of scanning policies • Elaborate scanning report Content Trust • Digital

Python 3.11, 3.12 and PyPy 3.9, 3.10. See https://github.com/Pylons/waitress/pull/412 Document that trusted_proxy may be set to a wildcard value to trust all proxies. See https://github.com/Pylons/waitress/pull/431 36 Waitress now validates that the Content-Length sent by a remote contains only digits in accordance with RFC7230 and will return a 400 Bad Request when the Content-Length header contains invalid data ff-3wj3-8ph4 CVE-ID: CVE-2019-16789 Bugfixes Updated the regex used to validate header-field content to match the errata that was published for RFC7230. See: https://www.rfc-editor.org/errata_search

and update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress's trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

6 Waitress now validates that the Content-Length sent by a remote contains only digits in accordance with RFC7230 and will return a 400 Bad Request when the Content-Length header contains invalid data ff-3wj3-8ph4 CVE-ID: CVE-2019-16789 Bugfixes Updated the regex used to validate header-field content to match the errata that was published for RFC7230. See: https://www.rfc-editor.org/errata_search ignoring the Content- Length) and Waitress using the Content-Length as it was looking for the single value chunked and did not support comma seperated values. Waitress used to explicitly set the Content-Length

ff-3wj3-8ph4 CVE-ID: CVE-2019-16789 Bugfixes Updated the regex used to validate header-field content to match the errata that was published for RFC7230. See: https://www.rfc-editor.org/errata_search ignoring the Content- Length) and Waitress using the Content-Length as it was looking for the single value chunked and did not support comma seperated values. Waitress used to explicitly set the Content-Length Content-Length header to 0 if it was unable to parse it as an integer (for example if the Content-Length header was sent twice (and thus folded together), or was invalid) thereby allowing for a potential request to

file a update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

file a update the Procfile as following: web: waitress-serve \ --listen "*:$PORT" \ --trusted-proxy '*' \ --trusted-proxy-headers 'x-forwarded-for x-forwarded-proto x-forwarded-port' \ --log-untrusted-proxy-headers output to the console when we request a page: 00:50:53,694 INFO [wsgiapp] Returning: Hello World! (content-type: text/plain) 00:50:53,695 INFO [wsgi] 192.168.1.111 - - [11/Aug/2011:20:09:33 -0700] "GET /hello function. 2. You can pass certain well known proxy headers from your proxy server and use waitress’s trusted_proxy support to automatically configure the WSGI environment. 1.3.1 Using url_scheme to set wsgi

the Content- Length) and Waitress using the Content-Length as it was looking for the single value chunked and did not support comma seperated values. Waitress used to explicitly set the Content-Length Content-Length header to 0 if it was unable to parse it as an integer (for example if the Content-Length header was sent twice (and thus folded together), or was invalid) thereby allowing for a potential request to treated as two requests by HTTP pipelining support in Waitress. If Waitress is now unable to parse the Content-Length header, a 400 Bad Request is sent back to the client. 1.3.1 (2019-08-27) Bugfixes Waitress