Harbor: The Secure and Efficient Container Registry for Kubernetes
Harbor is an open-source container registry, graduated from the CNCF, that does exactly what it promises in a very well-executed manner.
In addition to hosting images, which is its main function, it offers:
- Image vulnerability scanning: Images can be scanned within Harbor itself, producing a report of their vulnerabilities and generating alerts. Trivy is the default scanner, but Clair, Sysdig, Cyberwatch, Dosec, and others can also be used.
- Image replication: Images can be pushed to or pulled from another registry based on rules. This is useful when you want to run several image registries and keep them synchronized, and also for migrating from an old Docker registry to a new one. Compatible with Docker Hub, Distribution, GCR, ECR, ACR, AliCR, Artifactory, Quay, GitLab Registry, etc.
- Image signing: Uses Cosign and Notation internally to automatically sign an image.
- Project quotas: A quota can be set on any project to manage disk usage.
- User management: Users can be authenticated in several ways, and artifacts are protected with policies and role-based access control.
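The scanning and quota features above are only useful if the project is configured to act on the scan result. The following added example (not Harbor's own code) shows the gate logic a project's "prevent vulnerable images from running" policy applies to a scan report, with a CVE allowlist, and builds the project metadata the Harbor project API expects; the report shape and the metadata key names are taken from Harbor's API as this example's author understands it, and the CVE ids are constructed placeholders.

```python
"""Evaluate a Harbor-style vulnerability report against a project's
deployment security policy (added example, not Harbor code)."""

# Harbor's severity ladder, least to most severe. With prevent_vul enabled, any
# vulnerability at or above the project's threshold blocks pulling the image.
SEVERITIES = ["None", "Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in the shape of the scan report Harbor stores
# (media type application/vnd.security.vulnerability.report; version=1.1).
# CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = {
    "generated_at": "2024-01-01T00:00:00Z",
    "scanner": {"name": "Trivy", "vendor": "Aqua Security", "version": "v0.50.0"},
    "severity": "Critical",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "openssl", "version": "1.1.1k",
         "fix_version": "1.1.1w", "severity": "Critical"},
        {"id": "CVE-0000-0002", "package": "libc6", "version": "2.31",
         "fix_version": "", "severity": "High"},
        {"id": "CVE-0000-0003", "package": "curl", "version": "7.68.0",
         "fix_version": "7.88.0", "severity": "Medium"},
    ],
}

def severity_rank(name):
    """Position of a severity string on the ladder; unrecognised values count as Unknown."""
    return SEVERITIES.index(name) if name in SEVERITIES else SEVERITIES.index("Unknown")

def evaluate_policy(report, threshold, allowlist=()):
    """Return (blocked, offending_ids). An image is blocked when any vulnerability
    not on the project's CVE allowlist is at or above the threshold severity."""
    limit = severity_rank(threshold)
    allowed = set(allowlist)
    offenders = [v for v in report.get("vulnerabilities", [])
                 if v["id"] not in allowed and severity_rank(v["severity"]) >= limit]
    return bool(offenders), sorted(v["id"] for v in offenders)

def project_metadata(threshold, auto_scan=True, allowlist_cves=()):
    """Body fragment for POST /api/v2.0/projects: metadata values are strings
    and the severity is lowercase, as Harbor's API expects (assumed here)."""
    return {
        "metadata": {"auto_scan": str(auto_scan).lower(), "prevent_vul": "true",
                     "severity": threshold.lower(), "reuse_sys_cve_allowlist": "false"},
        "cve_allowlist": {"items": [{"cve_id": c} for c in allowlist_cves]},
    }
```

Allowlisting a CVE is a conscious risk acceptance, so keep the list per project and review it when a fix version appears in a later report.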
Many companies prefer to keep their images on-premise with granular access control even when using the cloud, so that developers have no direct access to the cloud, and use Harbor for this purpose.
For on-premise environments, Harbor is currently the best choice as an Image Registry.
Alternatives to Harbor
Cloud providers typically offer registries that are quite affordable, but they don't provide the same features as Harbor (replication, scanning): they do only what's necessary, with authentication and quotas configured through the cloud itself under more centralized control.
- Amazon Elastic Container Registry (ECR)
- Azure Container Registry (ACR)
- Google Container Registry (GCR)
- Alibaba Container Registry
- Oracle Cloud Infrastructure Registry
Docker Hub is the most popular registry, but it ends up being an additional cost for the company and isn't very cheap.
Compatibility
Harbor vs Nexus
A comparison of some points where Harbor and Nexus differ:
- Generality: Nexus is a universal repository manager that can handle different types of technologies, such as Maven, NPM, Ruby Gems, Python Eggs, etc. Harbor is a pure Docker registry that manages only Docker images.
- Image scanning: Harbor has some features that Nexus doesn't have, such as image vulnerability scanning, image replication, image signing, and project quotas.
- Replication: Nexus doesn't replicate images across different repositories. We could have 2 Harbor instances, one for dev and another for staging/production, and synchronize between them. We can use this feature in Harbor to migrate from Nexus to Harbor without needing to create scripts.
- Garbage collection: In Harbor, unlike Nexus, you can define a rule to automatically collect orphaned image layers that aren't used by any other image and remove them from the repository.
- Project quota: You can set a quota on any project to manage disk usage in Harbor; in Nexus you cannot.