Private container registry with Harbor

Harbor is an open-source registry that secures artifacts with policies and role-based access control, ensuring images are scanned and free of vulnerabilities.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md] In the context of an enterprise Kubernetes deployment, Harbor serves as a local private registry that allows teams to store and manage container images efficiently.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]

Benefits

Deploying a private registry like Harbor addresses two primary concerns compared to using public registries:

  1. Speed: It enables rapid image downloads within the local network.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
  2. Stability: It mitigates risks associated with external image changes, such as version modification or removal.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]

Deployment Architecture

In a typical enterprise deployment, Harbor is installed on a dedicated operations host rather than on the Kubernetes master or worker nodes.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]

  • Storage: Docker data and images are stored in a specific data volume (e.g., /data/harbor), separate from the system disk.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
  • Proxy Configuration: To facilitate access and separation of concerns, an Nginx reverse proxy is often configured in front of Harbor.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
    • Harbor listens on a non-standard port (e.g., 180) internally.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
    • Nginx listens on port 80 and proxies traffic to Harbor.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
  • DNS Resolution: A dedicated DNS entry (e.g., harbor.od.com) is created to resolve to the registry's IP address.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]

Configuration

Docker daemon configuration

To allow Docker on the Kubernetes nodes to trust and push/pull from the private registry, the Docker daemon must be configured to recognize the registry.

  • Insecure Registries: The registry URL must be added to the insecure-registries list in /etc/docker/daemon.json.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
  • Mirror Sources: Public mirrors (e.g., Aliyun) are often configured to speed up the initial download of base images.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
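
Added example (not from the source material): a small audit of /etc/docker/daemon.json. For every host listed under insecure-registries, Docker accepts an invalid certificate or falls back to plain HTTP, so the list should contain only the registry that is meant to be there. The sample file, the allow-list default and the extra entries are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample of /etc/docker/daemon.json for the setup described above.
# Only harbor.od.com comes from the page; the other entries are made up.
SAMPLE = """{
  "insecure-registries": ["harbor.od.com", "10.0.0.0/8", "old-registry.example"],
  "registry-mirrors": ["http://mirror.example"]
}"""


def audit_daemon_json(text, allowed=frozenset({"harbor.od.com"})):
    """Return (level, message) findings for a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    for entry in cfg.get("insecure-registries", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # a hostname, not an address or CIDR range
        if net is not None and net.num_addresses > 1:
            # A CIDR entry exempts every registry address inside the range.
            findings.append(
                ("high", f"{entry}: exempts {net.num_addresses} addresses from TLS checks"))
        elif entry.lower() in allowed:
            findings.append(("info", f"{entry}: expected entry (HTTP behind Nginx on port 80)"))
        else:
            findings.append(("warn", f"{entry}: not on the allow-list, TLS checks disabled"))
    for url in cfg.get("registry-mirrors", []):
        if urlparse(url).scheme != "https":
            findings.append(("warn", f"{url}: mirror is not reached over HTTPS"))
    return findings


if __name__ == "__main__":
    for level, message in audit_daemon_json(SAMPLE):
        print(f"[{level}] {message}")
```

Run it against the real file on each node by passing the contents of /etc/docker/daemon.json instead of SAMPLE.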

Usage

Once deployed, Harbor can be accessed via the configured domain URL.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]

  1. Authentication: Users log in using docker login harbor.od.com with the configured credentials (default: admin / Harbor12345).[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
  2. Projects: Users can create "Projects" to organize images. A "public" project allows pull access without authentication, while private projects require login.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
  3. Image Operations:
    • Pull: Download an image (e.g., nginx:1.7.9).[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
    • Tag: Re-tag the image with the private registry's address (e.g., harbor.od.com/public/nginx:v1.7.9).[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]
    • Push: Upload the tagged image to the registry.[400-devops-06-kubernetes-k8s-paas-02-k8s.md][400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md]

Sources

  • 400-devops-06-kubernetes-k8s-paas-02-k8s.md
  • 400-devops__06-Kubernetes__k8s-paas__02.企业部署实战_K8S.md