Container Registry project¶
A project is a collection of repositories. Each repository contains all the images pushed into it. When you launch Container Registry, the "Projects" screen is displayed. On this screen, the project with the name same as your tenant name is displayed. The following screenshot shows the "Projects" screen:
① Navigation pane.
② Option to add new projects.
③ Table displays the details of the project.
④ Information area showing the number of private and public projects and repositories.
⑤ Provides tabs to view a list of all the local events, running events, and failed events.
Click on a project to view/configure it further. The following sections describe important navigation tabs on this screen.
Creating New projects¶
- Click the “+ New Project“ button in the “Projects” menu. The following pop-up window appears.
- Enter an appropriate project name.
- If the “Access level” “Public” checkbox is enabled, any Harbor user will have read permission to the repositories under this project.
- Define the number of artifacts using the "Count quota" option. For unlimited quota, enter '-1'.
- Define the storage consumption quota and select the storage unit using the “Storage quota” option. For unlimited quota, enter '-1'.
- Click “Ok” to create a new project.
Administrators can delete any project available within the tenant. A developer can delete a project if the access level is "Project Admin" for that project.
The summary tab shows information such as the number of repositories, Helm Charts, members, and the Quotas allocated for a selected project.
In this tab, a table of repositories within a selected project is displayed.
- To download the registry certification, click "REGISTRY CERTIFICATE".
- To copy the syntax to tag or push an image, use the "PUSH IMAGE DOCKER COMMAND" list.
- To display the details of repositories as cards, click on the icon.
Helm is a package manager for Kubernetes, and it uses a packaging format called charts. This tab shows information on all existing helm charts within a selected project.
To upload a new Chart, click "UPLOAD", browse the chart file and provenance file from your file system, and click "UPLOAD".
You can download an existing Chart using the "DOWNLOAD" button. You can also remove a selected Chart file using the "DELETE" button.
This tab shows all the members of a project and their roles.
To add a member, click "USER", enter the member name, select the required role, and then click "OK". You can only add users on the same tenant with the role
mdsp:core:mcradvanced.developerto the project. By default, the
mdsp:core:mcradvanced.adminwill have access to the project.
To update role(s), select the member(s), click "ACTIONS", and then select the required role.
Similarly, you can remove the selected member(s).
Harbor provides two types of labels to isolate different types of resources:
- Global Level Label: Managed by Harbor system administrators and used to manage the images of the whole system. They can be added to images under any project. For more information on Global level label, see Section Configuration.
Project Level Label: Managed by project administrators under a project and can only be added to the images of the project. You can "EDIT" or "DELETE" a selected label using the corresponding options available in the "Labels" tab.
This tab shows all the recorded logs. It shows username, repository name, version number, type of operation, and the time when the operation was performed.
You can filter the logs based on operations and dates using the "ADVANCED" search option.
Container Registry Admins can create Robot Accounts and these accounts are intended to perform docker push/pull operations using a token.
To create a robot account, click "NEW ROBOT ACCOUNT", enter a name and a description, select permission(s), and then click "SAVE".
The "pull" permission for Image is enabled by default.
You can disable or delete a robot account using the "ACTION" list.
Using this feature, you can define rules that govern how many artifacts of a given repository to retain, or for how long to retain certain artifacts.
For more information such as add new rule, edit schedule, test rules, refer to the Harbor documentation.
The Tag Immutability feature allows you to configure tag immutability at the project level so that artifacts with certain tags cannot be pushed into Harbor if their tags match existing tags. This feature ensures that an immutable tagged image can neither be deleted nor be altered by re-pushing, re-tagging, or replicating.
For more details such as add a new rule, refer to the Harbor documentation.
Within this tab, you can configure webhooks so that the Harbor notifies the webhook endpoint of certain events that occur in a project, including push, pull, deletion of images and Helm charts, image scanning, and vulnerability discoveries.
This tab shows the available Scanners within a selected project.
You can configure projects so that the images with vulnerabilities cannot be run, and automatically scan images as soon as they are pushed into the project.
- To make all repositories under the project accessible to everyone, select the “Public” checkbox.
- To prevent un-signed images under the project from being pulled, select the “Enable content trust” checkbox.
- To prevent vulnerable images under the project from being pulled, select the “Prevent vulnerable images from running” checkbox and change the severity level of vulnerabilities.
Images cannot be pulled if their level equals to or higher than the currently selected level.
- To activate an immediate vulnerability scan on new images that are pushed to the project, select the “Automatically scan images on push” check box.
If the “Automatically scan images on push” feature is enabled, new internal robot accounts will be created and their activities are tracked under "Projects" > "Logs".
- To ignore certain Common Vulnerabilities and Exposures (CVE), create a whitelist of CVEs at the project level or copy from the system. You can also define the expiry of the whitelist item.
Any questions left?
Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.