Harbor: The Reference Architecture for Secure and Sovereign Container Registries

TL;DR

The Container Registry is the heart of your software supply chain. Trusting cloud services like AWS ECR blindly treats your images merely as files in a bucket. Harbor, on the other hand, is an active security platform. As a CNCF-graduated solution, it offers integrated vulnerability scanning, image signing, and replication across cloud boundaries. It ensures that only secure, verified software reaches your clusters—and that you retain sovereignty over your artifacts.

1. The Architectural Principle: Gatekeeper Instead of File Storage

Proprietary registries like AWS ECR are essentially just dumb data stores (“Blob Storage”). They accept images and serve them. Security checks are often optional or paid add-ons.

Harbor acts as an active gatekeeper.

• Policy Enforcement: You can define rules such as: “Prevent pull if the image has critical vulnerabilities (CVEs)” or “Allow only images signed by the QA department.”
• RBAC & Projects: Harbor offers an extremely granular permission system. You create projects (analogous to namespaces), assign users via OIDC/AD, and control exactly who can push, pull, or scan.

2. Core Feature: Proxy Cache & Performance

An often underestimated problem in Kubernetes clusters is the dependency on public registries (Docker Hub, Quay).

• Rate Limits: Docker Hub blocks IP addresses that pull too many images.
• Bandwidth: Every time a pod starts on a new node, the image is reloaded from the internet. This is slow and costly.

Harbor acts as a Proxy Cache. The cluster queries Harbor, Harbor retrieves the image once from Docker Hub and stores it locally. All subsequent pulls come with LAN speed directly from Harbor. This bypasses rate limits and saves massive bandwidth.

3. Security: Vulnerability Scanning & Signing

In times of supply chain attacks (like SolarWinds), software must be trustworthy.

• Trivy Integration: Harbor automatically scans images on push and (optionally) on a scheduled basis. It matches packages against current CVE databases and proactively warns.
• Notary / Cosign: Harbor supports image signing. This cryptographically ensures that the image running in the cluster is exactly the image your CI pipeline built—unchanged and unaltered.

4. Operating Models Compared: AWS ECR vs. ayedo Managed Harbor

Here it is decided whether your images are trapped or remain free to move.

Scenario A: AWS ECR (The Egress Cost Driver)

ECR is deeply integrated into AWS but inflexible for hybrid environments.

• The Egress Trap: ECR is cheap as long as you stay within the same AWS region. As soon as you pull images to another region, another cloud provider, or your local data center, you incur massive Data Transfer Fees.
• No True Replication: ECR can replicate between AWS regions but not to Azure or Google. A multi-cloud deployment becomes an administrative nightmare (juggling auth tokens).
• Limited Lifecycle: The options for cleaning up old images (Garbage Collection) are rudimentary in ECR and often hard to debug.

Scenario B: Harbor with Managed Kubernetes by ayedo

In the ayedo app catalog, Harbor is the central hub for artifacts.

• Multi-Cloud Replication: Harbor has a powerful replication engine. It can actively push and pull images to AWS ECR, Azure ACR, Google GCR, or other Harbor instances. Harbor becomes the central hub serving all satellites.
• Data Sovereignty: The images reside on your storage (PVCs or S3 bucket of your choice). You have full control.
• Robot Accounts: Harbor offers an excellent system for machine users (CI/CD), providing tokens with expiration dates and narrow scopes without needing to create real IAM users.

Technical Comparison of Operating Models

FAQ: Harbor & Supply Chain Strategy

Is Harbor only for Docker images?

No. Harbor is an OCI-compatible registry. This means it can store anything that conforms to the OCI standard: Docker images, Helm charts, Singularity containers, and even other artifacts (via ORAS). Thus, it serves as a central repository for all Kubernetes deployments.

Why should I use Harbor if I’m only on AWS?

Even then, it’s worth it for the security features. ECR offers scans via AWS Inspector, but Harbor allows you to enforce deployment policies (“Don’t start the pod if CVE > High”). This active blocking feature is largely missing in ECR or must be complexly built via admission controllers.

How do I handle large data volumes?

Container registries grow quickly. Harbor has aggressive garbage collection. You can define rules like “Keep only the last 5 tags matching ‘prod-’ and delete anything not pulled in 30 days.” This keeps storage usage and costs low.

Can Harbor also mirror images?

Yes. This is a classic use case for “air-gapped” or enterprise environments. Harbor can be configured to automatically pull images from an external source at night and provide them locally, so your developers don’t need to access the public internet.

Conclusion

Software security doesn’t start in the cluster; it starts with the image. AWS ECR is a good storage, but not a good guardian. Harbor fills this gap. It combines storage with governance, security scanning, and intelligent distribution. With the ayedo Managed Stack, companies get an enterprise-grade registry that ensures the software supply chain remains transparent, secure, and independent of a single cloud provider.