Inferensys

Glossary

Harbor

An open-source, cloud-native container registry that extends the Docker Distribution with security scanning, identity management, and policy-based image replication.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
CLOUD-NATIVE REGISTRY

What is Harbor?

Harbor is an open-source, cloud-native container registry that extends the Docker Distribution with integrated security scanning, identity federation, and policy-driven replication.

Harbor is an open-source, cloud-native container registry that extends the open-source Docker Distribution with enterprise-grade features. It provides integrated vulnerability scanning, identity management via LDAP/OIDC, and policy-based image replication across geographically distributed instances, serving as a secure, compliant artifact repository for container images and OCI artifacts like Helm charts.

Operating as a private registry, Harbor enforces content trust through integration with Notary and Cosign, cryptographically validating image signatures before deployment. Its built-in garbage collection and retention policies manage storage quotas, while geo-replication ensures high availability. Harbor's admission controller integrations enable Kubernetes-native enforcement, preventing unsigned or vulnerable images from being instantiated in production clusters.

ENTERPRISE CONTAINER REGISTRY

Core Capabilities of Harbor

Harbor extends the open-source Docker Distribution with security scanning, identity management, and policy-based replication, providing a production-grade private registry for cloud-native AI workloads.

02

Identity Federation and RBAC

Harbor decouples authentication from the registry itself, supporting integration with LDAP, Active Directory, and OIDC providers. Once authenticated, fine-grained role-based access control governs every operation:

  • Project-level isolation: Each project is a namespace with its own user, robot account, and role assignments
  • Robot accounts: Machine identities with narrowly scoped permissions for CI/CD pipelines
  • Audit logging: Every pull, push, and delete action is recorded for compliance
04

OCI-Compliant Artifact Storage

Beyond container images, Harbor functions as a generic OCI-compliant artifact repository. It can store and serve any content type that adheres to the OCI distribution specification, including:

  • Helm charts: Versioned Kubernetes application packages
  • Cosign signatures: Cryptographic attestations stored alongside images
  • SBOMs and provenance: Supply chain metadata attached as referrer artifacts This unified storage model eliminates the need for separate artifact registries.
05

Garbage Collection and Retention

Harbor provides automated storage reclamation through garbage collection and tag retention policies. These mechanisms prevent unbounded storage growth in production registries:

  • Garbage collection: Removes untagged manifests and unreferenced layer blobs
  • Retention policies: Automatically delete images based on tag count, age, or vulnerability severity
  • Quota management: Enforce per-project storage limits to prevent resource exhaustion
06

Proxy Cache for Air-Gapped Environments

Harbor can operate as a pull-through proxy cache, mirroring upstream registries like Docker Hub or Quay.io. This capability is essential for air-gapped or bandwidth-constrained deployments:

  • Local caching: First pull fetches from upstream; subsequent pulls serve from local cache
  • Offline operation: Pre-populate the cache before disconnecting from external networks
  • Bandwidth reduction: Eliminate redundant external downloads across large node fleets
HARBOR REGISTRY

Frequently Asked Questions

Clear answers to common questions about Harbor, the open-source cloud-native registry for securely storing, scanning, and signing container images and OCI artifacts within sovereign infrastructure.

Harbor is an open-source, cloud-native container registry that extends the open-source Docker Distribution with enterprise-grade features including vulnerability scanning, identity management, and policy-based image replication. It functions as a private artifact repository that stores, signs, and scans container images and OCI-compliant artifacts. Harbor deploys as a set of Docker containers orchestrated by Docker Compose or Kubernetes, with a PostgreSQL database for metadata, Redis for job queuing, and a Trivy or Clair scanner for vulnerability analysis. It proxies the upstream Docker Distribution API while adding a robust authentication layer, a web portal for management, and a comprehensive REST API for automation. When an image is pushed, Harbor automatically triggers a vulnerability scan against known CVE databases, enforces image signing policies via Notary or Cosign integration, and can replicate the artifact to remote registry instances based on configured replication rules. This architecture ensures that only trusted, scanned, and compliant artifacts enter production environments.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.