Kaspersky Container Security

Harbor integration

Integration of Kaspersky Container Security with the external Harbor registry can be performed in two ways:

Harbor treats the solution as an additional external scanner that scans objects for vulnerabilities. Integration with Kaspersky Container Security is configured using the Harbor scanner plugin. The solution names this automatically created image registry Harbor External Integration and marks the repository in which it is located with the Harbor icon.

This integration remains the only automatically created integration with Harbor, and the name assigned to the image registry cannot be changed.

To start the Harbor scan process, you need to know the endpoint of the Kaspersky Container Security API.

To create an integration upon Harbor request, you must have rights to view and configure scanning in CI/CD. Without these rights, Harbor cannot connect the solution as a scanner or scan objects as part of the CI/CD process.


Creating an integration upon Harbor request

To create a registry integration upon Harbor request, you must have a Harbor account with administrator rights, as well as rights to view and configure scanning in CI/CD in Kaspersky Container Security. If these rights are not available, Harbor will not be able to connect the solution as a scanner.

To create a Harbor integration upon Harbor request:

  1. From the main menu in the left pane of the Harbor web interface, select Administration → Interrogation Services.
  2. Click the New Scanner button.
  3. Enter the following information:
    • The unique name of the solution integration to be displayed in the Harbor interface.
    • If necessary, a description of the external scanner that is being added.
    • The address of the Kaspersky Container Security API endpoint displayed by Harbor.
  4. In the Authorization drop-down list, select APIKey as the authorization method when connecting the registry to the solution.
  5. In the APIKey field, enter the value of the API token.

    If the API token changes, you must specify its new value before starting the Harbor scan. If a new API token is not added to the external scanner settings in Harbor, the scan fails.

  6. Select the Skip certificate verification check box to skip certificate verification.
  7. If necessary, click Test Connection to verify that Harbor can connect to the solution.
  8. Click Add to create the integration.

In the list of available scanners under Administration → Interrogation Services → Scanners, Harbor shows the name assigned to the solution in Harbor.

The new scanner is used for scanning objects if it is specified as the default scanner in Harbor or assigned to the project. Both options require additional configuration in Harbor.
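The settings chosen in steps 3 to 6 can be reviewed after the fact. The following audit is an added example, not part of the Kaspersky or Harbor documentation: it checks scanner registrations for a non-HTTPS endpoint, skipped certificate verification, and an authorization method other than APIKey. It assumes the list comes from Harbor's `GET /api/v2.0/scanners`, with field names as in the Harbor v2.0 API; the sample data and host names are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what Harbor's GET /api/v2.0/scanners returns
# (field names assumed from the Harbor v2.0 API; host names are placeholders).
SAMPLE_SCANNERS = json.loads("""
[
  {"name": "kcs-scanner", "url": "https://kcs.example.internal/",
   "auth": "X-ScannerAdapter-API-Key", "skip_certVerify": true,
   "is_default": false, "disabled": false},
  {"name": "kcs-scanner-hardened", "url": "https://kcs.example.internal/",
   "auth": "X-ScannerAdapter-API-Key", "skip_certVerify": false,
   "is_default": true, "disabled": false},
  {"name": "kcs-scanner-http", "url": "http://kcs.example.internal/",
   "auth": "", "skip_certVerify": false,
   "is_default": false, "disabled": true}
]
""")

API_KEY_AUTH = "X-ScannerAdapter-API-Key"  # shown as "APIKey" in the Harbor UI


def audit_scanner(reg):
    """Return a list of (severity, message) findings for one registration."""
    findings = []
    if urlparse(reg.get("url", "")).scheme != "https":
        findings.append(("high", "endpoint is not HTTPS; the API token is sent in clear text"))
    if reg.get("skip_certVerify"):
        findings.append(("high", "certificate verification is skipped; the endpoint is not authenticated"))
    if reg.get("auth") != API_KEY_AUTH:
        findings.append(("medium", "authorization method is not APIKey"))
    if reg.get("disabled"):
        findings.append(("info", "scanner is disabled"))
    elif not reg.get("is_default"):
        findings.append(("info", "not the default scanner; it scans only projects it is assigned to"))
    return findings


def audit_all(scanners):
    """Map scanner name -> findings, for every registration in the list."""
    return {s["name"]: audit_scanner(s) for s in scanners}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SCANNERS).items():
        for severity, message in findings or [("ok", "no findings")]:
            print(f"{name}: [{severity}] {message}")
```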

After scanning is started, an integration with the solution upon Harbor request is created in the external registry. Kaspersky Container Security displays the created Harbor External Integration registry in the list of image registries in the Administration → Integrations → Image registries section. The repository containing images from the external registry is marked with the Harbor icon. Harbor External Integration is updated after starting and running another scan in the external registry.

You cannot add an image to an automatically created registry of images from Harbor by using the Add images button in the management console.

Harbor External Integration scans can be manually initiated or automatically started from the external registry. You cannot start scanning or rescanning images from the automatically created Harbor image registry in Kaspersky Container Security.

The Harbor External Integration registry (as well as the registry created as part of the standard integration with Harbor) is scanned in line with the applicable scanner policy.

At the end of the scan, the solution generates a report on vulnerabilities found during scanning of selected objects and sends it to Harbor. If sending a report takes more than five seconds (for example, because of the quality of the network connection), an error in receiving scan results is displayed in the external registry interface.


Viewing and editing the Harbor External Integration settings

The Harbor External Integration image registry is displayed in the list of registries integrated with Kaspersky Container Security in the Administration → Integrations → Image registries section.

To change the Harbor External Integration settings:

  1. Select the Harbor External Integration registry in the list of image registries in the Administration → Integrations → Image registries section.
  2. Specify the values of the following configurable settings:
    • Description on the Registry details tab.
    • Scan timeout on the Image scan details tab.

    You cannot change other Harbor External Integration registry details.

  3. Click Save.

Rescanning

After receiving the scan results, objects from the Harbor External Integration registry cannot be sent for rescanning from Kaspersky Container Security. Rescanning can only be initiated from Harbor.

If you create an integration with Harbor from Kaspersky Container Security and the created image registry is similar to Harbor External Integration, the following rules are applied to rescanning:

  • Scanning objects in the registry created in the solution does not trigger a rescan in Harbor External Integration.
  • Scanning objects in Harbor External Integration does not trigger a rescan in the registry created in the solution.