Harbor Operator is capable of managing the projects of a Harbor instance.
The following operations involving projects are currently supported:
- Create, update and delete projects
- Manage group and user memberships of projects
- Update a projects storage quota
By default, the operator reconciles all HarborProject resources every 5 minutes. Changes applied manually to operator-managed projects will be overwritten. The reconciliation interval can be configured using the key controllers.harborProject.requeueAfterMinutes in the operator's values.yaml.
Harbor projects can be managed by deploying a HarborProject resource to your Kubernetes cluster.
cveAllowList: List of CVE-strings. This sets the CVE allow list of the project.harborServerConfig: Name of aHarborServerConfigresource containing the reference and configurations for the harbor instance to manage.memberships: List of members. Members are defined as follows:name: Name of the member. Has to match with a existing user or group in the harbor instance.role: Role of the member in the project. This controls the member's permissions on the project. Can be eitherprojectAdmin,developer,guestormaintainer. See the Harbor Docs for further info on member permissions.type: Type of the member, can begrouporuser.
metadata: Miscellaneous project metadata.autoScan: Boolean. Whether to scan images automatically after pushing.enableContentTrust: Boolean. Whether content trust is enabled or not. If enabled, user can't pull unsigned images from this project.enableContentTrustCosign: Boolean. Whether cosign content trust is enabled or not. Similar to enableContentTrust, but using cosign.preventVulnerable: Boolean. Whether to prevent vulnerable images from running.public: Boolean. Whether the project should be public or not.reuseSysCveAllowlist: Boolean. Whether this project reuses the system level CVE allowlist for itself. If this is set totrue, the actual allowlist associated with this project will be ignored.severity: If an image's vulnerablilities are higher than the severity defined here, the image can't be pulled. Can be eithernone,low,medium,highorcritical.
projectName: The name of the harbor project. Has to match harbor's naming rules.storageQuota: The project's storage quota in human-readable format, like in Kubernetes memory requests/limits (Ti, Gi, Mi, Ki). The Harbor's default value is used if empty.
apiVersion: goharbor.io/v1beta1
kind: HarborProject
metadata:
name: metadata-enabled
spec:
harborServerConfig: harborcluster
metadata:
autoScan: true
enableContentTrust: true
enableContentTrustCosign: true
preventVulnerable: true
public: true
reuseSysCveAllowlist: true
severity: "critical"
projectName: metadata-enabled
storageQuota: 10GiapiVersion: goharbor.io/v1beta1
kind: HarborProject
metadata:
name: users-and-groups
spec:
harborServerConfig: harborcluster
memberships:
- name: admin
role: projectAdmin
type: user
- name: testgroupA
role: maintainer
type: group
- name: testgroupB
role: developer
type: group
- name: testgroupC
role: guest
type: group
projectName: users-and-groups
storageQuota: 10GiapiVersion: goharbor.io/v1beta1
kind: HarborProject
metadata:
name: cve-allowlist
spec:
cveAllowList:
- CVE-2021-3121
- CVE-2021-43816
- CVE-2022-31836
- CVE-2023-25173
harborServerConfig: harborcluster
metadata:
reuseSysCveAllowlist: false
projectName: cve-allowlist
storageQuota: 10GiapiVersion: goharbor.io/v1beta1
kind: HarborProject
metadata:
name: cve-allowlist-syscve
spec:
cveAllowList:
- CVE-2021-3121
- CVE-2021-43816
- CVE-2022-31836
- CVE-2023-25173
harborServerConfig: harborcluster
metadata:
reuseSysCveAllowlist: true # will overwrite project cveAllowlist if set
projectName: cve-allowlist-syscve
storageQuota: 10Gi