search

goharbor / harbor-helm

The helm chart to deploy Harbor
Apache License 2.0
1.17k stars 758 forks source link

Add architecture/service map with ports #1795

Open snakebyte91 opened 1 month ago

snakebyte91 commented 1 month ago

After upgrading from helm chart v1.14.0 to v1.15.0 we noticed in our test environment that the trivy pod sends requests to the core pod now.

v1.14.0 Trivy -> registry

v1.15.0 Trivy -> core

Is there any service/architecture map with ports? That would help us to write/optimize the network policies and we could also contribute the network policies to the helm chart.

zyyw commented 1 month ago

@snakebyte91 could you please provide us with details showing that trivy pod sends requests to registry in Harbor helm v1.14.0 while trivy pod sends requests to core in Harbor helm v1.15.0?

We do introduced SBOM generation in harbor helm v1.15.0, in addition to vulnerability scan in v1.14.0, but these two features follow the same request-response process as defined in this pluggable-scanner-spec. There should be no changes regarding the request-response between harbor component and trivy pod.

snakebyte91 commented 1 week ago

Sorry for the delay I was on parental leave. I compared the network policies from our dev and prod environment and I saw that in our prod environment the trivy pod was already able to send requests to the core pod. That rule was missing in our dev environment. So there is no change between 1.14 and 1.15.

It would be great to have a service map with ports so it would be much easier to write the right network policies.