Authentication with JWT Tokens

[amitkumar2283]

For security reasons, we would like to use Harbor with JWT authentication. The K8s clients will use externally provided JWT tokens for authentication against Harbor.

flow:
k8sClient -> sends JWT token -> API gateway intercepts the communication and authenticates using the Token -> forwards the traffic to backend service (registry)

I have some questions:

1. Is this a general pattern? If yes, is there an existing API Gateway that we can utilize, or should we write our own?
2. how do we provide the JWT to the k8s deployments? Can we store the JWTs in a generic secret and use that for imagePullSecret
3. Are there any other pointers that may help us in designing the solution?

[MinerYang]

Hi @amitkumar2283
You could do so theoretically as long as:

• This token needs either generated by harbor token service or self-generated with proper claims.
• If it is self-generated claims, you need to mount the private_key in the harbor-core container
• If it is generated by harbor token service, you need to managed the rotation after it's expired.
• For clients that you push/pull image, you just need to make sure add the auth header with your request via proxy settings or clients settings)

[amitkumar2283]

Thanks @MinerYang
Before going this route, I was trying to validate the token-service functionality of Harbor. For this, Harbor was installed on a k8s cluster with an out-of-the-box configuration.

When I try to access the token service, I get the below:
curl https://habor-url/service/token

Output:

Unable to handle service:

Is there a missing configuration or did I not interact with the service correctly?
Also, I don't see any pointers in the logs.

[MinerYang]

Hi @amitkumar2283 ,

• Let me clarify that the JWT token is normally and only available for /v2 registry api call (which means harbor api other than push/pull function would not take effect.)
• Since harbor would evaluate the permissions and roles when generate jwt token and handle it internally, as known as Role-Based Access Control (RBAC) is applied to projects. So it might not be a best practice to manually do this process and using harbor auth by JWT token directly.
• One thing that I am curious why you need JWT token to be the credential for the cluster instead of username:password token as the credential? Could you give me more contexts on this?

[amitkumar2283]

Here is more context:
We have an existing harbor registry setup that serves images to our customers. The customer has thousands of k8s endpoints that pull images and helm charts from our registry across the globe, currently using shared basic auth creds.
There is a security concern raised that since this basic auth is shared across all the client endpoints, we would like short-lived credentials that can be self-generated by endpoints.

This is the workflow we are planning:

1. Receive a token request from the customer k8s endpoint.
2. Intercept and validate that the request (APIGateway?) is from a genuine customer (using PKI)
3. if genuine, contact the harbor token service and serve the JWT (expiry of around 2 hours) token back to the customer.
4. The customer uses the issued JWT for further operations

The endpoints WILL NOT be interacting with Registry API; they are only going to pull images/charts.
Right now I am validating Harbor's ability to generate tokens (step 3) manually

[amitkumar2283]

i think it will be containerd

[amitkumar2283]

right now we are looking at finding a way to request JWT Tokens from harbor, which is not working as explained in an earlier comment in this thread

[MinerYang]

You could try to issue one by using this call, make sure the user that you provide has permissions to push/pull on the repository that you expected. Only this token service can leverage the scope and permissions.

i.e: user A needs a token for push and pull permissions for repository library/hello-world
the default expiration time for each token would be 30 min

curl -k -u '<username A>:<password>'  'https://<harbor-hostname>/service/token?scope=repository:library/hello-world:push,pull&service=harbor-registry'

[amitkumar2283]

perfect. This generated the JWT.

can I use this token with docker/crictl to pull images? Below one failed for me. (Is this even possible):

command:

docker login -u jwt -p <generatedJWTtoken> <harbor-hostname>

output

Error response from daemon: Get "https://<harbor-hostname>/v2/": unauthorized:

[MinerYang]

The prerequisite by using JWT token directly is this bearer token sent as an Authorization header when requesting pushing as it mentioned above. So for either docker client or containerd , you need to figure out how to/ or is it supported to set auth by bearer token instead of basic auth. Otherwise, the client regard this still as username:password mode.