Running your own registry makes sense when you have cost pressures, compliance requirements that demand it, or complex enough infrastructure requirements to need a single source of images to use across different platforms – but you do need the organizational maturity to make a success of it.
Container registries are about much more than the container image storage provided in the free (and very popular) Docker Registry.
Enterprises need image management covering the entire lifecycle of Open Container Initiative (OCI) artefacts, complete with security features like granular access control polices, image signing and vulnerability scanning, clustering and replication for high availability and scalability and the flexibility of a registry that can be deployed in multiple environments.
Harbor offers all that: centralised management of container images across different infrastructure locations and multiple cloud providers, running on-premises, in the cloud or in hybrid environments to offer consistency with a single source of truth for images that connects to CI/CD pipelines, plus the auditing, policy enforcement and role-based access control (RBAC) organisations need for compliance.
See also: Aspire brings .NET the enterprise tooling it always needed
While it’s powerful enough for enterprises with thousands of developers storing tens of thousands of container images amounting to terabytes of data across multiple data centres, it’s still usable for small teams with a handful of coders.
“Our customers are seeking greater control, flexibility, and security in managing their container registries,” Mirantis product manager Robert Illing told us. “Container registries aren’t just a convenience—they’re a critical part of their software supply chain. They’re tasked with securely storing, scanning, and distributing container images across a mix of environments: on-premises data centres, private clouds, and public cloud providers like AWS, Azure and Google Cloud. Harbor provides a unique combination of open-source innovation and enterprise-grade features that directly address their challenges.”
Along with Kubernetes itself, Harbor is probably one of the most mature CNCF projects: fully graduated, it’s used by a wide range of organisations from Lockheed Martin, JD.com, SNCF and CERN to the Dutch government, as well as technology providers like TikTok owner Bytedance and European cloud provider OVH. It’s an open source project that’s included in multiple Kubernetes distributions like Tanzu, Rancher and Red Hat OpenShift and is also available as a supported offering from providers like Mirantis and 8gears.
It’s not certainly the only choice: there are alternatives like Red Hat Quay (available as both open source and a commercial enterprise solution) and every cloud provider and source code management platform offers a registry – many based on Docker Registry, although some like OVH’s Private Managed Registry and Vultr are Harbor underneath.
OVH even contributed the Harbor operator for Kubernetes to make it easier for large-scale providers to swap out the standard services used for Harbor dependencies (the storage backend, databases and cache default to familiar technologies like PostgreSQL, MySQL and Redis but can run on other services if you already have them deployed) and simplify choosing which optional Harbor modules to load.
Harbor is often seen as complementary to commercial registries from JFrog, Sonatype and Cloudsmith, Harbor maintainer Vadim Bauer from 8gears explained.
“These classical artefacts like Java don't have operational criticality, so it’s not always a problem if the artefact store is offline for a certain time. However, in a container environment, the registry is a crucial part of deployment but also crucial for the operational workflow, if there’s rescheduling and pods go down or clusters come up. The dynamic nature of these environments requires a registry that is always available, unlike traditional artefacts that only need to be there when there is a new release.”
While smaller organisations might replace a commercial artefact store like JFrog or Sonatype with Harbor, larger organisations often add Harbor alongside an existing tool for the flexibility of running it on their own hardware or in the cloud, where it’s easier to manage access.
“Harbor can be deployed on cloud native infrastructure: the artefact store they already have in place is somewhere in the cellar, it's not available accessible from the outside,” Bauer noted.
Harbor integrates with enterprise LDAP and Active Directory systems for user authentication and management but it’s also more flexible than cloud registries if you’re working with external partners or consultants. “It’s sometimes quite difficult to onboard them in the IAM systems of cloud providers because those are tied to employee enrolment systems.”
At the other extreme, it’s the obvious choice for regulated organisations that need to run air gapped environments.
Single source of truth
For many organisations, the appeal of Harbor is that it both acts a centralised hub for on-premise workloads, ensuring compliance with internal security policies across multiple locations, but also connects to OCI-compliant public cloud registries, replicating images for deployment based on policies and filters, which simplifies hybrid cloud operations.
“With Harbor, they get the best of both worlds,” Illing said. “It enables them to consolidate image management while maintaining the flexibility to push and pull images across diverse environments.”
That’s important for efficiency and consistency in ‘day two operations’ as well as deployment. “If you have all these little siloes, you might unintentionally get a fragmented security policy.”
Harbor works well for the increasingly complex infrastructures in many organisations, as teams make different choices or acquisitions bring applications and infrastructure with them: it handles load balancing, high availability, multi-data centre, hybrid and multi-cloud scenarios.
“The way many people use Harbor is to deploy a central Harbor registry where every artefact from across the organisation, all the teams, are in one place so they can apply the same policies, same rules and same workflows,” Bauer said. That can include caching images from popular project that use public registries, to avoid disruption from rate limiting.
From there, images can be deployed directly to clusters or replicated to and from other registries. For organisations needing a more distributed option, especially for intermittently connected environments, Harbor’s new Satellite feature will ship in 2025, adding high availability for defining subsets of images that will not just replicate but automatically sync from the centrally managed registry to local registries.
If you’re using cloud services for Kubernetes workloads, Harbor already replicates to cloud registries for easy deployment. Even if you only use a single cloud platform, you might choose Harbor because the convenience of tight integration with the cloud provider’s own registry can also tie you to that cloud.
“We use Azure, but we wanted to stay cloud agnostic,” explained Raúl Garcia Sanchez, application platform lead at German Internet exchange DE-CIX. Rather than using Azure Registry, running Harbor in an AKS cluster (with images stored in an S3 bucket) gives them flexibility to move to another cloud provider or even back to on-premises infrastructure if that makes sense in the future. “We could easily spin up a cluster here in house and just start exactly the same services in exactly the same way.”
Using Docker Registry would mean implementing authentication, cache functionality, vulnerability scanning and project management separately. “All of this just comes for free when you use Harbor and it’s free to use, so the decision was very easy.”
He described setup and maintenance as straightforward and the registry as easy for users to understand. “We use Terraform to configure all the Harbor parameters and it also integrates well with identity providers so you can easily use YDC (Yubico Directory Connector) for authentication, for instance). And the feature stack is exactly what we needed.” Harbor can be configured via API using Pulumi or even cloud CLIs, making it easy to integrate.
“If you compare Harbor with other solutions, there is no solution that includes all of this and that comes so well integrated, and with such a good community.” Taking Kubecon as a barometer of interest, he noted “there is basically no one talking about any other container registries.”
Open, supported and thriving
Originally a VMware project, Harbor is one of the more mature CNCF offerings and although Broadcom's plans aren’t entirely clear (historically, it hasn’t made any significant investments in open source and none of the VMware Harbor team attended the most recent Kubecon North America), the strong open source community with a wide range of contributors means there's no anxiety about the future; there are already significant new features on the roadmap.
It’s also reassuring that Harbor builds on other familiar open source components like Docker Distribution (the technology that powers Docker Registry), Cosign for signing container images (replacing Notary which was no longer in active development), Clair and Trivy for vulnerability scanning and NGINX for serving the portal.
Join peers following The Stack on LinkedIn
Organisations often choose Harbor specifically because it’s open source, to avoid vendor lock-in. SNCF previously used a closed source registry tool but a few years ago became unhappy with increases in licence costs, especially as it was missing important features like artefact replication and storing Helm chart and slow to respond to requests for improvements. “It was important to us that the product we were going to use was open source and the best thing was that it was at the CNCF,” Florian Blampey, platform engineer at SNCF and maintainer of the Terraform Harbor provider, told us.
Harbor already had the features they wanted and “we thought with a CNCF project, it should be easier to improve the software”. That’s proved true. “We’re happy users and when we ask for new features, most of the time they happen.” That includes not just minor bugs and general issues like performance but more significant new features like Security Hub where admins can see all CVEs and vulnerability artefacts across the registry.
“Harbor has the largest upstream community for cloud native registries,” Illing noted. “We contribute and so do many large enterprises; the upstream community includes [larger vendors like] Rackspace and SUSE, individuals, medium-sized businesses… That means when you look at CVEs, those are just quicker [to get dealt with]; when you look at bugs and general security challenges, those are just quicker, when you look at features, there’s a larger upstream ecosystem to help address all of that.”
Garcia Sanchez agrees. “The functionality is very nice and it’s very well integrated. It's actively developed, so there are new features coming every [release] and they keep everything up to date, so there aren’t a lot of vulnerabilities.”
Much more than containers
Harbor isn’t just for container images (or artefacts like Bicep modules and Radius recipes that can be stored in a container image): it can store other OCI artefacts. Helm charts are an extremely popular workload - putting application-related artefacts like documentation and configuration files close to the workload is efficient – but it also supports more niche options like WASM and OPA policies. Again, the appeal is obvious: running a distributed, highly available registry can be a significant commitment and no one wants to stand up a new registry for every new type of artefact they need to store.
“People are using Helm charts extensively with Harbor; it’s slowly taking over compared to the traditional Helm charts format and storage method because it has a few advantages,” Bauer noted but also highlighted a recent trend he expects to become more common: storing AI models in Harbor registries. “People who are running Harbor on premise tend to also run their own data models on premise, so this goes hand in hand.”
Harbor has supported storing machine learning models for Kubernetes workloads since 2020, using an OCI schema to handle them (which could also be used for other custom artefacts). This separates the model (which changes frequently) from the model server (which doesn’t) and uses Harbor’s webhooks to trigger notifications: as soon as a model is updated and pushed to Harbor, that new model can automatically be redeployed.
Some organisations also use Harbor to store training or evaluation data: a Swiss medical research institute stores test data, training data, X-rays and DNA models all as OCI artefacts. He predicted better support for AI models in future. “Hopefully there’s going to be some standardization for storing AI models in OCI: there's already some work in this space and we hope we will support this as first class [artefacts].”
There’s also interest in bringing more artefact types to OCI. Google Artefact Registry already stores Maven, npm, Python, Apt and Yum packages alongside container images but rather than adding new artefact types to Harbor, Bauer hopes to see artefacts adopt OCI schemas because of the larger benefits it offers for supply chain security with Harbor’s support for signing, vulnerability checking and SBOMs (creating a list of dependencies, versions and associated licences, on demand or automatically when an image is pushed).
“In Maven, there is no concept [of an SBOM] built in so it needs to be added on top: you need to have a specific thing to do it and then you cannot hook it up to your other processes, like you do with OCI. If you could do it the same way for Maven artefacts that you can with OCI, then you can sign them the same way, you can attach the SBOM in the same way at the same place, and you can really containerize those artefacts so they fit in the same workflow and ecosystem.”
The right place in the pipeline for security
Sitting close to the end of the delivery pipeline makes Harbor a good place bring everything together and visualize CVEs, vulnerabilities and other security issues. Image scanning detects and blocks vulnerabilities before they can reach production, while audit logging of image activity improves traceability and operational confidence.
“CISOs are really interested in this aspect because they want to have everything in one place, because then they can run analytics, they can run the export, they can run SBOMs, they can run the vulnerability checks in one central place,” Bauer explained.
Harbor replaces multiple other tools that used to be required to create, package and consume SBOMs, simplifying supply chain security by making it just another artefact to work with.
With hundreds of images used hourly, DE-CIX hasn’t turn on creating SBOMs by default but Garcia Sanchez noted he recently saw the first internal request for an image SBOM. “If people need an SBOM, they can easily produce it.”
So far, it seems to be mainly government and regulated organisations using Harbor’s SBOM support, but Bauer predicted this will become more significant, especially with the EU’s proposed Cyber Resilience Act requiring anyone selling into the European market to provide supply chain transparency via SBOMs. “This will become more mature and more usable, and I think it will also become more actionable. Currently we're just producing it to have it, and a lot of organization don't act on it, but in the future, this information will definitely be something organisations will act upon.”
More improvements like the Security Hub will simplify this “so that people can make better decisions before they deploy software”. That’s the kind of feature that means Harbor isn’t just an infrastructure tool, good as it is at that: it’s becoming increasingly strategic.
