Secure AI Workflow Artifacts with Harbor Vulnerability Scanning

Question

Pulumi · Accepted Answer

Securing AI workflow artifacts involves ensuring that your container images are free from known vulnerabilities before they are deployed. Using Harbor with Pulumi, you can automate vulnerability scanning for your container images. Harbor is an open-source container image registry that secures images with policies and vulnerability scanning.

The Pulumi program below demonstrates how to set up a project in Harbor to store your AI workflow artifacts (like container images) and automatically scan them for vulnerabilities. The program includes the following steps:

1. **Create a Harbor Registry**: The registry is where your container images will be stored. This requires specifying an endpoint URL and other details to connect to your Harbor instance.

2. **Configure Vulnerability Scanning**: We set up a task for vulnerability scanning using the `harbor.Tasks` resource and configure the vulnerability scanning policies with the `harbor.ConfigSecurity` and `harbor.InterrogationServices` resources.

3. **Create a Harbor Project**: The project stores all the configuration and images. It's also where we will set up webhooks for events related to the images stored, such as pushing new images or completing a vulnerability scan.

4. **Set up Immutable Tag Rules**: This ensures that once an image with a specific tag is pushed to the registry, it cannot be overridden by subsequent pushes, which helps to maintain the integrity of your artifacts.

Every Pulumi program follows this basic structure: you'll import the necessary packages, set up resources, and then export any important values at the end. The exported values typically include URLs, identifiers, or access points for your infrastructure.

Here is how you would use Pulumi to set up Harbor for your AI workflow artifacts:

```python
import pulumi
import pulumi_harbor as harbor

# Create a Registry in Harbor
my_registry = harbor.Registry("myRegistry",
    access_id="ACCESS_ID",               # Replace with your access ID.
    access_secret=pulumi.Output.secret("ACCESS_SECRET"),  # Replace with your access secret.
    description="Registry for AI artifacts",
    endpoint_url="https://my-harbor-registry.endpoint",   # Replace with your Harbor endpoint URL.
    provider_name="REGISTRY_PROVIDER_NAME"                # Replace with your provider name (e.g., 'docker-registry')
)

# Configure the vulnerability scanning policies
security_config = harbor.ConfigSecurity("securityConfig",
    cve_allowlists=["CVE-ALLOWLIST"],    # Replace with your CVE allowlist.
    expires_at=123456789                 # Replace with your expiration time in POSIX time.
)

# Create a scanning task in Harbor
scan_task = harbor.Tasks("scanTask",
    vulnerability_scan_policy="DAILY"
)

# Create a Harbor project for AI artifacts
ai_project = harbor.Project("aiProject",
    name="ai-workflow-artifacts",
    vulnerability_scan_at_creation=True,
    public=False  # Set to `True` if you want the project to be accessible publicly
)

# Create an immutable tag rule to protect certain image tags from being overwritten
immutable_tag_rule = harbor.ImmutableTagRule("immutableTagRule",
    project_id=ai_project.id,
    repo_matching="**",
    tag_matching="release-*"
)

# Export the Harbor project name
pulumi.export("harbor_project_name", ai_project.name)
```

In the code above, replace the placeholders such as `ACCESS_ID`, `ACCESS_SECRET`, `CVE-ALLOWLIST`, and the `endpoint_url` with your actual Harbor registry's credentials and information.

This Pulumi program sets up a Harbor registry and project using the `harbor.Registry` and `harbor.Project` resources. It configures a CVE allowlist and an expiry policy using the `harbor.ConfigSecurity` resource and sets up a scan task with `harbor.Tasks`. Finally, it exports the Harbor project's name for use in other programs or outputs.

For your actual setup, you would fill in each of these resources with the appropriate details specific to your Harbor instance and your AI workflow needs. Remember that any sensitive information, such as `access_secret`, should be handled as secrets within Pulumi to prevent them from being exposed in plaintext.

You can obtain more information about each resource from the Pulumi Harbor provider documentation:
- [harbor.Registry](https://www.pulumi.com/registry/packages/harbor/api-docs/registry/)
- [harbor.ConfigSecurity](https://www.pulumi.com/registry/packages/harbor/api-docs/configsecurity/)
- [harbor.Tasks](https://www.pulumi.com/registry/packages/harbor/api-docs/tasks/)
- [harbor.Project](https://www.pulumi.com/registry/packages/harbor/api-docs/project/)
- [harbor.ImmutableTagRule](https://www.pulumi.com/registry/packages/harbor/api-docs/immutabletagrule/)

Setting up Harbor with vulnerability scanning in this way helps ensure that the AI artifacts are secure before they are used, complying with the desired security policies.