Harbor insecure default configuration when installed with Harbor-helm #security
Attention Harbor Users:
I want to make everyone aware of the default insecure configuration in Harbor that was reported to us recently.
When installing Harbor with Harbor-helm, there is an option named core.secretName in the values.yaml.
The insecure configuration is not present in:
The following Harbor-helm releases have a fix that removes the default insecure configuration possibility:
Harbor-helm: v1.3.18, v1.9.6, 1.10.4, and v1.11.1, In case Harbor is installed with these versions of Harbor-helm, the Harbor instance does not use the default insecure configuration.
Upgrading harbor-helm to a fixed version does NOT fix the issue in existing Harbor instances. The following workaround removes the insecure default configuration.
Note for users of Harbor robot accounts: Because robot accounts use the same key to generate a token, after applying the workaround or upgrading to the latest Harbor helm which fixes this issue, Harbor administrators need to regenerate the robot account token to allow them to log in to Harbor. If the robot account is marked as "Legacy" in the Web UI, administrators cannot rotate it, need to delete it and recreate a new robot account. The affected Harbor helm versions include 1.3.0 - 1.3.17, 1.4.x, 1.5.x, and 1.6.x.
For more information
If you have any questions or comments about this advisory:
Open an issue in the Harbor repository
Thanks to Sam Erb from Google for reporting this issue.
The Harbor Team
|1 - 1 of 1|