Harbor: Why are robot accounts scoped to the project?

Created on 22 May 2019 · 8 comments · Source: goharbor/harbor

Hi,

We don't use LDAP auth because we missed the local-user feature for Jenkins, Kubernetes, etc.

In v1.8.0 we now have robot accounts, great! But we cannot use a single user/password for multiple projects because robot accounts are scoped to the project. And Docker doesn't support multiple accounts for one registry in a single Docker config :/

I wonder why robot accounts are scoped to the project?

Labels: kind/question, kind/requirement
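The "single Docker config" limitation in the post comes from the shape of `~/.docker/config.json`: the `auths` map is keyed by registry host, so a second robot account for the same Harbor host overwrites the first. The following is an added example, not code from the original issue or from Harbor; it builds that config from constructed robot credentials to show the collision, and then emits the equivalent of one `kubectl create secret docker-registry` manifest per project, which is the per-project pull-secret layout the thread is complaining about. The hostname `harbor.example.com`, the robot names and the token values are all constructed for the example.

```python
import base64
import json
from typing import Dict, List, Tuple

# Constructed values for this example. Harbor robot account names take the
# form "robot$<name>"; the password is the token Harbor shows once at creation.
REGISTRY = "harbor.example.com"  # assumed hostname
ROBOTS: List[Tuple[str, str, str]] = [
    ("my-project", "robot$my-project-ci", "token-for-my-project"),
    ("library", "robot$library-ci", "token-for-library"),
]


def docker_auth(user: str, secret: str) -> str:
    """The 'auth' field of a Docker config entry: base64("user:password")."""
    return base64.b64encode(f"{user}:{secret}".encode()).decode()


def build_docker_config(entries: List[Tuple[str, str, str]]) -> Dict:
    """Build a ~/.docker/config.json from several robot accounts.

    'auths' is keyed by registry host only, so every entry for the same
    Harbor host lands on the same key and the last one silently wins.
    """
    config: Dict = {"auths": {}}
    for _project, user, secret in entries:
        config["auths"][REGISTRY] = {"auth": docker_auth(user, secret)}
    return config


def credentials_kept(config: Dict) -> List[str]:
    """Return the usernames that actually survived in the config."""
    return [
        base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        for entry in config["auths"].values()
    ]


def pull_secret_manifest(namespace: str, project: str, user: str, secret: str) -> Dict:
    """Manifest equivalent to `kubectl create secret docker-registry` for one project."""
    dockerconfig = {
        "auths": {
            REGISTRY: {"username": user, "password": secret, "auth": docker_auth(user, secret)}
        }
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": f"harbor-{project}", "namespace": namespace},
        "data": {
            ".dockerconfigjson": base64.b64encode(json.dumps(dockerconfig).encode()).decode()
        },
    }


def per_project_secrets(namespace: str) -> List[Dict]:
    """One pull secret per project: the maintenance burden grows with projects."""
    return [pull_secret_manifest(namespace, p, u, s) for p, u, s in ROBOTS]


def username_in_secret(manifest: Dict) -> str:
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"]).decode()
    return json.loads(raw)["auths"][REGISTRY]["username"]


if __name__ == "__main__":
    cfg = build_docker_config(ROBOTS)
    print("credentials left in one Docker config:", credentials_kept(cfg))
    for m in per_project_secrets("ci"):
        print(json.dumps(m, indent=2))
```

Because `auths` only has one slot per host, a CI agent that needs to reach two projects cannot do it with one Docker login; Kubernetes sidesteps this with one `dockerconfigjson` Secret per project and per namespace, which is exactly the proliferation later comments describe.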

All 8 comments

From the security perspective, Harbor doesn't store the password (JWT token) of the account; that means the token cannot be modified once it is created. In other words, the robot account cannot be added to another project.

Let's keep this issue open to get more thoughts.

Is it possible to treat the robot account as a normal account, but with a robot tag? One project corresponds to one robot, which has a great impact on our succession. If we add items here, we need to add robots and then sync them to the K8s secret. It will be difficult to maintain this secret when there are more projects.

Scoped permissions become an issue when an image in one project is expected to extend an image from another project, which is a well-used pattern in Docker. Consider the following, which is currently not possible with robot accounts:

```dockerfile
# Dockerfile for `example.com/my-project/my-image`.
FROM example.com/library/base-image
```

Running `docker build` will fail when using a robot account, since it is scoped to my-project and will not have any access to library, even if the robot account has both pull and push access on my-project.
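The maintainer's earlier point (the robot token is a signed JWT that Harbor does not keep, so its scope cannot be edited afterwards) and the `FROM example.com/library/base-image` failure above are two sides of the same mechanism. The block below is an added example, not Harbor's code: it mints a token whose `access` claim lists one project's repository resource, checks a pull on `library` against it, and shows that widening the claim by hand breaks the signature. The claim layout (`access` entries with `resource` and `action`), the project IDs and the HS256 signing key are assumptions made so the example runs offline; Harbor signs robot tokens with its own key material, not this one.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed signing key for this example only; a stand-in for Harbor's key.
SIGNING_KEY = b"example-only-signing-key"

# Constructed project IDs: example.com/library and example.com/my-project.
LIBRARY_ID = 1
MY_PROJECT_ID = 2


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_robot_token(project_id: int, actions: List[str]) -> str:
    """Mint a robot token whose scope is a single project's repository resource.

    Assumed claim layout: an "access" list of resource/action pairs. The
    scope is part of the signed payload, so Harbor never needs to store it.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": "robot$my-project-ci",  # constructed robot name
        "access": [
            {"resource": f"/project/{project_id}/repository", "action": a}
            for a in actions
        ],
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_and_decode(token: str) -> Optional[Dict]:
    """Return the payload if the signature is valid, otherwise None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def authorized(token: str, project_id: int, action: str) -> bool:
    """Would the registry allow `action` on `project_id` with this token?"""
    payload = verify_and_decode(token)
    if payload is None:
        return False
    resource = f"/project/{project_id}/repository"
    return any(
        e.get("resource") == resource and e.get("action") == action
        for e in payload.get("access", [])
    )


def widen_scope(token: str, extra_project_id: int) -> str:
    """Tamper: append another project to the payload without re-signing."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["access"].append(
        {"resource": f"/project/{extra_project_id}/repository", "action": "pull"}
    )
    return f"{h}.{_b64url(json.dumps(payload).encode())}.{s}"


def demo() -> Dict[str, bool]:
    token = make_robot_token(MY_PROJECT_ID, ["pull", "push"])
    return {
        "push_my_project": authorized(token, MY_PROJECT_ID, "push"),
        "pull_library": authorized(token, LIBRARY_ID, "pull"),
        "pull_library_after_tamper": authorized(
            widen_scope(token, LIBRARY_ID), LIBRARY_ID, "pull"
        ),
    }


if __name__ == "__main__":
    print(demo())
```

`pull_library` is false for exactly the reason the `FROM` line fails: the `library` resource is not in the signed claim. The only way to add it is to mint a new token, which is why the UI cannot "attach" an existing robot to a second project.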

Hi, everyone. We are currently working through the IP whitelist. Add the network segment of the intranet IP to the IP whitelist, and it has pull/push permission. This network segment can be set by itself. And you don't need to remember any passwords. But is there a risk in this? Is there a security risk when a machine is compromised?

I have started a topic about it, but it is not scoped to the project; the web UI only allows setting it per project. But with the command line you can set a robot account for many projects.

@qiqizjl how do you map the JWT to a secret? Do you write code to re-inject it into the k8s pull secret if we refresh the token?

We understand the requirement well enough; tracking here: https://github.com/goharbor/harbor/issues/10774
