- Send it a k8s manifest file, and you get a newline-separated list of the OCI images its pods would run.
- Sometimes you want to do things with the list of images in a given set of Kubernetes manifests
- ...like scanning them for vulnerabilities.
- If one can pick Syft/Grype, this looks like it'll solve the same problem:
- But if one must use another image scanning tool (🙉), building this myself is the best I've found (yet?).

```console
$ go run main.go examples/statefulset.yaml
registry.k8s.io/nginx-slim:0.8
gcr.io/google-containers/sidecar
kiwigrid/k8s-sidecar
$ go run main.go examples/* | sort -u
busybox:1.28
gcr.io/google-containers/busybox
gcr.io/google-containers/sidecar
kiwigrid/k8s-sidecar
nginx
perl
registry.k8s.io/nginx-slim:0.8
$ kubectl -n kube-system get pod kube-proxy-mzp9j -o yaml | go run main.go -
registry.k8s.io/kube-proxy:v1.31.7
$ kubectl get pod -A -o yaml | go run main.go - | sort -u
# [...]
```

```console
# Syft:
$ go run main.go examples/job.yaml | xargs syft
# Snyk:
$ go run main.go examples/job.yaml | xargs snyk container test
# Docker Scout
$ go run main.go examples/job.yaml | xargs docker scout cves
```
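
Several references in the output above (`nginx`, `perl`, `gcr.io/google-containers/sidecar`) carry no tag or digest, so a scan covers whatever `latest` resolves to when the scanner pulls, which may not be what the cluster runs. The filter below is an added example, not part of this project's code: it reads the newline-separated list and reports every reference that is not pinned by digest (`Classify` and `Unpinned` are names chosen here).

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// How precisely an image reference identifies the content that will be pulled.
const (
	Digest = "digest" // name@sha256:..., immutable
	Tagged = "tag"    // name:1.28, mutable: a tag can be re-pushed
	Latest = "latest" // no tag or :latest, floats with every push
)

// Classify inspects one image reference as printed by the extractor.
func Classify(ref string) string {
	if strings.Contains(ref, "@") {
		return Digest
	}
	// Only a colon after the last "/" is a tag; an earlier one is a registry port.
	name := ref[strings.LastIndex(ref, "/")+1:]
	if _, tag, ok := strings.Cut(name, ":"); ok && tag != "latest" {
		return Tagged
	}
	return Latest
}

// Unpinned returns "<class>\t<ref>" for each input line not pinned by digest.
func Unpinned(r io.Reader) []string {
	var out []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		ref := strings.TrimSpace(sc.Text())
		if ref != "" && Classify(ref) != Digest {
			out = append(out, Classify(ref)+"\t"+ref)
		}
	}
	return out
}

func main() {
	for _, line := range Unpinned(os.Stdin) {
		fmt.Println(line)
	}
}
```

Pipe the extractor's output into it in place of a scanner to see which scan results depend on a mutable tag.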