When operating a k8s cluster with an admission controller that limits the allowed registries, it's desirable to check manifests to verify they only refer to such images.
Is there a well-established and correct way to process a Kubernetes manifest stream such as Kustomize output and list all container images it references? Including all `Deployment`s, `StatefulSet`s, `Job`s, CRDs that embed `PodTemplate`, etc?
I landed up writing my own, then realised this must be a solved problem. `kustomize` has the `images:` transformer to rewrite images, but it doesn't seem to be able to list the candidates the transformer inspects. Surely there's something?
For example, if I have the `kustomization.yaml`:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- "https://github.com/prometheus-operator/kube-prometheus"
```
I want to be able to run some `getimages` filter such that `kustomize build | getimages` returns the same list as this hacky shell pipeline example:

```
$ kustomize build | grep 'image:' | awk '$2 != "" { print $2}' | sort -u
grafana/grafana:8.4.6
jimmidyson/configmap-reload:v0.5.0
k8s.gcr.io/kube-state-metrics/kube-state-metrics:v2.4.2
k8s.gcr.io/prometheus-adapter/prometheus-adapter:v0.9.1
quay.io/brancz/kube-rbac-proxy:v0.12.0
quay.io/prometheus/alertmanager:v0.24.0
quay.io/prometheus/blackbox-exporter:v0.20.0
quay.io/prometheus/node-exporter:v1.3.1
quay.io/prometheus-operator/prometheus-operator:v0.55.1
quay.io/prometheus/prometheus:v2.34.0
```
... but in a robust and correct manner, unlike said hacky shell command.
I expected tools like `kubeval` or `kustomize` to be able to do this, but have drawn blanks in all searching.
Edit: There is `kustomize cfg tree --image` to list images, but:

- It doesn't integrate with the kustomize image transformer's configuration, so it won't recognise images in CRDs. You have to add additional `--field` specs for each one manually.
- Its output format is painful if you just want the image names.
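An added example of the `getimages` filter the question describes, written for this page and not taken from kustomize or any other project. It parses the manifest stream structurally instead of grepping for `image:`, walks every `containers`, `initContainers` and `ephemeralContainers` list at any depth (so Deployments, StatefulSets, Jobs, CronJobs and CRDs that embed a PodTemplate are all covered), and, as a heuristic assumption added here, also picks up `spec.image` on operator custom resources such as Prometheus and Alertmanager, which is where the `prometheus:v2.34.0` and `alertmanager:v0.24.0` entries in the grep output actually come from. The `registry_of`/`not_allowed` helpers tie the result back to the admission-controller motivation by flagging images outside an allowed registry set; the sample stream, the `SAMPLE_STREAM` name and the PyYAML dependency are all assumptions of this example.

```python
"""List every container image referenced by a Kubernetes manifest stream.

Usage (the filter the question asks for):  kustomize build | python3 getimages.py
"""
import sys

try:
    import yaml  # PyYAML; assumed installed where the stream is parsed
except ImportError:  # the structural walk itself needs no YAML library
    yaml = None

# A Pod spec can sit at any depth: Deployment/StatefulSet/Job/CronJob templates,
# or a CRD that embeds a PodTemplate.  Any list under one of these keys is treated
# as a list of container specs.
CONTAINER_LIST_KEYS = ("containers", "initContainers", "ephemeralContainers")


def pyyaml_available():
    return yaml is not None


def _walk(node, found):
    """Recursively collect `image` from every container list below `node`."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in CONTAINER_LIST_KEYS and isinstance(value, list):
                for container in value:
                    if isinstance(container, dict) and isinstance(container.get("image"), str):
                        found.add(container["image"])
            _walk(value, found)
    elif isinstance(node, list):
        for item in node:
            _walk(item, found)


def images_in_document(doc):
    """Set of image references in one manifest document.

    Besides embedded container lists, operator CRDs such as Prometheus and
    Alertmanager carry their main image at spec.image; picking that up is a
    heuristic added here (assumption), not something kustomize's transformer does.
    """
    found = set()
    if not isinstance(doc, dict):  # empty document between '---' separators
        return found
    _walk(doc, found)
    spec = doc.get("spec")
    if isinstance(spec, dict) and isinstance(spec.get("image"), str):
        found.add(spec["image"])
    return found


def images_in_stream(text):
    """Parse a multi-document YAML stream (kustomize build output) into a sorted image list."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse a YAML stream")
    found = set()
    for doc in yaml.safe_load_all(text):
        found |= images_in_document(doc)
    return sorted(found)


def registry_of(image):
    """Registry host of an image reference.  Docker's rule: the first path
    component is a registry only if it contains '.' or ':' or is 'localhost';
    otherwise the image lives on docker.io (e.g. grafana/grafana:8.4.6)."""
    name = image.split("@", 1)[0]  # drop a digest suffix if present
    first, sep, _ = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def not_allowed(images, allowed_registries):
    """Images an admission policy restricted to `allowed_registries` would reject."""
    return sorted(img for img in images if registry_of(img) not in allowed_registries)


# Constructed sample stream (not kube-prometheus output): a Deployment with an
# init container, an operator CR with spec.image plus a sidecar, and a ConfigMap
# whose data merely contains the text "image:" to trip a grep-based approach.
SAMPLE_STREAM = """\
apiVersion: apps/v1
kind: Deployment
metadata: {name: web}
spec:
  template:
    spec:
      initContainers:
      - name: init
        image: busybox:1.36
      containers:
      - name: web
        image: grafana/grafana:8.4.6
---
apiVersion: monitoring.coreos.com/v1
kind: Prometheus
metadata: {name: k8s}
spec:
  image: quay.io/prometheus/prometheus:v2.34.0
  containers:
  - name: sidecar
    image: quay.io/brancz/kube-rbac-proxy:v0.12.0
---
apiVersion: v1
kind: ConfigMap
metadata: {name: notes}
data:
  readme: "image: not-really-an-image"
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STREAM
    print("\n".join(images_in_stream(text)))
```

Piped as `kustomize build | python3 getimages.py` it prints one image per line, sorted and de-duplicated, and the ConfigMap in the sample shows why a text grep is not trustworthy: its `data` value contains the string `image:` but references no image. The `spec.image` heuristic is deliberately narrow (top-level `spec` only), so a CRD that stores an image under some other field still needs an explicit rule, which is the same gap the kustomize transformer's `--field` specs fill.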