Vessel is a service that watches your Kubernetes resources and runs several tools against them.
Vessel stores the results of the tools it runs so that you can query them through a simple HTTP / JSON interface.
Run:
docker run --rm -p 127.0.0.1:8089:8089/tcp --env K8S_URL=http://KUBERNETES_URL --env K8S_TOKEN=TOKEN sourcesense/vessel:latest
For the official and supported way to deploy it, go to Vessel Operator.
The query interface is simple: pass the fields you want to filter on as query-string parameters.
The model of the issues Vessel Collector stores is simple:
- name: name of the resource
- namespace: namespace of the resource
- kind: kind of the resource
- issue: the issue
- issue_metadata: additional metadata of the issue
- tool: task that generated the issue
- created_at: date of the issue
Retrieving issues of deployments and jobs:
GET http://localhost:8089/query?kind=deployment&kind=job
Retrieving critical CVEs:
GET http://localhost:8089/query?issue=CRITICAL_CVE
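An added example of working with the query interface described above (this is not code from the Vessel project): it builds the README's query URLs from filter values, with a list turning into a repeated parameter as in kind=deployment&kind=job, and applies the same filtering to constructed sample records in the shape of the issue model, so the filter semantics can be tried offline. The sample records, tool names, CVE ids and dates are constructed placeholders; the AND-across-fields rule in filter_issues and the plain-JSON-list response assumed by fetch_issues are assumptions not confirmed by the page.

```python
"""Added example, not code from the Vessel project: build the README's
query URLs from filter values and model the same filtering offline."""
import json
from collections import Counter
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

# Port published by the README's docker command (bound to loopback only).
VESSEL_URL = "http://localhost:8089"

# Constructed sample records in the shape of the issue model from the README.
# Tool names, CVE ids and dates are placeholders, not real findings.
SAMPLE_ISSUES = [
    {"name": "web", "namespace": "prod", "kind": "deployment",
     "issue": "CRITICAL_CVE", "issue_metadata": {"cve": "CVE-EXAMPLE-0001"},
     "tool": "example-scanner", "created_at": "2024-01-01T00:00:00Z"},
    {"name": "backup", "namespace": "prod", "kind": "job",
     "issue": "CRITICAL_CVE", "issue_metadata": {"cve": "CVE-EXAMPLE-0002"},
     "tool": "example-scanner", "created_at": "2024-01-01T00:05:00Z"},
    {"name": "cache", "namespace": "staging", "kind": "statefulset",
     "issue": "CRITICAL_CVE", "issue_metadata": {"cve": "CVE-EXAMPLE-0003"},
     "tool": "example-scanner", "created_at": "2024-01-01T00:10:00Z"},
    {"name": "api", "namespace": "staging", "kind": "deployment",
     "issue": "RUNS_AS_ROOT", "issue_metadata": {},
     "tool": "example-linter", "created_at": "2024-01-01T00:15:00Z"},
]


def build_query_url(base_url, **filters):
    """Encode filters as query-string parameters; a list value becomes a
    repeated parameter, e.g. kind=["deployment", "job"] ->
    /query?kind=deployment&kind=job exactly as in the README."""
    pairs = []
    for field, value in filters.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        pairs.extend((field, str(v)) for v in values)
    return f"{base_url}/query?{urlencode(pairs)}"


def parse_query(url):
    """Inverse of build_query_url: field -> list of accepted values."""
    return parse_qs(urlparse(url).query)


def filter_issues(issues, filters):
    """Local model of the query: a record matches when, for every field given,
    its value is one of the accepted values (OR within a field, AND across
    fields). The AND-across-fields rule is an assumption; the README only
    shows one field per query."""
    return [rec for rec in issues
            if all(str(rec.get(field)) in values
                   for field, values in filters.items())]


def critical_cves_by_namespace(issues):
    """Triage view: how many CRITICAL_CVE findings each namespace carries."""
    critical = filter_issues(issues, {"issue": ["CRITICAL_CVE"]})
    return dict(Counter(rec["namespace"] for rec in critical))


def fetch_issues(url):
    """Query a running Vessel instance. Assumes the endpoint answers with a
    JSON list of records in the model above (not verified against the project)."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url = build_query_url(VESSEL_URL, kind=["deployment", "job"])
    print(url)
    # Offline: run the same filter the URL expresses over the sample records.
    for rec in filter_issues(SAMPLE_ISSUES, parse_query(url)):
        print(rec["kind"], rec["namespace"], rec["name"], rec["issue"])
    print(critical_cves_by_namespace(SAMPLE_ISSUES))
```

Running the script prints the deployment/job query URL, the three sample records that match it, and a per-namespace count of critical CVEs; point fetch_issues at the URL to pull the real records from a running instance instead of the constructed ones.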
Vessel is developed in Python and built with Poetry:
git clone git@github.com:sourcesense/vessel.git
cd vessel
poetry install
poetry run vessel server --k8s-url $K8S_URL --k8s-token $K8S_TOKEN
poetry run vessel single RESOURCE.yaml
- Exit code implementation for CI integration
- Admission control for Kubernetes resources
- Unique web interface for all the Vessel resources
- Implement a scoring system
- Add grype tool
- Add kubelinter tool
- TLS support over Vessel service ingresses.
You are more than welcome to contribute by adding new tools to Vessel.
Take a look at the contributing guidelines.