Outdated Container Images in Production

[AI-God-Dev]

Severity: High
Files Affected: Multiple deployment YAMLs in apps/slack-infra/
Impact: Known security vulnerabilities, missing security patches

Issue:
Critical applications are running images from 2021-2023 without updates:

# apps/slack-infra/resources/slack-moderator/deployment.yaml:19
image: gcr.io/k8s-staging-slack-infra/slack-moderator:v20210223-8525eb3

# apps/slack-infra/resources/slack-event-log/deployment.yaml:19
image: gcr.io/k8s-staging-slack-infra/slack-event-log:v20210223-8525eb3

Security Analysis:

• Images are 3-5 years old (as of Jan 2026)
• Likely contain critical CVEs in base images and dependencies
• No automated image scanning or update process evident
• No SBOMs or vulnerability tracking

Known Risk Categories:

• Base OS vulnerabilities (if using Alpine/Ubuntu/Debian from 2021)
• Outdated Go/Node.js runtime vulnerabilities
• Unpatched OpenSSL/glibc vulnerabilities
• Missing security backports

Recommendation:

• Immediate: Security scan all images with Trivy/Grype
• Deploy: Automated image rebuild pipeline (monthly at minimum)
• Implement: Image admission controller (e.g., Kyverno) to block old images
• Create: SLA for security patch deployment (critical: 7 days, high: 30 days)
• Enable: Runtime security monitoring (Falco, Tetragon)

[BenTheElder]

/sig contributor-experience k8s-infra

FYI @kubernetes/sig-k8s-infra-leads we have a problem again with the state of slack-infra

x-ref kubernetes-sigs/slack-infra#66

Likely contain critical CVEs in base images and dependencies

These images should be extremely minimal distroless with a static go binary. So only changes to the actual binary should impact rebuilding meaningfully.

If not, we should move them to that, these tools have no need for any shell utils etc.

Unpatched OpenSSL/glibc vulnerabilities

Is this the case? These images shouldn't need either of those things.

Implement: Image admission controller (e.g., Kyverno) to block old images

I don't think that would be a good idea in this case, we're not an enterprise company and the continuity of keeping services running for the community is more imprtant.

[BenTheElder]

These are in fact based on distroless:base but they should probably be based on distroless static.

That said, the openSSL vulns shouldn't actually be exploitable since the binaries are not loading the library ...

https://github.com/kubernetes-sigs/slack-infra/blob/95239f1f01fa4b231fe81b85e84c0b3589fbfd24/slack-moderator/Dockerfile#L1

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten