Outdated Container Images in Production

[AI-God-Dev]

Severity: High
Files Affected: Multiple deployment YAMLs in apps/slack-infra/
Impact: Known security vulnerabilities, missing security patches

Issue:
Critical applications are running images from 2021-2023 without updates:

# apps/slack-infra/resources/slack-moderator/deployment.yaml:19
image: gcr.io/k8s-staging-slack-infra/slack-moderator:v20210223-8525eb3

# apps/slack-infra/resources/slack-event-log/deployment.yaml:19
image: gcr.io/k8s-staging-slack-infra/slack-event-log:v20210223-8525eb3

Security Analysis:

• Images are 3-5 years old (as of Jan 2026)
• Likely contain critical CVEs in base images and dependencies
• No automated image scanning or update process evident
• No SBOMs or vulnerability tracking

Known Risk Categories:

• Base OS vulnerabilities (if using Alpine/Ubuntu/Debian from 2021)
• Outdated Go/Node.js runtime vulnerabilities
• Unpatched OpenSSL/glibc vulnerabilities
• Missing security backports

Recommendation:

• Immediate: Security scan all images with Trivy/Grype
• Deploy: Automated image rebuild pipeline (monthly at minimum)
• Implement: Image admission controller (e.g., Kyverno) to block old images
• Create: SLA for security patch deployment (critical: 7 days, high: 30 days)
• Enable: Runtime security monitoring (Falco, Tetragon)

[BenTheElder]

/sig contributor-experience k8s-infra

FYI @kubernetes/sig-k8s-infra-leads we have a problem again with the state of slack-infra

x-ref kubernetes-sigs/slack-infra#66

Likely contain critical CVEs in base images and dependencies

These images should be extremely minimal distroless with a static go binary. So only changes to the actual binary should impact rebuilding meaningfully.

If not, we should move them to that, these tools have no need for any shell utils etc.

Unpatched OpenSSL/glibc vulnerabilities

Is this the case? These images shouldn't need either of those things.

Implement: Image admission controller (e.g., Kyverno) to block old images

I don't think that would be a good idea in this case, we're not an enterprise company and the continuity of keeping services running for the community is more imprtant.

[BenTheElder]

These are in fact based on distroless:base but they should probably be based on distroless static.

That said, the openSSL vulns shouldn't actually be exploitable since the binaries are not loading the library ...

https://github.com/kubernetes-sigs/slack-infra/blob/95239f1f01fa4b231fe81b85e84c0b3589fbfd24/slack-moderator/Dockerfile#L1