/audit-outdated

The /audit-outdated skill looks for version drift across every layer of the cluster: control plane, nodes, container images, Helm charts, CRDs, operators, and the API surface your manifests target. Each layer has its own notion of “latest” and its own drift tolerances.

Run it without arguments for a full sweep, or name a workflow to scope the report.

/audit-outdated            # full sweep
/audit-outdated images     # single workflow
/audit-outdated cves in kube-system

Natural-language scoping (namespaces, label selectors, severity thresholds) is supported on every workflow (see Overview).

---

Workflows

1. Kubernetes version skew

Checks

• Control-plane minor vs. the latest patch on that minor
• kubelet version on each node vs. the control-plane minor
• Distance from EOL per the upstream Kubernetes support matrix

Sources: the published Kubernetes release schedule.

2. Deprecated & removed API versions

Checks

• Live objects using API versions deprecated in the current minor or removed in the next one
• Admission webhooks and CRDs registered against deprecated apiextensions.k8s.io versions

Sources: pluto and kubent when available, with the published Kubernetes API deprecation schedule as a fallback.

3. Container image freshness

Checks

• Tags pinned below the highest semver available in the source registry
• Floating tags (:latest, unversioned), reported separately since “outdated” is undefined
• Digest drift — same tag, newer digest upstream
• Base-image age when the image has an SBOM attached

Sources: Docker Hub, GHCR, quay.io, and gcr.io. Currently, private registries are not supported.

4. Helm charts & releases

Checks

• Installed chart versions vs. latest in the configured repo
• Subchart dependencies declared in Chart.yaml vs. upstream versions
• Charts marked deprecated: true upstream

Sources: the configured Helm repo indexes. OCI-hosted charts are read directly from the OCI registry.

5. Operators, CRDs, and their controllers

Checks

• Operator versions vs. upstream releases
• Flag CRDs mapped to outdated controllers

Sources: reuses the registry and Helm repo data from workflows 3 and 4.

6. Known vulnerabilities

Checks

• CVEs in running container images
• CVEs in the Kubernetes version itself

Sources: Trivy and the official Kubernetes CVE feed.

7. Node OS & kernel

Checks

• Node OS image vs. the distro’s current release (e.g. Ubuntu, Amazon Linux)
• Kernel version against published CVEs

Sources: distro release feeds for the latest published OS and kernel versions, and the CISA KEV catalog for escalating actively exploited kernel CVEs.

---

Data freshness

Every report includes a “data age” footer: when each index (Trivy DB, Helm repos, registry tag lists, Kubernetes release schedule) was last refreshed.

---

What the agent is told

Beyond the workflows, the skill briefs the agent on how to report:

• Always include the data-age footer — stale indexes produce stale findings, and the reader needs to know.
• De-duplicate by image digest so one outdated image shared across many pods doesn’t dominate the report.
• Include severity and CISA KEV status for CVE entries when available; rank KEV hits above CVSS-high findings without known exploitation.
• Distinguish “drift within the supported window” from “EOL” explicitly — the first is routine, the second is urgent.
• For registries not in the supported list (workflow 3), say so rather than silently skipping the image.
• Hand off to /investigate when a single workload’s outdated image is the focus.