k8s-image-audit
SKILL.md
K8s Image & Deployment Audit
Audit the K8s cluster for image and deployment issues: $ARGUMENTS
Checks to Perform
1. Image Freshness
```bash
# List all running images with their pull policies
kubectl get pods -n <namespace> -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .spec.containers[*]}{.image}{"\t"}{.imagePullPolicy}{"\n"}{end}{end}'
# List every container image per pod. The creation date is stored in the image
# config, not in the pod spec, so look it up in the registry for each image printed here.
for pod in $(kubectl get pods -n <namespace> -o name); do
  IMAGES=$(kubectl get "$pod" -n <namespace> -o jsonpath='{.spec.containers[*].image}')
  echo "$pod -> $IMAGES"
done
```
2. Caching Risk Detection
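```bash
# Find containers using :latest with IfNotPresent (BAD)
kubectl get pods -n <namespace> -o json | jq -r '.items[] | .metadata.name as $pod | .spec.containers[] | select(.imagePullPolicy == "IfNotPresent" and (.image | endswith(":latest"))) | "\($pod)/\(.name): \(.image) - CACHING RISK"'
# Find containers without explicit imagePullPolicy
# (the API server fills in a default when the pod is created, so on live pods this
# normally prints nothing; check the chart or manifest source for omitted policies)
kubectl get pods -n <namespace> -o json | jq -r '.items[] | .metadata.name as $pod | .spec.containers[] | select(.imagePullPolicy == null) | "\($pod)/\(.name): \(.image) - NO PULL POLICY SET"'
```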
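An added example, not part of the original skill: a Python version of the caching-risk check that parses the image reference instead of matching on `:latest`, so untagged images (implicitly `latest`), registry ports, init containers and omitted pull policies are all handled. The `REVIEW` level for fixed tags goes beyond the check above; the sample pod list and the `example.test` names are constructed.

```python
import json
import sys

def split_image(ref):
    """Split an image reference into (name, tag, digest); tag and digest may be None."""
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:  # a ':' before the last '/' is a registry port
        name, tag = name.rsplit(":", 1)
    return name, tag, digest or None

def effective_policy(image, policy):
    """Return the explicit policy, or the API server's default when it is omitted."""
    _, tag, digest = split_image(image)
    default = "Always" if tag == "latest" or (tag is None and digest is None) else "IfNotPresent"
    return policy or default

def caching_risk(image, policy):
    """'RISK' = floating tag served from node cache, 'REVIEW' = fixed tag (stale if re-pushed), else None."""
    _, tag, digest = split_image(image)
    if digest or effective_policy(image, policy) == "Always":
        return None  # pinned by digest, or resolved against the registry on each start
    return "RISK" if tag in (None, "latest") else "REVIEW"

def audit(pod_list):
    """Return (level, pod, container, image) per flagged container, init containers included."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            level = caching_risk(c["image"], c.get("imagePullPolicy"))
            if level:
                findings.append((level, pod["metadata"]["name"], c["name"], c["image"]))
    return findings

# Constructed sample shaped like `kubectl get pods -o json`; not output from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"name": "web"}, "spec": {
        "initContainers": [{"name": "init", "image": "localhost:5000/tools", "imagePullPolicy": "IfNotPresent"}],
        "containers": [{"name": "app", "image": "example.test/web:latest", "imagePullPolicy": "IfNotPresent"},
                       {"name": "proxy", "image": "example.test/proxy:1.4", "imagePullPolicy": "IfNotPresent"}]}},
    {"metadata": {"name": "api"}, "spec": {"containers": [
        {"name": "app", "image": "example.test/api:latest", "imagePullPolicy": "Always"},
        {"name": "db", "image": "example.test/db@sha256:" + "0" * 64}]}}]}

if __name__ == "__main__":  # optional argument: a file saved from `kubectl get pods -o json`
    pods = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit(pods):
        print("\t".join(finding))
```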
3. Helm Release Verification
```bash
# List releases with their chart versions and app versions
helm list -n <namespace> -o json | jq -r '.[] | "\(.name)\t\(.chart)\t\(.app_version)\t\(.status)\t\(.updated)"'
# Get the image settings from a helm release
# (--all includes chart defaults, so .image is populated even when the release did not override it)
helm get values <release> -n <namespace> --all -o json | jq '.image'
```
4. Volume Health
```bash
# Check PV/PVC status
kubectl get pv,pvc -n <namespace>
# Find orphaned PVCs
kubectl get pvc -n <namespace> -o json | jq -r '.items[] | select(.status.phase != "Bound") | .metadata.name'
```
5. Build vs Deploy Cross-Reference
- Check `.claude/logs/docker-builds.jsonl` for the last build timestamp
- Compare with the running image's creation timestamp
- Flag if the deploy is older than the latest build
Output
- List of all running images with their tags and pull policies
- Flagged caching risks
- Stale image detections
- Volume health status
- Specific remediation steps for each issue found
Repository
lobbi-docs/claude