Container Images Inventory
This document provides a complete inventory of all container images used in Platform-Mesh, organized by Kubernetes namespace.
Overview
The Platform-Mesh deployment consists of:
- Infrastructure Components: Core Kubernetes services, cert-manager, Flux CD, storage provisioners
- Platform-Mesh Components: Custom operators and services specific to the Platform-Mesh ecosystem
- Dependencies: Databases (PostgreSQL), identity management (Keycloak), authorization (OpenFGA)
Analysis Scope
This analysis is based on Local-Setup version 0.1.1 in running state. Images are sorted by namespace for easy reference.
Version Status Summary
| Status | Count | Description |
|---|---|---|
| 🔴 Outdated | 27 | Images behind upstream by 1+ minor versions |
| 🟡 Patch Behind | 8 | Images behind upstream by patch version only |
| 🟢 Up-to-date | 2 | Images matching latest upstream |
Image Inventory by Namespace
crossplane-system
| Image | Version | Upstream | Status |
|---|---|---|---|
| xpkg.crossplane.io/crossplane/crossplane | v1.20.1 | v2.1.3 | 🔴 Major version behind |
| xpkg.upbound.io/crossplane-contrib/provider-keycloak | v2.7.2 | v2.14.0 | 🔴 7 minor versions behind |
Deprecation Notice
Crossplane will be removed in future Platform-Mesh releases.
default
| Image | Version | Upstream | Status |
|---|---|---|---|
| quay.io/jetstack/cert-manager-controller | v1.19.1 | v1.19.2 | 🟡 Patch behind |
| quay.io/jetstack/cert-manager-cainjector | v1.19.1 | v1.19.2 | 🟡 Patch behind |
| quay.io/jetstack/cert-manager-webhook | v1.19.1 | v1.19.2 | 🟡 Patch behind |
| docker.io/traefik | v3.6.0 | v3.6.7 | 🟡 Patch behind |
Certificate Management
Cert-manager handles TLS certificate provisioning and management. Traefik serves as the ingress controller for external traffic routing.
etcd-druid-system
| Image | Version | Upstream | Status |
|---|---|---|---|
| europe-docker.pkg.dev/gardener-project/public/gardener/etcd-druid | latest | v0.34.0 | 🔴 Using latest tag (unsafe) |
Version Pinning Issue
This image uses the latest tag instead of a specific version, which can lead to unpredictable behavior and deployment issues. It should be pinned to v0.34.0.
flux-system
| Image | Version | Upstream | Status |
|---|---|---|---|
| ghcr.io/fluxcd/helm-controller | v1.4.2 | v1.4.5 | 🟡 3 patches behind |
| ghcr.io/fluxcd/kustomize-controller | v1.7.1 | v1.7.3 | 🟡 2 patches behind |
| ghcr.io/fluxcd/source-controller | v1.7.2 | v1.7.4 | 🟡 2 patches behind |
GitOps Continuous Delivery
Flux CD provides GitOps-based continuous delivery capabilities for Platform-Mesh. These controllers manage Helm releases and Kustomize deployments from Git repositories.
kcp-operator
| Image | Version | Upstream | Status |
|---|---|---|---|
| ghcr.io/kcp-dev/kcp-operator | v0.3.0 | v0.4.0 | 🔴 1 minor version behind |
kro-system
| Image | Version | Upstream | Status |
|---|---|---|---|
| registry.k8s.io/kro/kro | v0.6.3 | v0.8.1 ?! | 🔴 2 minor versions behind |
kube-system
| Image | Version | Upstream | Status |
|---|---|---|---|
| registry.k8s.io/coredns/coredns | v1.12.1 | v1.14.1 | 🔴 2 minor versions behind |
| registry.k8s.io/etcd | 3.6.4-0 | v3.6.7 | 🟡 3 patches behind |
| docker.io/kindest/kindnetd | v20250512-df8de77b | N/A | ℹ️ Development build |
| registry.k8s.io/kube-apiserver | v1.34.0 | N/A | ℹ️ Cluster version |
| registry.k8s.io/kube-controller-manager | v1.34.0 | N/A | ℹ️ Cluster version |
| registry.k8s.io/kube-proxy | v1.34.0 | N/A | ℹ️ Cluster version |
| registry.k8s.io/kube-scheduler | v1.34.0 | N/A | ℹ️ Cluster version |
Kubernetes Core Components
These are the core Kubernetes control plane and infrastructure components.
The kindest/* images are specific to the KIND (Kubernetes in Docker) local development setup.
local-path-storage
| Image | Version | Upstream | Status |
|---|---|---|---|
| docker.io/kindest/local-path-provisioner | v20250512-acbabc1a | N/A | ℹ️ Development build |
ocm-system
| Image | Version | Upstream | Status |
|---|---|---|---|
| ghcr.io/open-component-model/kubernetes/controller | sha256:5e790dad020adcfd0793f249d177a28429ef22446def39c9286eab90c52175c1 | v0.28.0 | 🔴 Digest pinned, version behind |
Open Component Model
The OCM controller manages component descriptors and software supply chain metadata. It is currently pinned by digest rather than by a semantic version tag.
platform-mesh-system
| Image | Version | Upstream | Status |
|---|---|---|---|
| ghcr.io/platform-mesh/account-operator | v0.5.32 | v0.9.1 | 🔴 4 minor versions behind |
| europe-docker.pkg.dev/gardener-project/public/gardener/etcd-wrapper | v0.6.0 | v0.6.0 | 🟢 Up-to-date |
| europe-docker.pkg.dev/gardener-project/public/gardener/etcdbrctl | v0.40.0 | v0.40.0 | 🟢 Up-to-date |
| ghcr.io/platform-mesh/extension-manager-operator | v0.2.151 | v0.4.128 | 🔴 2 minor versions behind |
| ghcr.io/kcp-dev/kcp | v0.29.0 | v0.29.0 | 🟢 Up-to-date |
| ghcr.io/platform-mesh/upstream-images/keycloak | 26.3.3-debian-12-r0 | 26.5.2-debian-12-r0 | 🟡 Patch behind |
| ghcr.io/platform-mesh/upstream-images/postgresql | 17.6.0-debian-12-r4 | 17.6.0-debian-12-r4 | 🟢 Up-to-date |
| ghcr.io/platform-mesh/kubernetes-graphql-gateway | v0.3.4 | v0.7.5 | 🔴 4 minor versions behind |
| axllent/mailpit | v1.27.9 | v1.28.4 | 🟡 Patch behind |
| ghcr.io/platform-mesh/marketplace-ui | v0.6.2 | ??? | ⚠️ Unknown upstream |
| openfga/openfga | v1.9.0 | v1.11.3 | 🔴 2 minor versions behind |
| ghcr.io/platform-mesh/images/postgresql | 15.4.0-debian-11-r45 | 17.6.0-debian-12-r4 | 🔴 Major version behind (2 versions) |
| ghcr.io/platform-mesh/platform-mesh-operator | v0.26.3 | v0.47.1 | 🔴 21 minor versions behind |
| ghcr.io/platform-mesh/portal | v0.16.132 | v0.16.174 | 🟡 Patches behind |
| ghcr.io/platform-mesh/rebac-authz-webhook | v0.2.94 | v0.2.142 | 🔴 Patches significantly behind |
| ghcr.io/platform-mesh/security-operator | v0.10.9 | v0.18.2 | 🔴 8 minor versions behind |
| ghcr.io/platform-mesh/virtual-workspaces | v0.8.0 | v0.8.24 | 🟡 Patches behind |
Critical Findings
- PostgreSQL version mismatch: Two different PostgreSQL versions in use (15.4.0 vs 17.6.0)
- Significant lag: Several core operators are 4-21 minor versions behind upstream
- Platform-mesh-operator: 21 minor versions behind (v0.26.3 → v0.47.1)
- Security concern: Many outdated images have known CVEs (see security-scan.md)
Recommendations
1. Standardize on PostgreSQL 17.6.0 across all components
2. Prioritize updating platform-mesh-operator, security-operator, and account-operator
3. Update OpenFGA to v1.11.3 (upstream has 0 CVEs vs current 30 High)
Analysis Metadata
- Source: Local-Setup version 0.1.1 (Running State)
- Analysis Date: 2026-01-29
- Total Images: 37
- Unique Registries: 6 (ghcr.io, docker.io, registry.k8s.io, quay.io, europe-docker.pkg.dev, xpkg.*)
Related Documentation
- Security Scan Results - Detailed CVE analysis for all images
- Findings & Recommendations - Strategic analysis and action items