What is the purpose of filewatcher in confluent-init-container image?


We are using Confluent for Kubernetes in an internal project; however, the confluent-init-container:7.4.1 image that gets used in Kafka and zookeeper and etc. pod had failed image security scanning.

The failure reason was due to the go stdlib that was compiled in the filewatcher binary in the image.

  1. The vulnerability had to do with the go compilation process, which should not be relevant here as filewatcher is just an executable file.

  2. Vulnerability in interacting with JS files, which I suspect may also not be relevant here as I don’t believe Kafka, zookeeper, or Kraft controller should have much to do with JS file.

So, my question is are my observations correct? And, also, can anyone please provide some insights into the purpose of filewatch in the confluent-init-container? Well, as the image name suggested, it is just a short live init container.

Thanks so much for your help as we are in the process of requesting for exemption for the image!

Best Regards,


I am also using cp-kafka: latest images and while scanning using the vulnerability scan tool we are getting a critical vulnerability with certifi package. Does any one has any input on this or pointer to an image that has fixed this .