Skill Being Reviewed
Skill name: container-security
Skill path: skills/cloud/container-security/
False Positive Analysis
Benign code that could be over-flagged if every debug workflow is treated as privileged:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: checkout-api
  namespace: production
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/checkout-api@sha256:...
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
  ephemeralContainers:
    - name: node-debug
      image: registry.example.com/debug-tools@sha256:...
      targetContainerName: app
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
```
Why this is a false positive:
Ephemeral containers are a legitimate Kubernetes troubleshooting mechanism. A review should not automatically flag the presence of an ephemeral/debug container when the debug image is pinned/approved and the ephemeral container follows the same Restricted Pod Security Standards controls as the app container.
Coverage Gaps
Missed variant 1: privileged ephemeral debug container on an otherwise hardened pod
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: checkout-api
spec:
  containers:
    - name: app
      image: registry.example.com/checkout-api@sha256:...
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
  ephemeralContainers:
    - name: node-debug
      image: busybox:1.36
      targetContainerName: app
      securityContext:
        privileged: true
        runAsUser: 0
        allowPrivilegeEscalation: true
        capabilities:
          add: ["SYS_ADMIN"]
```
Why it should be caught:
The current skill mentions ephemeral containers only as a common pitfall, but the detailed CIS/PSS review steps and output matrix do not force reviewers to inventory spec.ephemeralContainers. Kubernetes Pod Security Standards explicitly list spec.ephemeralContainers[*] for controls such as privileged containers, capabilities, seccomp, and non-root execution. A review that only checks containers and initContainers can mark the pod Restricted-compliant while missing a privileged debug container.
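An added example (not part of the skill under review) of the inventory gate this gap calls for: the same Restricted checks applied to all three container arrays, with pod-level `securityContext` inheritance handled. It covers only the controls named above (privileged, capabilities, seccomp, non-root); the function name and the pod dicts are assumptions constructed from the two manifests on this page.

```python
# Added example; the pod dicts are constructed from the two manifests above.
ARRAYS = ("containers", "initContainers", "ephemeralContainers")
ALLOWED_ADD = {"NET_BIND_SERVICE"}  # the only capability Restricted lets you add
SECCOMP_OK = {"RuntimeDefault", "Localhost"}

def review_pod(pod, arrays=ARRAYS):
    """Return (array, container, finding) for each Restricted violation."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for array in arrays:
        for c in spec.get(array) or []:
            sc = c.get("securityContext") or {}
            caps = sc.get("capabilities") or {}
            # These fields fall back to the pod-level securityContext.
            eff = {k: sc.get(k, pod_sc.get(k))
                   for k in ("runAsNonRoot", "runAsUser", "seccompProfile")}
            checks = [
                (sc.get("privileged") is True, "privileged"),
                (sc.get("allowPrivilegeEscalation") is not False,
                 "allowPrivilegeEscalation not false"),
                ("ALL" not in (caps.get("drop") or []), "drop lacks ALL"),
                (bool(set(caps.get("add") or []) - ALLOWED_ADD),
                 "disallowed capability added"),
                (eff["runAsNonRoot"] is not True, "runAsNonRoot not true"),
                (eff["runAsUser"] == 0, "runAsUser is 0"),
                ((eff["seccompProfile"] or {}).get("type") not in SECCOMP_OK,
                 "seccomp not RuntimeDefault/Localhost"),
            ]
            findings += [(array, c.get("name"), msg) for bad, msg in checks if bad]
    return findings

HARDENED = {"allowPrivilegeEscalation": False, "runAsNonRoot": True,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"}}
APP = {"name": "app", "securityContext": HARDENED}
BENIGN_POD = {"spec": {"containers": [APP], "ephemeralContainers": [
    {"name": "node-debug", "securityContext": dict(HARDENED, runAsUser=1000)}]}}
PRIVILEGED_DEBUG_POD = {"spec": {"containers": [APP], "ephemeralContainers": [
    {"name": "node-debug", "securityContext": {
        "privileged": True, "runAsUser": 0, "allowPrivilegeEscalation": True,
        "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

if __name__ == "__main__":
    for finding in review_pod(PRIVILEGED_DEBUG_POD):
        print(finding)
```

Passing `arrays=("containers", "initContainers")` reproduces the narrower review described above: the privileged debug pod then returns no findings.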
Missed variant 2: runtime debug containers are added through a subresource after the workload manifest was reviewed
Deployment manifest: Restricted-compliant
Runtime action: kubectl debug adds an ephemeral container to a production pod
RBAC evidence: not reviewed for pods/ephemeralcontainers
Admission evidence: not reviewed for the ephemeralcontainers subresource
Audit evidence: not collected for patch/update of pods/ephemeralcontainers
Why it should be caught:
Ephemeral containers are commonly added through the ephemeralcontainers API handler rather than by editing the original workload manifest. If the skill only reviews static Deployment/Helm YAML, it can miss whether production debug-container creation is restricted by RBAC, covered by admission policy, and logged for incident review.
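An added example (not part of the skill under review) of collecting the RBAC and audit evidence for this runtime path: it finds roles whose rules allow writes to `pods/ephemeralcontainers` and pulls completed debug-container writes out of API server audit events. The role names, users and audit records are constructed samples, and the function names are assumptions.

```python
import json

# Added example; roles and audit records below are constructed samples.
def grants_ephemeral(rule):
    """True if an RBAC rule allows adding ephemeral containers to pods."""
    groups, verbs = rule.get("apiGroups", []), set(rule.get("verbs", []))
    if "" not in groups and "*" not in groups:   # pods are in the core group
        return False
    if not verbs & {"patch", "update", "*"}:
        return False
    # Write access to plain "pods" does not cover the subresource.
    wanted = {"pods/ephemeralcontainers", "*/ephemeralcontainers", "*"}
    return bool(wanted & set(rule.get("resources", [])))

def roles_granting(roles):
    return [r["name"] for r in roles if any(map(grants_ephemeral, r["rules"]))]

def debug_container_events(audit_lines):
    """Return (user, namespace, pod) for completed ephemeral-container writes."""
    hits = []
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if (ev.get("stage") == "ResponseComplete"
                and ev.get("verb") in ("patch", "update")
                and ref.get("resource") == "pods"
                and ref.get("subresource") == "ephemeralcontainers"):
            hits.append((ev["user"]["username"], ref.get("namespace"), ref.get("name")))
    return hits

ROLES = [
    {"name": "log-reader", "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list"]}]},
    {"name": "pod-editor", "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["patch"]}]},
    {"name": "debug-operator", "rules": [
        {"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["patch"]}]},
    {"name": "cluster-wide", "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

def _event(stage, verb, sub=None):
    ref = {"resource": "pods", "namespace": "production", "name": "checkout-api"}
    if sub:
        ref["subresource"] = sub
    return json.dumps({"stage": stage, "verb": verb, "objectRef": ref,
                       "user": {"username": "alice@example.com"}})

AUDIT = [_event("RequestReceived", "patch", "ephemeralcontainers"),
         _event("ResponseComplete", "patch", "ephemeralcontainers"),
         _event("ResponseComplete", "get", "log"),
         _event("ResponseComplete", "patch")]
```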
Edge Cases
- Distroless production images legitimately need a debug workflow; the review should request debug-container controls instead of treating distroless as a problem.
- Some organizations allow ephemeral containers only in non-production namespaces; this should be captured as policy evidence rather than a blanket fail.
- Admission policies may cover pod creation but not the pods/ephemeralcontainers subresource; the report should distinguish those paths.
- A cluster may have no current ephemeralContainers in manifests; the correct status is Not Evaluable unless RBAC/admission/audit evidence for runtime debug containers is available.
- Debug images should be pinned, approved, and scanned; arbitrary public debug image pull in production is a separate supply-chain and runtime risk.
Remediation Quality
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| Kubernetes Pod Security Admission | Yes | PSS controls explicitly include spec.ephemeralContainers[*] fields, but the review skill must ask for that evidence. |
| Kyverno / Gatekeeper | Partial | Can enforce policy on ephemeral container updates if rules cover the relevant subresource and container arrays. |
| kube-score / kube-linter | Partial | Static manifest tools may miss runtime debug containers unless pod objects or admission/audit evidence are reviewed. |
| Manual cluster audit | Yes | Can inspect RBAC for pods/ephemeralcontainers, admission coverage, and audit events for debug-container creation. |
Overall Assessment
Strengths:
- Strong coverage of Dockerfile, Kubernetes manifest, RBAC, network policy, secrets, and core Pod Security Standards controls.
- Good warnings about init/sidecar containers, Helm overrides, default namespaces, and distroless debug workflows.
Needs improvement:
- Promote ephemeral containers from a pitfall note to a required evidence gate.
- Require the report to distinguish regular, init, and ephemeral container coverage.
- Require runtime evidence for pods/ephemeralcontainers RBAC, admission, and audit coverage when static manifests do not include ephemeral containers.
Priority recommendations:
- Add spec.ephemeralContainers to the container inventory gate and PSS checklist.
- Add an ephemeral/debug container evidence table covering RBAC, admission policy, audit logs, debug image policy, and runtime controls.
- Add vulnerable and benign fixtures so reviewers can distinguish a privileged debug container from a Restricted-compliant debug workflow.
Sources Checked
Note: I created this through the GitHub API, so if the template labels are not applied automatically, please tag this with review and bounty if it is eligible under CONTRIBUTING.md.
Bounty Info