Add ephemeral container PSS evidence gates #1192

Open
99INFLUENCERS wants to merge 1 commit into UnitOneAI:main from 99INFLUENCERS:improve/container-ephemeral-debug-pss

@99INFLUENCERS

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: container-security
Skill path: skills/cloud/container-security/

What Was Wrong

The skill warned that init/sidecar/ephemeral containers can be missed, but the actionable CIS/PSS workflow and report template did not force reviewers to inventory spec.ephemeralContainers or collect runtime evidence for the pods/ephemeralcontainers subresource.

That can miss a real Kubernetes debug-container failure mode: a Deployment or Pod can look Restricted-compliant for regular containers, while a later kubectl debug workflow injects a privileged ephemeral container into a running production pod.

What This PR Fixes

  • Adds ephemeralContainers and debug manifests to the discovery patterns.
  • Requires reviewers to inventory containers, initContainers, and ephemeralContainers separately.
  • Adds a Not Evaluable state when runtime debug-container evidence is unavailable.
  • Adds report fields for regular/init/ephemeral container coverage and container type.
  • Adds an explicit ephemeral/debug container evidence gate to the CIS/PSS checklist.
  • Adds RBAC, admission-policy, audit-event, debug-image, and runtime-control evidence requirements for pods/ephemeralcontainers.
  • Adds vulnerable and benign fixtures for privileged vs. Restricted-compliant ephemeral debug containers.

Addresses #1191.

Evidence

Before (skill misses this / false positive on this):

spec:
  containers:
    - name: app
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
  ephemeralContainers:
    - name: node-debug
      targetContainerName: app
      securityContext:
        privileged: true
        runAsUser: 0
        allowPrivilegeEscalation: true
        capabilities:
          add: ["SYS_ADMIN"]

A reviewer could score the regular container as Restricted-compliant while missing the privileged debug container.

After (now correctly handled):

PSS-EPHEMERAL-01: ephemeralContainers[*].securityContext.privileged is not true
PSS-EPHEMERAL-06: RBAC restricts create/update on pods/ephemeralcontainers
PSS-EPHEMERAL-07: Admission policy covers the ephemeralcontainers subresource
PSS-EPHEMERAL-08: Debug-container creation is audited and alertable

The report matrix now records regular, init, and ephemeral container coverage separately.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass

Added fixtures:

  • skills/cloud/container-security/tests/vulnerable/ephemeral-container-privileged.yaml
  • skills/cloud/container-security/tests/benign/ephemeral-container-restricted.yaml

Validation run:

  • git diff --check
  • frontmatter required-field sweep across skills/**/SKILL.md and roles/**/SKILL.md
  • rg -n 'ephemeralContainers|pods/ephemeralcontainers|PSS-EPHEMERAL|Container type|Not Evaluable|version: "1\.1\.0"' skills/cloud/container-security

Bounty Tier

  • Minor ($50) -- Doc update, small logic tweak, typo fix
  • Moderate ($100) -- New edge case coverage, FP reduction with evidence
  • Substantial ($150) -- Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: GitHub Sponsors

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with at least one AI coding agent: Codex
  • No prohibited patterns per SECURITY.md
  • index.yaml updated with new skill entry (not applicable; existing skill only)

What This PR Does

Improves container-security so Pod Security Standard reviews explicitly cover ephemeral/debug containers as first-class container surfaces, including static manifest coverage and runtime subresource evidence.

Framework References

Testing

  • git diff --check
  • frontmatter required-field sweep across skills/**/SKILL.md and roles/**/SKILL.md
  • rg -n 'ephemeralContainers|pods/ephemeralcontainers|PSS-EPHEMERAL|Container type|Not Evaluable|version: "1\.1\.0"' skills/cloud/container-security
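
The separate-inventory requirement and the Not Evaluable state described in this PR can be sketched as follows. This is an added example, not code from the PR or the skill: the function names, the `live_pod_observed` flag and the report shape are assumptions, the checks are a subset of the Restricted profile, and the pod spec is constructed from the "Before" manifest above.

```python
# Added example; POD_SPEC is constructed from the "Before" manifest on this page.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")
POD_SPEC = {
    "containers": [{
        "name": "app",
        "securityContext": {
            "runAsNonRoot": True, "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    }],
    "ephemeralContainers": [{
        "name": "node-debug", "targetContainerName": "app",
        "securityContext": {
            "privileged": True, "runAsUser": 0, "allowPrivilegeEscalation": True,
            "capabilities": {"add": ["SYS_ADMIN"]},
        },
    }],
}

def violations(container):
    """Subset of Restricted-profile checks on one container's securityContext."""
    sc = container.get("securityContext") or {}
    found = []
    if sc.get("privileged") is True:  # PSS-EPHEMERAL-01 when the container is ephemeral
        found.append("privileged")
    if sc.get("allowPrivilegeEscalation") is not False:  # must be explicitly false
        found.append("allowPrivilegeEscalation")
    if sc.get("runAsUser") == 0:
        found.append("runAsUser=0")
    added = (sc.get("capabilities") or {}).get("add") or []
    if any(cap != "NET_BIND_SERVICE" for cap in added):
        found.append("capabilities.add")
    return found

def review(pod_spec, live_pod_observed):
    """Score each container list on its own; hypothetical report shape."""
    report = {}
    for field in CONTAINER_FIELDS:
        findings = {c["name"]: v for c in pod_spec.get(field) or [] if (v := violations(c))}
        if findings:
            status = "Fail"
        elif field == "ephemeralContainers" and not live_pod_observed:
            # A static manifest cannot show containers injected later by kubectl debug.
            status = "Not Evaluable"
        else:
            status = "Pass"
        report[field] = {"status": status, "findings": findings}
    return report
```

Run against the constructed spec, the regular container passes while the ephemeral list fails on its own row; given only a static manifest with no ephemeral entries, the ephemeral row is Not Evaluable rather than Pass.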
