What Kubectl Debug Doesn’t Tell You: The Silent Evidence Gap

CNCF Blog, May 18, 2026

Why It Matters

Without a durable record of debug sessions, SRE teams lose critical forensic data, increasing mean-time-to-resolution and risking non-compliance in regulated environments.

Key Takeaways

  • Ephemeral containers lack lastState, losing exit code after pod changes
  • kubectl debug termination details disappear once pod is updated
  • No API field records target container or session duration
  • Workarounds need external logging or watch API capture
  • Adding lastState to EphemeralContainerStatus could close evidence gap

Pulse Analysis

Kubernetes treats ephemeral containers as throw-away debugging aids, deliberately omitting restart semantics and a `lastState` field from the `EphemeralContainerStatus` object. This design choice means that once a debug session terminates, the API only retains the `State.Terminated` block while the pod remains unchanged. Any subsequent pod modification—such as a container restart, a new debug attachment, or a reschedule—overwrites that block, erasing the exit code, finish timestamp, and even the container name used with the `--target` flag. As a result, the most granular evidence of a failure investigation disappears from the cluster’s native audit surface.

For SRE teams that rely on exit codes and session duration to triage incidents, the loss of this data creates a fragile hand-off process. Engineers must depend on manual notes or ad-hoc log captures, which are prone to omission during high-pressure outages. In regulated environments, the absence of a verifiable record of who inspected which container conflicts with audit requirements such as PCI-DSS 10.3 or SOC 2 controls that demand traceability of operational actions. Without a persistent termination record, Kubernetes alone cannot satisfy these compliance mandates.

Practitioners can mitigate the gap by streaming findings to a shared volume, pushing structured events to an external SIEM, or implementing a watch on pod updates to snapshot the `State.Terminated` payload before it is replaced. A more permanent fix would be a KEP that adds a minimal `lastState` field to `EphemeralContainerStatus`, mirroring the behavior of regular containers while preserving backward compatibility. Such an enhancement, likely owned by SIG Node or SIG Instrumentation, would give teams a reliable audit trail for debug sessions without altering the core ephemerality promise.
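The third workaround above, watching pod updates and snapshotting the `State.Terminated` payload before a later revision replaces it, is concrete enough to show in code. The following is an added example and not code from the CNCF post or from Kubernetes itself. It processes pod objects as plain JSON-shaped dicts (the form produced by `kubectl get pod -o json`, and by `kubectl get pod -w -o json` for successive revisions), so it runs offline; the pod names, UID, container name and timestamps in the demo are constructed, and the `sink` callable stands in for whatever durable store (shared volume, SIEM forwarder) a team uses.

```python
from datetime import datetime


def _parse_ts(ts):
    """Parse a Kubernetes RFC 3339 timestamp such as '2026-05-18T10:15:30Z'."""
    if not ts:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def extract_terminations(pod):
    """Return {container_name: record} for every ephemeral container whose
    status currently carries a State.Terminated block. These fields are the
    ones the cluster drops once the pod is modified again."""
    meta = pod.get("metadata", {})
    records = {}
    for status in pod.get("status", {}).get("ephemeralContainerStatuses") or []:
        term = (status.get("state") or {}).get("terminated")
        if not term:
            continue
        started = _parse_ts(term.get("startedAt"))
        finished = _parse_ts(term.get("finishedAt"))
        records[status["name"]] = {
            "namespace": meta.get("namespace"),
            "pod": meta.get("name"),
            "pod_uid": meta.get("uid"),
            "container": status["name"],
            "image": status.get("image"),
            "exit_code": term.get("exitCode"),
            "reason": term.get("reason"),
            "started_at": term.get("startedAt"),
            "finished_at": term.get("finishedAt"),
            # session duration derived from the two timestamps (None if either is missing)
            "duration_s": (finished - started).total_seconds() if started and finished else None,
        }
    return records


class TerminationRecorder:
    """Consumes successive revisions of a pod (e.g. from a watch stream) and
    forwards each termination record to `sink` the first time it appears, the
    only moment the API is guaranteed to still hold it. When a later revision
    no longer carries the block, an 'overwritten' event is emitted so the gap
    itself is visible in the audit trail."""

    def __init__(self, sink):
        self.sink = sink            # callable taking one dict; e.g. a SIEM forwarder
        self._recorded = {}         # pod uid -> {container name -> record}

    def observe(self, pod):
        uid = pod["metadata"]["uid"]
        current = extract_terminations(pod)
        known = self._recorded.setdefault(uid, {})
        for name, rec in current.items():
            if name not in known:               # newly terminated: snapshot now
                known[name] = rec
                self.sink({"event": "ephemeral_container_terminated", **rec})
        for name in list(known):
            if name not in current:             # block gone in this revision
                self.sink({
                    "event": "termination_record_overwritten",
                    "pod_uid": uid,
                    "container": name,
                    "exit_code": known[name]["exit_code"],
                })
                del known[name]                 # emit the overwrite once only


def _pod(uid, ephemeral_statuses, resource_version):
    """Constructed pod object with only the fields the recorder reads."""
    return {
        "metadata": {"name": "payments-7c9f", "namespace": "prod",
                     "uid": uid, "resourceVersion": resource_version},
        "status": {"ephemeralContainerStatuses": ephemeral_statuses},
    }


def run_demo():
    """Replay three constructed pod revisions and return the emitted events."""
    events = []
    recorder = TerminationRecorder(events.append)
    uid = "0d1b2c3d-0000-4000-8000-constructed"
    # revision 1: debug session still running, nothing to record yet
    recorder.observe(_pod(uid, [{"name": "debugger-k7x2q", "image": "busybox:1.36",
                                 "state": {"running": {"startedAt": "2026-05-18T10:15:30Z"}}}], "1001"))
    # revision 2: session ended; exit code and timestamps visible in State.Terminated
    recorder.observe(_pod(uid, [{"name": "debugger-k7x2q", "image": "busybox:1.36",
                                 "state": {"terminated": {"exitCode": 137, "reason": "Error",
                                                          "startedAt": "2026-05-18T10:15:30Z",
                                                          "finishedAt": "2026-05-18T10:17:00Z"}}}], "1002"))
    # revision 3 (constructed): a later pod update, the terminated block is no longer present
    recorder.observe(_pod(uid, [{"name": "debugger-k7x2q", "image": "busybox:1.36",
                                 "state": {}}], "1003"))
    return events


if __name__ == "__main__":
    for ev in run_demo():
        print(ev)
```

The recorder is deliberately keyed on the pod UID rather than the name, so a rescheduled pod with the same name is treated as a new object and its earlier debug sessions are not confused with later ones. Pipe revisions in from `kubectl get pod -w -o json` in a sidecar or operator, and write `sink` to append to a shared volume or post to the team's SIEM; the exit code, finish timestamp and duration then survive the next pod change.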

Source article: What kubectl debug doesn’t tell you: The silent evidence gap (CNCF Blog)
