--- id: agent-kubernetes-ephemeral-containers-and-debugging title: 'Agent Kubernetes Ephemeral Containers and Debugging' schema_type: TechArticle category: ai language: en confidence: medium last_verified: '2026-06-03' created_date: '2026-06-03' generation_method: ai_structured derived_from_human_seed: true conflict_of_interest: none_declared is_live_document: false data_period: static atomic_facts: - id: fact-ai-agent-kubernetes-ephemeral-containers-and-debugging-1 statement: >- Kubernetes documentation says its Debug Running Pods page explains how to debug Pods that are running or crashing on a Node. source_title: Kubernetes Debug Running Pods source_url: https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/ confidence: medium - id: fact-ai-agent-kubernetes-ephemeral-containers-and-debugging-2 statement: >- Kubernetes kubectl debug documentation says the command can add an ephemeral container to an already running Pod without restarting it. source_title: Kubernetes kubectl debug source_url: https://kubernetes.io/docs/reference/kubectl/generated/kubectl_debug/ confidence: medium - id: fact-ai-agent-kubernetes-ephemeral-containers-and-debugging-3 statement: >- Kubernetes debugging documentation says kubectl debug can create a node debugging Pod whose root filesystem is mounted at /host. source_title: Kubernetes Debug Running Pods source_url: https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/ confidence: medium completeness: 0.82 known_gaps: - Debug safety depends on cluster policy, PodSecurity profile, RBAC, image trust, namespace targeting, process namespace sharing, cleanup, audit logs, and whether a copied Pod changes runtime behavior. disputed_statements: [] primary_sources: - title: Kubernetes Debug Running Pods type: documentation year: 2026 url: https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/ institution: Kubernetes - title: Kubernetes kubectl debug type: documentation year: 2026 url: https://kubernetes.io/docs/reference/kubectl/generated/kubectl_debug/ institution: Kubernetes secondary_sources: [] updated: '2026-06-03' ai_models: - gpt-5-codex --- ## TL;DR Ephemeral containers and kubectl debug evidence help agents investigate minimal or crashing Kubernetes workloads without rebuilding the production image first. ## Core Explanation Production containers often omit shells, package managers, and network tools. Agents that only ask for application logs may miss namespace, DNS, filesystem, or node-level evidence. Kubernetes debugging workflows provide ways to add a temporary debug container, copy a Pod with modified images, or inspect a node. The safe path is evidence-first. Agents should record the target Pod, namespace, debug image, profile, RBAC principal, node, cleanup plan, and exact commands before recommending a debug session. A debug container can change the security posture of a live workload, so the recommendation should name the diagnostic purpose and least-privilege profile. ## Source-Mapped Facts - Kubernetes documentation says its Debug Running Pods page explains how to debug Pods that are running or crashing on a Node. ([source](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/)) - Kubernetes kubectl debug documentation says the command can add an ephemeral container to an already running Pod without restarting it. ([source](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_debug/)) - Kubernetes debugging documentation says kubectl debug can create a node debugging Pod whose root filesystem is mounted at /host. ([source](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/)) ## Further Reading - [Kubernetes Debug Running Pods](https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/) - [Kubernetes kubectl debug](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_debug/)