Skip to main content
What We Do
Software,
Engineered End-to-End
AI, blockchain, mobile apps, and custom platforms — built for teams that care about the outcome, not the tech stack.
View all services
AI Solutions
AI-integrated software, automation & autonomous agents.
Web & SaaS Platforms
Custom web apps, SaaS products & admin platforms.
Blockchain Solutions
Smart contracts, tokenization & enterprise integrations.
Mobile App Development
Native & cross-platform iOS and Android apps.
Integrations & APIs
Payment gateways, third-party APIs & enterprise sync.
All Services
See every capability — AI, blockchain, software, and integrations.
Read to Decide
Honest
Engineering Content
Industry playbooks, honest comparisons, and real cost guides — the resources we wish existed before we built this company.
Read the blog
Blog
Engineering essays and industry perspectives from the team.
Industries
How we work across healthcare, fintech, logistics, and more.
Compare
Honest A-vs-B frames for product and build-vs-buy decisions.
Cost Guides
Real budget tiers for AI, blockchain, and custom builds.
Our Work
Real Projects.
Real Results.
Explore live demos of platforms we built — from AI-powered experiences to Web3 platforms.
View all demos
Zybo AI
Live
Zybo AI
AI support chatbot with a human safety net & smart escalation.
OperationsHub CRM
1-click Live
OperationsHub CRM
Complete CRM with leads, deals, invoicing, expenses & approvals.
AI Blockchain Explorer
Live
AI Blockchain Explorer
Wallet analysis, risk intelligence & natural language queries.
AI Virtual Try-On
Live
AI Virtual Try-On
Upload a photo, instantly visualise outfits with AI generation.
Web3 Dapps
Live
Web3 Dapps
Blockchain smart contracts with trustless reward distribution.
Scalable eCommerce Platform
1-click Live
Scalable eCommerce Platform
Full-featured store with optional referral integration.
Back to Blog
automationkubernetessrekubectl-debugephemeral-containersincident-responsedevops

The kubectl debug Blind Spot Every SRE Should Know About

Kubernetes loses kubectl debug exit codes the moment a pod shifts state. Learn the EphemeralContainerStatus API flaw silently breaking SRE incident response.

Zyfolks Team ·

Your on-call engineer just spent 12 minutes inside a failing pod, found the root cause, and exited with a meaningful code. Six minutes later, the next engineer on rotation can’t see any of it — not the exit code, not the duration, not even which container was targeted. The Kubernetes API never recorded it, and it’s not coming back. This isn’t a kubectl bug. It’s a deliberate API design choice from 2019 that’s breaking incident response workflows.

The Silent Evidence Gap in Ephemeral Containers

According to the original report from opscart, once a kubectl debug session ends and the pod state shifts, Kubernetes drops the termination context of that session from its API. The EphemeralContainerStatus type in Kubernetes v1.32 has no lastState field and no restartCount — both present on the regular ContainerStatus. The moment another container restarts, a second debug session attaches, or the pod is rescheduled, the previous session’s State.Terminated block gets overwritten and the exit code disappears with it.

Why it matters: ephemeral containers were introduced in Kubernetes v1.16 as an alpha feature specifically to avoid touching pod lifecycle guarantees. The spec explicitly says they are “not restarted on failure,” which is why the restart and last-state tracking machinery was excluded. That was a reasonable scoping decision when ephemeral containers were experimental. It doesn’t hold once kubectl debug is in everyone’s runbook.

If you’re running any cluster on Kubernetes 1.25 or later, you can reproduce this in three commands. Spin up an nginx pod, attach a debug container that exits with code 42, then immediately query .status.ephemeralContainerStatuses — the exit code is right there. Wait for any pod modification, query again, and it’s gone. kubectl logs for the debug container returns NotFound.

Our take: this gap will get fixed in the next 18 months, but probably not because of an internal Kubernetes initiative — it’ll be forced by compliance auditors who finally notice it.

Why ContainerStatus and EphemeralContainerStatus Diverge

The asymmetry between the two API types explains the whole problem. A regular ContainerStatus preserves lastState across restarts, so you can always answer “what was the previous termination reason?” An EphemeralContainerStatus only carries the current state — when that gets replaced, the record is gone. There is no lastState to fall back on, by design.

Why it matters: SRE teams have built entire conventions around exit codes — exit 42 for connection pool exhaustion, exit 1 for missing config, custom codes that encode findings into a single integer. The original report notes these conventions are “particularly common in SRE workflows.” When the API discards that signal, the convention loses its receiving end. The signal is sent, but no one can read it afterward.

Imagine you run an internal platform that hosts production microservices and your incident response process leans on exit codes as machine-readable findings. Today, a debug session that exits with code 42 generates exactly zero durable artifacts in the API. Your audit pipeline won’t see it, your post-incident automation can’t react to it, and your next on-call engineer has to start from scratch.

Our take: exit codes as a diagnostic protocol are too useful to abandon — Kubernetes is the layer that needs to catch up, not the SRE convention.

The Handoff That Breaks Mid-Incident

The operational pain shows up most clearly in handoffs. The original report walks through a realistic scenario: an on-call engineer attaches kubectl debug, investigates for 12 minutes, exits with code 42, scribbles “connection pool exhaustion” into the incident channel, and rolls off. The next engineer queries the pod and gets nothing useful back. Duration: not available. Target container: not recorded as an API field (it’s a kubectl CLI flag, not a pod field). Logs: container not found.

Why it matters: every handoff now depends entirely on the quality of human-written notes captured under pressure. The API contributes nothing. For teams running AI-assisted operational agents that read cluster state to triage incidents, this is a direct blind spot — the agent can’t learn from prior debug sessions because the evidence was never persisted.

There’s a compliance angle too. Frameworks like PCI-DSS requirement 10.3 on audit logging and SOC 2 access activity requirements expect traceability of operational actions. According to the report, the Kubernetes API alone currently cannot answer “who looked at what container, and for how long” for ephemeral container sessions. That’s not a soft gap — that’s a control failure waiting to be flagged in an audit.

Our take: the first major Kubernetes platform vendor to ship a managed ephemeral-container audit trail as a built-in feature will turn this gap into a competitive selling point.

Workarounds That Actually Hold Up Under Incident Pressure

There are three practical paths today, and none of them are clean. The first is application-level logging: pipe findings to a shared volume or external system before exiting. Simple, but it depends on engineers remembering discipline at 3 AM. The second is kubectl logs -f in a parallel terminal — works if you started it before the session ended, which isn’t always realistic during a live incident.

The third is the most robust: an event-driven capture system that watches pod modifications and snapshots the State.Terminated block at the moment of transition, before any subsequent update overwrites it. The opscart team published a reference implementation at GitHub.com/opscart/k8s-causal-memory, with a reproducible scenario under scenarios/05-ephemeral-exit/. Their captured record for a 10-second session preserves everything the API throws away: container_name, target_container, exit_code, exit_class, duration_seconds, and node_name.

Why it matters: this approach is a controller pattern, not a Kubernetes patch. Any platform team can build it today. The catch is that the watch must win the race against other controllers that might update the pod first — so it’s most reliable on clusters with predictable controller behavior. Teams operating specialized workloads, such as OCPP charging management platforms or other regulated infrastructure, will want this kind of audit fidelity baked in from day one rather than retrofitted after a compliance review.

Our take: within a year, at least one observability vendor will package this exact watch-based capture as a turnkey feature, and it’ll become the de facto answer until upstream Kubernetes ships lastState on EphemeralContainerStatus.

FAQ

Q: What is the kubectl debug evidence gap? A: When a kubectl debug session ends, the Kubernetes API only briefly exposes the termination context — exit code, finish time — through .status.ephemeralContainerStatuses. Any subsequent pod modification replaces that block, and unlike regular containers, ephemeral containers have no lastState field to preserve the previous record. The diagnostic signal is lost.

Q: Why don’t ephemeral containers have a lastState field? A: The Kubernetes spec defines ephemeral containers as “not restarted on failure,” so when they were introduced in alpha in Kubernetes v1.16, the restart-tracking and last-state preservation fields were excluded by design. That scoping made sense when ephemeral containers were experimental, but it predates kubectl debug becoming a mainstream incident response tool.

Q: Can Kubernetes audit logs fill the gap? A: Not for the data the report focuses on. Because the --target container name and session duration are not stored as API fields, standard Kubernetes audit logs cannot answer “who debugged which container, and for how long” for ephemeral container sessions. You need application-level logging or an external capture system.

Key Takeaways

  • Treat kubectl debug exit codes as ephemeral signals — capture them externally at exit time, or assume they’ll be gone in five minutes.
  • Teams in regulated environments should audit their ephemeral container coverage now, before a PCI-DSS or SOC 2 review surfaces the gap.
  • A watch-based controller that snapshots State.Terminated at the transition moment is the most robust workaround available today without upstream changes.
  • Expect SIG Node or SIG Instrumentation to receive a KEP proposing minimal lastState support on EphemeralContainerStatus — and expect compliance pressure, not engineering preference, to drive its acceptance.
  • Until that lands, every debug session handoff is only as reliable as the human notes attached to it; build that assumption into your incident response runbooks.

Build With Zyfolks

AI Automation

Automate workflows, documents, reports, and data pipelines with AI — eliminate manual busywork and scale operations without scaling headcount.

Learn more

AI Agents

Autonomous agents that handle customer support, research, sales qualification, and internal knowledge — running 24/7 with human oversight.

Learn more

AI-Integrated Software

Custom software with AI capabilities baked in — ML, NLP, predictive analytics, and real-time intelligence built into your product.

Learn more

Have a project in mind?

Tell us what you're building — we reply within 24 hours.

LET'S TALK