Ephemeral Containers and kubectl debug — Debugging Pods You Deliberately Locked Down

Day 14 hardened the webapp so thoroughly that conventional debugging mostly died there — no curl (Day 13 found that out), no package manager you're allowed to use, read-only filesystem, and the industry trend is distroless images with no shell at all. That hardening is correct, and Kubernetes built tooling for living with it: kubectl debug. Attach a fully-tooled ephemeral container to a running Pod without restarting it, copy a crash-looping Pod with its command swapped out for a shell, or drop onto the node itself through a host-namespace Pod — and watch Pod Security Admission referee every one of those moves.