Skill Being Reviewed
skills/cloud/container-security
Review Focus
The skill covers container images, registries, Kubernetes, runtime configuration, secrets, network policy, admission control, and CIS/Kubernetes review areas. The gap I found is debug-time access: ephemeral containers, kubectl debug, break-glass shell sessions, and temporary admission bypasses can create privileged runtime access without changing the original workload spec.
False Positive Analysis
Debug tooling is not automatically a vulnerability. Benign evidence includes:
- Ephemeral containers restricted by RBAC to a small incident-response group.
- Admission policies that apply to ephemeral containers as well as normal containers.
- Audit logs showing who launched a debug session, why, and for how long.
- Debug images pinned by digest and pulled from an approved registry.
The skill should avoid flagging all debug access, but should require controls matching its privilege.
Coverage Gaps
Please add a check for ephemeral/debug container pathways:
- Kubernetes RBAC verbs on
pods/ephemeralcontainers, pods/exec, pods/attach, and pods/portforward.
- Whether admission policies inspect ephemeral containers for privileged mode, host namespaces, capabilities, volume mounts, and image source.
- Whether runtime policies and network policies apply to debug containers.
- Whether debug sessions are time-bounded, approved, and audited.
- Whether break-glass debug images bypass normal image signing, SBOM, or vulnerability gates.
This matters because a hardened deployment manifest can still be bypassed by a privileged ephemeral container injected during an incident or troubleshooting session.
Edge Cases
- Some clusters disable ephemeral containers but still allow
exec into privileged pods; both paths should be reviewed.
- Emergency incident response may require debug access, but should have explicit approval, TTL, and after-action review.
- Admission controllers may validate normal
containers and initContainers but forget ephemeralContainers.
- Debug images often contain tools and package managers that production images intentionally omit.
Remediation Quality
Good remediation should include:
- RBAC tightening for debug-related verbs.
- Admission policy coverage for ephemeral containers.
- Approved debug image list with digest pinning.
- Audit query examples for debug session launch and duration.
- Exception process with owner, reason, and expiry.
Comparison To Existing Tools
CIS checks and image scanners usually focus on deployed workloads and image contents. They may miss an operator injecting a privileged debug container after deployment. This skill can add value by reviewing the runtime access path that exists outside the normal CI/CD manifest.
Overall Assessment
The skill is strong for standard container posture review. Adding explicit ephemeral/debug container gates would improve coverage for a realistic Kubernetes privilege-escalation and incident-response failure mode.
Suggested Acceptance Criteria
- Add checks for
pods/ephemeralcontainers, exec, attach, and portforward privileges.
- Require admission policy coverage for ephemeral containers.
- Add audit and TTL requirements for debug sessions.
- Distinguish controlled emergency debug access from unbounded privileged bypass.
Bounty Info
This is submitted as a skill review bounty claim. Preferred payout: PayPal samik4184@gmail.com.
Skill Being Reviewed
skills/cloud/container-securityReview Focus
The skill covers container images, registries, Kubernetes, runtime configuration, secrets, network policy, admission control, and CIS/Kubernetes review areas. The gap I found is debug-time access: ephemeral containers,
kubectl debug, break-glass shell sessions, and temporary admission bypasses can create privileged runtime access without changing the original workload spec.False Positive Analysis
Debug tooling is not automatically a vulnerability. Benign evidence includes:
The skill should avoid flagging all debug access, but should require controls matching its privilege.
Coverage Gaps
Please add a check for ephemeral/debug container pathways:
pods/ephemeralcontainers,pods/exec,pods/attach, andpods/portforward.This matters because a hardened deployment manifest can still be bypassed by a privileged ephemeral container injected during an incident or troubleshooting session.
Edge Cases
execinto privileged pods; both paths should be reviewed.containersandinitContainersbut forgetephemeralContainers.Remediation Quality
Good remediation should include:
Comparison To Existing Tools
CIS checks and image scanners usually focus on deployed workloads and image contents. They may miss an operator injecting a privileged debug container after deployment. This skill can add value by reviewing the runtime access path that exists outside the normal CI/CD manifest.
Overall Assessment
The skill is strong for standard container posture review. Adding explicit ephemeral/debug container gates would improve coverage for a realistic Kubernetes privilege-escalation and incident-response failure mode.
Suggested Acceptance Criteria
pods/ephemeralcontainers,exec,attach, andportforwardprivileges.Bounty Info
This is submitted as a skill review bounty claim. Preferred payout: PayPal
samik4184@gmail.com.