kubectl debug sessions leave almost no forensic trace: by design, EphemeralContainerStatus has no lastState or restartCount, so the exit code, session duration, target container, and debugger logs disappear from the Kubernetes API the moment anything else updates the pod.
That breaks incident handoffs (the next engineer can't verify what the previous one did) and breaks audit requirements like PCI-DSS 10.3 and SOC 2, since you cannot answer "who looked at what container, for how long" from Kubernetes audit logs alone.
Workarounds today are application-level: write findings to a shared volume before exit, tail kubectl logs -f in parallel, or watch pod events and capture the Terminated transition externally; the author argues it's time for a KEP from SIG Node or SIG Instrumentation to add a minimal lastState to ephemeral containers.
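The third workaround, capturing the Terminated transition outside the cluster API, can look like the recorder below. It is an added example, not code from the original post: it takes pod watch events as plain dicts, and the namespace, pod and container names, UID and timestamps in the sample events are constructed.

```python
from datetime import datetime

def parse_ts(s):
    # Kubernetes status timestamps are RFC 3339 with a trailing "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

class DebugSessionRecorder:
    """Persists the first Terminated state seen for each ephemeral container."""
    def __init__(self):
        self.records = {}  # (namespace, pod, pod uid, container) -> record

    def observe(self, event):
        """Feed one pod watch event; returns records newly captured from it."""
        pod = event["object"]
        meta = pod["metadata"]
        targets = {c["name"]: c.get("targetContainerName")
                   for c in pod.get("spec", {}).get("ephemeralContainers", [])}
        captured = []
        for cs in pod.get("status", {}).get("ephemeralContainerStatuses", []):
            term = cs.get("state", {}).get("terminated")
            key = (meta["namespace"], meta["name"], meta["uid"], cs["name"])
            if not term or key in self.records:
                continue  # still running, or this session is already stored
            started, finished = parse_ts(term["startedAt"]), parse_ts(term["finishedAt"])
            self.records[key] = {
                "namespace": meta["namespace"], "pod": meta["name"], "pod_uid": meta["uid"],
                "container": cs["name"], "target_container": targets.get(cs["name"]),
                "exit_code": term["exitCode"], "started_at": term["startedAt"],
                "finished_at": term["finishedAt"],
                "duration_seconds": int((finished - started).total_seconds()),
            }
            captured.append(self.records[key])
        return captured

def sample_event(state):
    # Constructed pod watch event (not captured from a real cluster).
    statuses = [{"name": "debugger-x1", "state": state}] if state else []
    return {"type": "MODIFIED", "object": {
        "metadata": {"namespace": "payments", "name": "api-7d9f", "uid": "constructed-uid-1"},
        "spec": {"ephemeralContainers": [{"name": "debugger-x1", "targetContainerName": "api"}]},
        "status": {"ephemeralContainerStatuses": statuses}}}

TERMINATED = {"terminated": {"exitCode": 130, "startedAt": "2024-05-01T10:00:00Z",
                             "finishedAt": "2024-05-01T10:12:30Z"}}
SAMPLE_EVENTS = [sample_event({"running": {"startedAt": "2024-05-01T10:00:00Z"}}),
                 sample_event(TERMINATED), sample_event(TERMINATED), sample_event(None)]

if __name__ == "__main__":
    recorder = DebugSessionRecorder()
    for ev in SAMPLE_EVENTS:
        for rec in recorder.observe(ev):
            print(rec)
```

The record covers what container was debugged, for how long, and with what exit code; the identity of the person who started the session is not in pod status and has to be joined in from the API server audit entry for the pods/ephemeralcontainers subresource.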










