Ephemeral containers also have a spec.securityContext, hence we can set capabilities for them (and an attacker can use it for privilege escalation). This policy predates their inclusion in Kubernetes, and this policy mirrors the analogous capabilities PSP, which also predates their inclusion in Kubernetes. The PSP was never updated because it was deprecated instead.
This doesn't mean we shouldn't check ephemeral containers too.
Acceptance criteria
Validate ephemeral containers too.
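The gap described above, shown as an added example that is not the policy's own code: a capabilities check modelled on the PSP fields allowedCapabilities and requiredDropCapabilities, run once over only containers and initContainers (the pre-ephemeral-container behaviour) and once over ephemeralContainers as well. The Settings field names, the ValidatePod function and the constructed pod JSON are assumptions for illustration; the ephemeral container's JSON shape (name and securityContext at the top level of the entry) follows the Kubernetes API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Settings is a hypothetical policy configuration modelled on the PSP fields
// allowedCapabilities and requiredDropCapabilities (field names assumed).
type Settings struct {
	AllowedCapabilities      []string
	RequiredDropCapabilities []string
}

type Capabilities struct {
	Add  []string `json:"add"`
	Drop []string `json:"drop"`
}

type SecurityContext struct {
	Capabilities *Capabilities `json:"capabilities"`
}

// Container carries only the fields the check needs; ephemeral containers
// expose name and securityContext at the same JSON level, so one type serves all three lists.
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext"`
}

type PodSpec struct {
	Containers          []Container `json:"containers"`
	InitContainers      []Container `json:"initContainers"`
	EphemeralContainers []Container `json:"ephemeralContainers"`
}

type Pod struct {
	Spec PodSpec `json:"spec"`
}

func contains(list []string, item string) bool {
	for _, v := range list {
		if v == item {
			return true
		}
	}
	return false
}

// validateContainer returns one message per violated rule: every added
// capability must be allowed (or "*" allowed), and every required drop must be present.
func validateContainer(c Container, s Settings) []string {
	var add, drop []string
	if c.SecurityContext != nil && c.SecurityContext.Capabilities != nil {
		add = c.SecurityContext.Capabilities.Add
		drop = c.SecurityContext.Capabilities.Drop
	}
	var violations []string
	for _, capName := range add {
		if !contains(s.AllowedCapabilities, "*") && !contains(s.AllowedCapabilities, capName) {
			violations = append(violations, fmt.Sprintf("container %q adds capability %s, which is not allowed", c.Name, capName))
		}
	}
	for _, capName := range s.RequiredDropCapabilities {
		if !contains(drop, capName) {
			violations = append(violations, fmt.Sprintf("container %q must drop capability %s", c.Name, capName))
		}
	}
	return violations
}

// ValidatePod checks containers and initContainers, and ephemeralContainers
// only when includeEphemeral is true (the behaviour the acceptance criteria ask for).
func ValidatePod(pod Pod, s Settings, includeEphemeral bool) []string {
	all := append([]Container{}, pod.Spec.Containers...)
	all = append(all, pod.Spec.InitContainers...)
	if includeEphemeral {
		all = append(all, pod.Spec.EphemeralContainers...)
	}
	var violations []string
	for _, c := range all {
		violations = append(violations, validateContainer(c, s)...)
	}
	return violations
}

func DefaultSettings() Settings {
	return Settings{AllowedCapabilities: []string{"NET_BIND_SERVICE"}, RequiredDropCapabilities: []string{"NET_RAW"}}
}

// SamplePod returns a constructed pod: the main container complies, while the
// ephemeral debug container adds SYS_ADMIN, which the settings do not allow.
func SamplePod() (Pod, error) {
	const raw = `{"spec":{
	  "containers":[{"name":"app","securityContext":{"capabilities":{"drop":["NET_RAW"]}}}],
	  "ephemeralContainers":[{"name":"debug","securityContext":{"capabilities":{"add":["SYS_ADMIN"],"drop":["NET_RAW"]}}}]
	}}`
	var pod Pod
	err := json.Unmarshal([]byte(raw), &pod)
	return pod, err
}

func main() {
	pod, err := SamplePod()
	if err != nil {
		panic(err)
	}
	fmt.Println("without ephemeral:", ValidatePod(pod, DefaultSettings(), false))
	fmt.Println("with ephemeral:   ", ValidatePod(pod, DefaultSettings(), true))
}
```

With ephemeral containers skipped the pod passes; with them included the debug container's SYS_ADMIN addition is reported, which is exactly the escalation path the issue describes.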