zarf-dev / zarf

DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
Apache License 2.0

EphemeralContainers via kubectl debug bypass Zarf webhook #2153

Open mjnagel opened 11 months ago

mjnagel commented 11 months ago

Environment

Device and OS: macOS
App version: 0.31.1
Kubernetes distro being used: k3d

Steps to reproduce

  1. Zarf init
  2. Deploy some things with zarf
  3. kubectl debug -it -n test test-pod --image busybox (with some pod in cluster)

Expected result

Zarf would mutate the image to be one from zarf's registry.

Actual Result

The update to the pod bypasses zarf's webhook.

Severity/Priority

Not critical, user can always specify the zarf image registry directly.

Additional Context

There are two issues at play:

bburky commented 7 months ago

This issue came up in discussion recently.

Another reason this is important is to support kubectl debug in an air gapped environment. If a user has included a debug image in a Zarf package, they can get it loaded into their Zarf registry. This webhook rewrite is needed to actually start the ephemeral debug container using an image from the registry.

mjnagel commented 7 months ago

@bburky would note it's still possible, albeit not ideal, to use kubectl debug in airgap. The pull secrets will already be on the pod so as long as they debug with the zarf registry image name it would work. Not a great user experience though since they would have to figure out the registry address, name, and tag that is pushed to zarf vs just being able to use the upstream image name/tag.
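The two points raised in this thread, that an ephemeral container added by `kubectl debug` can end up with an upstream image reference the webhook never rewrote, and that a user working around it by hand has to work out the registry address, name and tag themselves, can both be made concrete with a small check. The following Go program is an added example written for this page; it is not Zarf's code and does not use Zarf's actual image-naming scheme. It parses a constructed pod document (the state of `test-pod` after the reproduction steps above), lists every container in `containers`, `initContainers` and `ephemeralContainers` whose image is not served by the in-cluster registry, and shows a simplified rewrite of each such reference. The registry address `127.0.0.1:31999`, the pod contents, and the rewrite convention are all assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal slice of the Pod schema; the example deliberately avoids
// importing k8s.io/api so it runs with the Go standard library alone.
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

type Pod struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		Containers          []Container `json:"containers"`
		InitContainers      []Container `json:"initContainers"`
		EphemeralContainers []Container `json:"ephemeralContainers"`
	} `json:"spec"`
}

// Assumed address of the in-cluster registry; substitute the one your
// zarf init reported.
const zarfRegistry = "127.0.0.1:31999"

// Constructed sample: a pod whose main container the webhook already
// rewrote on creation, plus the ephemeral container that
// `kubectl debug -it -n test test-pod --image busybox` added afterwards.
const samplePod = `{
  "metadata": {"name": "test-pod", "namespace": "test"},
  "spec": {
    "containers": [
      {"name": "app", "image": "127.0.0.1:31999/library/nginx:1.25"}
    ],
    "ephemeralContainers": [
      {"name": "debugger-abc12", "image": "busybox"}
    ]
  }
}`

func parsePod(doc string) (*Pod, error) {
	var p Pod
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// fromRegistry reports whether an image reference is served by registry.
func fromRegistry(image, registry string) bool {
	return strings.HasPrefix(image, registry+"/")
}

// unmutatedImages lists every container, across all three container lists,
// whose image still points outside the registry. A non-empty result on a
// live pod is the symptom the issue describes.
func unmutatedImages(p *Pod, registry string) []string {
	var out []string
	check := func(kind string, cs []Container) {
		for _, c := range cs {
			if !fromRegistry(c.Image, registry) {
				out = append(out, fmt.Sprintf("%s/%s: %s", kind, c.Name, c.Image))
			}
		}
	}
	check("containers", p.Spec.Containers)
	check("initContainers", p.Spec.InitContainers)
	check("ephemeralContainers", p.Spec.EphemeralContainers)
	return out
}

// withTag appends ":latest" when the reference carries neither a tag nor a
// digest (only the last path segment is inspected, so a host:port is safe).
func withTag(ref string) string {
	last := ref[strings.LastIndex(ref, "/")+1:]
	if strings.ContainsAny(last, ":@") {
		return ref
	}
	return ref + ":latest"
}

// rewriteImage maps an upstream reference onto the registry using a
// simplified convention (an assumption for this example, not Zarf's scheme):
// Docker Hub references drop "docker.io/" and gain "library/" for
// single-segment names; references to any other registry keep that host as
// the first path segment. Already-rewritten references are returned as-is.
func rewriteImage(image, registry string) string {
	if fromRegistry(image, registry) {
		return image
	}
	path := image
	if strings.HasPrefix(path, "docker.io/") {
		path = strings.TrimPrefix(path, "docker.io/")
	} else {
		first := strings.SplitN(path, "/", 2)[0]
		if strings.ContainsAny(first, ".:") || first == "localhost" {
			return registry + "/" + withTag(path)
		}
	}
	if !strings.Contains(path, "/") {
		path = "library/" + path
	}
	return registry + "/" + withTag(path)
}

// rewritePod applies rewriteImage to every container list and returns the
// number of references it changed.
func rewritePod(p *Pod, registry string) int {
	n := 0
	for _, cs := range [][]Container{p.Spec.Containers, p.Spec.InitContainers, p.Spec.EphemeralContainers} {
		for i := range cs {
			if r := rewriteImage(cs[i].Image, registry); r != cs[i].Image {
				cs[i].Image = r
				n++
			}
		}
	}
	return n
}

func main() {
	p, err := parsePod(samplePod)
	if err != nil {
		panic(err)
	}
	for _, m := range unmutatedImages(p, zarfRegistry) {
		fmt.Println("not served from registry:", m)
	}
	fmt.Println("rewritten:", rewritePod(p, zarfRegistry))
	for _, c := range p.Spec.EphemeralContainers {
		fmt.Printf("%s -> %s\n", c.Name, c.Image)
	}
}
```

Against a real cluster the same check is `kubectl get pod -n test test-pod -o json` piped into `parsePod`; the `rewriteImage` output is the reference a user would have to type by hand when working around the bypass, with the caveat that Zarf's own naming differs from the simplified convention assumed here.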