Hardening Kubernetes: Closing the kubectl debug node Loophole
kubectl debug node can bypass pod security restrictions, granting root access to a node. Learn how PSA, RBAC, and break-glass namespaces close this gap.
Even when workloads enforce strict pod-level controls like runAsNonRoot and readOnlyRootFilesystem, the kubectl debug node command can bypass all of it. It spins up a highly privileged debugger pod that hooks into the host's PID, network, and IPC namespaces and mounts the host's root filesystem — meaning a compromised credential can instantly erase container isolation.
The fix is layered: enable the restricted Pod Security Admission (PSA) profile at the namespace level, enforce it cluster-wide by default through an Admission Configuration so new namespaces inherit it automatically, and audit RBAC roles to restrict access to sensitive subresources such as nodes/proxy and pods/ephemeralcontainers. With these in place, the API server rejects the debugger pod outright because it requires hostPID and hostPath mounts that restricted forbids.
The source also walks through testing this locally using a k0s cluster running inside Docker, letting engineers verify that the restricted PSA policy actually blocks the debug command without touching a production environment.
For legitimate emergencies, the recommended pattern is a dedicated 'break-glass' namespace explicitly labeled with the privileged PSA level. Node debugging is only possible by targeting that namespace directly, so accidental privilege escalation is blocked in everyday use while an auditable emergency path remains available.