<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Andriesh Rusnac</title>
    <description>The latest articles on DEV Community by Andriesh Rusnac (@andriesh).</description>
    <link>https://dev.to/andriesh</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1673650%2F925d62ce-a0cd-4908-90d4-5362efdb42b4.png</url>
      <title>DEV Community: Andriesh Rusnac</title>
      <link>https://dev.to/andriesh</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/andriesh"/>
    <language>en</language>
    <item>
      <title>Hardening Kubernetes: How to Block `kubectl debug node` from Breaking Your Cluster Matrix</title>
      <dc:creator>Andriesh Rusnac</dc:creator>
      <pubDate>Thu, 09 Jul 2026 11:47:03 +0000</pubDate>
      <link>https://dev.to/andriesh/hardening-kubernetes-how-to-block-kubectl-debug-node-from-breaking-your-cluster-matrix-49kb</link>
      <guid>https://dev.to/andriesh/hardening-kubernetes-how-to-block-kubectl-debug-node-from-breaking-your-cluster-matrix-49kb</guid>
      <description>&lt;p&gt;You've done everything right. You're hardening your Kubernetes cluster, meticulously setting &lt;code&gt;runAsNonRoot: true&lt;/code&gt;, and applying &lt;code&gt;readOnlyRootFilesystem: true&lt;/code&gt; across all your workloads. Your pods are locked down tight.&lt;/p&gt;

&lt;p&gt;And then, you run this one command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl debug node/my-node-name &lt;span class="nt"&gt;-it&lt;/span&gt; &lt;span class="nt"&gt;--image&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;ubuntu
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Boom. Within seconds, you have a shell with full root access to the host machine's root filesystem.&lt;/p&gt;

&lt;p&gt;Wait... what? ## The Privilege Escalation Trapdoor&lt;/p&gt;

&lt;p&gt;When you run kubectl debug node, Kubernetes spawns a highly privileged "debugger" pod. This pod bypasses standard pod-level restrictions by design: it hooks directly into the host’s PID, network, and IPC namespaces, and mounts the host’s root directory (/).&lt;/p&gt;

&lt;p&gt;If an attacker compromises a service account or user credentials with sufficient permissions, your container isolation vanishes instantly.&lt;/p&gt;

&lt;p&gt;Here is how to completely close this loophole and build a bulletproof environment—including how to test it locally in a containerized k0s lab.&lt;/p&gt;

&lt;h2&gt;
  
  
  3 Layers of Defense to Block Node Debugging
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1. The Quick Fix: Namespace-Level Pod Security Admission (PSA)
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;kubectl debug node&lt;/code&gt; spins up its helper pod inside your active namespace. If that namespace enforces the native Kubernetes Baseline or Restricted security standards, the API server will flat-out reject the debugger pod.&lt;/p&gt;

&lt;p&gt;To secure your working namespace (e.g., &lt;code&gt;default&lt;/code&gt;):&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl label &lt;span class="nt"&gt;--overwrite&lt;/span&gt; ns default pod-security.kubernetes.io/enforce&lt;span class="o"&gt;=&lt;/span&gt;restricted
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Why this works: The debug pod requires hostPID: true and hostPath mounts. The restricted profile strictly forbids these, causing the API server to kill the request before the pod is even born.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. The Bulletproof Way: Cluster-Wide Automation
&lt;/h3&gt;

&lt;p&gt;Relying on manual namespace labels leaves room for human error. To make restricted the unyielding default for every new namespace, you can configure a cluster-wide Admission Configuration.&lt;/p&gt;

&lt;p&gt;Create an &lt;code&gt;admission-config.yaml&lt;/code&gt; file:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;apiserver.config.k8s.io/v1&lt;/span&gt;
&lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;AdmissionConfiguration&lt;/span&gt;
&lt;span class="na"&gt;plugins&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
&lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;PodSecurity&lt;/span&gt;
  &lt;span class="na"&gt;configuration&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;apiVersion&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;pod-security.admission.config.k8s.io/v1&lt;/span&gt;
    &lt;span class="na"&gt;kind&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;PodSecurityConfiguration&lt;/span&gt;
    &lt;span class="na"&gt;defaults&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;enforce&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;restricted"&lt;/span&gt;
      &lt;span class="na"&gt;enforce-version&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;latest"&lt;/span&gt;
    &lt;span class="na"&gt;exemptions&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;namespaces&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;kube-system"&lt;/span&gt;&lt;span class="pi"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;kube-public"&lt;/span&gt;&lt;span class="pi"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;k0s-system"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt; &lt;span class="c1"&gt;# &lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;System pods still need host access&lt;br&gt;
If you are using k0s, you can pass this configuration file straight to your API server by adding it to your /etc/k0s/k0s.yaml:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;api&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;extraArgs&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;admission-control-config-file&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;/etc/k0s/admission-config.yaml&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;The Structural Fix: Tighten Your RBAC
&lt;code&gt;kubectl debug node&lt;/code&gt; relies on access to specific API subresources. To prevent non-admin users from utilizing it, audit your &lt;code&gt;ClusterRoles&lt;/code&gt; and ensure they do not have access to:&lt;/li&gt;
&lt;/ol&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;code&gt;nodes/proxy&lt;/code&gt; (required for node debugging)&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;code&gt;pods/ephemeralcontainers&lt;/code&gt; (used for pod-level debugging)&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;How to Test This Locally (The k0s Docker Playground)&lt;br&gt;
Want to see this in action without breaking a production cluster? You can spin up a lightweight k0s cluster right inside a local Docker container.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;(Note: If you are running Docker Desktop on macOS/Windows, we must pass a flag to bypass strict host kernel checks).&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Step 1: Fire up the container&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;docker run &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="nt"&gt;--name&lt;/span&gt; k0s-lab &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--hostname&lt;/span&gt; k0s-lab &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--privileged&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-v&lt;/span&gt; /var/lib/k0s &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-p&lt;/span&gt; 6443:6443 &lt;span class="se"&gt;\&lt;/span&gt;
  docker.io/k0sproject/k0s:v1.36.1-k0s.0 &lt;span class="se"&gt;\&lt;/span&gt;
  k0s controller &lt;span class="nt"&gt;--enable-worker&lt;/span&gt; &lt;span class="nt"&gt;--ignore-pre-flight-checks&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Step 2: Connect your local kubectl&lt;br&gt;
Wait about 15 seconds for the API server to bootstrap, then grab the kubeconfig:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;docker &lt;span class="nb"&gt;exec &lt;/span&gt;k0s-lab k0s kubeconfig admin &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; ~/.kube/k0s-lab.config
&lt;span class="nb"&gt;export &lt;/span&gt;&lt;span class="nv"&gt;KUBECONFIG&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;~/.kube/k0s-lab.config

&lt;span class="c"&gt;# Check that it's alive!&lt;/span&gt;
kubectl get nodes
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Step 3: Trigger the Trap&lt;br&gt;
First, let's enforce our security profile on the default namespace:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl label &lt;span class="nt"&gt;--overwrite&lt;/span&gt; ns default pod-security.kubernetes.io/enforce&lt;span class="o"&gt;=&lt;/span&gt;restricted
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Now, try to break out of the container matrix using the debug command:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl debug node/k0s-lab &lt;span class="nt"&gt;-it&lt;/span&gt; &lt;span class="nt"&gt;--image&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;ubuntu
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The Result:&lt;br&gt;
Instead of a root prompt, the API server will instantly drop a massive rejection block:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Error from server (Forbidden): pods "node-debugger-..." is forbidden: violates PodSecurity "restricted:latest": hostNetwork: true, hostPID: true...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Your playground is officially secure!&lt;/p&gt;

&lt;h2&gt;
  
  
  What About Real Emergencies? (The "Break-Glass" Solution)
&lt;/h2&gt;

&lt;p&gt;If you lock down your cluster so tightly that node debugging is completely blocked, how do you fix a node when things actually go wrong?&lt;/p&gt;

&lt;p&gt;The best practice is to design a dedicated Break-Glass Namespace:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Create a namespace called &lt;code&gt;break-glass&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Explicitly label it as &lt;code&gt;privileged&lt;/code&gt;:
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl create ns break-glass
kubectl label ns break-glass pod-security.kubernetes.io/enforce&lt;span class="o"&gt;=&lt;/span&gt;privileged
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ol&gt;
&lt;li&gt;To debug a node, you must now explicitly invoke that namespace:
&lt;/li&gt;
&lt;/ol&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;kubectl debug node/k0s-lab &lt;span class="nt"&gt;-it&lt;/span&gt; &lt;span class="nt"&gt;--image&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;ubuntu &lt;span class="nt"&gt;-n&lt;/span&gt; break-glass
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This ensures your day-to-day environment blocks accidental slips, while keeping an audit-logged backdoor open only for intentional, emergency maintenance.&lt;/p&gt;

&lt;p&gt;How are you handling host-level security in your clusters? Let's talk in the comments below! 🛡️&lt;/p&gt;

</description>
      <category>devops</category>
      <category>kubernetes</category>
      <category>security</category>
      <category>tutorial</category>
    </item>
  </channel>
</rss>
