Debug Pod does not set securityContext, failing PodSecurity restricted policy #4969

@cloud-marcel

Description

Problem

When using the "Debug Pod" feature to attach an ephemeral container to a running pod, the created container has no securityContext configured. This causes the operation to fail with a PodSecurity admission error in namespaces enforcing the restricted policy:

pods "<pod-name>" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "headlamp-debug" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "headlamp-debug" must set securityContext.capabilities.drop=["ALL"])

The restricted PodSecurity Standard is the recommended baseline for production workloads and is widely enforced. This makes the debug container feature effectively unusable in most production and security-conscious environments.

Root Cause

addEphemeralContainer() in frontend/src/lib/k8s/pod.ts does not include a securityContext in the ephemeral container spec.

Expected Behavior

The debug container should either:

  1. Expose security context fields in the Pod Debug Settings UI so users can configure them per cluster.
  2. Default to a restricted-compatible security context.

Environment

  • Namespace PodSecurity enforcement: restricted:latest
  • Headlamp version: 0.40.1
  • Kubernetes version: v1.33.4

Suggested Fix

Expose the securityContext as a configurable option in the cluster's Pod Debug Settings alongside the existing debug image setting.
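As an added example (not Headlamp's code, and not its addEphemeralContainer() API): a standalone TypeScript sketch of the restricted-compatible default proposed in this issue, plus a checker that reproduces the container-level PodSecurity "restricted" rules so the two violations quoted above can be caught client-side before the ephemeralcontainers request is sent. The RESTRICTED_SECURITY_CONTEXT constant, the buildDebugContainer helper, the container name and image used in the demo, and the wording of the runAsNonRoot and seccompProfile messages are assumptions made for this example; only the allowPrivilegeEscalation and capabilities messages are copied from the admission error quoted in the issue.

```typescript
// Added example, not Headlamp code. Models an ephemeral container spec with a
// restricted-compatible securityContext and checks it against the
// PodSecurity "restricted" container-level rules.

interface SeccompProfile { type: 'RuntimeDefault' | 'Localhost' | 'Unconfined'; localhostProfile?: string }
interface SecurityContext {
  privileged?: boolean;
  allowPrivilegeEscalation?: boolean;
  capabilities?: { add?: string[]; drop?: string[] };
  runAsNonRoot?: boolean;
  seccompProfile?: SeccompProfile;
}
interface EphemeralContainer {
  name: string;
  image: string;
  command?: string[];
  targetContainerName?: string;
  securityContext?: SecurityContext;
}

// Assumed default: the minimum container-level settings that satisfy
// restricted:latest regardless of what the target pod sets at pod level.
const RESTRICTED_SECURITY_CONTEXT: SecurityContext = {
  allowPrivilegeEscalation: false,
  capabilities: { drop: ['ALL'] },
  runAsNonRoot: true,
  seccompProfile: { type: 'RuntimeDefault' },
};

// Hypothetical builder: `securityContext` stands in for the per-cluster
// Pod Debug Setting the issue asks for, defaulting to the restricted profile.
function buildDebugContainer(
  image: string,
  targetContainerName: string,
  securityContext: SecurityContext = RESTRICTED_SECURITY_CONTEXT,
  name = 'headlamp-debug',
): EphemeralContainer {
  return { name, image, command: ['sh'], targetContainerName, securityContext };
}

// Container-level restricted checks. runAsNonRoot and seccompProfile may be
// satisfied at pod level, so the pod's securityContext is consulted as fallback.
// The first two messages match the admission error; the rest approximate it.
function restrictedViolations(c: EphemeralContainer, podSc: SecurityContext = {}): string[] {
  const sc = c.securityContext ?? {};
  const out: string[] = [];
  if (sc.privileged === true) {
    out.push(`privileged (container "${c.name}" must not set securityContext.privileged=true)`);
  }
  if (sc.allowPrivilegeEscalation !== false) {
    out.push(`allowPrivilegeEscalation != false (container "${c.name}" must set securityContext.allowPrivilegeEscalation=false)`);
  }
  const drop = sc.capabilities?.drop ?? [];
  const add = sc.capabilities?.add ?? [];
  if (!drop.includes('ALL')) {
    out.push(`unrestricted capabilities (container "${c.name}" must set securityContext.capabilities.drop=["ALL"])`);
  }
  for (const cap of add) {
    // restricted allows adding back NET_BIND_SERVICE only
    if (cap !== 'NET_BIND_SERVICE') {
      out.push(`unrestricted capabilities (container "${c.name}" must not include "${cap}" in securityContext.capabilities.add)`);
    }
  }
  const runAsNonRoot = sc.runAsNonRoot ?? podSc.runAsNonRoot;
  if (runAsNonRoot !== true) {
    out.push(`runAsNonRoot != true (pod or container "${c.name}" must set securityContext.runAsNonRoot=true)`);
  }
  const seccomp = (sc.seccompProfile ?? podSc.seccompProfile)?.type;
  if (seccomp !== 'RuntimeDefault' && seccomp !== 'Localhost') {
    out.push(`seccompProfile (pod or container "${c.name}" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")`);
  }
  return out;
}

// Demo with a constructed target pod that already sets the pod-level fields,
// which is the situation the quoted error describes (only two rules fail).
function demo(): void {
  const targetPodSc: SecurityContext = { runAsNonRoot: true, seccompProfile: { type: 'RuntimeDefault' } };
  const noContext = buildDebugContainer('busybox:1.36', 'app', {});
  const withDefault = buildDebugContainer('busybox:1.36', 'app');
  console.log(restrictedViolations(noContext, targetPodSc));   // the two violations from the issue
  console.log(restrictedViolations(withDefault, targetPodSc)); // []
}
demo();
```

Running restrictedViolations() on the spec before calling the API gives the user an actionable message in the UI instead of a raw admission failure, and the same defaults can be overridden per cluster when a namespace is under baseline or privileged enforcement.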

Labels: kind/feature