This no-shell policy is far too draconian.
The same restriction also comes with "distroless" images. The benefits are clear in reduced size + improved security.
A common pattern to debug this type of image is to attach a sidecar container:
- https://matthewsanabria.dev/posts/no-shell-for-you-container/#debugging-with-sidecar-containers
- https://tmp.bearblog.dev/minimal-containers-using-nix/#debugging-a-distroless-image
It seems simple enough (a single command) to attach an alpine container to get a shell. I believe what we should do for now is to document this practice.
Originally posted by @steve-chavez in #2243 (reply in thread)