kubectl debug uses ephemeral containers, not exec

kubectl debug injects a fresh container into a running pod. It doesn't exec into the existing one. This matters when your app container has no shell.

If your application container is built from a distroless or scratch image, kubectl exec gives you nothing useful. There’s no shell to attach to.

kubectl debug solves this by injecting an ephemeral container into the running pod:

kubectl debug -it my-pod \
  --image=busybox \
  --target=my-app \
  -- sh

The --target flag makes the ephemeral container share the process namespace of your app container, so you can inspect its processes, read its filesystem via /proc/<pid>/root, and check its network, all without modifying the original pod spec.
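Once you're in that busybox shell, a few helpers like these (added here as an example, not from the original post) turn the /proc/<pid>/root trick into something reusable: find the target's PID by command name, read a file from its root filesystem, and list the ports it is listening on. They assume --target was passed so the app's processes are visible, and my-app stands in for the app's real process name.

```sh
# Helpers to run inside the ephemeral (busybox) container. They rely on
# --target having been passed, so the app container's processes show up
# under /proc here. Written for POSIX/busybox sh, no bash extensions.

# Print the PID of the first visible process whose command name is $1.
# Returns 1 if none is visible (typically because --target was omitted).
target_pid() {
  for comm in /proc/[0-9]*/comm; do
    [ -r "$comm" ] || continue
    if [ "$(cat "$comm" 2>/dev/null)" = "$1" ]; then
      p=${comm#/proc/}
      printf '%s\n' "${p%/comm}"
      return 0
    fi
  done
  return 1
}

# Print the path to the target's root filesystem, e.g. /proc/1234/root.
target_root() {
  p=$(target_pid "$1") || return 1
  printf '/proc/%s/root\n' "$p"
}

# Read a file from the target's filesystem without mounting anything.
# Usage (my-app is a placeholder): target_cat my-app /etc/os-release
target_cat() {
  r=$(target_root "$1") || { echo "no visible process named '$1'" >&2; return 1; }
  cat "$r$2"
}

# List TCP ports the target is listening on, decoded from the hex
# socket tables /proc/<pid>/net/tcp and tcp6 (state 0A means LISTEN).
target_listen_ports() {
  p=$(target_pid "$1") || return 1
  for tbl in "/proc/$p/net/tcp" "/proc/$p/net/tcp6"; do
    [ -r "$tbl" ] || continue
    awk '$4 == "0A" { split($2, a, ":"); print a[2] }' "$tbl"
  done | while read -r hex; do echo $((0x$hex)); done | sort -un
}
```

If target_pid finds nothing, the usual cause is that --target was left off, so the debug container only sees its own processes.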

The ephemeral container disappears when the pod restarts. It’s not there permanently.