Enable execution of steps within Ephemeral Containers. Ephemeral containers are added to the build agent Pod using the withEphemeralContainer step. The newly created container shares the same workspace volume and network as the other containers in the Pod, so it behaves similarly to the container step. The difference is that withEphemeralContainer will terminate the container when the withEphemeralContainer block exits.

podTemplate {
    node(POD_LABEL) {
        stage('Build a Maven project') {
            git 'https://github.com/jenkinsci/kubernetes-plugin.git'
            withEphemeralContainer(image: 'maven') {
                sh 'mvn -B -ntp clean package -DskipTests'
            }
        }
        stage('Build a Golang project') {
            git url: 'https://github.com/hashicorp/terraform.git', branch: 'main'
            withEphemeralContainer(image: 'golang') {
                sh '''
                mkdir -p /go/src/github.com/hashicorp
                ln -s `pwd` /go/src/github.com/hashicorp/terraform
                cd /go/src/github.com/hashicorp/terraform && make
                '''
            }
        }
    }
}

The Ephemeral Container spec does not allow for specifying resources, but the container will still be subject to the Pod's overall resource limits. The kubelet may evict a Pod if an ephemeral container causes the Pod to exceed its resource allocation. To avoid eviction, it is advisable to increase the limits of the primary container to account for potential ephemeral container resource requirements.

In Kubernetes, the size limit for objects stored in etcd, including pod specs, is 1.5MB per key-value pair. This means there is a finite number of ephemeral containers that may be added to a build agent. This is usually not much of an issue for most pipelines, but could become an issue for long-running Pods. For this reason it is not recommended to re-use agent nodes for multiple builds. Setting the Pod Template idle minutes property ("Time in minutes to retain agent when idle") to 0 is a good practice.

Because pipelines are able to run arbitrary images, some clouds may choose to disable this feature or limit the allowed images (i.e. Container Image Rule) for security reasons.

When enabled, the build environment variable KUBERNETES_CLOUD_EPHEMERAL_CONTAINERS_ENABLED=true will be added to signal to pipeline scripts that the withEphemeralContainer step is available for use.
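The following pipeline is an added example, not part of the plugin's own documentation. It combines the advice above: idle retention set to 0, extra headroom on the agent container, and a check of the environment variable before the step is used. It assumes the jnlp agent container is the "primary container", that the variable is readable through env inside the node block, and the resource figures are constructed values to be sized for your own builds.

```groovy
// Added example. Resource values are constructed; adjust to your workload.
podTemplate(
    // Do not retain the agent Pod after the build, so ephemeral containers
    // from earlier builds never accumulate in one Pod spec.
    idleMinutes: 0,
    // Ephemeral containers cannot declare resources, so give the agent
    // container (assumed here to be the primary one) headroom for them.
    yaml: '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: jnlp
    resources:
      requests:
        cpu: "1"
        memory: 2Gi
      limits:
        cpu: "2"
        memory: 4Gi
'''
) {
    node(POD_LABEL) {
        stage('Build a Maven project') {
            // The cloud may have disabled the feature; stop with a clear
            // message rather than failing on an unavailable step.
            if (env.KUBERNETES_CLOUD_EPHEMERAL_CONTAINERS_ENABLED != 'true') {
                error 'withEphemeralContainer is not enabled on this Kubernetes cloud'
            }
            git 'https://github.com/jenkinsci/kubernetes-plugin.git'
            withEphemeralContainer(image: 'maven') {
                sh 'mvn -B -ntp clean package -DskipTests'
            }
        }
    }
}
```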

Note: Ephemeral Containers are GA in Kubernetes 1.25+. Prior versions may require a feature gate to enable.