C-0062 - Sudo in container entrypoint

Framework

ArmoBest, AllControls

Severity

Medium

Description of the the issue

Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks all the entry point commands in all containers in the pod to find those that have sudo command.

Related resources

CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet

What does this control test

Check that there is no 'sudo' in the container entrypoint

Remediation

Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.

Example

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: debian
    command: ["printenv"] 		   # finds if "sudo" is used here
    args: ["HOSTNAME", "KUBERNETES_PORT"]
  restartPolicy: OnFailure