C-0062 - Sudo in container entrypoint
Framework
ArmoBest, AllControls
Severity
Medium
Description of the issue
Adding sudo to a container entrypoint command may escalate the process's privileges and give it access to resources it should not be able to reach. This control inspects the entrypoint command of every container in the pod (or in the pod template of the workload) and flags any that invoke sudo.
Related resources
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
What does this control test
Checks that no container's entrypoint (the command field) invokes sudo.
Remediation
Remove sudo from the command line and use the Kubernetes-native controls in securityContext (runAsUser, runAsNonRoot and Linux capabilities) to grant only the privileges the workload actually needs, where it needs them.
Example

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: debian
    command: ["printenv"] # finds if "sudo" is used here
    args: ["HOSTNAME", "KUBERNETES_PORT"]
  restartPolicy: OnFailure
```
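The following script is an added example written for this page; it is not Kubescape's own rule and does not reproduce its implementation. It shows the check described above (scanning container entrypoints for sudo) alongside the remediation (the same workload with sudo removed and privileges granted through securityContext instead). It goes slightly beyond the control as stated on the page: it also scans args and initContainers, and it walks the nested pod template of every kind listed under Related resources. It assumes JSON input in the shape kubectl produces (a single object or a kind: List), uses only the Python standard library, and the two manifests it scans are constructed for the example; the remediated manifest's UID of 1000 and its empty capability set are assumptions, since printenv needs no extra capabilities.

```python
"""Flag containers whose command or args invoke sudo (added example, not Kubescape code)."""
import json
import re
import sys

# Where the pod spec lives inside each kind the control covers.
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

# "sudo" as a bare word, at the start of a shell string, after a shell
# separator, or as the basename of a path such as /usr/bin/sudo.
# Deliberately does not match "sudoers" or similar substrings.
SUDO_RE = re.compile(r"(?:^|[\s/;&|(])sudo(?:$|\s)")


def invokes_sudo(token: str) -> bool:
    """True if a single command/args element invokes sudo."""
    return SUDO_RE.search(token) is not None


def pod_spec(obj: dict):
    """Return the pod spec of a supported kind, or None."""
    path = POD_SPEC_PATHS.get(obj.get("kind"))
    if path is None:
        return None
    node = obj
    for key in path:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node if isinstance(node, dict) else None


def find_sudo(objects) -> list:
    """Return 'Kind/name:container' for every container (initContainers
    included) whose command or args invoke sudo. A kind: List, as produced
    by `kubectl get ... -o json`, is unwrapped."""
    findings = []
    for obj in objects:
        if not isinstance(obj, dict):
            continue
        if obj.get("kind") == "List":
            findings.extend(find_sudo(obj.get("items") or []))
            continue
        spec = pod_spec(obj)
        if spec is None:
            continue
        ident = f"{obj['kind']}/{obj.get('metadata', {}).get('name', '?')}"
        for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            tokens = [str(t) for t in (c.get("command") or []) + (c.get("args") or [])]
            if any(invokes_sudo(t) for t in tokens):
                findings.append(f"{ident}:{c.get('name', '?')}")
    return findings


# Constructed sample input: a Deployment and a CronJob that both fail the check.
FAILING = json.loads("""
{"kind": "List", "items": [
  {"apiVersion": "apps/v1", "kind": "Deployment",
   "metadata": {"name": "command-demo"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "command-demo-container", "image": "debian",
      "command": ["sudo", "printenv"],
      "args": ["HOSTNAME", "KUBERNETES_PORT"]}]}}}},
  {"apiVersion": "batch/v1", "kind": "CronJob",
   "metadata": {"name": "nightly-backup"},
   "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
     {"name": "backup", "image": "debian",
      "command": ["/bin/sh", "-c"],
      "args": ["/usr/bin/sudo ./backup.sh"]}]}}}}}}
]}
""")

# Constructed remediation of the Deployment: sudo removed, non-root user,
# no privilege escalation, all capabilities dropped (add back only the
# specific ones a workload truly needs). UID 1000 is an assumption.
REMEDIATED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "command-demo"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "command-demo-container", "image": "debian",
        "command": ["printenv"],
        "args": ["HOSTNAME", "KUBERNETES_PORT"],
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 1000,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        }}]}}},
}

if __name__ == "__main__":
    # Usage: kubectl get pods,deploy,cronjob -A -o json | python3 check_sudo.py
    hits = find_sudo([json.load(sys.stdin)])
    for hit in hits:
        print(hit)
    sys.exit(1 if hits else 0)
```

Note that, like the control itself, this only sees what the manifest declares: a sudo call buried in a script the entrypoint runs, or in the image's own ENTRYPOINT/CMD when the manifest sets no command, is invisible to a manifest scan and needs an image-level check.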