Adding sudo to a container entry point command may escalate process privileges and allow access to forbidden resources. This control checks the entry point commands of all containers in the Pod to find those that use the sudo command.
CronJob, DaemonSet, Deployment, Job, Pod, ReplicaSet, StatefulSet
Check that there is no 'sudo' in the container entrypoint
Remove sudo from the command line and use Kubernetes native root and capabilities controls to provide necessary privileges where they are required.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
  - name: command-demo-container
    image: debian
    command: ["printenv"] # finds if "sudo" is used here
    args: ["HOSTNAME", "KUBERNETES_PORT"]
  restartPolicy: OnFailure
```
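The check described above can be sketched as follows. This is an added example, not the control's own implementation. It assumes manifests are already parsed into dicts, and it matches `sudo` per shell word rather than as a substring, which is a choice made here. The function names and sample manifests are constructed for illustration.

```python
import os
import shlex

# Path from the workload root to its pod spec, for the kinds this control covers.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}
for _kind in ("DaemonSet", "Deployment", "Job", "ReplicaSet", "StatefulSet"):
    POD_SPEC_PATH[_kind] = ("spec", "template", "spec")


def _uses_sudo(command):
    """True if any word of the entrypoint is the sudo binary (bare or by path)."""
    for element in command or []:
        try:
            words = shlex.split(str(element))
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            words = str(element).split()
        if any(os.path.basename(w) == "sudo" for w in words):
            return True
    return False


def find_sudo_entrypoints(manifest):
    """Return the names of containers whose `command` invokes sudo."""
    kind = manifest.get("kind")
    if kind not in POD_SPEC_PATH:
        return []
    node = manifest
    for key in POD_SPEC_PATH[kind]:
        node = (node or {}).get(key)
    containers = (node or {}).get("containers", [])
    return [c.get("name", "") for c in containers if _uses_sudo(c.get("command"))]


# Constructed sample manifests (not taken from a real cluster).
SAMPLE_POD = {"kind": "Pod", "metadata": {"name": "command-demo"}, "spec": {"containers": [
    {"name": "command-demo-container", "image": "debian", "command": ["printenv"]}]}}
SAMPLE_CRONJOB = {"kind": "CronJob", "metadata": {"name": "backup"}, "spec": {"jobTemplate": {
    "spec": {"template": {"spec": {"containers": [
        {"name": "shell-wrapped", "command": ["sh", "-c", "sudo /opt/backup.sh"]},
        {"name": "by-path", "command": ["/usr/bin/sudo", "nginx"]},
        {"name": "lookalike", "command": ["pseudo-tool", "--run"]}]}}}}}}

if __name__ == "__main__":
    for m in (SAMPLE_POD, SAMPLE_CRONJOB):
        print(m["kind"], m["metadata"]["name"], find_sudo_entrypoints(m))
```

Matching on whole words keeps names such as `pseudo-tool` from being reported while still catching `sudo` wrapped in `sh -c` or called by absolute path.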