What is the difference between running as root and as non-root with sudo?

As a best practice, a container should run as non-root to prevent malicious code from gaining permissions. But in our base image, we have granted the istio-proxy user sudo privilege - https://github.com/istio/istio/blob/20a7a7f0cc072b2aa23ba919a9e6acdc587e4823/docker/Dockerfile.base. That means a user can access the istio-proxy container and sudo as the root user to execute some privileged things. What is the difference between running as root and running as non-root with sudo in a container context?

A root container has the following capabilities:

  • It can modify the container system, allowing the user to do things like edit the host filesystem, install system packages at runtime, etc.
  • It allows containers to bind ports under 1024.

If a non-root container is able to sudo as root, it seems to still have the above capabilities.

What is the benefit of dropping root if we give the sudo privilege?

Thanks.
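
One way to check, from inside a container, whether a non-root user with sudo can still reach root and the low-port capability mentioned above. This is an added example, not part of the original post and not Istio's code. It assumes the sudoers policy permits the user, the filesystem holding sudo is not mounted `nosuid`, and sudo lives at `/usr/bin/sudo`; the UID 1000 and the capability masks in the samples are constructed.

```python
import os
import stat

# Capability bit numbers from <linux/capability.h>
CAP_SETGID, CAP_SETUID, CAP_NET_BIND_SERVICE = 6, 7, 10

def has_cap(mask, bit):
    return bool((mask >> bit) & 1)

def sudo_is_setuid_root(path="/usr/bin/sudo"):   # path is an assumption
    """True if the file exists, is owned by root and carries the setuid bit."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)

def assess(status_text, sudo_setuid_root):
    """Classify a process from the text of its /proc/<pid>/status."""
    f = dict(line.split(":", 1) for line in status_text.strip().splitlines())
    euid = int(f["Uid"].split()[1])              # order: real, effective, saved, fs
    no_new_privs = f.get("NoNewPrivs", "0").strip() == "1"
    cap_eff = int(f["CapEff"].strip(), 16)
    cap_bnd = int(f["CapBnd"].strip(), 16)
    # sudo regains root only if the kernel honours its setuid bit (NoNewPrivs
    # unset) and the bounding set still allows the UID/GID switch.
    via_sudo = (euid != 0 and sudo_setuid_root and not no_new_privs
                and has_cap(cap_bnd, CAP_SETUID) and has_cap(cap_bnd, CAP_SETGID))
    # After a successful switch to root, the bounding set is the ceiling.
    reachable = cap_bnd if (euid == 0 or via_sudo) else cap_eff
    return {
        "runs_as_root": euid == 0,
        "root_via_sudo": via_sudo,
        # Ignores the net.ipv4.ip_unprivileged_port_start sysctl.
        "can_bind_low_ports": has_cap(reachable, CAP_NET_BIND_SERVICE),
    }

# Constructed samples: a non-root process, without and with no_new_privs set.
DEFAULT = ("Uid:\t1000\t1000\t1000\t1000\nNoNewPrivs:\t0\n"
           "CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n")
HARDENED = DEFAULT.replace("NoNewPrivs:\t0", "NoNewPrivs:\t1")

if __name__ == "__main__":
    print("default :", assess(DEFAULT, True))
    print("hardened:", assess(HARDENED, True))
    if os.path.exists("/proc/self/status"):      # Linux only
        with open("/proc/self/status") as fh:
            print("this process:", assess(fh.read(), sudo_is_setuid_root()))
```

In Kubernetes, `NoNewPrivs: 1` is what `allowPrivilegeEscalation: false` in the container's `securityContext` produces, and an emptied bounding set is what `capabilities.drop: ["ALL"]` produces.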