As a best practice, a container should be run as non-root to prevent malicious code from gaining permissions. But in our base image, we have granted the istio-proxy user sudo privileges - https://github.com/istio/istio/blob/20a7a7f0cc072b2aa23ba919a9e6acdc587e4823/docker/Dockerfile.base - which means a user who can access the istio-proxy container can sudo as the root user to execute privileged things. What is the difference between running as root and running as non-root with sudo in a container context?
A root container has the following capabilities:
- It can modify the container system, allowing the user to do things like edit the host filesystem, install system packages at runtime, etc.
- It can bind ports under 1024.
If a non-root container is able to sudo as root, it seems to still have the above capabilities.
What is the benefit of dropping root if we give the sudo privilege?
Thanks.
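One way to audit the situation the question describes, as an added example that is not part of the original post or of the Istio code base: it lists the sudoers rules that let a container user reach root and classifies the result, taking into account the kernel's `no_new_privs` flag (which Kubernetes sets for `allowPrivilegeEscalation: false` and which stops the setuid `sudo` binary from elevating). The sudoers lines, the `/proc` status excerpt, the UID and all function names are constructed for illustration, and the parser covers only simple one-line rules.

```python
import re

# Constructed sudoers sample for illustration; not copied from the linked Dockerfile.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
istio-proxy ALL=NOPASSWD: ALL
appuser ALL=(root) /usr/bin/systemctl restart app
"""
# Constructed excerpt of /proc/<pid>/status for a process with no_new_privs set.
SAMPLE_STATUS = "Name:\tenvoy\nUid:\t1337\t1337\t1337\t1337\nNoNewPrivs:\t1\n"

RULE = re.compile(r"^(\S+)\s+\S+?\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")

def root_grants(sudoers_text, user, groups=()):
    """Return the sudoers rules that let `user` run commands as root."""
    grants = []
    for line in map(str.strip, sudoers_text.splitlines()):
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        who, runas, rest = m.groups()
        if who not in (user, "ALL") and not (who[0] == "%" and who[1:] in groups):
            continue
        # With no Runas spec sudo defaults to root; "(:grp)" keeps the caller's uid.
        targets = {"root"} if runas is None else set(re.split(r"[,\s]+", runas.split(":")[0].strip()))
        if not targets & {"root", "ALL", "#0"}:
            continue
        commands = re.sub(r"\b[A-Z_]+:\s*", "", rest).strip()
        grants.append({"rule": line, "nopasswd": "NOPASSWD:" in rest,
                       "any_command": commands == "ALL"})
    return grants

def no_new_privs(status_text):
    """True if the NoNewPrivs field of /proc/<pid>/status is 1."""
    m = re.search(r"^NoNewPrivs:\s*(\d)", status_text, re.M)
    return bool(m) and m.group(1) == "1"

def effective_privilege(uid, grants, nnp):
    """Classify what the container user can reach inside the container."""
    if uid == 0:
        return "root"
    if nnp or not grants:
        return "non-root"  # setuid sudo cannot elevate under no_new_privs
    if any(g["nopasswd"] and g["any_command"] for g in grants):
        return "root-equivalent"
    return "limited-sudo"
```

Inside a running container, the same functions can be fed the real `/etc/sudoers` content and `/proc/self/status`.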