diff --git a/docker/ironic/ironic-base/Dockerfile.j2 b/docker/ironic/ironic-base/Dockerfile.j2
index ddde46b80c..e192aba48c 100644
--- a/docker/ironic/ironic-base/Dockerfile.j2
+++ b/docker/ironic/ironic-base/Dockerfile.j2
@@ -31,12 +31,12 @@ RUN ln -s ironic-base-source/* ironic \
 && chown -R ironic: /etc/ironic \
 && sed -i 's|^exec_dirs.*|exec_dirs=/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g' /etc/ironic/rootwrap.conf
-{% endif %}
-
 ADD ironic_sudoers /etc/sudoers.d/kolla_ironic_sudoers
 RUN chmod 750 /etc/sudoers.d \
 && chmod 440 /etc/sudoers.d/kolla_ironic_sudoers
+{% endif %}
+
 COPY extend_start.sh /usr/local/bin/kolla_extend_start
 RUN touch /usr/local/bin/kolla_ironic_extend_start \
diff --git a/docker/ironic/ironic-base/ironic_sudoers b/docker/ironic/ironic-base/ironic_sudoers
index 573aa21948..3e7c843f39 100644
--- a/docker/ironic/ironic-base/ironic_sudoers
+++ b/docker/ironic/ironic-base/ironic_sudoers
@@ -1 +1 @@
-ironic ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-rootwrap /etc/ironic/rootwrap.conf *, /usr/sbin/modprobe iscsi_tcp, /sbin/modprobe iscsi_tcp
+ironic ALL = (root) NOPASSWD: /var/lib/kolla/venv/bin/ironic-rootwrap /etc/ironic/rootwrap.conf *
diff --git a/docker/ironic/ironic-conductor/Dockerfile.j2 b/docker/ironic/ironic-conductor/Dockerfile.j2
index ef309421c4..35a26cf1d0 100644
--- a/docker/ironic/ironic-conductor/Dockerfile.j2
+++ b/docker/ironic/ironic-conductor/Dockerfile.j2
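Review bot: In docker/ironic/ironic-base/Dockerfile.j2 the context line `&& chown -R ironic: /etc/ironic \` leaves rootwrap.conf owned by the same account that the sudoers rule kept in ironic_sudoers (`ironic-rootwrap /etc/ironic/rootwrap.conf *`) lets run rootwrap as root. Rootwrap's filters only constrain that rule when the config file and the directory named by its `filters_path` are root-owned and not writable by the service user, so dropping modprobe from the rule narrows little if this ownership survives to runtime. Consider following the chown with `&& chown root:root /etc/ironic/rootwrap.conf` and the same for the filter directory, unless the runtime config copy already resets ownership, which these hunks do not show. The RUN statement and the `{% if %}` closed by the moved `{% endif %}` both begin outside the hunk.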
@@ -90,7 +90,9 @@ RUN {{ macros.install_pip(ironic_conductor_pip_packages | customizable("pip_pack
 {{ macros.install_packages(ironic_conductor_packages | customizable("packages")) }}
 COPY extend_start.sh /usr/local/bin/kolla_ironic_extend_start
-RUN chmod 755 /usr/local/bin/kolla_ironic_extend_start
+COPY iscsi_tcp_sudoers /etc/sudoers.d/kolla_iscsi_tcp_sudoers
+RUN chmod 755 /usr/local/bin/kolla_ironic_extend_start \
+ && chmod 440 /etc/sudoers.d/kolla_iscsi_tcp_sudoers
 {% block ironic_conductor_footer %}{% endblock %}
 {% block footer %}{% endblock %}
diff --git a/docker/ironic/ironic-conductor/iscsi_tcp_sudoers b/docker/ironic/ironic-conductor/iscsi_tcp_sudoers
new file mode 100644
index 0000000000..75f5e34115
--- /dev/null
+++ b/docker/ironic/ironic-conductor/iscsi_tcp_sudoers
@@ -0,0 +1 @@
+ironic ALL = (root) NOPASSWD: /usr/sbin/modprobe iscsi_tcp, /sbin/modprobe iscsi_tcp
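Review bot: The added `COPY iscsi_tcp_sudoers /etc/sudoers.d/kolla_iscsi_tcp_sudoers` runs for every install type as far as this hunk shows, while the same commit moves the base image's `chmod 750 /etc/sudoers.d` inside a conditional, so on the other branch nothing sets the directory mode. Adding `&& chmod 750 /etc/sudoers.d \` ahead of the `chmod 440` keeps both paths consistent. A build-time `visudo -cf /etc/sudoers.d/kolla_iscsi_tcp_sudoers` in the same RUN would also catch a malformed drop-in before the image ships, assuming sudo is already installed at this layer.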
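Review bot: The new iscsi_tcp_sudoers file has no comment saying why the conductor needs a root modprobe, which is the first thing anyone auditing /etc/sudoers.d will ask. A leading line such as `# ironic-conductor only: load iscsi_tcp; arguments are fixed, so no other module can be requested` would record the intent. Both /usr/sbin/modprobe and /sbin/modprobe are listed, presumably to cover distro path differences; the comment should say so if that is the reason.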