Hi,
The basic question is: is host networking in rootless Podman any less secure than just running the same services uncontainerized, directly on the host OS, as a non-root user? Even if we exposed a rootless containerized service port directly to the outside world without reverse proxying, I don't see how this would be any riskier with host networking than it would be with bare metal. If the risk profile is the same or very nearly the same as that, I consider that sufficient.
It is not less secure than running directly on the host;
generally, if an option says it is insecure, it refers to the ability
to potentially escape the container sandbox.
If the container was started as a rootless user, the application is
still limited to the user's permissions. As mentioned in your
linked blog post, the biggest risk is access
to abstract sockets, but that totally depends on what you have
running on your system.
-- Paul Holzinger Software Engineer Red Hat pholzing@redhat.com Red Hat GmbH, Registered seat: Werner-von-Siemens-Ring 12, D-85630 Grasbrunn, Germany Commercial register: Amtsgericht München/Munich, HRB 153243, Managing Directors: Ryan Barnhart, Charles Cachera, Michael O'Neill, Amy Ross
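To make the abstract-socket point concrete, here is an added shell example (not from the thread or the Podman project) that lists the abstract Unix sockets visible in a network namespace by reading /proc/net/unix, and compares the host against a rootless container started with and without --network=host. It assumes `podman` is installed and uses a constructed /proc/net/unix sample for the offline part; the image name is a placeholder, any image works since only /proc is read.

```shell
#!/bin/sh
# Abstract Unix sockets (names starting with '@') are scoped to the network
# namespace, not the filesystem. A rootless container with --network=host
# therefore sees the host's abstract sockets; one in the default private
# network namespace does not.

# Print the names of abstract sockets from /proc/net/unix-formatted text on stdin.
# Column 8 is the Path field; unnamed sockets have no 8th column.
abstract_socket_names() {
  awk 'NR > 1 && NF >= 8 && $8 ~ /^@/ { print $8 }'
}

# Count abstract sockets in the /proc/net/unix text passed as the first argument.
count_abstract_sockets() {
  printf '%s\n' "$1" | abstract_socket_names | wc -l | tr -d ' '
}

# Constructed sample in /proc/net/unix format (not captured from a real host).
SAMPLE_PROC_NET_UNIX='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @/tmp/dbus-AbCdEf
0000000000000000: 00000002 00000000 00010000 0001 01 23456 /run/user/1000/bus
0000000000000000: 00000002 00000000 00010000 0001 01 34567 @/tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 45678'

# Show what the host exposes versus what a rootless container sees under each
# network mode. Requires podman; runs only when invoked as: ./script.sh compare [image]
compare_network_modes() {
  image="${1:-registry.fedoraproject.org/fedora-minimal}"  # assumption: placeholder image
  echo "== host, user $(id -un) =="
  abstract_socket_names < /proc/net/unix
  echo "== rootless container, --network=host =="
  podman run --rm --network=host "$image" cat /proc/net/unix | abstract_socket_names
  echo "== rootless container, default private network namespace =="
  podman run --rm "$image" cat /proc/net/unix | abstract_socket_names
}

if [ "${1:-}" = "compare" ]; then
  compare_network_modes "${2:-}"
fi
```

Run it as a non-root user; the third section should be empty (or contain only sockets the container itself created), while the second mirrors the first.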