How do you create your network using rootless podman with multiple user accounts?

I’m using podman in rootless mode. So I think that the assumption is: if there is a container escape, an attacker at least does not have root access, but only the permissions of the user account it is running under.

Now, given that you run every service (that is part of your setup, like a web server or so), I want to compartmentalize the services. As such, I guess one user account for some things is a good idea, isn’t it?
It should be another layer of protection, as one user only has access to their own stuff, and not to other users’ stuff, and thus not to their potential inner containers etc.

However, I now of course want to forward some network traffic and access some ports, e.g. as a reverse proxy. How can I best do this?

So, …

  • does that make sense, security-wise?
  • is there a way with podman to create a network which different users can access? So you expose your usual network(s) in your pod, but the exposed port should also be in a network that only another container, running as another user, can access?
  • as far as I can see, Docker uses overlay networks for that purpose. Does podman have support for that, too?

My current approach is just to expose the ports and forward the traffic to hostname:port from the container. Then, if we wanted to block incoming traffic from the outside on other ports, I would just add a local firewall. :thinking:
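A worked example of the "expose on the host, forward from another user's proxy" pattern the post ends with, added here and not part of the original post. It relies on one fact about rootless Podman: each user's Podman networks live inside that user's own network namespace, so a container owned by user A cannot join a network created by user B; the host's loopback interface is the rendezvous point between the two. The backend publishes its port on 127.0.0.1 only, so it is unreachable from outside the host no matter what the firewall does, and the reverse proxy runs as a second user with `--network=host` so it can both reach that loopback port and listen on an external interface. Everything below that is not in the post is an assumption: the user names `app` and `proxy` (with subuid/subgid ranges and `loginctl enable-linger` set up), the image, the ports, the nginx configuration, the config path, and that the script is run as root so `machinectl shell` can enter each user's own session.

```shell
#!/bin/sh
# Added example, not from the original post: two rootless Podman users,
# a backend published on the host loopback only, and a reverse proxy
# that is the only thing listening on an external interface.
#
# Assumptions (none of these come from the post):
#   - Linux users "app" and "proxy" exist with subuid/subgid ranges and
#     "loginctl enable-linger" so their containers outlive logouts.
#   - This script runs as root and uses machinectl to run commands inside
#     each user's own login session (correct XDG_RUNTIME_DIR and storage).
#   - Image name, ports, config path and nginx config are illustrative.
set -eu

BACKEND_USER=app
PROXY_USER=proxy
BACKEND_PORT=8080   # host loopback port the backend publishes
PROXY_PORT=8000     # port the proxy listens on for the outside

# Build the -p flag that binds a published port to 127.0.0.1 only.
# Rootless Podman honours the host address in -p, so nothing outside
# the host can reach this port regardless of firewall state.
publish_flag() {  # $1 host port, $2 container port
    printf -- '-p 127.0.0.1:%s:%s' "$1" "$2"
}

# Render the nginx server block for the proxy. The proxy runs with
# --network=host, so it reaches 127.0.0.1:<backend port> directly and
# listens on the host's interfaces itself; no port mapping is involved.
proxy_conf() {  # $1 listen port, $2 backend loopback port
    cat <<EOF
server {
    listen $1;
    location / {
        proxy_pass http://127.0.0.1:$2;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
    }
}
EOF
}

# Run a shell command inside another user's login session.
as_user() {  # $1 user, $2 command
    machinectl shell "$1@.host" /bin/sh -c "$2"
}

deploy() {
    # Backend, owned by "app": its own storage, its own user network
    # namespace, and only a loopback port visible on the host.
    as_user "$BACKEND_USER" "podman run -d --name web \
        $(publish_flag "$BACKEND_PORT" 80) docker.io/library/nginx:alpine"

    # Proxy config written as root, then handed to the proxy user.
    conf="/home/$PROXY_USER/rproxy.conf"   # hypothetical path
    proxy_conf "$PROXY_PORT" "$BACKEND_PORT" > "$conf"
    chown "$PROXY_USER": "$conf"

    # Proxy, owned by "proxy". Sharing the host network namespace is what
    # lets it reach a loopback port published by a different user.
    as_user "$PROXY_USER" "podman run -d --name rproxy --network=host \
        -v $conf:/etc/nginx/conf.d/default.conf:ro,Z docker.io/library/nginx:alpine"
}

# Only touch the system when explicitly asked: ./deploy.sh apply
if [ "${1:-}" = apply ]; then deploy; fi
```

Two caveats on this design. First, `--network=host` gives up the proxy's own network namespace, which is a deliberate trade: the proxy is the component that must talk to every backend anyway, and it still runs unprivileged under its own user. Second, a rootless container cannot bind ports below 1024 unless `net.ipv4.ip_unprivileged_port_start` is lowered on the host, which is why the proxy listens on 8000 here; with the backends bound to 127.0.0.1 the only host firewall rule needed is one that admits the proxy port.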