- Use USER in the Dockerfile to run the container as a non-root user.
- --cap-drop=ALL - This removes all capabilities from the container, which reduces its rights. Typically processes not running as root don't need these rights anyway, so dropping them should be fine.
- --no-new-privileges - This helps prevent privilege escalation attacks.
- Reducing attack surface, for instance by removing the shell from the image (image hardening), and gravitating towards rootless podman as you have already established.
- https://gvisor.dev/
https://www.reddit.com/r/selfhosted/comments/1akuoql/security_concerns_about_containers/
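As an added example (not from the comment above and not Docker's own tooling), a small audit that reads `docker inspect` output and reports which of the listed measures a container lacks; the two inspect samples are constructed, and the rootless Podman and gVisor points are not checked.

```python
import json
import sys

# Constructed, abridged samples of `docker inspect <container>` output (only the
# fields this check reads); they are not captured from a real host.
WEAK_INSPECT = json.dumps([{
    "Name": "/web", "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "CapDrop": [], "CapAdd": [], "SecurityOpt": []},
}])
HARDENED_INSPECT = json.dumps([{
    "Name": "/web", "Config": {"User": "app:app"},
    "HostConfig": {"Privileged": False, "CapDrop": ["ALL"], "CapAdd": [],
                   "SecurityOpt": ["no-new-privileges"]},
}])


def audit_container(inspect_json: str) -> list:
    """Return one finding string per hardening measure the container lacks."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name") or c.get("Id", "?")
        host = c.get("HostConfig", {})
        # An empty User, "root" or uid 0 (with or without a ":group" suffix) is root.
        uid = (c.get("Config", {}).get("User") or "").split(":")[0].strip()
        if uid in ("", "root", "0"):
            findings.append(f"{name}: runs as root; set USER in the Dockerfile")
        if host.get("Privileged"):
            findings.append(f"{name}: --privileged grants every capability")
        if "ALL" not in [x.upper() for x in host.get("CapDrop") or []]:
            findings.append(f"{name}: capabilities kept; run with --cap-drop=ALL")
        if host.get("CapAdd"):
            findings.append(f"{name}: re-adds capabilities {host['CapAdd']}")
        # Docker records the flag as "no-new-privileges" or "no-new-privileges:true".
        nnp = any(o.startswith("no-new-privileges") and not o.endswith(":false")
                  for o in host.get("SecurityOpt") or [])
        if not nnp:
            findings.append(f"{name}: missing --security-opt=no-new-privileges")
    return findings


if __name__ == "__main__":
    # Usage: docker inspect <container> | python3 audit_container.py
    data = sys.stdin.read() if not sys.stdin.isatty() else WEAK_INSPECT
    for line in audit_container(data):
        print(line)
```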