Rootless-First Container Policy

Beginner

Enforce rootless Podman as the default execution mode — require justification for root containers, mandate user namespace isolation, and prohibit unnecessary privilege escalation.

File Patterns

**/Containerfile**/Dockerfile**/*compose*.yml**/*compose*.yaml**/containers/systemd/*.container

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# Rootless-First Container Policy

## Rule
All containers MUST run in rootless mode by default. Root (sudo podman) requires documented justification and security review.

## Format
```bash
# Correct — rootless
podman run --rm -it alpine sh

# Requires approval — rootful
sudo podman run --rm -it --privileged alpine sh
```

## Requirements
1. **Default rootless** — never use `sudo podman` without documented need
2. **User namespace** — verify subuid/subgid configured for all container users
3. **No --privileged** — never use in production; break into specific capabilities
4. **Port mapping** — use ports > 1024 or configure `ip_unprivileged_port_start`
5. **Volume ownership** — use `--userns=keep-id` for bind mounts, not `chown 0:0`

## Examples

### Good
```bash
# Rootless with proper UID mapping
podman run --userns=keep-id -v ./data:/app/data:Z myapp:1.2.0

# Rootless with specific capabilities only
podman run --cap-add=NET_BIND_SERVICE myapp:1.2.0
```

### Bad
```bash
# Running as root without justification
sudo podman run myapp:latest

# Using --privileged (grants ALL capabilities)
podman run --privileged myapp:latest

# Running as root just for port 80
sudo podman run -p 80:80 myapp:latest
# Fix: sysctl net.ipv4.ip_unprivileged_port_start=80
```

## Exceptions (Require Documentation)
- Binding ports < 1024 on systems where sysctl cannot be changed
- Running NFS or FUSE-based storage drivers
- Host device access (--device) for hardware passthrough

## Enforcement
Use CI/CD pipeline checks to scan deployment scripts for `sudo podman` and `--privileged`. Flag for security review.

FAQ

Discussion

Loading comments...

# Rootless-First Container Policy ## Rule All containers MUST run in rootless mode by default. Root (sudo podman) requires documented justification and security review. ## Format ```bash # Correct — rootless podman run --rm -it alpine sh # Requires approval — rootful sudo podman run --rm -it --privileged alpine sh ``` ## Requirements 1. **Default rootless** — never use `sudo podman` without documented need 2. **User namespace** — verify subuid/subgid configured for all container users 3. **No --privileged** — never use in production; break into specific capabilities 4. **Port mapping** — use ports > 1024 or configure `ip_unprivileged_port_start` 5. **Volume ownership** — use `--userns=keep-id` for bind mounts, not `chown 0:0` ## Examples ### Good ```bash # Rootless with proper UID mapping podman run --userns=keep-id -v ./data:/app/data:Z myapp:1.2.0 # Rootless with specific capabilities only podman run --cap-add=NET_BIND_SERVICE myapp:1.2.0 ``` ### Bad ```bash # Running as root without justification sudo podman run myapp:latest # Using --privileged (grants ALL capabilities) podman run --privileged myapp:latest # Running as root just for port 80 sudo podman run -p 80:80 myapp:latest # Fix: sysctl net.ipv4.ip_unprivileged_port_start=80 ``` ## Exceptions (Require Documentation) - Binding ports < 1024 on systems where sysctl cannot be changed - Running NFS or FUSE-based storage drivers - Host device access (--device) for hardware passthrough ## Enforcement Use CI/CD pipeline checks to scan deployment scripts for `sudo podman` and `--privileged`. Flag for security review.