
Privileged Docker containers—do you really need them?

Blog post from Snyk

Post Details
Company: Snyk
Date Published:
Author: Matt Jarvis
Word Count: 1,328
Language: English
Hacker News Points: 2
Summary

Running a container rootless with Podman does not require the `--privileged` flag: user namespaces let an unprivileged user create a new user namespace and obtain most of the privileges needed to spawn a working container. The `--privileged` flag, by contrast, grants the container process every capability, which breaks the principles of least privilege and zero trust. A rootless configuration reduces the attack surface exposed by vulnerabilities. When a container running unprivileged fails because of SELinux labels on its mounts, the fix is either to disable labelling entirely or to use the `Z` mount option to relabel the mounted content. Running containers with the absolute minimum set of capabilities enabled is the better option. The rule of least privilege should always be followed.