Also worth mentioning that while docker has been catching up by offering a rootless mode for years now, it insists on running a daemon process.
That daemon is a subtle but incommensurate burden when adopting the least privilege principle.
In environments running multiple hosts which themselves run multiple containers, typically k8s, it forces your hand into either giving in and granting docker (the daemon) root privilege if any one of your containers needs root, or excluding that container from running in that environment altogether (since it would fail to execute if the docker daemon is in rootless mode). Of course the most secure and wise option would be to refactor that container and whatever it's doing to run rootlessly, but sometimes this is simply not a reasonable or even possible option when migrating a massive, complex platform of hundreds of microservices with its own history and justified security exceptions.
K8s (and OpenShift, which adopts a stronger security-by-default configuration set) provides control over which service accounts are granted such an exception.
tl;dr: use podman/buildah rather than docker, use OpenShift rather than vanilla k8s.
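As an added illustration (not part of the comment above) of the per-service-account exception the commenter refers to: on OpenShift, access to the `anyuid` SecurityContextConstraint is granted through ordinary RBAC, so only the one workload that still needs root gets it while every other service account in the namespace stays on the default restricted SCC. The namespace `legacy-platform` and the service account `legacy-root-service` are hypothetical names.

```yaml
# Role that permits "use" of the built-in anyuid SCC (run as any UID, including 0).
# Scoped to one namespace so the exception cannot leak cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-anyuid-scc
  namespace: legacy-platform          # hypothetical namespace
rules:
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["anyuid"]           # the single SCC being opened up
  verbs: ["use"]
---
# Bind that Role to exactly one ServiceAccount: the documented, reviewable exception.
# Pods using any other service account in the namespace keep the default restricted SCC
# and are rejected by the admission controller if they try to run as root.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: legacy-root-service-anyuid
  namespace: legacy-platform
subjects:
- kind: ServiceAccount
  name: legacy-root-service           # hypothetical SA of the one container that still needs root
  namespace: legacy-platform
roleRef:
  kind: Role
  name: use-anyuid-scc
  apiGroup: rbac.authorization.k8s.io
```

The same binding can be created imperatively with `oc adm policy add-scc-to-user anyuid -z legacy-root-service -n legacy-platform`; keeping it as a manifest makes the exception visible in review and auditable with `oc get rolebinding -n legacy-platform`.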