TL;DR
- Rootful offers simpler networking but higher exposure risk.
- Rootless is safer but needs explicit forwarding and mTLS.
- For VPS and multi-user setups, host forwarder + mTLS is the best fit.
Rootful Patterns (CNI)
| Option | Idea | Strengths | Weaknesses | When |
|---|---|---|---|---|
| LAN bind + DNS | Publish on NIC IP | Simple, stable | Exposed surface | On-prem LAN |
| Shared bridge | Container DNS access | No host ports | All apps share net | Single domain |
| MACVLAN/IPVLAN | Dedicated L2/L3 IP | Strong isolation | Complex | Data center |
| Host network | `--network host` | No NAT | Low isolation | Special cases |
| L7 proxy | Host NGINX/Envoy | Central control | More components | Audited gateways |
Rootless Patterns
| Option | Idea | Strengths | Weaknesses | When |
|---|---|---|---|---|
| Host forwarder + DNS | Forwarder on host to local service | Safe, scalable | Needs mTLS | VPS/multi-user |
| `host.containers.internal` | Host alias inside container | Zero setup | Not always available | When supported |
| Per-app forwarder | Port per app | Strong separation | More ops | Strict tenancy |
| Public bind + FW | Expose on NIC | Simple | Public surface | Only with mTLS |
| Overlay (WG/Tailscale) | Private network | No public surface | Extra ops | Zero-trust |
Auth and Secret Delivery
- mTLS for network gating.
- AppRole / JWT / OIDC for identity.
- Vault Agent sidecars for file-based secrets.
Recommendation
For rootless VPS setups with multiple users:
- Use a host forwarder and DNS name.
- Enforce mTLS.
- Keep apps behind sidecars with scoped policies.
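The "Host forwarder + DNS" row above and the recommendation just given both rely on the same building block: a small forwarder on the host that takes connections from rootless containers on a reachable address, checks where they come from, optionally terminates mTLS, and relays bytes to a service that only listens on loopback. The following is an added example written for this page, not code from the original note or from Podman or Vault. It uses only the Python standard library; the certificate paths, the `10.88.0.0/16` allow-list (Podman's default bridge subnet, assumed here), and the echo backend standing in for the loopback-only service are all constructed for the demo.

```python
"""Host-side TCP forwarder for rootless container setups (example code).

Exposes a loopback-only service (think 127.0.0.1:8200) on an address that
rootless containers can reach, with a source-network allow-list and an
optional mTLS server context so unauthenticated peers never reach the backend.
"""
import ipaddress
import socket
import ssl
import threading


def mtls_server_context(ca_file, cert_file, key_file):
    """Server context that rejects any client not presenting a cert signed by ca_file.
    Paths are placeholders; the caller provides real files."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # this is the mTLS gate
    return ctx


def source_allowed(addr, allowed_networks):
    """True if addr lies in any allowed network; an empty list allows everything."""
    if not allowed_networks:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    def __init__(self, listen_host, listen_port, target, ssl_ctx=None, allowed_networks=()):
        self.listen = (listen_host, listen_port)
        self.target = target                      # (host, port) of the loopback-only service
        self.ssl_ctx = ssl_ctx                    # None = plain TCP, else mTLS termination
        self.allowed_networks = list(allowed_networks)
        self.denied = 0                           # rejected connections, useful for metrics
        self._srv = None

    def start(self):
        """Bind the listener and return the (host, port) actually bound."""
        self._srv = socket.create_server(self.listen)
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self._srv.getsockname()

    def stop(self):
        if self._srv:
            self._srv.close()

    def _accept_loop(self):
        while True:
            try:
                client, (addr, _port) = self._srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=self._handle, args=(client, addr), daemon=True).start()

    def _handle(self, client, addr):
        # Source check first: containers outside the allowed subnet never get a handshake.
        if not source_allowed(addr, self.allowed_networks):
            self.denied += 1
            client.close()
            return
        try:
            if self.ssl_ctx is not None:
                client = self.ssl_ctx.wrap_socket(client, server_side=True)  # handshake here
            upstream = socket.create_connection(self.target)
        except (OSError, ssl.SSLError):
            client.close()
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)


def echo_server():
    """Constructed stand-in for the loopback-only backend: echoes one request and closes."""
    srv = socket.create_server(("127.0.0.1", 0))

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(65536))

    threading.Thread(target=loop, daemon=True).start()
    return srv


def round_trip(payload, allowed_networks=()):
    """Run backend + forwarder on loopback, push payload through, return the reply
    (b"" if the forwarder refused the connection)."""
    backend = echo_server()
    fwd = Forwarder("127.0.0.1", 0, backend.getsockname(), allowed_networks=allowed_networks)
    host, port = fwd.start()
    try:
        with socket.create_connection((host, port), timeout=2) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            out = b""
            while True:
                chunk = c.recv(65536)
                if not chunk:
                    break
                out += chunk
            return out
    except OSError:
        return b""
    finally:
        fwd.stop()
        backend.close()


if __name__ == "__main__":
    print(round_trip(b"ping"))                                   # relayed
    print(round_trip(b"ping", allowed_networks=["10.88.0.0/16"]))  # refused from 127.0.0.1
```

In a real deployment the forwarder listens on the host address the containers' DNS name resolves to, `allowed_networks` is the rootless bridge subnet, and `ssl_ctx` comes from `mtls_server_context()` so a stolen DNS name or IP alone buys an attacker nothing without a client certificate; the backend itself keeps listening on loopback only.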