Currently, docker containers that run within each Type-1 VM run in privileged mode. This isn't ideal from a Defense-in-Depth perspective. The plan is to implement the following guidance such that each application-level container runs in a non-root user namespace.
In the meantime, I need to implement user namespaces/UID/GID mapping.
The current blocker for this is that rootless mode does not support overlay networks.
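As an added illustration of the UID/GID mapping mentioned above (example code, not part of the original note or of any project configuration): in Docker this is the daemon-side `userns-remap` setting, which makes the container's UID 0 correspond to an unprivileged host UID taken from the remap user's `/etc/subuid` and `/etc/subgid` ranges. The script below carries a constructed `daemon.json` fragment, a constructed `/etc/subuid` line and a constructed `/proc/<pid>/uid_map` as a real remapped container would show it, and computes which host UID a given container UID lands on, so the mapping can be reasoned about and checked without a running daemon. The remap user name `dockremap` and the range `100000:65536` are assumptions, not values from the note.

```shell
#!/bin/sh
# Added example (not from the original note): how userns-remap maps a
# container UID to a host UID, and how to check that container root is
# not host root. The remap user "dockremap" and the range 100000:65536
# are assumed values; all inputs below are constructed.

# daemon.json fragment that turns on user-namespace remapping for all
# containers started by this daemon (assumed remap user).
DAEMON_JSON='{
  "userns-remap": "dockremap"
}'

# Constructed /etc/subuid entry, format user:start:count.
SUBUID_LINE="dockremap:100000:65536"

# Constructed /proc/<pid>/uid_map of a process inside the remapped
# container, format: <inside-start> <outside-start> <count>.
UID_MAP="         0     100000      65536"

# daemon_has_userns -> exit 0 when the fragment enables userns-remap.
daemon_has_userns() {
  printf '%s' "$DAEMON_JSON" | grep -q '"userns-remap"'
}

# map_uid CONTAINER_UID SUBUID_LINE -> host UID, or "unmapped" when the
# container UID falls outside the allocated range.
map_uid() {
  cuid=$1
  start=$(printf '%s' "$2" | cut -d: -f2)
  count=$(printf '%s' "$2" | cut -d: -f3)
  if [ "$cuid" -ge 0 ] && [ "$cuid" -lt "$count" ]; then
    echo $((start + cuid))
  else
    echo unmapped
  fi
}

# map_uid_from_uid_map CONTAINER_UID UID_MAP -> same computation, but
# read from the kernel's /proc/<pid>/uid_map format.
map_uid_from_uid_map() {
  cuid=$1
  set -- $2
  inside=$1; outside=$2; count=$3
  if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
    echo $((outside + cuid - inside))
  else
    echo unmapped
  fi
}

# is_remapped UID_MAP -> exit 0 when container UID 0 is NOT host UID 0,
# i.e. the container is really running in a non-root user namespace.
is_remapped() {
  set -- $1
  [ "$2" -ne 0 ]
}

# Stand-alone run: show the mapping for a few container UIDs.
for u in 0 1000 70000; do
  echo "container uid $u -> host uid $(map_uid "$u" "$SUBUID_LINE")"
done
is_remapped "$UID_MAP" && echo "container root is remapped (not host root)"
```

On a live host the same check is `docker info --format '{{.SecurityOptions}}'`, which lists `name=userns` when remapping is active, and `cat /proc/$(docker inspect -f '{{.State.Pid}}' <container>)/uid_map`, whose second column must not be 0. Note that `map_uid 70000` reports `unmapped`: a container UID beyond the 65536-entry range has no host identity, which is why image users with large UIDs fail under a too-small subuid allocation.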