how to access the rootless pod (podman play kube) from host?

[braindevices]

podman play kube following yaml:

apiVersion: v1
kind: Pod
metadata:
  name: mariadb-pod-nopub
  labels:
    app: mariadb
spec:
  containers:
    - name: test-mariadb
      image: mariadb:latest
      env:
        - name: MARIADB_ALLOW_EMPTY_ROOT_PASSWORD
          value: 1

$ podman network inspect podman-default-kube-network 
[
     {
          "name": "podman-default-kube-network",
          "id": ...,
          "driver": "bridge",
          "network_interface": "podman1",
          "created": "2024-10-08T03:34:21.16301841+02:00",
          "subnets": [
               {
                    "subnet": "10.89.0.0/24",
                    "gateway": "10.89.0.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": true,
          "ipam_options": {
               "driver": "host-local"
          }
     }
]

I cannot even ping the 10.89.0.1 from host. I guess there is namespace thing, but I wonder what is the canonical way to allow me to access the container in the pod via ip or container name? I do not want to publish the port. Because this is user owned rootless pods, publish port can result lots of conflict between users.

Can somehow configure the rootless pod to connect to some macvlan like stuff to giving the rootless container an ip?

How should I configure the pod to allow access from the host system without port publishing?

[Luap99]

The short answer you don't you always need published ports.

As rootless we simply no permissions to modify the host networking so there is absolutely no way to add any routing rules that could reach a rootless container, in particular as rootless everything has to happen inside rootless network namespaces which are then connected to the host via pasta or slirp4netns, see #22943 (comment)

Now you could join the namespace and then connect via ip there, e.g. podman unshare --rootless-netns curl <containerip>