Container Immutability at Runtime

Containers are supposed to be immutable. Build once, ship the image, run it everywhere with the same bytes. That's the theory. In practice, nothing stops someone from running kubectl exec -it nginx -- apt update and installing whatever they want inside a running container. Nothing stops an attacker who gains code execution from dropping a reverse shell binary into /tmp and establishing persistence.
The CKS exam tests this directly under "Monitoring, Logging and Runtime Security" (20% of the exam): "Ensure immutability of containers at runtime." But this isn't just an exam topic. Mutable containers in production are persistence vectors. Every writable path inside a container is a place an attacker can store tools, modify configurations, or hide malware.
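The Pod-level control that enforces this is readOnlyRootFilesystem. Below, as an added example that is not part of the lesson, the same nginx Pod twice: first with the default writable root filesystem, then hardened with a read-only root and emptyDir scratch volumes only for the paths nginx must write to (that /var/cache/nginx and /var/run are the only such paths for the stock image is an assumption).

```yaml
# Added example (not from the lesson): mutable vs. immutable nginx Pod.
# --- Weak: no securityContext, so the entire image filesystem is writable.
#     `kubectl exec -it nginx-mutable -- apt update` succeeds, and so does
#     dropping a binary into /tmp or /usr/bin.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-mutable
spec:
  containers:
    - name: nginx
      image: nginx:1.27
---
# --- Hardened: the root filesystem is mounted read-only; apt cannot write
#     /var/lib/apt, and nothing can modify /usr, /etc or the nginx binary.
#     Assumption: /var/cache/nginx (temp files) and /var/run (nginx.pid) are
#     the only paths the stock nginx image needs to write at runtime.
#     /tmp is deliberately NOT given a volume: every emptyDir is still a
#     writable path, so add them only where the process actually needs one.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-immutable
spec:
  containers:
    - name: nginx
      image: nginx:1.27
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: cache
          mountPath: /var/cache/nginx
        - name: run
          mountPath: /var/run
  volumes:
    - name: cache
      emptyDir: {}
    - name: run
      emptyDir: {}
# Check after `kubectl apply -f` (expected output shown for the hardened Pod):
#   kubectl exec nginx-immutable -- touch /tmp/x
#     touch: cannot touch '/tmp/x': Read-only file system
#   kubectl exec nginx-immutable -- apt update
#     ... Read-only file system  (apt fails before fetching anything)
```

The remaining writable paths (the two emptyDir mounts) are exactly the places runtime detection tooling should watch for unexpected files.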
Part of the CKS — Certified Kubernetes Security Specialist course (25 lessons).