While running the Layer7 Container Gateway in Azure Kubernetes Service (AKS) with the Gateway:10.1.00 image, Microsoft Defender and the Azure built-in policies reported the following findings:
- Running containers as root user should be avoided
- Immutable (read-only) root filesystem should be enforced for containers
API Gateway 10.1, 11.0
Our container gateway runs as a non-root user called 'runner' unless you have explicitly configured the container to run as root via a Security Context. If you open a shell inside the container, the directories are not mounted read-only, but they are owned by root. Since you cannot access the container as the root user, the filesystem remains immutable to the gateway process. This is the default behavior of the container gateway, which you can confirm as follows:
$ kubectl get pods -n <namespace>
NAME READY STATUS RESTARTS AGE
gateway11-pm-tagger-9f5575486-xxxxx 1/1 Running 1 (81d ago) 81d
gateway11-mysql-0 1/1 Running 1 (81d ago) 81d
gateway11-6f745dbc86-xxxxx 1/1 Running 1 (81d ago) 81d
$ kubectl exec --stdin --tty -n <namespace> gateway11-6f745dbc86-xxxxx -- /bin/sh
sh-4.2$ whoami
runner
NOTE: This example is from an 11.0 Gateway container, but the same steps work for 10.1.
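The two findings above are raised from the pod manifest, not from what the image does at runtime: the policies look for an explicit securityContext and cannot see that the image drops to 'runner' or that its directories are root-owned. The following added example (not Layer7 or Microsoft code) evaluates a constructed pod spec against both checks as such policies commonly implement them, then produces a hardened copy that declares runAsNonRoot, runAsUser and readOnlyRootFilesystem and gives writable paths an emptyDir. The container name, the UID and the writable paths are assumptions; substitute the UID the 'runner' account actually has and the directories the gateway really writes to.

```python
"""Evaluate a pod manifest against the two Defender findings quoted above and
produce a hardened copy. Added example; not the product's own manifest or code."""
import copy
import json

# Constructed pod manifest modelled on the gateway11 pod listed above.
# Container name, image tag and the missing securityContext are assumptions.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "gateway11-6f745dbc86-xxxxx"},
    "spec": {
        "containers": [
            {"name": "gateway", "image": "gateway:10.1.00", "volumeMounts": []},
        ],
        "volumes": [],
    },
}


def effective_context(container, pod_spec):
    """Merge pod- and container-level securityContext the way the kubelet does:
    container fields override pod fields for runAsUser / runAsNonRoot.
    readOnlyRootFilesystem exists only at container level."""
    pod_sc = pod_spec.get("securityContext") or {}
    c_sc = container.get("securityContext") or {}
    return {
        "runAsUser": c_sc.get("runAsUser", pod_sc.get("runAsUser")),
        "runAsNonRoot": c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")),
        "readOnlyRootFilesystem": c_sc.get("readOnlyRootFilesystem"),
    }


def findings(pod):
    """Return (container name, finding) pairs for the two policies."""
    result = []
    spec = pod["spec"]
    for container in spec.get("containers", []):
        ctx = effective_context(container, spec)
        uid = ctx["runAsUser"]
        # "Running containers as root user should be avoided": the policy sees
        # only the manifest, so a container that declares neither
        # runAsNonRoot: true nor a non-zero runAsUser is reported even though
        # the image itself runs as 'runner' (assumed policy semantics).
        if uid == 0 or (uid is None and ctx["runAsNonRoot"] is not True):
            result.append((container["name"], "root-user"))
        # "Immutable (read-only) root filesystem should be enforced": the flag
        # must be explicitly true; root-owned directories alone do not satisfy it.
        if ctx["readOnlyRootFilesystem"] is not True:
            result.append((container["name"], "writable-rootfs"))
    return result


def harden(pod, uid=1000, writable_paths=("/tmp",)):
    """Return a copy of the pod with the securityContext both policies expect.
    uid and writable_paths are assumptions for illustration."""
    hardened = copy.deepcopy(pod)
    spec = hardened["spec"]
    spec.setdefault("volumes", [])
    for container in spec["containers"]:
        sc = container.setdefault("securityContext", {})
        sc.update({
            "runAsNonRoot": True,
            "runAsUser": uid,
            "readOnlyRootFilesystem": True,
            "allowPrivilegeEscalation": False,
        })
        mounts = container.setdefault("volumeMounts", [])
        # A read-only root filesystem still needs somewhere to write; give each
        # writable path its own emptyDir instead of loosening the whole filesystem.
        for i, path in enumerate(writable_paths):
            name = f"{container['name']}-scratch-{i}"
            spec["volumes"].append({"name": name, "emptyDir": {}})
            mounts.append({"name": name, "mountPath": path})
    return hardened


if __name__ == "__main__":
    print("before:", findings(SAMPLE_POD))
    fixed = harden(SAMPLE_POD)
    print("after: ", findings(fixed))
    print(json.dumps(fixed["spec"]["containers"][0]["securityContext"], indent=2))
```

Running the script reports both findings for the sample pod and none for the hardened copy. Before applying readOnlyRootFilesystem to a real gateway pod, confirm which directories the gateway writes to at startup and mount an emptyDir on each, otherwise the container will fail to start.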