Fix compliance issues

README.md

@@ -44,3 +44,8 @@ To access through the Nullstone CLI, use `nullstone logs` CLI command. (See [`lo
 
 Nullstone automatically injects secrets into your GKE Service through environment variables.
 (They are stored in GCP Secrets Manager and injected by Kubernetes during launch.)
+
+## File system
+
+The root file system is configured to be read-only to prevent an attacker from making permanent local changes and prevents binaries from being written to the local filesystem.
+To create a persistent file system, add a `Datastore` to attach volumes or object storage.

deployment.tf

@@ -37,8 +37,10 @@ resource "kubernetes_deployment_v1" "this" {
           args  = local.command
 
           security_context {
+            read_only_root_filesystem = true
+
             capabilities {
-              drop = ["NET_RAW"]
+              drop = ["ALL"]
             }
           }