Native Scheduler: Docker Read-only Container Filesystem

I know mounted volumes can be mounted with flags like ro, per Container Volumes, but is there a way to ensure the container’s entire internal root filesystem is mounted as read-only? Is there any workaround to do this via a Dockerfile directive?

There is not, as far as I know. The only way to make the filesystem read-only is at run time, and that option is not supported via the Replicated spec.
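Since the setting exists only at run time (Docker's `--read-only` flag on `docker run`), an image cannot guarantee it, so the practical check is to audit what is actually running. The following is an added example, not part of the original thread or any Replicated tooling: it reads `docker inspect` JSON and reports each container's `HostConfig.ReadonlyRootfs` value along with the paths that remain writable. The sample input, container names and function names are constructed for illustration.

```python
import json

# Constructed sample of `docker inspect <container>...` output, trimmed to the
# fields used here; the container names and paths are made up.
SAMPLE_INSPECT = """
[
  {"Name": "/web",
   "HostConfig": {"ReadonlyRootfs": true, "Tmpfs": {"/tmp": "rw,noexec,nosuid"}},
   "Mounts": [{"Type": "volume", "Destination": "/data", "RW": true},
              {"Type": "bind", "Destination": "/etc/app", "RW": false}]},
  {"Name": "/worker",
   "HostConfig": {"ReadonlyRootfs": false, "Tmpfs": null},
   "Mounts": []}
]
"""


def audit_rootfs(inspect_json):
    """Return one finding per container from `docker inspect` JSON text."""
    findings = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig") or {}
        # Locations that stay writable even when the root filesystem is read-only.
        writable = sorted(host.get("Tmpfs") or {})
        writable += sorted(m["Destination"] for m in c.get("Mounts") or []
                           if m.get("RW"))
        findings.append({
            "name": c.get("Name", "").lstrip("/"),
            # A missing field is treated as writable (fail closed).
            "rootfs_readonly": bool(host.get("ReadonlyRootfs", False)),
            "writable_paths": writable,
        })
    return findings


def writable_rootfs(inspect_json):
    """Names of containers whose root filesystem is still writable."""
    return [f["name"] for f in audit_rootfs(inspect_json)
            if not f["rootfs_readonly"]]


if __name__ == "__main__":
    for f in audit_rootfs(SAMPLE_INSPECT):
        state = "read-only" if f["rootfs_readonly"] else "WRITABLE"
        print(f"{f['name']}: rootfs {state}; writable paths: {f['writable_paths']}")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the embedded sample.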