apiVersion: v1
kind: Pod
metadata:
  name: test
  labels:
    app: test
  namespace: test
spec:
  containers:
  - name: test
    image: GOOD_REGISTRY/read-only-container:v0.0.1
    securityContext:  
      allowPrivilegeEscalation: false  
      runAsUser: 1000  
      readOnlyRootFilesystem: true  
    volumeMounts:
    - mountPath: /cache
      name: cache-volume
      readOnly: true
  volumes:
  - name: cache-volume
    hostPath:
      path: /tmp # directory location on host