Exempt a specific container in MDC

The built-in policy that enforces immutable (read-only) root filesystems in containers offers granular control through native exclusions. The policy is delivered by the Azure Policy Add-on for Kubernetes and runs as a Gatekeeper constraint. Its exclusion parameters cover specific container names, image prefixes, and entire namespaces, so exceptions can be scoped precisely without a full policy exemption; excluding a system namespace such as kube-system is one example. The parameters can be configured through Defender for Cloud's "Take action" tab or via Environment Settings under Security policies.

If several containers legitimately cannot run with a read-only root filesystem, excluding them by container name is the recommended approach: the policy stays enforced across the rest of the cluster. Full policy exemptions should be reserved for compliance and audit tracking. Parameter-based exclusions are presented as the more native and maintainable solution for operational exceptions.
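As an added illustration (not code from the page or from Microsoft's policy template), the following Python approximates how the three exclusion kinds combine when a pod is evaluated: excluded namespaces and container names skip the check outright, image prefixes match by `startswith`, and every remaining container must set `readOnlyRootFilesystem: true`. The pod manifest, the `Exclusions` field names, and the inclusion of init containers are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Exclusions:
    """Mirrors the policy's native exclusion parameters (names assumed here)."""
    namespaces: list = field(default_factory=list)       # whole namespaces skipped
    containers: list = field(default_factory=list)       # exact container names
    image_prefixes: list = field(default_factory=list)   # image prefix match


def is_excluded(namespace, container, exc):
    if namespace in exc.namespaces or container["name"] in exc.containers:
        return True
    return any(container["image"].startswith(p) for p in exc.image_prefixes)


def violations(pod, exc):
    """Return names of containers that must be read-only but are not."""
    ns = pod["metadata"].get("namespace", "default")
    spec = pod["spec"]
    # Assumption: init containers are checked like regular containers.
    bad = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if is_excluded(ns, c, exc):
            continue
        ctx = c.get("securityContext") or {}
        if ctx.get("readOnlyRootFilesystem") is not True:
            bad.append(c["name"])
    return bad


# Constructed sample pod: one legacy app that writes to its root fs,
# one compliant sidecar, and one vendor agent pulled from a trusted registry.
SAMPLE_POD = {
    "metadata": {"name": "billing", "namespace": "payments"},
    "spec": {"containers": [
        {"name": "legacy-app", "image": "registry.example/legacy:1.0"},
        {"name": "sidecar", "image": "registry.example/proxy:2",
         "securityContext": {"readOnlyRootFilesystem": True}},
        {"name": "agent", "image": "mcr.microsoft.com/agent:2",
         "securityContext": {"readOnlyRootFilesystem": False}},
    ]},
}

# Scoped exceptions instead of a full policy exemption.
EXCLUSIONS = Exclusions(namespaces=["kube-system"],
                        containers=["legacy-app"],
                        image_prefixes=["mcr.microsoft.com/"])

if __name__ == "__main__":
    print("no exclusions:", violations(SAMPLE_POD, Exclusions()))
    print("with exclusions:", violations(SAMPLE_POD, EXCLUSIONS))
```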