The fact that container processes are visible from the host is one of the fundamental differences between container and virtual machines.

An attacker who gets access to the host can observe and affect all the containers running on that host, especially if they have root access.

Don't include anything in any layer of image that you aren't prepared to be seen by anyone who has access to the image.

Because tags can be moved from image to image, there is no guarantee that specifying an image by tag today will give you exactly the same result as it does tomorrow. In contrast, using the hash reference will give you the identical image, because the hash is defined from the contents of the image. Any change to the image results in a different hash.

switchport mode access
switchport access vlan <VLAN_ID>
switchport port-security

Use multi-stage builds

The multi-stage build is a way of eliminating unnecessary contents in the final image. An initial stage can include all the packages and toolchain required to build an image, but a lot of these tools are not needed at runtime. As an example, if you write an executable in Go, it needs the Go compiler in order to create an executable program. The container that runs the program doesn't need to have access to the Go compiler. In this example, it would be a good idea to break the build into a multi-stage build: one stage does the compilation and creates a binary executable; the next stage just has access to the standalone executable. The image that gets deployed has a much smaller attack surface; a nonsecurity benefit is that the image itself will also be smaller, so the time to pull the image is reduced.

Avoid unnecessary code

The smaller the amount of code in a container, the smaller the attack surface. Avoid adding packages, libraries, and executables into an image unless they are absolutely necessary.

GitOps is a methodology in which all the configuration information about the state of a system is held under source control, just as the application source code is. When a user wants to make an operational change to the system, they don't apply commands directly but instead check in the desired state in code form (for example, in YAML files for Kubernetes). An automated system called the GitOps operator makes sure that the system is updated to reflect the latest state as defined under code control.
This impacts security in significantly beneficial ways. Users no longer need direct access to the running system because everything is done at arm's length via the source code control system (typically Git, as the name implies).