I have experience working on a Twistlock module for container breakout mitigations:
Classic container - no mounts/secrets
● Default container profile (no additional Linux capabilities + seccomp)
● Container-optimized OS - read-only root partition (CVE-2019-5736 mitigation)
● User namespaces
I can certainly have a look and give it a try based on your requirements.
Thank you
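As an added example (not part of the reply above), a small audit helper that checks a container's `docker inspect` record against the mitigations listed: no host mounts, no added capabilities, seccomp left on, user namespaces not opted out of, plus `no-new-privileges` as one step beyond the list. The sample records are constructed; the user-namespace check assumes the daemon runs with `userns-remap`, and the read-only check covers the container's own rootfs, since a read-only COS host partition is not visible in container metadata.

```python
"""Audit a container's `docker inspect` output against common breakout mitigations."""
from typing import Any, Dict, List

# Constructed sample: a container launched with no hardening (hypothetical Id).
WEAK_CONTAINER: Dict[str, Any] = {
    "Id": "0000constructed",
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
    "HostConfig": {
        "Privileged": False,
        "ReadonlyRootfs": False,
        "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": ["seccomp=unconfined"],
        "UsernsMode": "host",            # opts out of daemon-level userns-remap
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}

# Constructed sample: the same workload launched with the hardened profile.
HARDENED_CONTAINER: Dict[str, Any] = {
    "Id": "1111constructed",
    "Mounts": [],
    "HostConfig": {
        "Privileged": False,
        "ReadonlyRootfs": True,
        "CapAdd": None,                  # docker reports None when nothing was added
        "SecurityOpt": ["no-new-privileges"],
        "UsernsMode": "",                # empty string: daemon default (remap) applies
        "Binds": None,
    },
}


def audit_container(inspect: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means every mitigation is in place."""
    hc = inspect.get("HostConfig") or {}
    findings: List[str] = []
    if hc.get("Privileged"):
        findings.append("privileged container: all capabilities and devices exposed")
    if hc.get("CapAdd"):
        findings.append(f"extra Linux capabilities added: {sorted(hc['CapAdd'])}")
    sec_opts = hc.get("SecurityOpt") or []
    if any(opt.startswith("seccomp=unconfined") for opt in sec_opts):
        findings.append("default seccomp profile disabled")
    if "no-new-privileges" not in sec_opts:
        findings.append("no-new-privileges not set (setuid binaries can regain privileges)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("container root filesystem is writable")
    if hc.get("UsernsMode") == "host":   # assumes the daemon has userns-remap enabled
        findings.append("user namespace remapping disabled for this container")
    if inspect.get("Mounts") or hc.get("Binds"):
        findings.append("host paths mounted into the container")
    return findings
```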