Taking a look at the documentation on running vault on kubernetes / docker, it says that for the best security, the container should be run with non-root privileges and a read-only root filesystem. In practice, I’m having trouble seeing how that is possible. The default docker entrypoint runs in dev mode, meaning the entrypoint needs to be hijacked to provide the correct arguments. If the container is run with a read-only root fs and as a non-root user, the container errors out because the commands that it tries to run need root permissions.
Is there something I’m missing? Or is running a production hardened vault docker impossible?
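The following Kubernetes manifest is an added example, not part of the original post and not HashiCorp's own chart or documentation. It shows the shape of a pod that satisfies the two constraints the question mentions (non-root UID, read-only root filesystem) while still running Vault in server mode: the image's default `server -dev` command is overridden directly, so none of the entrypoint's root-only setup steps run, and every path Vault needs to write to is a mounted volume. The UID/GID values, the image tag, the resource names and the use of `disable_mlock` are assumptions for illustration.

```yaml
# Added example (not from the original post): a Vault pod that runs as a
# non-root user on a read-only root filesystem.
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-config            # name is an assumption
data:
  vault.hcl: |
    ui = false
    # Assumed: mlock disabled so no IPC_LOCK capability is required.
    # Alternative: keep mlock and add only IPC_LOCK under capabilities.add.
    disable_mlock = true
    listener "tcp" {
      address     = "0.0.0.0:8200"
      tls_disable = 1           # illustration only; terminate TLS in production
    }
    storage "file" {
      path = "/vault/file"      # must be a writable volume, see below
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: vault
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 100              # assumed UID of the image's "vault" user
    runAsGroup: 1000            # assumed GID
    fsGroup: 1000               # makes mounted volumes group-writable
  containers:
    - name: vault
      image: hashicorp/vault:VERSION_PLACEHOLDER
      # Override the image's default "server -dev" so the entrypoint's
      # root-only steps (ownership / capability changes) never execute.
      command: ["vault"]
      args: ["server", "-config=/vault/config/vault.hcl"]
      ports:
        - containerPort: 8200
      securityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: config
          mountPath: /vault/config
          readOnly: true
        - name: data
          mountPath: /vault/file
        - name: logs
          mountPath: /vault/logs
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: config
      configMap:
        name: vault-config
    - name: data
      emptyDir: {}              # use a PersistentVolumeClaim for real data
    - name: logs
      emptyDir: {}
    - name: tmp
      emptyDir: {}
```

The check that matters when debugging this setup is the error message itself: with `readOnlyRootFilesystem: true` any path Vault writes to that is not covered by a volume mount will fail with a read-only filesystem error, which tells you exactly which mount is missing, whereas a permission-denied error on the data directory usually means the volume's ownership does not match `runAsUser` / `fsGroup`.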