Scenario: Mature server application from vendor running inside a Windows container. Vendor's app is built (Dockerfile) and shipped to customer (to customer's container registry via docker push ...). No vendor software updates are expected in the near future.
Question: How does the customer's ops team patch the underlying OS without direct access to vendor's source or app? Is it possible to peel-off and swap the base OS layers for a new image that can we deployed (statelessly)?
Reading this doesn't seem positive.
Edit: This is a future scenario we’re planning for; not something from the past
