While detection and response are essential components of container runtime security, this reactive approach depends on the timely and accurate classification of threats to trigger mitigation. This dependency introduces unavoidable delays in the response path, creating a window of opportunity for adversaries to escalate privileges or pivot laterally across the cloud environment. These limitations underscore the need for a proactive hardening mechanism that reduces the container’s execution surface before it is compromised. While existing hardening mechanisms enforce security-relevant constraints, their effectiveness remains inherently tied to specific deployment configurations and does not generalize across diverse setups. Moreover, their dependence on prior knowledge of container behavior makes them ill-suited for dynamic microservices, where frequent rollouts invalidate baselines and introduce substantial maintenance overhead. In this work, we present ConLock, a hardening mechanism that generalizes across diverse deployment setups and requires no prior knowledge of container behavior. Our key insight is that containerized microservices, consistent with the single-concern principle, execute a single, task-specific binary throughout their lifetime. In contrast, adversaries violate this model by invoking additional executables—typically pre-packaged within the container image—to carry out malicious actions. At its core, ConLock identifies the main binary at startup and purges all non-essential executables from the container’s runtime filesystem, thereby preventing unauthorized code execution. We evaluate ConLock on five microservices-based applications maintained by major cloud vendors and 21 container attack scenarios derived from publicly available exploits. ConLock achieves a 99.57% attack prevention rate with zero false positives. Moreover, it operates without in-container instrumentation or system call hooking, incurring minimal performance overhead.
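The following is an added illustration of the core idea stated in the abstract (keep the single task-specific binary, purge every other executable from the runtime filesystem); it is not ConLock's code and makes no claim about how ConLock locates the main binary or handles shared libraries. The constructed image layout, the file names, and the heuristic that files named `*.so` or `*.so.N` are shared objects to be kept are assumptions made here for the example.

```python
"""Added example: a minimal, stand-alone approximation of the hardening idea
in the abstract (keep the main binary, purge all other executables).
Not ConLock's implementation. The rootfs layout, file names and the '.so'
heuristic for shared objects are assumptions made for this illustration."""
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def is_executable_file(path):
    """True for a regular file (symlinks excluded) with any execute bit set."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & EXEC_BITS)


def is_shared_object(path):
    """Assumption: shared libraries are named *.so or *.so.N. They often carry
    the exec bit but must survive, since the main binary links against them."""
    name = os.path.basename(path)
    return name.endswith(".so") or ".so." in name


def find_executables(rootfs):
    """Walk the container rootfs and return every executable regular file."""
    found = []
    for dirpath, _, filenames in os.walk(rootfs):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if is_executable_file(p):
                found.append(p)
    return sorted(found)


def purge_nonessential(rootfs, main_binary):
    """Remove every executable except the main binary and shared objects.
    `main_binary` is a path inside the rootfs (e.g. "/app/server").
    Returns the removed paths relative to the rootfs, sorted."""
    keep = os.path.realpath(os.path.join(rootfs, main_binary.lstrip("/")))
    if not is_executable_file(keep):
        raise FileNotFoundError("main binary missing or not executable: %s" % main_binary)
    removed = []
    for p in find_executables(rootfs):
        if os.path.realpath(p) == keep or is_shared_object(p):
            continue
        os.remove(p)
        removed.append(os.path.relpath(p, rootfs))
    # Drop symlinks left dangling by the purge (e.g. busybox applet links),
    # so a path like /bin/sh cannot be resolved at all afterwards.
    for dirpath, _, filenames in os.walk(rootfs):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if os.path.islink(p) and not os.path.exists(p):
                os.remove(p)
                removed.append(os.path.relpath(p, rootfs))
    return sorted(removed)


def build_demo_rootfs():
    """Constructed sample image layout (an assumption, not a real image)."""
    root = tempfile.mkdtemp(prefix="purge-demo-")
    layout = {
        "app/server": True,         # the single task-specific binary
        "bin/busybox": True,        # multi-call binary behind /bin/sh
        "bin/cat": True,
        "usr/bin/curl": True,       # typical living-off-the-land tool
        "usr/lib/libc.so.6": True,  # shared object, exec bit set on many distros
        "etc/passwd": False,        # data file, no exec bit
    }
    for rel, executable in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(b"\x7fELF" if executable else b"root:x:0:0::/:/sbin/nologin\n")
        if executable:
            os.chmod(p, 0o755)
    os.symlink("busybox", os.path.join(root, "bin/sh"))  # applet link
    return root


def demo():
    """Build the sample rootfs, purge it, and report what was removed/kept."""
    root = build_demo_rootfs()
    removed = purge_nonessential(root, "/app/server")
    remaining = [os.path.relpath(p, root) for p in find_executables(root)]
    passwd_kept = os.path.exists(os.path.join(root, "etc/passwd"))
    return removed, remaining, passwd_kept


if __name__ == "__main__":
    print(demo())
```

On the constructed layout the purge removes `bin/busybox`, `bin/cat`, `usr/bin/curl` and the now-dangling `bin/sh` link, while `app/server`, `usr/lib/libc.so.6` and `etc/passwd` remain. Two caveats apply to this simplification, not to ConLock: it keys on the execute bit and file name, so it neither inspects ELF headers nor addresses interpreters (`#!` scripts, the dynamic loader invoked directly on a non-executable file), and it makes no attempt to discover which libraries the main binary actually needs.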