ImmuCheck: Selective Immutability for Container Escape Detection in Containerized Microservices

Abstract

Container escape attacks break isolation boundaries, granting threat actors code execution on the underlying host and potentially full control over the entire cluster. Existing runtime defenses exhibit an inherent trade-off. Anomaly- and provenance-based detection mechanisms achieve broad escape detection, yet incur substantial operational costs due to model retraining requirements or system-wide provenance capture. In contrast, industry rule-based detectors avoid these costs but offer limited detection coverage. We introduce a container escape detection approach that breaks this trade-off, offering broad detection coverage without operational costs. Our key insight is that container escape attacks commonly involve filesystem writes, violating the immutable state expected in microservices. While enforcing strict immutability can expose such behavior, microservices sometimes perform legitimate writes for ephemeral operations (e.g., logging), making blanket immutability impractical. Our system, ImmuCheck, instead applies selective immutability, automatically inferring legitimate write regions during initialization and flagging subsequent writes outside these regions as potential escape attempts. We evaluate our approach across 12 escape scenarios spanning five microservices-based applications from major cloud providers. ImmuCheck achieves 99.22% precision and 100% recall, with low overhead, no retraining requirements, and timely detection.
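The selective-immutability idea in the abstract, as an added illustration that is not ImmuCheck's own code: write events during an initialization window define the allowed directories, and later writes whose normalized parent directory falls outside every learned region are flagged. It assumes write events are already captured by some monitor, that a region is a directory subtree, and that paths are normalized but not symlink-resolved; the event list is constructed.

```python
import posixpath
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed sample of filesystem write events as (phase, path).
# "init" events occur during the service's initialization window;
# "run" events occur afterwards, once the learned policy is frozen.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("init", "/var/log/app/app.log"),
    ("init", "/tmp/cache/session-1"),
    ("run", "/var/log/app/app.log"),               # learned region: legitimate
    ("run", "/tmp/cache/session-2"),               # learned region: legitimate
    ("run", "/etc/cron.d/job"),                    # outside every region: flag
    ("run", "/var/log/app/../../../etc/crontab"),  # traversal out of a region: flag
]


@dataclass
class SelectiveImmutabilityMonitor:
    """Learns the directories a service writes during initialization,
    then treats writes outside those subtrees as potential escapes."""
    allowed_dirs: Set[str] = field(default_factory=set)
    frozen: bool = False

    def observe_init_write(self, path: str) -> None:
        if self.frozen:
            raise RuntimeError("policy already frozen; no more learning")
        self.allowed_dirs.add(posixpath.dirname(posixpath.normpath(path)))

    def freeze(self) -> None:
        self.frozen = True

    def is_allowed(self, path: str) -> bool:
        # Normalize first so "a/../../b" cannot slip past a prefix match.
        parent = posixpath.dirname(posixpath.normpath(path))
        return any(parent == d or parent.startswith(d.rstrip("/") + "/")
                   for d in self.allowed_dirs)


def run_detection(events: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Replay events; return (learned regions, flagged normalized paths)."""
    mon = SelectiveImmutabilityMonitor()
    flagged: List[str] = []
    for phase, path in events:
        if phase == "init":
            mon.observe_init_write(path)
            continue
        if not mon.frozen:
            mon.freeze()  # first steady-state write ends the learning window
        if not mon.is_allowed(path):
            flagged.append(posixpath.normpath(path))
    return sorted(mon.allowed_dirs), flagged
```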

Type: Conference paper
Publication: In Proceedings of the ACM ASIA Conference on Computer and Communications Security (ASIACCS)