Why do you want to do it? What are you trying to protect against?
It’s certainly possible to build an image by creating a static binary and adding only that binary to a FROM scratch image, and then it won’t have a shell at all. Many images based on Go programs are built this way. If you have an image like that, then you can’t really docker exec into it, because there’s nothing to exec.
But, if I have that image, I can write a Dockerfile that starts from that image, adds a copy of Busybox to it, and now I have an image with the binary and a shell. Once I have that I can also do things like docker cp the binary out, and mine whatever I want from it. For that matter, a dedicated attacker can probably find the container’s actual content in /var/lib/docker pretty easily.
@dmaze is correct. If an attacker has Docker access you’re already hosed. You certainly could remove the shells from your images, but it’d arguably be more useful to simply limit what they are capable of, e.g., by ensuring your containers are run as unprivileged users.
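One way to check the limits suggested above (unprivileged user, reduced capabilities) on containers that already exist, as an added example that is not part of the original thread. The container names and sample records are constructed, and the script name `audit.py` is hypothetical; the field names are those found in `docker inspect` output.

```python
import json

# Constructed sample: trimmed `docker inspect` records for two hypothetical containers.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/api-scratch", "Config": {"User": "65534:65534"},
  "HostConfig": {"Privileged": false, "ReadonlyRootfs": true, "CapDrop": ["ALL"],
                 "CapAdd": null, "SecurityOpt": ["no-new-privileges"]}},
 {"Name": "/legacy-worker", "Config": {"User": ""},
  "HostConfig": {"Privileged": true, "ReadonlyRootfs": false, "CapDrop": null,
                 "CapAdd": ["SYS_ADMIN"], "SecurityOpt": null}}
]""")

def audit_container(record):
    """Return hardening findings for one `docker inspect` record."""
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}
    findings = []
    # Empty User means no USER was set by the image or at run time, i.e. UID 0.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    if host.get("Privileged"):
        findings.append("privileged mode")
    dropped = {c.upper() for c in (host.get("CapDrop") or [])}
    if "ALL" not in dropped:
        findings.append("default capabilities not dropped")
    added = host.get("CapAdd") or []
    if added:
        findings.append("capabilities added: " + ",".join(sorted(added)))
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    # Docker accepts both "no-new-privileges" and "no-new-privileges[:=]true".
    opts = [o.replace("=", ":") for o in (host.get("SecurityOpt") or [])]
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("no-new-privileges not set")
    return findings

def audit(records):
    """Map container name to its list of findings (empty list = nothing flagged)."""
    return {r.get("Name", "?").lstrip("/"): audit_container(r) for r in records}

if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit.py
    import sys
    data = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, findings in audit(data).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

An empty findings list only means these particular settings are in place; anyone with access to the Docker daemon can still start a differently configured container.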
I would also like to achieve something similar to that. Basically I would like to have an image and then run a container based on that image somewhere on a host but nobody will be able to access it (not even the host as root).
Did you solve this problem somehow?