Launch policies override the VM metadata variables set by workload operators to restrict malicious actions. A workload author can set policies with a label as part of building their container image.
For example, in a Dockerfile:
LABEL "tee.launch_policy.allow_cmd_override"="true"
In a Bazel BUILD file:
container_image(
...
labels={"tee.launch_policy.allow_cmd_override":"true"}
...
)
The available launch policies are in the following table:
Policy | Type | Description |
---|---|---|
Interacts with: | Boolean (default is false) | Determines if the CMD specified in the workload container's Dockerfile can be overridden by a workload operator with the tee-cmd metadata value. |
Interacts with: | Comma-separated string | A comma-separated string of permitted environment variable names that are allowed to be set by a workload operator with tee-env-ENVIRONMENT_VARIABLE_NAME metadata values. |
Interacts with: | Colon-separated string | A colon-separated string of permitted mount directories the workload operator is allowed to mount to using For example: |
Interacts with: | Defined string | Determines how logging works if The valid values are: |
Interacts with: | Defined string | Determines how workload memory usage monitoring works if The valid values are: |
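The following added example (not code from the original page or from the Confidential Space launcher) models the first two table rows as a pre-deployment check: given an image's labels and the metadata an operator plans to set, it lists every override the launch policy would not permit. The label name in `ENV_LABEL`, the strict `"true"` comparison, and all sample values are assumptions made for illustration.

```python
"""Added example: check operator metadata against launch policy labels."""

CMD_LABEL = "tee.launch_policy.allow_cmd_override"  # label shown on this page
# Assumed label name: the table above does not show the policy name.
ENV_LABEL = "tee.launch_policy.allow_env_override"
ENV_PREFIX = "tee-env-"


def check_overrides(labels, metadata):
    """Return a sorted list of metadata keys the image's policy does not allow."""
    violations = []

    # Boolean policy, default false: a missing label means no CMD override.
    cmd_allowed = labels.get(CMD_LABEL, "false").strip().lower() == "true"
    if "tee-cmd" in metadata and not cmd_allowed:
        violations.append("tee-cmd")

    # Comma-separated allowlist of environment variable names.
    raw = labels.get(ENV_LABEL, "")
    allowed_env = {name.strip() for name in raw.split(",") if name.strip()}
    for key in metadata:
        if key.startswith(ENV_PREFIX) and key[len(ENV_PREFIX):] not in allowed_env:
            violations.append(key)

    return sorted(violations)


# Constructed sample data: labels as they would appear on a built image,
# and the metadata values a workload operator intends to set on the VM.
SAMPLE_LABELS = {
    CMD_LABEL: "true",
    ENV_LABEL: "LOG_LEVEL, REGION",
}
SAMPLE_METADATA = {
    "tee-cmd": '["/app", "--serve"]',
    "tee-env-LOG_LEVEL": "debug",
    "tee-env-API_ENDPOINT": "https://example.invalid",
}

if __name__ == "__main__":
    for key in check_overrides(SAMPLE_LABELS, SAMPLE_METADATA):
        print(f"not permitted by launch policy: {key}")
```

Running the same check with an empty label set shows the default posture: every operator override is rejected unless the workload author opted in at build time.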