You can change the Confidential Space workload VM behavior by passing variables into the `--metadata` option when you create the VM.

To pass in multiple variables, first set the delimiter by prefixing the `--metadata` value with `^~^`. This sets the delimiter to `~`, as `,` is used in variable values.

For example:
metadata="^~^tee-restart-policy=Always~tee-image-reference=us-docker.pkg.dev/WORKLOAD_AUTHOR_PROJECT_ID/REPOSITORY_NAME/WORKLOAD_CONTAINER_NAME:latest"
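The delimiter rule above, as an added shell example that is not part of the original page: `build_metadata` joins pairs with a delimiter that occurs in none of them, and `split_metadata` is a simplified model of how a prefixed value is split (not gcloud's own parser). The `example-list` key, its value, and the candidate delimiter list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: simplified model of the ^DELIM^ prefix rule described above.

# build_metadata KEY=VALUE...  -> prints "^D^pair1Dpair2..."
# Uses the first candidate delimiter found in no pair, so values containing
# commas (or even "~") survive intact. Returns 1 on malformed input.
build_metadata() {
  [ "$#" -gt 0 ] || { echo "no pairs given" >&2; return 1; }
  for pair in "$@"; do
    case "$pair" in
      =*) echo "empty key: $pair" >&2; return 1 ;;
      *=*) ;;
      *) echo "not KEY=VALUE: $pair" >&2; return 1 ;;
    esac
  done
  for delim in '~' '#' '@@'; do   # candidate list is an assumption
    clash=0
    for pair in "$@"; do
      case "$pair" in *"$delim"*) clash=1; break ;; esac
    done
    if [ "$clash" -eq 0 ]; then break; fi
  done
  if [ "$clash" -ne 0 ]; then echo "no safe delimiter" >&2; return 1; fi
  out="^${delim}^" sep=""
  for pair in "$@"; do
    out="$out$sep$pair"; sep=$delim
  done
  printf '%s\n' "$out"
}

# split_metadata VALUE -> one item per line; splits on "," when VALUE has no
# ^DELIM^ prefix, which is what breaks values that themselves contain commas.
split_metadata() {
  value=$1 delim=','
  case "$value" in
    ^?*^*) rest=${value#^}; delim=${rest%%^*}; value=${rest#*^} ;;
  esac
  while :; do
    case "$value" in
      *"$delim"*) printf '%s\n' "${value%%"$delim"*}"; value=${value#*"$delim"} ;;
      *) printf '%s\n' "$value"; break ;;
    esac
  done
}

# Constructed sample pairs (placeholders, not real resources).
demo=$(build_metadata "tee-restart-policy=Always" "example-list=a,b")
printf -- '--metadata=%s\n' "$demo"
split_metadata "$demo"
```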
The following table details the metadata variables you can set for your workload VM.
Metadata key | Type | Description and values |
---|---|---|
Interacts with: | String | Required. This points to the location of the workload container. Example |
Interacts with: | String array | Overrides the `CMD` instructions specified in the workload container's Example |
Interacts with: | Defined string | Outputs The valid values are: A high log volume in the serial console might impact workload performance. Example |
 | Integer | Sets the size in kB of the Example |
Interacts with: | String | Sets environment variables in the workload container. The workload author must also add the environment variable names to the Example |
Interacts with: | String | A list of service accounts that can be impersonated by the workload operator. The workload operator must be allowed to impersonate the service accounts. Multiple service accounts can be listed, separated by commas. Example |
Interacts with: | Boolean | Defaults to Example |
Interacts with: | String | A list of semicolon-separated mount definitions. A mount definition consists of a comma-separated list of key-value pairs, requiring Example |
Interacts with: | Defined string | The restart policy of the container launcher when the workload stops. The valid values are: This variable is only supported by the production Confidential Space image. Example |
Interacts with: | String | A list of comma-separated container repositories that store the signatures that are generated by Sigstore Cosign. Example |