Launch policies

Launch policies override the VM metadata variables set by workload operators to restrict malicious actions. A workload author can set policies with a label as part of building their container image.

For example, in a Dockerfile:

LABEL "tee.launch_policy.allow_cmd_override"="true"

In a Bazel BUILD file:

container_image(
    ...
    labels={"tee.launch_policy.allow_cmd_override":"true"}
    ...
)

The available launch policies are in the following table:

Policy Type Description

tee.launch_policy.allow_cmd_override

Interacts with:

 Boolean (default is false) Determines if the CMD specified in the workload container's Dockerfile can be overridden by a workload operator with the tee-cmd metadata value.

tee.launch_policy.allow_env_override

Interacts with:

 Comma separated string A comma separated string of permitted environment variable names that are allowed to be set by a workload operator with tee-env-ENVIRONMENT_VARIABLE_NAME metadata values.

tee.launch_policy.log_redirect

Interacts with:

 Defined string

Determines how logging works if tee-container-log-redirect is set to true by a workload operator.

The valid values are:

  • debugonly (default): Only allow stdout and stderr redirects when using a debug image.
  • always: Always allow stdout and stderr redirects.
  • never: Never allow stdout and stderr redirects.

tee.launch_policy.monitoring_memory_allow

Interacts with:

 Defined string

Determines how workload memory usage monitoring works if tee-memory-monitoring-enable is set to true by a workload operator.

The valid values are:

  • debugonly (default): Only allow memory usage monitoring when using a debug image.
  • always: Always allow memory usage monitoring.
  • never: Never allow memory usage monitoring.