The policy is measured into a PCR of the Confidential VM's vTPM (which is matched in the key release policy on the KMS with the expected policy hash for the deployment) and enforced by a hardened container runtime hosted within each instance. The runtime monitors commands from the Kubernetes control plane, and m
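
The measure-then-release check described above, as an added example that is not code from the original page or from the service it describes. It assumes a SHA-256 PCR bank, a PCR that starts at zero and receives only the policy measurement, and an attestation quote whose signature has already been verified; the policy fields and the `release_key` function are hypothetical.

```python
import hashlib
import hmac
import json

ZERO_PCR = bytes(32)  # a SHA-256 PCR holds 32 zero bytes after reset


def canonical_policy_hash(policy: dict) -> bytes:
    """Hash a canonical JSON encoding so key order cannot change the digest."""
    encoded = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new PCR = SHA-256(old PCR || measurement digest)."""
    return hashlib.sha256(pcr + digest).digest()


def release_key(reported_pcr: bytes, expected_policy_hash: bytes, key: bytes):
    """Hypothetical KMS check: release the key only if the attested PCR equals
    the value derived from the deployment's expected policy hash.
    Assumption: the quote carrying reported_pcr was already signature-checked."""
    expected = pcr_extend(ZERO_PCR, expected_policy_hash)
    return key if hmac.compare_digest(reported_pcr, expected) else None


# Constructed sample policies (not from the original page).
APPROVED = {"image": "registry.example/inference@sha256:aaaa", "allow_exec": False}
TAMPERED = dict(APPROVED, allow_exec=True)


def demo() -> dict:
    key = b"constructed-model-decryption-key"
    approved_hash = canonical_policy_hash(APPROVED)
    good_pcr = pcr_extend(ZERO_PCR, approved_hash)
    bad_pcr = pcr_extend(ZERO_PCR, canonical_policy_hash(TAMPERED))
    # Any further extend on top of the approved policy also changes the PCR.
    extra_pcr = pcr_extend(good_pcr, hashlib.sha256(b"extra").digest())
    return {
        "approved_released": release_key(good_pcr, approved_hash, key) == key,
        "tampered_refused": release_key(bad_pcr, approved_hash, key) is None,
        "extended_refused": release_key(extra_pcr, approved_hash, key) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Because extend is a one-way hash chain, a VM that measured a different policy, or measured anything after the approved one, cannot reproduce the PCR value the key release policy expects.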