The policy is measured into a PCR of the Confidential VM's vTPM (which is matched in the key release policy on the KMS with the expected policy hash for the deployment) and enforced by a hardened container runtime hosted within each instance. The runtime monitors commands from the Kubernetes control plane,