Support AMD SEV-SNP on AWS #2424
Conversation
|
Hello @fangge1212! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/M
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: fangge1212 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
2 times, most recently
from
1271931 to
a6478c1
Compare
| @@ -17,6 +17,9 @@ type AWSMachineProviderConfig struct { | |||
| AMI AWSResourceReference `json:"ami"` | |||
| // instanceType is the type of instance to create. Example: m4.xlarge | |||
| InstanceType string `json:"instanceType"` | |||
| // cpuOptions is the set of cpu options for the instance, where you can enable/disable AMD SEV-SNP on the instance. | |||
| // +optional | |||
| CpuOptions *CpuOptions `json:"cpuOptions,omitempty"` | |||
| // tags is the set of tags to add to apply to an instance, in addition to the ones | |||
There was a problem hiding this comment.
Hi @fangge1212, would it make sense to use a field named ConfidentialComputing (or something similar) that could be Disabled or AmdSevSnp instead?
In case AWS supports other confidential computing technologies in the future, that would be easier to extend than this approach IMO. As it would require adding another new field to the API instead of a new value to the enum.
There was a problem hiding this comment.
Same as kubernetes-sigs/cluster-api-provider-aws#5598, waiting for more opinions before chaning it
machine/v1beta1/types_awsprovider.go
Outdated
| ) | ||
|
|
||
| // CpuOptions defines the cpu options for the instance. | ||
| type CpuOptions struct { |
There was a problem hiding this comment.
A couple questions to help me better understand the direction this should take:
- Because all fields are optional here, what happens if this is set to the zero value of the struct
{}? - Because there is no constraints here as to how many properties can be specified at once, what would it mean if in the future there are multiple options to configure and I configure more than one of them?
There was a problem hiding this comment.
- If it is an empty struct, cpuOptions=nil will be passed to the AWS API
- I don't get your question. If there are multiple options to configure in the future, then we can configure multiple options.
There was a problem hiding this comment.
I don't get your question. If there are multiple options to configure in the future, then we can configure multiple options
What I was trying to get at is similar to this question upstream: kubernetes-sigs/cluster-api-provider-aws#5598 (comment)
If you are only ever going to have mutually exclusive CPU options then using an enum for those options likely makes sense.
If you are going to have a subset of mutually exclusive options but the rest can be specified together, then this structure is generally OK, but I'd think an enum is still reasonable for a single mutual exclusivity field.
Looking at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-specify-cpu-options.html I'd expect something like:
cpuOptions:
cores: 4
threadsPerCore: 1
confidentialComputing: AmdSevSnpto be reasonable (assuming that something like confidentialComputing would be mutually exclusive so you can't set something like AmdSevSnp and TDX if it were to be added in the future)
There was a problem hiding this comment.
Updated to:
cpuOptions:
confidentialComputing: AMDSevSnp
82e877d to
1df992a
Compare
machine/v1beta1/types_awsprovider.go
Outdated
| type CPUOptions struct { | ||
| // confidentialCompute specifies whether confidential computing should be enabled for the instance, | ||
| // and, if so, which confidential computing technology to use. | ||
| // If set to Disabled, the instance will not use confidential computing. |
There was a problem hiding this comment.
"Disabled" is often times an overloaded term and we generally try to avoid using it where we can.
For scenarios like this, I generally go for "None" and would encourage that usage here as well.
IMO, confidentialCompute: None reads more intuitively than confidentialCompute: Disabled.
machine/v1beta1/types_awsprovider.go
Outdated
| // If set to Disabled, the instance will not use confidential computing. | ||
| // If set to AMDSevSnp, the instance will be configured with AMD SEV-SNP. | ||
| // In this case, ensure the following conditions are met: | ||
| // 1) The selected instance type supports AMD SEV-SNP. | ||
| // 2) The selected AWS region supports AMD SEV-SNP. | ||
| // 3) The selected AMI supports AMD SEV-SNP. | ||
| // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html | ||
| // If omitted, the platform will apply a default value — currently Disabled, but this may change over time. |
There was a problem hiding this comment.
| // If set to Disabled, the instance will not use confidential computing. | |
| // If set to AMDSevSnp, the instance will be configured with AMD SEV-SNP. | |
| // In this case, ensure the following conditions are met: | |
| // 1) The selected instance type supports AMD SEV-SNP. | |
| // 2) The selected AWS region supports AMD SEV-SNP. | |
| // 3) The selected AMI supports AMD SEV-SNP. | |
| // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html | |
| // If omitted, the platform will apply a default value — currently Disabled, but this may change over time. | |
| // When set to Disabled, the instance will not use confidential computing. | |
| // When set to AMDSevSnp, the instance will be configured with AMD SEV-SNP. | |
| // In this case, ensure the following conditions are met: | |
| // 1) The selected instance type supports AMD SEV-SNP. | |
| // 2) The selected AWS region supports AMD SEV-SNP. | |
| // 3) The selected AMI supports AMD SEV-SNP. | |
| // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html | |
| // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled. |
| ) | ||
|
|
||
| // CPUOptions defines the cpu options for the instance. | ||
| type CPUOptions struct { |
There was a problem hiding this comment.
We try to avoid things like cpuOptions: {} being valid inputs because it is usually semantically the same as just not specifying the field altogether.
Add the +kubebuilder:validation:MinProperties=1 marker so that it is required for at least one property to be specified, making {} an invalid input.
There was a problem hiding this comment.
When I add +kubebuilder:validation:MinProperties=1, kubeapilinter asked me to add tag omitzero and don't use make CPUOptions a pointer. I followed its prompt, but this makes many tests in cluster-api-provider-aws failed:
--- FAIL: TestSSHKeyName/SSH_key_name_is_nil_is_valid (0.01s)
sshkeyname_test.go:89: ValidateCreate() error = AWSMachine.infrastructure.cluster.x-k8
"machine-9zsqb" is invalid: spec.cpuOptions: Invalid value: 0: spec.cpuOptions in body should have at least 1 properties, wantErr false
| @@ -17,6 +17,9 @@ type AWSMachineProviderConfig struct { | |||
| AMI AWSResourceReference `json:"ami"` | |||
| // instanceType is the type of instance to create. Example: m4.xlarge | |||
| InstanceType string `json:"instanceType"` | |||
| // cpuOptions is the set of cpu options for the instance. | |||
| // +optional | |||
There was a problem hiding this comment.
What happens if this field is not specified by a user?
There was a problem hiding this comment.
If unset, no CPU options are passed to the AWS platform and AWS default values are used.
machine/v1beta1/types_awsprovider.go
Outdated
| @@ -17,6 +17,9 @@ type AWSMachineProviderConfig struct { | |||
| AMI AWSResourceReference `json:"ami"` | |||
| // instanceType is the type of instance to create. Example: m4.xlarge | |||
| InstanceType string `json:"instanceType"` | |||
| // cpuOptions is the set of cpu options for the instance. | |||
There was a problem hiding this comment.
I think we could improve the GoDoc here to be more descriptive.
https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#write-user-readable-documentation-in-godoc is a good starting point for the things that you should take into consideration and include in the documentation for a field.
There was a problem hiding this comment.
Thanks. I updated the doc, please have a look again.
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
5 times, most recently
from
bbef962 to
e48669f
Compare
|
/retest-required |
|
/retest |
machine/v1beta1/types_awsprovider.go
Outdated
| const ( | ||
| // AWSConfidentialComputePolicyNone disables confidential computing for the instance. | ||
| AWSConfidentialComputePolicyNone AWSConfidentialComputePolicy = "None" | ||
| // AWSConfidentialComputePolicySEVSNP enables AMD SEV-SNP as the confidential computing technology for the instance. | ||
| AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AmdSevSnp" | ||
| ) |
There was a problem hiding this comment.
Let's follow the same approach we took for the GCP types: https://github.com/openshift/api/pull/2165/files#diff-9bd66f01f63b7ce0455fe993aa03dfe93964ac62b31278a6dbf3db2fcb7f792eR66-R71
In detail:
- Let's use
Enabled/Disabled(rather thanNone) - Let's fully spell out the
AmdSevSnptoAMDEncryptedVirtualizationNestedPaging
There was a problem hiding this comment.
I updated to Disabled;AMDEncryptedVirtualizationNestedPaging
I don't think Enabled is a meaningfull value, because all the other values than Disabled implies Enabled
There was a problem hiding this comment.
Enabled is normally for the default value (so in this case OpenShift engineers choose the default for the user) as you can see here on the GCP one:
// When set to Enabled, the machine will be configured as a confidential computing instance with no preference on the confidential compute policy used. In this mode, the platform chooses a default that is subject to change over time. Currently, the default is to use AMD Secure Encrypted Virtualization.
Ideally we should try and keep consistency across providers for the same feature, so I'd be happy to see it added
There was a problem hiding this comment.
Hi @damdo, @fangge1212!
The problem I see in the AWS case is that AFAICT, it doesn't support the default GCP case: AMD SEV. It only supports AMD SEV-SNP. In that case, we would end up defining Enabled as a valid case for AWS, but would have a different behavior than the one from GCP, configuring AMD SEV-SNP machines instead. In my opinion this would be misleading.
This is another discussion, but at the moment the Enabled option for GCP is redundant, as AMDEncryptedVirtualization achieves the same result. In my opinion, Deprecating Enabled in the GCP provider in the future would help getting rid of that redundancy and also having consistency across providers for the same feature, as you mention.
There was a problem hiding this comment.
If we are thinking about deprecating Enabled then it is probably ok to leave it out from this one.
cc. @JoelSpeed
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
2 times, most recently
from
607be56 to
f28b17a
Compare
AMD SEV-SNP is one of the confidential computing technologies. This commit adds support for AMD SEV-SNP on AWS, so users can utilize the confidential computing on the cluster nodes. Signed-off-by: Fangge Jin <[email protected]>
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
from
f28b17a to
520141d
Compare
|
@fangge1212: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
AMD SEV-SNP is one of the confidential computing technologies. This commit adds support for AMD SEV-SNP on AWS, so users can utilize the confidential computing on the cluster nodes.
Upstream CAPA PR: kubernetes-sigs/cluster-api-provider-aws#5598