Support AMD SEV-SNP on AWS #2424


Open: wants to merge 1 commit into base: master
32 changes: 32 additions & 0 deletions machine/v1beta1/types_awsprovider.go
@@ -17,6 +17,10 @@ type AWSMachineProviderConfig struct {
AMI AWSResourceReference `json:"ami"`
// instanceType is the type of instance to create. Example: m4.xlarge
InstanceType string `json:"instanceType"`
// cpuOptions defines CPU-related settings for the instance, including the confidential computing policy.
// If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied.
// +optional
Contributor:
What happens if this field is not specified by a user?

Author:
If unset, no CPU options are passed to the AWS platform and AWS default values are used.

CPUOptions *CPUOptions `json:"cpuOptions,omitempty"`
// tags is the set of tags to add to apply to an instance, in addition to the ones
Contributor:
Hi @fangge1212, would it make sense to use a field named ConfidentialComputing (or something similar) that could be Disabled or AmdSevSnp instead?

In case AWS supports other confidential computing technologies in the future, that would be easier to extend than this approach IMO. As it would require adding another new field to the API instead of a new value to the enum.

Author:
Same as kubernetes-sigs/cluster-api-provider-aws#5598, waiting for more opinions before changing it

// added by default by the actuator. These tags are additive. The actuator will ensure
// these tags are present, but will not remove any other tags that may exist on the
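Review bot: with CPUOptions declared as a pointer field with omitempty and no validation on the referenced struct in this hunk, `cpuOptions: {}` and an omitted `cpuOptions` are both accepted and mean the same thing (no CPU options passed to AWS, per the doc comment on the field). The thread asks for `+kubebuilder:validation:MinProperties=1` on CPUOptions so that the empty object is rejected, and the diff as shown does not carry it; either add the marker or say in the `// +optional` comment that an empty object is treated as unset.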
@@ -109,6 +113,34 @@ type AWSMachineProviderConfig struct {
MarketType MarketType `json:"marketType,omitempty"`
}

// AWSConfidentialComputePolicy represents the confidential compute configuration for the instance.
type AWSConfidentialComputePolicy string

const (
// AWSConfidentialComputePolicyDisabled disables confidential computing for the instance.
AWSConfidentialComputePolicyDisabled AWSConfidentialComputePolicy = "Disabled"
// AWSConfidentialComputePolicySEVSNP enables AMD SEV-SNP as the confidential computing technology for the instance.
AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AMDEncrytedVirtualizationNestedPaging"
)

// CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
type CPUOptions struct {
Contributor:
We try to avoid things like cpuOptions: {} being valid inputs because it is usually semantically the same as just not specifying the field altogether.

Add the +kubebuilder:validation:MinProperties=1 marker so that it is required for at least one property to be specified, making {} an invalid input.

Author:
Updated

Author:
When I add +kubebuilder:validation:MinProperties=1, kubeapilinter asked me to add the omitzero tag and not make CPUOptions a pointer. I followed its prompt, but this makes many tests in cluster-api-provider-aws fail:

    --- FAIL: TestSSHKeyName/SSH_key_name_is_nil_is_valid (0.01s)
        sshkeyname_test.go:89: ValidateCreate() error = AWSMachine.infrastructure.cluster.x-k8
       "machine-9zsqb" is invalid: spec.cpuOptions: Invalid value: 0: spec.cpuOptions in body should have at least 1 properties, wantErr false

// confidentialCompute specifies whether confidential computing should be enabled for the instance,
// and, if so, which confidential computing technology to use.
// Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
// When set to Disabled, confidential computing will be disabled for the instance.
// When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
// In this case, ensure the following conditions are met:
// 1) The selected instance type supports AMD SEV-SNP.
// 2) The selected AWS region supports AMD SEV-SNP.
// 3) The selected AMI supports AMD SEV-SNP.
// More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
// +kubebuilder:validation:Enum=Disabled;AMDEncrytedVirtualizationNestedPaging
// +optional
ConfidentialCompute AWSConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
}

// BlockDeviceMappingSpec describes a block device mapping
type BlockDeviceMappingSpec struct {
// The device name exposed to the machine (for example, /dev/sdh or xvdh).
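Review bot: the enum value "AMDEncrytedVirtualizationNestedPaging" on the AWSConfidentialComputePolicySEVSNP constant is misspelled ("Encryted" for "Encrypted"), and the same spelling is repeated in the confidentialCompute doc comment and in the `+kubebuilder:validation:Enum=Disabled;AMDEncrytedVirtualizationNestedPaging` marker; this string is the user-facing API value and cannot be corrected once v1beta1 ships without accepting both spellings from then on, so fix every occurrence before merge. Separately, the CPUOptions struct shows no MinProperties marker despite the "Updated" reply above, and the three preconditions listed in the comment (instance type, region and AMI must support SEV-SNP) are not checked by anything in this hunk, so a mismatched combination is not rejected at admission; the comment should say that so users know the failure will surface from AWS rather than from the API.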
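The validation and defaulting behaviour discussed in the thread above, as an added example that is not part of this PR or of openshift/api: a stand-alone Go program that decodes a provider spec, rejects an empty cpuOptions object (what the +kubebuilder:validation:MinProperties=1 marker would do on the API server) and an unknown confidentialCompute value, and maps the policy to what would be sent to EC2. ProviderConfig is a cut-down stand-in for AWSMachineProviderConfig, EC2CPUOptionsRequest is a hand-written stand-in for the EC2 RunInstances CpuOptions parameter (whose AmdSevSnp member is enabled or disabled), the sample specs are constructed, and the enum string is copied as spelled in the diff.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AWSConfidentialComputePolicy and CPUOptions mirror the types in the PR; the
// SEV-SNP constant is copied as spelled in the diff.
type AWSConfidentialComputePolicy string

const (
	AWSConfidentialComputePolicyDisabled AWSConfidentialComputePolicy = "Disabled"
	AWSConfidentialComputePolicySEVSNP   AWSConfidentialComputePolicy = "AMDEncrytedVirtualizationNestedPaging"
)

type CPUOptions struct {
	ConfidentialCompute AWSConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
}

// ProviderConfig is a cut-down stand-in for AWSMachineProviderConfig
// (assumption: only the two fields needed here are kept).
type ProviderConfig struct {
	InstanceType string      `json:"instanceType"`
	CPUOptions   *CPUOptions `json:"cpuOptions,omitempty"`
}

// EC2CPUOptionsRequest is a hand-written stand-in for the EC2 RunInstances
// CpuOptions parameter; AmdSevSnp is "enabled" or "disabled" on the real API.
type EC2CPUOptionsRequest struct {
	AmdSevSnp string
}

// DecodeProviderConfig decodes a provider spec and applies, client-side, the two
// rules the thread discusses: an empty cpuOptions object is rejected (what the
// MinProperties=1 marker does on the API server) and confidentialCompute is a
// closed enum. A plain json.Unmarshal into the Go struct cannot tell {} from an
// omitted field, so the first pass looks at the raw object.
func DecodeProviderConfig(data []byte) (*ProviderConfig, error) {
	var raw struct {
		CPUOptions *json.RawMessage `json:"cpuOptions"`
	}
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, err
	}
	if raw.CPUOptions != nil { // present (a JSON null leaves the pointer nil)
		var props map[string]json.RawMessage
		if err := json.Unmarshal(*raw.CPUOptions, &props); err != nil {
			return nil, fmt.Errorf("spec.cpuOptions: %w", err)
		}
		if len(props) < 1 {
			return nil, fmt.Errorf("spec.cpuOptions: should have at least 1 properties")
		}
	}
	var cfg ProviderConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	if cfg.CPUOptions != nil {
		switch cfg.CPUOptions.ConfidentialCompute {
		case AWSConfidentialComputePolicyDisabled, AWSConfidentialComputePolicySEVSNP:
		default:
			return nil, fmt.Errorf("spec.cpuOptions.confidentialCompute: unsupported value %q",
				cfg.CPUOptions.ConfidentialCompute)
		}
	}
	return &cfg, nil
}

// CPUOptionsRequest maps the policy to the EC2 request: cpuOptions unset means
// nothing is sent and AWS defaults apply, as the field comment states; otherwise
// the policy selects AmdSevSnp enabled or disabled.
func CPUOptionsRequest(cfg *ProviderConfig) *EC2CPUOptionsRequest {
	if cfg.CPUOptions == nil {
		return nil
	}
	if cfg.CPUOptions.ConfidentialCompute == AWSConfidentialComputePolicySEVSNP {
		return &EC2CPUOptionsRequest{AmdSevSnp: "enabled"}
	}
	return &EC2CPUOptionsRequest{AmdSevSnp: "disabled"}
}

func main() {
	// Constructed sample specs; m6a.xlarge is only an illustrative instance type.
	samples := []string{
		`{"instanceType":"m6a.xlarge","cpuOptions":{"confidentialCompute":"AMDEncrytedVirtualizationNestedPaging"}}`,
		`{"instanceType":"m6a.xlarge","cpuOptions":{"confidentialCompute":"Disabled"}}`,
		`{"instanceType":"m6a.xlarge"}`,
		`{"instanceType":"m6a.xlarge","cpuOptions":{}}`,
		`{"instanceType":"m6a.xlarge","cpuOptions":{"confidentialCompute":"Enabled"}}`,
	}
	for _, s := range samples {
		cfg, err := DecodeProviderConfig([]byte(s))
		if err != nil {
			fmt.Printf("%s\n  rejected: %v\n", s, err)
			continue
		}
		if req := CPUOptionsRequest(cfg); req == nil {
			fmt.Printf("%s\n  no CpuOptions sent to EC2\n", s)
		} else {
			fmt.Printf("%s\n  CpuOptions.AmdSevSnp=%s\n", s, req.AmdSevSnp)
		}
	}
}
```

The two-pass decode is the point: once the struct field is a pointer with omitempty, the controller sees `{}` and an omitted field identically, so the distinction has to be enforced either by the CRD schema (MinProperties) or, as here, by inspecting the raw object before binding it.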
21 changes: 21 additions & 0 deletions machine/v1beta1/zz_generated.deepcopy.go

10 changes: 10 additions & 0 deletions machine/v1beta1/zz_generated.swagger_doc_generated.go

29 changes: 28 additions & 1 deletion openapi/generated_openapi/zz_generated.openapi.go

14 changes: 14 additions & 0 deletions openapi/openapi.json
@@ -21960,6 +21960,10 @@
"type": "string",
"default": ""
},
"cpuOptions": {
"description": "cpuOptions defines CPU-related settings for the instance, including the confidential computing policy. If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied.",
"$ref": "#/definitions/com.github.openshift.api.machine.v1beta1.CPUOptions"
},
"credentialsSecret": {
"description": "credentialsSecret is a reference to the secret with AWS credentials. Otherwise, defaults to permissions provided by attached IAM role where the actuator is running.",
"$ref": "#/definitions/io.k8s.api.core.v1.LocalObjectReference"
@@ -22435,6 +22439,16 @@
}
}
},
"com.github.openshift.api.machine.v1beta1.CPUOptions": {
"description": "CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.",
"type": "object",
"properties": {
"confidentialCompute": {
"description": "confidentialCompute specifies whether confidential computing should be enabled for the instance, and, if so, which confidential computing technology to use. Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging When set to Disabled, confidential computing will be disabled for the instance. When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance. In this case, ensure the following conditions are met: 1) The selected instance type supports AMD SEV-SNP. 2) The selected AWS region supports AMD SEV-SNP. 3) The selected AMI supports AMD SEV-SNP. More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.",
"type": "string"
}
}
},
"com.github.openshift.api.machine.v1beta1.Condition": {
"description": "Condition defines an observation of a Machine API resource operational state.",
"type": "object",
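Review bot: the confidentialCompute description repeats the "AMDEncrytedVirtualizationNestedPaging" spelling from the Go doc comment, and since openapi.json is generated from that comment the fix belongs in types_awsprovider.go followed by regeneration, not in a hand edit here. Note also that the property is emitted as a bare "type": "string" with no enum list, so the two allowed values are stated only in prose in this document and consumers of the OpenAPI schema cannot validate them.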