
Commit 4958ac6

committed
Add support for AMD SEV-SNP instances
This commit adds support for AMD SEV-SNP instances, so users can utilize confidential computing technology on cluster nodes. Signed-off-by: Fangge Jin <[email protected]>
1 parent 456f00d commit 4958ac6

12 files changed

+317
-0
lines changed

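--- a/api/v1beta1/awscluster_conversion.go
+++ b/api/v1beta1/awscluster_conversion.go
@@ -66,6 +66,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 dst.Status.Bastion.HostAffinity = restored.Status.Bastion.HostAffinity
 dst.Status.Bastion.HostID = restored.Status.Bastion.HostID
 dst.Status.Bastion.CapacityReservationPreference = restored.Status.Bastion.CapacityReservationPreference
+dst.Status.Bastion.CPUOptions = restored.Status.Bastion.CPUOptions
 }
 dst.Spec.Partition = restored.Spec.Partition
 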
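--- a/api/v1beta1/awsmachine_conversion.go
+++ b/api/v1beta1/awsmachine_conversion.go
@@ -48,6 +48,7 @@ func (src *AWSMachine) ConvertTo(dstRaw conversion.Hub) error {
 dst.Spec.HostAffinity = restored.Spec.HostAffinity
 dst.Spec.CapacityReservationPreference = restored.Spec.CapacityReservationPreference
 dst.Spec.NetworkInterfaceType = restored.Spec.NetworkInterfaceType
+dst.Spec.CPUOptions = restored.Spec.CPUOptions
 if restored.Spec.ElasticIPPool != nil {
 if dst.Spec.ElasticIPPool == nil {
 dst.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}
@@ -115,6 +116,7 @@ func (r *AWSMachineTemplate) ConvertTo(dstRaw conversion.Hub) error {
 dst.Spec.Template.Spec.HostAffinity = restored.Spec.Template.Spec.HostAffinity
 dst.Spec.Template.Spec.CapacityReservationPreference = restored.Spec.Template.Spec.CapacityReservationPreference
 dst.Spec.Template.Spec.NetworkInterfaceType = restored.Spec.Template.Spec.NetworkInterfaceType
+dst.Spec.Template.Spec.CPUOptions = restored.Spec.Template.Spec.CPUOptions
 if restored.Spec.Template.Spec.ElasticIPPool != nil {
 if dst.Spec.Template.Spec.ElasticIPPool == nil {
 dst.Spec.Template.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}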

api/v1beta1/zz_generated.conversion.go

Lines changed: 2 additions & 0 deletions

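--- a/api/v1beta2/awsmachine_types.go
+++ b/api/v1beta2/awsmachine_types.go
@@ -73,6 +73,34 @@ const (
 NetworkInterfaceTypeEFAWithENAInterface NetworkInterfaceType = NetworkInterfaceType("efa")
 )
 
+// AWSConfidentialComputePolicy represents the confidential compute configuration for the instance.
+type AWSConfidentialComputePolicy string
+
+const (
+// AWSConfidentialComputePolicyDisabled disables confidential computing for the instance.
+AWSConfidentialComputePolicyDisabled AWSConfidentialComputePolicy = "Disabled"
+// AWSConfidentialComputePolicySEVSNP enables AMD SEV-SNP as the confidential computing technology for the instance.
+AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AMDEncrytedVirtualizationNestedPaging"
+)
+
+// CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+type CPUOptions struct {
+// confidentialCompute specifies whether confidential computing should be enabled for the instance,
+// and, if so, which confidential computing technology to use.
+// Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+// When set to Disabled, confidential computing will be disabled for the instance.
+// When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+// In this case, ensure the following conditions are met:
+// 1) The selected instance type supports AMD SEV-SNP.
+// 2) The selected AWS region supports AMD SEV-SNP.
+// 3) The selected AMI supports AMD SEV-SNP.
+// More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+// +kubebuilder:validation:Enum=Disabled;AMDEncrytedVirtualizationNestedPaging
+// +optional
+ConfidentialCompute AWSConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
+}
+
 // AWSMachineSpec defines the desired state of an Amazon EC2 instance.
 // +kubebuilder:validation:XValidation:rule="!has(self.capacityReservationId) || !has(self.marketType) || self.marketType != 'Spot'",message="capacityReservationId may not be set when marketType is Spot"
 // +kubebuilder:validation:XValidation:rule="!has(self.capacityReservationId) || !has(self.spotMarketOptions)",message="capacityReservationId cannot be set when spotMarketOptions is specified"
@@ -253,6 +281,11 @@ type AWSMachineSpec struct {
 // +kubebuilder:validation:Enum="";None;CapacityReservationsOnly;Open
 // +optional
 CapacityReservationPreference CapacityReservationPreference `json:"capacityReservationPreference,omitempty"`
+
+// cpuOptions defines CPU-related settings for the instance, including the confidential computing policy.
+// If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied.
+// +optional
+CPUOptions *CPUOptions `json:"cpuOptions,omitempty"`
 }
 
 // CloudInit defines options related to the bootstrapping systems where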
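Review bot: The enum value `AMDEncrytedVirtualizationNestedPaging` assigned to AWSConfidentialComputePolicySEVSNP in the first hunk, and repeated in the `+kubebuilder:validation:Enum` marker on CPUOptions.ConfidentialCompute, misspells "Encrypted"; once it ships in the CRD enum, correcting it is a breaking API change, so unless the spelling deliberately mirrors an external API it should become `AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AMDEncryptedVirtualizationNestedPaging"` and `// +kubebuilder:validation:Enum=Disabled;AMDEncryptedVirtualizationNestedPaging`, with the generated CRDs regenerated to match. The ConfidentialCompute doc should also carry the caveat that setting the field only requests SEV-SNP at launch and nothing in these types verifies that the resulting instance runs under it, e.g. `// Setting this only requests SEV-SNP at launch; workloads that depend on confidentiality should verify the guest attestation report rather than trust this field.` The marker also omits the empty string that the sibling `Enum="";None;CapacityReservationsOnly;Open` on CapacityReservationPreference allows, so an explicit `confidentialCompute: ""` is rejected by the API server while an omitted field is accepted — worth stating whether that asymmetry is intended. AWSMachineSpec starts and ends outside the second hunk.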

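--- a/api/v1beta2/types.go
+++ b/api/v1beta2/types.go
@@ -293,6 +293,9 @@ type Instance struct {
 // +kubebuilder:validation:Enum="";None;CapacityReservationsOnly;Open
 // +optional
 CapacityReservationPreference CapacityReservationPreference `json:"capacityReservationPreference,omitempty"`
+
+// The cpu options of the instance.
+CPUOptions *CPUOptions `json:"cpuOptions,omitempty"`
 }
 
 // CapacityReservationPreference describes the preferred use of capacity reservations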
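Review bot: The new `CPUOptions` field on Instance has no `// +optional` marker, unlike CapacityReservationPreference two lines above it, and its comment `The cpu options of the instance.` does not say what populates it. Whether the reconciler copies the requested spec value into status or reads the value back from EC2 is not visible in this hunk, and the distinction matters: only the latter lets a consumer use status to confirm that a node really launched with SEV-SNP rather than merely asked for it. I would expand it to `// CPUOptions is the CPU configuration of the instance, including the confidential computing policy.` plus one sentence naming the source of the value once that is confirmed, and add `// +optional`. The Instance struct starts and ends outside this hunk.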

api/v1beta2/zz_generated.deepcopy.go

Lines changed: 25 additions & 0 deletions

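--- a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
+++ b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -1232,6 +1232,27 @@ spec:
 "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
 "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation
 type: string
+cpuOptions:
+description: The cpu options of the instance.
+properties:
+confidentialCompute:
+description: |-
+confidentialCompute specifies whether confidential computing should be enabled for the instance,
+and, if so, which confidential computing technology to use.
+Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+When set to Disabled, confidential computing will be disabled for the instance.
+When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+In this case, ensure the following conditions are met:
+1) The selected instance type supports AMD SEV-SNP.
+2) The selected AWS region supports AMD SEV-SNP.
+3) The selected AMI supports AMD SEV-SNP.
+More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+enum:
+- Disabled
+- AMDEncrytedVirtualizationNestedPaging
+type: string
+type: object
 ebsOptimized:
 description: Indicates whether the instance is optimized for Amazon
 EBS I/O.
@@ -3446,6 +3467,27 @@ spec:
 "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
 "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation
 type: string
+cpuOptions:
+description: The cpu options of the instance.
+properties:
+confidentialCompute:
+description: |-
+confidentialCompute specifies whether confidential computing should be enabled for the instance,
+and, if so, which confidential computing technology to use.
+Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+When set to Disabled, confidential computing will be disabled for the instance.
+When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+In this case, ensure the following conditions are met:
+1) The selected instance type supports AMD SEV-SNP.
+2) The selected AWS region supports AMD SEV-SNP.
+3) The selected AMI supports AMD SEV-SNP.
+More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+enum:
+- Disabled
+- AMDEncrytedVirtualizationNestedPaging
+type: string
+type: object
 ebsOptimized:
 description: Indicates whether the instance is optimized for Amazon
 EBS I/O.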

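--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -2215,6 +2215,27 @@ spec:
 "None": The instance may not make use of any Capacity Reservations. This is to conserve open reservations for desired workloads
 "CapacityReservationsOnly": The instance will only run if matched or targeted to a Capacity Reservation
 type: string
+cpuOptions:
+description: The cpu options of the instance.
+properties:
+confidentialCompute:
+description: |-
+confidentialCompute specifies whether confidential computing should be enabled for the instance,
+and, if so, which confidential computing technology to use.
+Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+When set to Disabled, confidential computing will be disabled for the instance.
+When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+In this case, ensure the following conditions are met:
+1) The selected instance type supports AMD SEV-SNP.
+2) The selected AWS region supports AMD SEV-SNP.
+3) The selected AMI supports AMD SEV-SNP.
+More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+enum:
+- Disabled
+- AMDEncrytedVirtualizationNestedPaging
+type: string
+type: object
 ebsOptimized:
 description: Indicates whether the instance is optimized for Amazon
 EBS I/O.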

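--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml
@@ -692,6 +692,29 @@ spec:
 - ssm-parameter-store
 type: string
 type: object
+cpuOptions:
+description: |-
+cpuOptions defines CPU-related settings for the instance, including the confidential computing policy.
+If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied.
+properties:
+confidentialCompute:
+description: |-
+confidentialCompute specifies whether confidential computing should be enabled for the instance,
+and, if so, which confidential computing technology to use.
+Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+When set to Disabled, confidential computing will be disabled for the instance.
+When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+In this case, ensure the following conditions are met:
+1) The selected instance type supports AMD SEV-SNP.
+2) The selected AWS region supports AMD SEV-SNP.
+3) The selected AMI supports AMD SEV-SNP.
+More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+enum:
+- Disabled
+- AMDEncrytedVirtualizationNestedPaging
+type: string
+type: object
 elasticIpPool:
 description: ElasticIPPool is the configuration to allocate Public
 IPv4 address (Elastic IP/EIP) from user-defined pool.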

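--- a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml
+++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml
@@ -611,6 +611,29 @@ spec:
 - ssm-parameter-store
 type: string
 type: object
+cpuOptions:
+description: |-
+cpuOptions defines CPU-related settings for the instance, including the confidential computing policy.
+If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied.
+properties:
+confidentialCompute:
+description: |-
+confidentialCompute specifies whether confidential computing should be enabled for the instance,
+and, if so, which confidential computing technology to use.
+Valid values are: Disabled, AMDEncrytedVirtualizationNestedPaging
+When set to Disabled, confidential computing will be disabled for the instance.
+When set to AMDEncrytedVirtualizationNestedPaging, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+In this case, ensure the following conditions are met:
+1) The selected instance type supports AMD SEV-SNP.
+2) The selected AWS region supports AMD SEV-SNP.
+3) The selected AMI supports AMD SEV-SNP.
+More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+enum:
+- Disabled
+- AMDEncrytedVirtualizationNestedPaging
+type: string
+type: object
 elasticIpPool:
 description: ElasticIPPool is the configuration to allocate
 Public IPv4 address (Elastic IP/EIP) from user-defined pool.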
