machine_webhook: Add validation for CPUOptions in AWSMachineProviderConfig

fangge1212 · fangge1212 · commit 4d91e07b364f · 2025-09-30T00:23:44.000-04:00
This change introduces webhook validation for the CPUOptions field in
AWSMachineProviderConfig. The validation ensures that if cpuOptions is
provided, its confidentialCompute value is either empty or one of the
supported policies:
- Disabled
- AMDEncryptedVirtualizationNestedPaging

Signed-off-by: Fangge Jin &lt;fjin@redhat.com&gt;
diff --git a/pkg/webhooks/machine_webhook.go b/pkg/webhooks/machine_webhook.go
@@ -868,6 +868,35 @@ func validateAWS(m *machinev1beta1.Machine, config *admissionConfig) (bool, []st
 		)
 	}
 
+	if providerSpec.CPUOptions != nil {
+		if *providerSpec.CPUOptions == (machinev1beta1.CPUOptions{}) {
+			errs = append(
+				errs,
+				field.Invalid(
+					field.NewPath("providerSpec", "CPUOptions"),
+					"{}",
+					"At least one field must be set if cpuOptions is provided",
+				),
+			)
+		}
+
+		if providerSpec.CPUOptions.ConfidentialCompute != nil {
+			switch *providerSpec.CPUOptions.ConfidentialCompute {
+			case machinev1beta1.AWSConfidentialComputePolicyDisabled, machinev1beta1.AWSConfidentialComputePolicySEVSNP:
+				// Valid values
+			default:
+				errs = append(
+					errs,
+					field.Invalid(
+						field.NewPath("providerSpec", "CPUOptions", "ConfidentialCompute"),
+						providerSpec.CPUOptions.ConfidentialCompute,
+						fmt.Sprintf("Allowed values are %s, %s and omitted", machinev1beta1.AWSConfidentialComputePolicyDisabled, machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+					),
+				)
+			}
+		}
+	}
+
 	if len(errs) > 0 {
 		return false, warnings, errs
 	}
diff --git a/pkg/webhooks/machine_webhook_test.go b/pkg/webhooks/machine_webhook_test.go
@@ -2610,6 +2610,52 @@ func TestValidateAWSProviderSpec(t *testing.T) {
 			expectedOk:    false,
 			expectedError: "providerSpec.metadataServiceOptions.authentication: Invalid value: \"Boom\": Allowed values are either 'Optional' or 'Required'",
 		},
+		{
+			testCase: "with cpuOptions empty",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions: Invalid value: \"{}\": At least one field must be set if cpuOptions is provided",
+		},
+		{
+			testCase: "with confidentialCompute set to AMD SEV-SNP",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+				}
+			},
+			expectedOk: true,
+		},
+		{
+			testCase: "with confidentialCompute disabled",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicyDisabled),
+				}
+			},
+			expectedOk: true,
+		},
+		{
+			testCase: "with confidentialCompute set to invalid value",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicy("invalid")),
+				}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions.ConfidentialCompute: Invalid value: \"invalid\": Allowed values are Disabled, AMDEncryptedVirtualizationNestedPaging and omitted",
+		},
+		{
+			testCase: "with confidentialCompute empty",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicy("")),
+				}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions.ConfidentialCompute: Invalid value: \"\": Allowed values are Disabled, AMDEncryptedVirtualizationNestedPaging and omitted",
+		},
 		{
 			testCase: "with invalid GroupVersionKind",
 			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
