Skip to content

Support AMD SEV-SNP on AWS #1420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Support AMD SEV-SNP on AWS #1420

wants to merge 1 commit into from

Conversation

fangge1212
Copy link

This change introduces webhook validation for the CPUOptions field in AWSMachineProviderConfig. The validation ensures that if cpuOptions is provided, its confidentialCompute value is either empty or one of the supported policies:

  • Disabled
  • AMDEncryptedVirtualizationNestedPaging

@fangge1212 fangge1212 marked this pull request as draft September 23, 2025 04:52
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 23, 2025
@openshift-ci openshift-ci bot requested review from nrb and RadekManak September 23, 2025 04:52
@fangge1212 fangge1212 changed the title machine_webhook: Add validation for CPUOptions in AWSMachineProviderConfig Support AMD SEV-SNP on AWS Sep 23, 2025
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 23, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign theobarberbany for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Sep 23, 2025

@fangge1212: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-vsphere-ovn-upgrade 9c2bda0 link false /test e2e-vsphere-ovn-upgrade
ci/prow/e2e-metal-ipi-virtualmedia 9c2bda0 link true /test e2e-metal-ipi-virtualmedia
ci/prow/golint 9c2bda0 link true /test golint
ci/prow/govet 9c2bda0 link true /test govet
ci/prow/e2e-nutanix 9c2bda0 link false /test e2e-nutanix
ci/prow/e2e-vsphere-static-ovn 9c2bda0 link false /test e2e-vsphere-static-ovn
ci/prow/goimports 9c2bda0 link true /test goimports
ci/prow/e2e-vsphere-ovn-techpreview-serial 9c2bda0 link false /test e2e-vsphere-ovn-techpreview-serial
ci/prow/images 9c2bda0 link true /test images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@fangge1212 fangge1212 force-pushed the amd_sev_snp branch 3 times, most recently from f2bdae6 to d90c629 Compare September 28, 2025 07:48
everettraven
everettraven reviewed Sep 29, 2025
View reviewed changes
pkg/webhooks/machine_webhook_test.go
Comment on lines 2649 to 2658
{
testCase: "with confidentialCompute empty",
modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
p.CPUOptions = &machinev1beta1.CPUOptions{
ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicy("")),
}
},
expectedOk: true,
},
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would not have expected this to be a valid case.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean this should be a negative scenario?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct. Because the set of allowed values in the API definition do not allow this to be explicitly set to the empty string ("") this should not be an allowed configuration.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.

@fangge1212
machine_webhook: Add validation for CPUOptions in AWSMachineProviderC…
4d91e07 
…onfig

This change introduces webhook validation for the CPUOptions field in
AWSMachineProviderConfig. The validation ensures that if cpuOptions is
provided, its confidentialCompute value is either empty or one of the
supported policies:
- Disabled
- AMDEncryptedVirtualizationNestedPaging

Signed-off-by: Fangge Jin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nrb nrb Awaiting requested review from nrb

@RadekManak RadekManak Awaiting requested review from RadekManak

1 more reviewer

@everettraven everettraven everettraven left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fangge1212 @everettraven