openshift · fangge1212 · Sep 23, 2025
diff --git a/pkg/webhooks/machine_webhook.go b/pkg/webhooks/machine_webhook.go
@@ -868,6 +868,35 @@ func validateAWS(m *machinev1beta1.Machine, config *admissionConfig) (bool, []st
 		)
 	}
 
+	if providerSpec.CPUOptions != nil {
+		if *providerSpec.CPUOptions == (machinev1beta1.CPUOptions{}) {
+			errs = append(
+				errs,
+				field.Invalid(
+					field.NewPath("providerSpec", "CPUOptions"),
+					"{}",
+					"At least one field must be set if cpuOptions is provided",
+				),
+			)
+		}
+
+		if providerSpec.CPUOptions.ConfidentialCompute != nil {
+			switch *providerSpec.CPUOptions.ConfidentialCompute {
+			case machinev1beta1.AWSConfidentialComputePolicyDisabled, machinev1beta1.AWSConfidentialComputePolicySEVSNP:
+				// Valid values
+			default:
+				errs = append(
+					errs,
+					field.Invalid(
+						field.NewPath("providerSpec", "CPUOptions", "ConfidentialCompute"),
+						providerSpec.CPUOptions.ConfidentialCompute,
+						fmt.Sprintf("Allowed values are %s, %s and omitted", machinev1beta1.AWSConfidentialComputePolicyDisabled, machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+					),
+				)
+			}
+		}
+	}
+
 	if len(errs) > 0 {
 		return false, warnings, errs
 	}

diff --git a/pkg/webhooks/machine_webhook_test.go b/pkg/webhooks/machine_webhook_test.go
@@ -2610,6 +2610,52 @@ func TestValidateAWSProviderSpec(t *testing.T) {
 			expectedOk:    false,
 			expectedError: "providerSpec.metadataServiceOptions.authentication: Invalid value: \"Boom\": Allowed values are either 'Optional' or 'Required'",
 		},
+		{
+			testCase: "with cpuOptions empty",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions: Invalid value: \"{}\": At least one field must be set if cpuOptions is provided",
+		},
+		{
+			testCase: "with confidentialCompute set to AMD SEV-SNP",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+				}
+			},
+			expectedOk: true,
+		},
+		{
+			testCase: "with confidentialCompute disabled",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicyDisabled),
+				}
+			},
+			expectedOk: true,
+		},
+		{
+			testCase: "with confidentialCompute set to invalid value",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicy("invalid")),
+				}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions.ConfidentialCompute: Invalid value: \"invalid\": Allowed values are Disabled, AMDEncryptedVirtualizationNestedPaging and omitted",
+		},
+		{
+			testCase: "with confidentialCompute empty",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions = &machinev1beta1.CPUOptions{
+					ConfidentialCompute: ptr.To(machinev1beta1.AWSConfidentialComputePolicy("")),
+				}
+			},
+			expectedOk:    false,
+			expectedError: "providerSpec.CPUOptions.ConfidentialCompute: Invalid value: \"\": Allowed values are Disabled, AMDEncryptedVirtualizationNestedPaging and omitted",
+		},
 		{
 			testCase: "with invalid GroupVersionKind",
 			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {