Add support for AMD SEV-SNP instances

fangge1212 · fangge1212 · commit 26158f125948 · 2025-08-10T22:19:51.000-04:00
This commit adds support for AMD SEV-SNP instances, so users can
utilize confidential computing technology on cluster nodes.

Signed-off-by: Fangge Jin &lt;fjin@redhat.com&gt;
diff --git a/api/v1beta1/awscluster_conversion.go b/api/v1beta1/awscluster_conversion.go
@@ -65,6 +65,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Status.Bastion.MarketType = restored.Status.Bastion.MarketType
 		dst.Status.Bastion.HostAffinity = restored.Status.Bastion.HostAffinity
 		dst.Status.Bastion.HostID = restored.Status.Bastion.HostID
+		dst.Status.Bastion.CPUOptions = restored.Status.Bastion.CPUOptions
 	}
 	dst.Spec.Partition = restored.Spec.Partition
 
diff --git a/api/v1beta1/awsmachine_conversion.go b/api/v1beta1/awsmachine_conversion.go
@@ -47,6 +47,7 @@ func (src *AWSMachine) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.HostID = restored.Spec.HostID
 	dst.Spec.HostAffinity = restored.Spec.HostAffinity
 	dst.Spec.NetworkInterfaceType = restored.Spec.NetworkInterfaceType
+	dst.Spec.CPUOptions = restored.Spec.CPUOptions
 	if restored.Spec.ElasticIPPool != nil {
 		if dst.Spec.ElasticIPPool == nil {
 			dst.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}
@@ -113,6 +114,7 @@ func (r *AWSMachineTemplate) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.Template.Spec.HostID = restored.Spec.Template.Spec.HostID
 	dst.Spec.Template.Spec.HostAffinity = restored.Spec.Template.Spec.HostAffinity
 	dst.Spec.Template.Spec.NetworkInterfaceType = restored.Spec.Template.Spec.NetworkInterfaceType
+	dst.Spec.Template.Spec.CPUOptions = restored.Spec.Template.Spec.CPUOptions
 	if restored.Spec.Template.Spec.ElasticIPPool != nil {
 		if dst.Spec.Template.Spec.ElasticIPPool == nil {
 			dst.Spec.Template.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}
diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/awsmachine_types.go b/api/v1beta2/awsmachine_types.go
@@ -73,6 +73,35 @@ const (
 	NetworkInterfaceTypeEFAWithENAInterface NetworkInterfaceType = NetworkInterfaceType("efa")
 )
 
+// AWSConfidentialComputePolicy represents the confidential compute configuration for the instance.
+// +kubebuilder:validation:Enum=None;AmdSevSnp
+type AWSConfidentialComputePolicy string
+
+const (
+	// AWSConfidentialComputePolicyNone disables confidential computing for the instance.
+	AWSConfidentialComputePolicyNone AWSConfidentialComputePolicy = "None"
+	// AWSConfidentialComputePolicySEVSNP enables AMD SEV-SNP as the confidential computing technology for the instance.
+	AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AmdSevSnp"
+)
+
+// CPUOptions defines CPU-related settings for the instance, including the confidential computing policy.
+// +kubebuilder:validation:MinProperties=1
+type CPUOptions struct {
+	// confidentialCompute specifies whether confidential computing should be enabled for the instance,
+	// and, if so, which confidential computing technology to use.
+	// Valid values are: None, AmdSevSnp
+	// When set to None, confidential computing will be disabled for the instance.
+	// When set to AmdSevSnp, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+	// In this case, ensure the following conditions are met:
+	// 1) The selected instance type supports AMD SEV-SNP.
+	// 2) The selected AWS region supports AMD SEV-SNP.
+	// 3) The selected AMI supports AMD SEV-SNP.
+	// More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+	// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+	// +optional
+	ConfidentialCompute AWSConfidentialComputePolicy `json:"confidentialCompute,omitempty"`
+}
+
 // AWSMachineSpec defines the desired state of an Amazon EC2 instance.
 // +kubebuilder:validation:XValidation:rule="!has(self.capacityReservationId) || !has(self.marketType) || self.marketType != 'Spot'",message="capacityReservationId may not be set when marketType is Spot"
 // +kubebuilder:validation:XValidation:rule="!has(self.capacityReservationId) || !has(self.spotMarketOptions)",message="capacityReservationId cannot be set when spotMarketOptions is specified"
@@ -245,6 +274,11 @@ type AWSMachineSpec struct {
 	// +optional
 	// +kubebuilder:validation:Enum:=default;host
 	HostAffinity *string `json:"hostAffinity,omitempty"`
+
+	// cpuOptions defines CPU-related settings for the instance, including the confidential computing policy.
+	// If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied.
+	// +optional
+	CPUOptions CPUOptions `json:"cpuOptions,omitempty,omitzero"`
 }
 
 // CloudInit defines options related to the bootstrapping systems where
diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
@@ -285,6 +285,9 @@ type Instance struct {
 	// HostID specifies the dedicated host on which the instance should be started.
 	// +optional
 	HostID *string `json:"hostID,omitempty"`
+	
+	// The cpu options of the instance.
+	CPUOptions CPUOptions `json:"cpuOptions,omitempty,omitzero"`
 }
 
 // MarketType describes the market type of an Instance
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -1214,6 +1214,28 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    minProperties: 1
+                    properties:
+                      confidentialCompute:
+                        description: |-
+                          confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                          and, if so, which confidential computing technology to use.
+                          Valid values are: None, AmdSevSnp
+                          When set to None, confidential computing will be disabled for the instance.
+                          When set to AmdSevSnp, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                          In this case, ensure the following conditions are met:
+                          1) The selected instance type supports AMD SEV-SNP.
+                          2) The selected AWS region supports AMD SEV-SNP.
+                          3) The selected AMI supports AMD SEV-SNP.
+                          More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                          When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+                        enum:
+                        - None
+                        - AmdSevSnp
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.
@@ -3410,6 +3432,28 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    minProperties: 1
+                    properties:
+                      confidentialCompute:
+                        description: |-
+                          confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                          and, if so, which confidential computing technology to use.
+                          Valid values are: None, AmdSevSnp
+                          When set to None, confidential computing will be disabled for the instance.
+                          When set to AmdSevSnp, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                          In this case, ensure the following conditions are met:
+                          1) The selected instance type supports AMD SEV-SNP.
+                          2) The selected AWS region supports AMD SEV-SNP.
+                          3) The selected AMI supports AMD SEV-SNP.
+                          More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                          When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+                        enum:
+                        - None
+                        - AmdSevSnp
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -2197,6 +2197,28 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    minProperties: 1
+                    properties:
+                      confidentialCompute:
+                        description: |-
+                          confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                          and, if so, which confidential computing technology to use.
+                          Valid values are: None, AmdSevSnp
+                          When set to None, confidential computing will be disabled for the instance.
+                          When set to AmdSevSnp, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                          In this case, ensure the following conditions are met:
+                          1) The selected instance type supports AMD SEV-SNP.
+                          2) The selected AWS region supports AMD SEV-SNP.
+                          3) The selected AMI supports AMD SEV-SNP.
+                          More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                          When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+                        enum:
+                        - None
+                        - AmdSevSnp
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml
@@ -674,6 +674,30 @@ spec:
                     - ssm-parameter-store
                     type: string
                 type: object
+              cpuOptions:
+                description: |-
+                  cpuOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                  If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied.
+                minProperties: 1
+                properties:
+                  confidentialCompute:
+                    description: |-
+                      confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                      and, if so, which confidential computing technology to use.
+                      Valid values are: None, AmdSevSnp
+                      When set to None, confidential computing will be disabled for the instance.
+                      When set to AmdSevSnp, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                      In this case, ensure the following conditions are met:
+                      1) The selected instance type supports AMD SEV-SNP.
+                      2) The selected AWS region supports AMD SEV-SNP.
+                      3) The selected AMI supports AMD SEV-SNP.
+                      More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                      When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+                    enum:
+                    - None
+                    - AmdSevSnp
+                    type: string
+                type: object
               elasticIpPool:
                 description: ElasticIPPool is the configuration to allocate Public
                   IPv4 address (Elastic IP/EIP) from user-defined pool.
diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml
@@ -593,6 +593,30 @@ spec:
                             - ssm-parameter-store
                             type: string
                         type: object
+                      cpuOptions:
+                        description: |-
+                          cpuOptions defines CPU-related settings for the instance, including the confidential computing policy.
+                          If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied.
+                        minProperties: 1
+                        properties:
+                          confidentialCompute:
+                            description: |-
+                              confidentialCompute specifies whether confidential computing should be enabled for the instance,
+                              and, if so, which confidential computing technology to use.
+                              Valid values are: None, AmdSevSnp
+                              When set to None, confidential computing will be disabled for the instance.
+                              When set to AmdSevSnp, AMD SEV-SNP will be used as the confidential computing technology for the instance.
+                              In this case, ensure the following conditions are met:
+                              1) The selected instance type supports AMD SEV-SNP.
+                              2) The selected AWS region supports AMD SEV-SNP.
+                              3) The selected AMI supports AMD SEV-SNP.
+                              More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+                              When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled.
+                            enum:
+                            - None
+                            - AmdSevSnp
+                            type: string
+                        type: object
                       elasticIpPool:
                         description: ElasticIPPool is the configuration to allocate
                           Public IPv4 address (Elastic IP/EIP) from user-defined pool.
diff --git a/pkg/cloud/services/ec2/instances.go b/pkg/cloud/services/ec2/instances.go
@@ -261,6 +261,8 @@ func (s *Service) CreateInstance(ctx context.Context, scope *scope.MachineScope,
 	input.HostID = scope.AWSMachine.Spec.HostID
 
 	input.HostAffinity = scope.AWSMachine.Spec.HostAffinity
+	
+	input.CPUOptions = scope.AWSMachine.Spec.CPUOptions
 
 	s.scope.Debug("Running instance", "machine-role", scope.Role())
 	s.scope.Debug("Running instance with instance metadata options", "metadata options", input.InstanceMetadataOptions)
@@ -660,6 +662,7 @@ func (s *Service) runInstance(role string, i *infrav1.Instance) (*infrav1.Instan
 	input.MetadataOptions = getInstanceMetadataOptionsRequest(i.InstanceMetadataOptions)
 	input.PrivateDnsNameOptions = getPrivateDNSNameOptionsRequest(i.PrivateDNSName)
 	input.CapacityReservationSpecification = getCapacityReservationSpecification(i.CapacityReservationID)
+	input.CpuOptions = getInstanceCPUOptionsRequest(&i.CPUOptions)
 
 	if i.Tenancy != "" {
 		input.Placement = &types.Placement{
@@ -1279,3 +1282,16 @@ func getPrivateDNSNameOptionsRequest(privateDNSName *infrav1.PrivateDNSName) *ty
 		HostnameType:                    types.HostnameType(aws.ToString(privateDNSName.HostnameType)),
 	}
 }
+
+func getInstanceCPUOptionsRequest(cpuOptions *infrav1.CPUOptions) *types.CpuOptionsRequest {
+	request := &types.CpuOptionsRequest{}
+	switch cpuOptions.ConfidentialCompute {
+	case infrav1.AWSConfidentialComputePolicySEVSNP:
+		request.AmdSevSnp = types.AmdSevSnpSpecificationEnabled
+	case infrav1.AWSConfidentialComputePolicyNone:
+		request.AmdSevSnp = types.AmdSevSnpSpecificationDisabled
+	default:
+	}
+
+	return request
+}
diff --git a/pkg/cloud/services/ec2/instances_test.go b/pkg/cloud/services/ec2/instances_test.go

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {`
`65`	`65`	`dst.Status.Bastion.MarketType = restored.Status.Bastion.MarketType`
`66`	`66`	`dst.Status.Bastion.HostAffinity = restored.Status.Bastion.HostAffinity`
`67`	`67`	`dst.Status.Bastion.HostID = restored.Status.Bastion.HostID`
	`68`	`+ dst.Status.Bastion.CPUOptions = restored.Status.Bastion.CPUOptions`
`68`	`69`	`}`
`69`	`70`	`dst.Spec.Partition = restored.Spec.Partition`
`70`	`71`
Original file line number	Diff line number	Diff line change
`@@ -285,6 +285,9 @@ type Instance struct {`
`285`	`285`	`// HostID specifies the dedicated host on which the instance should be started.`
`286`	`286`	`// +optional`
`287`	`287`	HostID *string `json:"hostID,omitempty"`
	`288`	`+`
	`289`	`+ // The cpu options of the instance.`
	`290`	+ CPUOptions CPUOptions `json:"cpuOptions,omitempty,omitzero"`
`288`	`291`	`}`
`289`	`292`
`290`	`293`	`// MarketType describes the market type of an Instance`