kubernetes-sigs · fangge1212 · Jul 22, 2025 · nrb · Jul 29, 2025 · fangge1212
diff --git a/api/v1beta1/awscluster_conversion.go b/api/v1beta1/awscluster_conversion.go
@@ -63,6 +63,7 @@ func (src *AWSCluster) ConvertTo(dstRaw conversion.Hub) error {
 		dst.Status.Bastion.NetworkInterfaceType = restored.Status.Bastion.NetworkInterfaceType
 		dst.Status.Bastion.CapacityReservationID = restored.Status.Bastion.CapacityReservationID
 		dst.Status.Bastion.MarketType = restored.Status.Bastion.MarketType
+		dst.Status.Bastion.CPUOptions = restored.Status.Bastion.CPUOptions
 	}
 	dst.Spec.Partition = restored.Spec.Partition
 

diff --git a/api/v1beta1/awsmachine_conversion.go b/api/v1beta1/awsmachine_conversion.go
@@ -45,6 +45,7 @@ func (src *AWSMachine) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.CapacityReservationID = restored.Spec.CapacityReservationID
 	dst.Spec.MarketType = restored.Spec.MarketType
 	dst.Spec.NetworkInterfaceType = restored.Spec.NetworkInterfaceType
+	dst.Spec.CPUOptions = restored.Spec.CPUOptions
 	if restored.Spec.ElasticIPPool != nil {
 		if dst.Spec.ElasticIPPool == nil {
 			dst.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}
@@ -109,6 +110,7 @@ func (r *AWSMachineTemplate) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.Template.Spec.CapacityReservationID = restored.Spec.Template.Spec.CapacityReservationID
 	dst.Spec.Template.Spec.MarketType = restored.Spec.Template.Spec.MarketType
 	dst.Spec.Template.Spec.NetworkInterfaceType = restored.Spec.Template.Spec.NetworkInterfaceType
+	dst.Spec.Template.Spec.CPUOptions = restored.Spec.Template.Spec.CPUOptions
 	if restored.Spec.Template.Spec.ElasticIPPool != nil {
 		if dst.Spec.Template.Spec.ElasticIPPool == nil {
 			dst.Spec.Template.Spec.ElasticIPPool = &infrav1.ElasticIPPool{}

diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/awsmachine_types.go b/api/v1beta2/awsmachine_types.go
@@ -73,6 +73,33 @@ const (
 	NetworkInterfaceTypeEFAWithENAInterface NetworkInterfaceType = NetworkInterfaceType("efa")
 )
 
+// AmdSevSnpSpecification defines the different values for AmdSevSnp
+type AmdSevSnpSpecification string
+
+const (
+	// AmdSevSnpSpecificationEnabled means AMD SEV SNP is enabled for the instance.
+	AmdSevSnpSpecificationEnabled AmdSevSnpSpecification = "enabled"
+
+	// AmdSevSnpSpecificationDisabled means AMD SEV SNP is disabled for the instance.
+	AmdSevSnpSpecificationDisabled AmdSevSnpSpecification = "disabled"
+)
+
+// CPUOptions defines the cpu options for the instance.
+type CPUOptions struct {
+	// amdSevSnp specifies AMD SEV-SNP for the instance.
+	// +kubebuilder:validation:Enum=enabled;disabled
+	// +optional
+	AmdSevSnp AmdSevSnpSpecification `json:"amdSevSnp,omitempty"`
+}
+
+// Confidential computing support depends on the instance type.
+// Only certain instance types in M6a, R6a and C6a series support AMD SEV-SNP. Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
+var (
+	instanceTypesSupportingAmdSevsnp = []string{"m6a.large", "m6a.xlarge", "m6a.2xlarge", "m6a.4xlarge", "m6a.8xlarge",
+		"c6a.large", "c6a.xlarge", "c6a.2xlarge", "c6a.4xlarge", "c6a.8xlarge", "c6a.12xlarge", "c6a.16xlarge",
+		"r6a.large", "r6a.xlarge", "r6a.2xlarge", "r6a.4xlarge"}
+)
+
 // AWSMachineSpec defines the desired state of an Amazon EC2 instance.
 // +kubebuilder:validation:XValidation:rule="!has(self.capacityReservationId) || !has(self.marketType) || self.marketType != 'Spot'",message="capacityReservationId may not be set when marketType is Spot"
 // +kubebuilder:validation:XValidation:rule="!has(self.capacityReservationId) || !has(self.spotMarketOptions)",message="capacityReservationId cannot be set when spotMarketOptions is specified"
@@ -116,6 +143,10 @@ type AWSMachineSpec struct {
 	// +kubebuilder:validation:MinLength:=2
 	InstanceType string `json:"instanceType"`
 
+	// cpuOptions is the set of cpu options for the instance
+	// +optional
+	CPUOptions *CPUOptions `json:"cpuOptions,omitempty"`
+
 	// AdditionalTags is an optional set of tags to add to an instance, in addition to the ones added by default by the
 	// AWS provider. If both the AWSCluster and the AWSMachine specify the same tag name with different values, the
 	// AWSMachine's value takes precedence.

diff --git a/api/v1beta2/awsmachine_webhook.go b/api/v1beta2/awsmachine_webhook.go
@@ -31,6 +31,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/utils/ptr"
+	"k8s.io/utils/strings/slices"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -78,6 +79,7 @@ func (*awsMachineWebhook) ValidateCreate(_ context.Context, obj runtime.Object)
 	allErrs = append(allErrs, r.Spec.AdditionalTags.Validate()...)
 	allErrs = append(allErrs, r.validateNetworkElasticIPPool()...)
 	allErrs = append(allErrs, r.validateInstanceMarketType()...)
+	allErrs = append(allErrs, r.validateInstanceTypeForConfidentialCompute()...)
 
 	return nil, aggregateObjErrors(r.GroupVersionKind().GroupKind(), r.Name, allErrs)
 }
@@ -417,6 +419,17 @@ func (r *AWSMachine) validateNonRootVolumes() field.ErrorList {
 	return allErrs
 }
 
+func (r *AWSMachine) validateInstanceTypeForConfidentialCompute() field.ErrorList {
+	var allErrs field.ErrorList
+	if r.Spec.CPUOptions != nil {
+		if r.Spec.CPUOptions.AmdSevSnp == "enabled" && !slices.Contains(instanceTypesSupportingAmdSevsnp, r.Spec.InstanceType) {
+			allErrs = append(allErrs, field.Required(field.NewPath("spec.InstanceType"), "this instance type doesn't support AMD SEV-SNP"))
+		}
+	}
+
+	return allErrs
+}
+
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
 func (*awsMachineWebhook) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil

diff --git a/api/v1beta2/awsmachine_webhook_test.go b/api/v1beta2/awsmachine_webhook_test.go
@@ -279,6 +279,30 @@ func TestAWSMachineCreate(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "invalid instance type for AMD SEV-SNP",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "test",
+					CPUOptions: &CPUOptions{
+						AmdSevSnp: "enabled",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "valid instance type for AMD SEV-SNP",
+			machine: &AWSMachine{
+				Spec: AWSMachineSpec{
+					InstanceType: "m6a.large",
+					CPUOptions: &CPUOptions{
+						AmdSevSnp: "enabled",
+					},
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "invalid tags return error",
 			machine: &AWSMachine{

diff --git a/api/v1beta2/types.go b/api/v1beta2/types.go
@@ -172,6 +172,9 @@ type Instance struct {
 	// The instance type.
 	Type string `json:"type,omitempty"`
 
+	// The cpu options of the instance.
+	CPUOptions *CPUOptions `json:"cpuOptions,omitempty"`
+
 	// The ID of the subnet of the instance.
 	SubnetID string `json:"subnetId,omitempty"`
 

diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_awsmanagedcontrolplanes.yaml
@@ -1214,6 +1214,16 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    properties:
+                      amdSevSnp:
+                        description: amdSevSnp specifies AMD SEV-SNP for the instance.
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.
@@ -3395,6 +3405,16 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    properties:
+                      amdSevSnp:
+                        description: amdSevSnp specifies AMD SEV-SNP for the instance.
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsclusters.yaml
@@ -2197,6 +2197,16 @@ spec:
                     description: CapacityReservationID specifies the target Capacity
                       Reservation into which the instance should be launched.
                     type: string
+                  cpuOptions:
+                    description: The cpu options of the instance.
+                    properties:
+                      amdSevSnp:
+                        description: amdSevSnp specifies AMD SEV-SNP for the instance.
+                        enum:
+                        - enabled
+                        - disabled
+                        type: string
+                    type: object
                   ebsOptimized:
                     description: Indicates whether the instance is optimized for Amazon
                       EBS I/O.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachines.yaml
@@ -674,6 +674,16 @@ spec:
                     - ssm-parameter-store
                     type: string
                 type: object
+              cpuOptions:
+                description: cpuOptions is the set of cpu options for the instance
+                properties:
+                  amdSevSnp:
+                    description: amdSevSnp specifies AMD SEV-SNP for the instance.
+                    enum:
+                    - enabled
+                    - disabled
+                    type: string
+                type: object
               elasticIpPool:
                 description: ElasticIPPool is the configuration to allocate Public
                   IPv4 address (Elastic IP/EIP) from user-defined pool.

diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_awsmachinetemplates.yaml
@@ -593,6 +593,17 @@ spec:
                             - ssm-parameter-store
                             type: string
                         type: object
+                      cpuOptions:
+                        description: cpuOptions is the set of cpu options for the
+                          instance
+                        properties:
+                          amdSevSnp:
+                            description: amdSevSnp specifies AMD SEV-SNP for the instance.
+                            enum:
+                            - enabled
+                            - disabled
+                            type: string
+                        type: object
                       elasticIpPool:
                         description: ElasticIPPool is the configuration to allocate
                           Public IPv4 address (Elastic IP/EIP) from user-defined pool.

diff --git a/pkg/cloud/services/ec2/instances.go b/pkg/cloud/services/ec2/instances.go
@@ -258,6 +258,8 @@ func (s *Service) CreateInstance(ctx context.Context, scope *scope.MachineScope,
 
 	input.MarketType = scope.AWSMachine.Spec.MarketType
 
+	input.CPUOptions = scope.AWSMachine.Spec.CPUOptions
+
 	s.scope.Debug("Running instance", "machine-role", scope.Role())
 	s.scope.Debug("Running instance with instance metadata options", "metadata options", input.InstanceMetadataOptions)
 	out, err := s.runInstance(scope.Role(), input)
@@ -656,6 +658,7 @@ func (s *Service) runInstance(role string, i *infrav1.Instance) (*infrav1.Instan
 	input.MetadataOptions = getInstanceMetadataOptionsRequest(i.InstanceMetadataOptions)
 	input.PrivateDnsNameOptions = getPrivateDNSNameOptionsRequest(i.PrivateDNSName)
 	input.CapacityReservationSpecification = getCapacityReservationSpecification(i.CapacityReservationID)
+	input.CpuOptions = getInstanceCPUOptionsRequest(i.CPUOptions)
 
 	if i.Tenancy != "" {
 		input.Placement = &types.Placement{
@@ -1251,3 +1254,24 @@ func getPrivateDNSNameOptionsRequest(privateDNSName *infrav1.PrivateDNSName) *ty
 		HostnameType:                    types.HostnameType(aws.ToString(privateDNSName.HostnameType)),
 	}
 }
+
+func getInstanceCPUOptionsRequest(cpuOptions *infrav1.CPUOptions) *types.CpuOptionsRequest {
+	if cpuOptions == nil {
+		return nil
+	}
+
+	request := &types.CpuOptionsRequest{}
+	switch cpuOptions.AmdSevSnp {
+	case infrav1.AmdSevSnpSpecificationEnabled:
+		request.AmdSevSnp = types.AmdSevSnpSpecificationEnabled
+	case infrav1.AmdSevSnpSpecificationDisabled:
+		request.AmdSevSnp = types.AmdSevSnpSpecificationDisabled
+	default:
+	}
+
+	if *request == (types.CpuOptionsRequest{}) {
+		return nil
+	}
+
+	return request
+}