Support AMD SEV-SNP on AWS #2424
Conversation
|
Hello @fangge1212! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/M
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
2 times, most recently
from
1271931 to
a6478c1
Compare
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
3 times, most recently
from
82e877d to
1df992a
Compare
| // instanceType is the type of instance to create. Example: m4.xlarge | ||
| InstanceType string `json:"instanceType"` | ||
| // cpuOptions is the set of cpu options for the instance. | ||
| // +optional |
There was a problem hiding this comment.
What happens if this field is not specified by a user?
There was a problem hiding this comment.
If unset, no CPU options are passed to the AWS platform and AWS default values are used.
There was a problem hiding this comment.
Do we know what the default values are currently on AWS?
There was a problem hiding this comment.
Even if we don't have concrete defaults we can point to, it would be nice to include guidance on how an end-user could identify what the defaults for their configuration would be.
There was a problem hiding this comment.
The CpuOptions in AWS consists of three fields:
- amdSevSnp - default value is Disabled.
- coreCount - default value depends on the instance type.
- threadsPerCore - default value depends on the instance type.
Refer to: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cpu-options-supported-instances-values.html
In this PR, only amdSevSnp is exposed to users. I'm not entirely sure how best to describe this in the API documentation — should we include a link to the AWS documentation?
There was a problem hiding this comment.
Added the link to AWS website
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
5 times, most recently
from
bbef962 to
e48669f
Compare
|
/retest-required |
|
/retest |
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
3 times, most recently
from
f28b17a to
520141d
Compare
machine/v1beta1/types_awsprovider.go
Outdated
| // cpuOptions defines CPU-related settings for the instance, including the confidential computing policy. | ||
| // If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied. |
There was a problem hiding this comment.
How do I know what the "AWS default CPU options" that will be applied are? Are these literally defaults AWS imposes on requests that don't specify these options, or are these defaulted elsewhere?
There was a problem hiding this comment.
Thanks for the comment! To clarify: OpenShift does not set defaults for cpuOptions. If the field is unset, the RunInstances request is sent without a CpuOptions block, and AWS applies its own defaults for the chosen instance type.
I’ll update the field description to make that clear.
There was a problem hiding this comment.
Updated the description, please take a look again.
There was a problem hiding this comment.
Updated the description again to make it more concise:
When omitted, this means no opinion and the AWS platform is left to choose a reasonable default.
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
from
520141d to
d34306b
Compare
machine/v1beta1/types_awsprovider.go
Outdated
| // cpuOptions defines CPU-related settings for the instance, including the confidential computing policy. | ||
| // If unset, no cpuOptions will be included in the API request to AWS, and the instance will use the default CPU options | ||
| // applied by AWS for the selected intance type. | ||
| // +kubebuilder:validation:MinProperties=1 |
There was a problem hiding this comment.
Pop this one on the struct rather than the field please
machine/v1beta1/types_awsprovider.go
Outdated
| // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html | ||
| // When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, | ||
| // which is subject to change without notice. The current default is Disabled. | ||
| // +kubebuilder:validation:Enum=Disabled;AMDEncrytedVirtualizationNestedPaging |
There was a problem hiding this comment.
Any reason to put this here, vs on the type definition on L119?
There was a problem hiding this comment.
The placement of this line differs between AWSNetworkInterfaceType (within the struct) and MarketType (on the type definition). I was unsure which pattern to follow, so I selected one approach arbitrarily.
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
2 times, most recently
from
89d92a1 to
f5ba092
Compare
|
/test remaining-required Overriding unmatched contexts: |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: everettraven The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@openshift-ci-robot: The specified target(s) for The following commands are available to trigger optional jobs: Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@openshift-ci-robot: Overrode contexts on behalf of openshift-ci-robot: ci/prow/e2e-aws-ovn, ci/prow/e2e-aws-ovn-hypershift, ci/prow/e2e-aws-ovn-hypershift-conformance, ci/prow/e2e-aws-ovn-techpreview, ci/prow/e2e-aws-serial-1of2, ci/prow/e2e-aws-serial-2of2, ci/prow/e2e-aws-serial-techpreview-1of2, ci/prow/e2e-aws-serial-techpreview-2of2, ci/prow/e2e-azure, ci/prow/e2e-gcp, ci/prow/e2e-upgrade, ci/prow/e2e-upgrade-out-of-change In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@everettraven: Overrode contexts on behalf of everettraven: ci/prow/lint In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@fangge1212 over to you for getting the |
|
/verified later @yalzhang |
openshift-ci-robot
added
verified-later
verified
|
@fangge1212: This PR has been marked to be verified later by In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest-required |
|
/hold Revision 5f65881 was retested 3 times: holding |
openshift-ci
bot
added
the
do-not-merge/hold
|
/override ci/prow/lint |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@fangge1212: fangge1212 unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file, and the following github teams:openshift: openshift-release-oversight openshift-staff-engineers openshift-sustaining-engineers. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/override ci/prow/lint Go validated type, not openapi which is how the current configuration is configured |
|
@JoelSpeed: Overrode contexts on behalf of JoelSpeed: ci/prow/lint In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@fangge1212: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
6 participants
AMD SEV-SNP is one of the confidential computing technologies. This commit adds support for AMD SEV-SNP on AWS, so users can utilize the confidential computing on the cluster nodes.
Upstream CAPA PR: kubernetes-sigs/cluster-api-provider-aws#5605