Support AMD SEV-SNP on AWS #2424
Conversation
|
Hello @fangge1212! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/M
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: fangge1212 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
2 times, most recently
from
1271931 to
a6478c1
Compare
machine/v1beta1/types_awsprovider.go
Outdated
| ) | ||
|
|
||
| // CpuOptions defines the cpu options for the instance. | ||
| type CpuOptions struct { |
There was a problem hiding this comment.
A couple questions to help me better understand the direction this should take:
- Because all fields are optional here, what happens if this is set to the zero value of the struct
{}? - Because there is no constraints here as to how many properties can be specified at once, what would it mean if in the future there are multiple options to configure and I configure more than one of them?
There was a problem hiding this comment.
- If it is an empty struct, cpuOptions=nil will be passed to the AWS API
- I don't get your question. If there are multiple options to configure in the future, then we can configure multiple options.
There was a problem hiding this comment.
I don't get your question. If there are multiple options to configure in the future, then we can configure multiple options
What I was trying to get at is similar to this question upstream: kubernetes-sigs/cluster-api-provider-aws#5598 (comment)
If you are only ever going to have mutually exclusive CPU options then using an enum for those options likely makes sense.
If you are going to have a subset of mutually exclusive options but the rest can be specified together, then this structure is generally OK, but I'd think an enum is still reasonable for a single mutual exclusivity field.
Looking at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-specify-cpu-options.html I'd expect something like:
cpuOptions:
cores: 4
threadsPerCore: 1
confidentialComputing: AmdSevSnpto be reasonable (assuming that something like confidentialComputing would be mutually exclusive so you can't set something like AmdSevSnp and TDX if it were to be added in the future)
There was a problem hiding this comment.
Updated to:
cpuOptions:
confidentialComputing: AMDSevSnp
82e877d to
1df992a
Compare
machine/v1beta1/types_awsprovider.go
Outdated
| type CPUOptions struct { | ||
| // confidentialCompute specifies whether confidential computing should be enabled for the instance, | ||
| // and, if so, which confidential computing technology to use. | ||
| // If set to Disabled, the instance will not use confidential computing. |
There was a problem hiding this comment.
"Disabled" is often times an overloaded term and we generally try to avoid using it where we can.
For scenarios like this, I generally go for "None" and would encourage that usage here as well.
IMO, confidentialCompute: None reads more intuitively than confidentialCompute: Disabled.
There was a problem hiding this comment.
Updated back to "Disabled" to align with GCP
machine/v1beta1/types_awsprovider.go
Outdated
| // If set to Disabled, the instance will not use confidential computing. | ||
| // If set to AMDSevSnp, the instance will be configured with AMD SEV-SNP. | ||
| // In this case, ensure the following conditions are met: | ||
| // 1) The selected instance type supports AMD SEV-SNP. | ||
| // 2) The selected AWS region supports AMD SEV-SNP. | ||
| // 3) The selected AMI supports AMD SEV-SNP. | ||
| // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html | ||
| // If omitted, the platform will apply a default value — currently Disabled, but this may change over time. |
There was a problem hiding this comment.
| // If set to Disabled, the instance will not use confidential computing. | |
| // If set to AMDSevSnp, the instance will be configured with AMD SEV-SNP. | |
| // In this case, ensure the following conditions are met: | |
| // 1) The selected instance type supports AMD SEV-SNP. | |
| // 2) The selected AWS region supports AMD SEV-SNP. | |
| // 3) The selected AMI supports AMD SEV-SNP. | |
| // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html | |
| // If omitted, the platform will apply a default value — currently Disabled, but this may change over time. | |
| // When set to Disabled, the instance will not use confidential computing. | |
| // When set to AMDSevSnp, the instance will be configured with AMD SEV-SNP. | |
| // In this case, ensure the following conditions are met: | |
| // 1) The selected instance type supports AMD SEV-SNP. | |
| // 2) The selected AWS region supports AMD SEV-SNP. | |
| // 3) The selected AMI supports AMD SEV-SNP. | |
| // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html | |
| // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change without notice. The current default is Disabled. |
| ) | ||
|
|
||
| // CPUOptions defines the cpu options for the instance. | ||
| type CPUOptions struct { |
There was a problem hiding this comment.
We try to avoid things like cpuOptions: {} being valid inputs because it is usually semantically the same as just not specifying the field altogether.
Add the +kubebuilder:validation:MinProperties=1 marker so that it is required for at least one property to be specified, making {} an invalid input.
There was a problem hiding this comment.
When I add +kubebuilder:validation:MinProperties=1, kubeapilinter asked me to add tag omitzero and don't use make CPUOptions a pointer. I followed its prompt, but this makes many tests in cluster-api-provider-aws failed:
--- FAIL: TestSSHKeyName/SSH_key_name_is_nil_is_valid (0.01s)
sshkeyname_test.go:89: ValidateCreate() error = AWSMachine.infrastructure.cluster.x-k8
"machine-9zsqb" is invalid: spec.cpuOptions: Invalid value: 0: spec.cpuOptions in body should have at least 1 properties, wantErr false
There was a problem hiding this comment.
I see. I just took a look and it looks like cluster-api-provider-aws is on Go 1.23.1 which does not contain the omitzero behavior that kube-api-linter is asking you to add. That support was added in Go 1.24.0
There was a problem hiding this comment.
Is it possible for you to bump to Go 1.24.z in cluster-api-provider-aws?
There was a problem hiding this comment.
Looks like that is in progress here: kubernetes-sigs/cluster-api-provider-aws#5624
| @@ -17,6 +17,9 @@ type AWSMachineProviderConfig struct { | |||
| AMI AWSResourceReference `json:"ami"` | |||
| // instanceType is the type of instance to create. Example: m4.xlarge | |||
| InstanceType string `json:"instanceType"` | |||
| // cpuOptions is the set of cpu options for the instance. | |||
| // +optional | |||
There was a problem hiding this comment.
What happens if this field is not specified by a user?
There was a problem hiding this comment.
If unset, no CPU options are passed to the AWS platform and AWS default values are used.
machine/v1beta1/types_awsprovider.go
Outdated
| @@ -17,6 +17,9 @@ type AWSMachineProviderConfig struct { | |||
| AMI AWSResourceReference `json:"ami"` | |||
| // instanceType is the type of instance to create. Example: m4.xlarge | |||
| InstanceType string `json:"instanceType"` | |||
| // cpuOptions is the set of cpu options for the instance. | |||
There was a problem hiding this comment.
I think we could improve the GoDoc here to be more descriptive.
https://github.com/openshift/enhancements/blob/master/dev-guide/api-conventions.md#write-user-readable-documentation-in-godoc is a good starting point for the things that you should take into consideration and include in the documentation for a field.
There was a problem hiding this comment.
Thanks. I updated the doc, please have a look again.
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
5 times, most recently
from
bbef962 to
e48669f
Compare
|
/retest-required |
|
/retest |
machine/v1beta1/types_awsprovider.go
Outdated
| const ( | ||
| // AWSConfidentialComputePolicyNone disables confidential computing for the instance. | ||
| AWSConfidentialComputePolicyNone AWSConfidentialComputePolicy = "None" | ||
| // AWSConfidentialComputePolicySEVSNP enables AMD SEV-SNP as the confidential computing technology for the instance. | ||
| AWSConfidentialComputePolicySEVSNP AWSConfidentialComputePolicy = "AmdSevSnp" | ||
| ) |
There was a problem hiding this comment.
Let's follow the same approach we took for the GCP types: https://github.com/openshift/api/pull/2165/files#diff-9bd66f01f63b7ce0455fe993aa03dfe93964ac62b31278a6dbf3db2fcb7f792eR66-R71
In detail:
- Let's use
Enabled/Disabled(rather thanNone) - Let's fully spell out the
AmdSevSnptoAMDEncryptedVirtualizationNestedPaging
There was a problem hiding this comment.
I updated to Disabled;AMDEncryptedVirtualizationNestedPaging
I don't think Enabled is a meaningfull value, because all the other values than Disabled implies Enabled
There was a problem hiding this comment.
Enabled is normally for the default value (so in this case OpenShift engineers choose the default for the user) as you can see here on the GCP one:
// When set to Enabled, the machine will be configured as a confidential computing instance with no preference on the confidential compute policy used. In this mode, the platform chooses a default that is subject to change over time. Currently, the default is to use AMD Secure Encrypted Virtualization.
Ideally we should try and keep consistency across providers for the same feature, so I'd be happy to see it added
There was a problem hiding this comment.
Hi @damdo, @fangge1212!
The problem I see in the AWS case is that AFAICT, it doesn't support the default GCP case: AMD SEV. It only supports AMD SEV-SNP. In that case, we would end up defining Enabled as a valid case for AWS, but would have a different behavior than the one from GCP, configuring AMD SEV-SNP machines instead. In my opinion this would be misleading.
This is another discussion, but at the moment the Enabled option for GCP is redundant, as AMDEncryptedVirtualization achieves the same result. In my opinion, Deprecating Enabled in the GCP provider in the future would help getting rid of that redundancy and also having consistency across providers for the same feature, as you mention.
There was a problem hiding this comment.
If we are thinking about deprecating Enabled then it is probably ok to leave it out from this one.
cc. @JoelSpeed
There was a problem hiding this comment.
We can also use the omission of the parent field to do defaulting behavior as well, so just omitting the cpuOptions field altogether could mean "no opinion on CPU options, platform defaults", which is the path I would prefer if that is semantically equivalent to either of the examples above.
There was a problem hiding this comment.
The omission of the cpuOptions field or confidentialCompute field will be equivalent to ConfidentialComputeDisabled.
The current code doesn't support this option: "I don't care, I just want confidential computing to be enabled, I'll let OpenShift default it to something". Do we need this?
There was a problem hiding this comment.
The current code doesn't support this option: "I don't care, I just want confidential computing to be enabled, I'll let OpenShift default it to something". Do we need this?
Is that behavior you want your users to be able to do? I wouldn't say this is a requirement on my end, but I do think that we should be clear on the intended user workflows to be able to design this API appropriately.
There was a problem hiding this comment.
I don’t think PlatformDefault is very useful in practice. When a user installs a cluster, they already choose the instance type and region, which directly constrains the available confidential computing technologies. That means the platform can’t meaningfully pick a “default” technology on the user’s behalf.
There was a problem hiding this comment.
Enabled was likely a mistake in the previous API. I'm ok with the following states for this API
- Omitted - means its disabled
Disabled- I've explicitly disabled this as I don't want anyone else defaulting it for meAMDEncryptedVirtualizationNestedPaging- I specifically want this kind of option
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
3 times, most recently
from
f28b17a to
520141d
Compare
machine/v1beta1/types_awsprovider.go
Outdated
| // cpuOptions defines CPU-related settings for the instance, including the confidential computing policy. | ||
| // If unset, no CPU options will be passed to the AWS platform and AWS default CPU options will be applied. |
There was a problem hiding this comment.
How do I know what the "AWS default CPU options" that will be applied are? Are these literally defaults AWS imposes on requests that don't specify these options, or are these defaulted elsewhere?
There was a problem hiding this comment.
Thanks for the comment! To clarify: OpenShift does not set defaults for cpuOptions. If the field is unset, the RunInstances request is sent without a CpuOptions block, and AWS applies its own defaults for the chosen instance type.
I’ll update the field description to make that clear.
There was a problem hiding this comment.
Updated the description, please take a look again.
AMD SEV-SNP is one of the confidential computing technologies. This commit adds support for AMD SEV-SNP on AWS, so users can utilize the confidential computing on the cluster nodes. Signed-off-by: Fangge Jin <[email protected]>
fangge1212
force-pushed
the
aws_amd_sev_snp
branch
from
520141d to
d34306b
Compare
|
@fangge1212: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| // cpuOptions defines CPU-related settings for the instance, including the confidential computing policy. | ||
| // If unset, no cpuOptions will be included in the API request to AWS, and the instance will use the default CPU options | ||
| // applied by AWS for the selected intance type. | ||
| // +kubebuilder:validation:MinProperties=1 |
There was a problem hiding this comment.
Pop this one on the struct rather than the field please
| // More details can be checked at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html | ||
| // When omitted, this means no opinion and the AWS platform is left to choose a reasonable default, | ||
| // which is subject to change without notice. The current default is Disabled. | ||
| // +kubebuilder:validation:Enum=Disabled;AMDEncrytedVirtualizationNestedPaging |
There was a problem hiding this comment.
Any reason to put this here, vs on the type definition on L119?
AMD SEV-SNP is one of the confidential computing technologies. This commit adds support for AMD SEV-SNP on AWS, so users can utilize the confidential computing on the cluster nodes.
Upstream CAPA PR: kubernetes-sigs/cluster-api-provider-aws#5598