Support SEV_SNP confidential type selection on GCP #2165
base: master
Conversation
Hello @bgartzi! Some important instructions when contributing to openshift/api:
Hi @bgartzi. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: bgartzi. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
GCP compute API permits not only specifying whether a machine has to be confidential or not, but also determining the technology backing that up (see [0]). This commit adds an api parameter into the GCPMachineProviderSpec to support that. That way, we should be able to configure SEV_SNP machines as well as SEV machines as before. [0] https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations
@@ -146,9 +155,16 @@ type GCPMachineProviderSpec struct { | |||
// confidentialCompute Defines whether the instance should have confidential compute enabled. | |||
// If enabled OnHostMaintenance is required to be set to "Terminate". | |||
// If omitted, the platform chooses a default, which is subject to change over time, currently that default is false. | |||
// If confidentialInstanceType is configured, even if confidentialCompute is Disabled, a confidential compute instance will be configured. |
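Review bot: the last added godoc line makes confidentialInstanceType override confidentialCompute, so an explicit "Disabled" policy silently produces a confidential instance; restrict the new field to confidentialCompute: Enabled instead (for example a CEL marker on the spec such as `// +kubebuilder:validation:XValidation:rule="!has(self.confidentialInstanceType) || self.confidentialCompute == 'Enabled'",message="confidentialInstanceType requires confidentialCompute=Enabled"`, or the equivalent check in validation) and document that restriction here rather than the override. Minor: "Defines" mid-sentence should be lowercase.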
This feels like it could be ripe for confusion. Would it make more sense to make it so you can only set confidentialInstanceType when confidentialCompute is set to Enabled?
Yes, I agree with you: it would make more sense. I've also been told the same in the ongoing discussion on https://github.com/kubernetes-sigs/cluster-api-provider-gcp/pull/1410/files#r1931842698
I will change this soon.
// confidentialInstanceType will preceed confidentialCompute. That is, if confidentialCompute is "Disabled" but a valid confidentialInstanceType is specified, a confidential instance will be configured. | ||
// If confidentialInstanceType isn't set and confidentialCompute is "Enabled" the platform will set the default, which is subject to change over time. Currently the default is "sev" for "c2d", "c3d", and "n2d" machineTypes. For the other machine cases, a valid confidentialInstanceType must be specified. | ||
// +kubebuilder:validation:Enum=sev;sev-snp; | ||
// +optional |
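Review bot: "preceed" in the first godoc line should be "precede", and the precedence rule it describes (a "Disabled" policy overridden by confidentialInstanceType) is the same override flagged on confidentialCompute; once the field is restricted to confidentialCompute: Enabled, rewrite this sentence to say so. The field carries `+optional` but the godoc never says it is optional; add that, and keep the "If confidentialInstanceType isn't set ..." sentence as the description of what omitting it means.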
Mention that this field is optional in the godoc.
I will!
// confidentialInstanceType determines the required type of confidential computing technology. | ||
// confidentialInstanceType will preceed confidentialCompute. That is, if confidentialCompute is "Disabled" but a valid confidentialInstanceType is specified, a confidential instance will be configured. | ||
// If confidentialInstanceType isn't set and confidentialCompute is "Enabled" the platform will set the default, which is subject to change over time. Currently the default is "sev" for "c2d", "c3d", and "n2d" machineTypes. For the other machine cases, a valid confidentialInstanceType must be specified. | ||
// +kubebuilder:validation:Enum=sev;sev-snp; |
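Review bot: the godoc names no allowed values, so a reader has to find them in the Enum marker; list "sev" (AMD SEV) and "sev-snp" (AMD SEV-SNP) in the comment and say what each one selects. The marker `+kubebuilder:validation:Enum=sev;sev-snp;` also ends in a trailing semicolon; check the generated CRD for an empty-string enum entry and write it as `+kubebuilder:validation:Enum=sev;sev-snp`.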
Include some information in the godoc about the allowed values and what they represent.
Noted.
Hi @everettraven, thanks for the quick reply. I will work on the updates and try to send an updated proposal soon!
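As an added example (not code from this PR or from openshift/api), the Go snippet below encodes the stricter rule agreed in the review thread, that confidentialInstanceType is only accepted when confidentialCompute is Enabled, together with the per-machine-family defaulting and the OnHostMaintenance requirement described in the new godoc. The type and field names follow the diff; the constant names, the reduced struct and the machine-family prefix check are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)
// Type and field names follow the PR diff; the constants for the new type are assumed.
type ConfidentialComputePolicy string
type ConfidentialVMTechnology string
const (
	ConfidentialComputePolicyEnabled  ConfidentialComputePolicy = "Enabled"
	ConfidentialComputePolicyDisabled ConfidentialComputePolicy = "Disabled"
	ConfidentialVMTechnologySEV       ConfidentialVMTechnology  = "sev"
	ConfidentialVMTechnologySEVSNP    ConfidentialVMTechnology  = "sev-snp"
)
// GCPMachineProviderSpec is a reduced stand-in (assumed) for the real provider spec.
type GCPMachineProviderSpec struct {
	MachineType              string
	OnHostMaintenance        string
	ConfidentialCompute      ConfidentialComputePolicy
	ConfidentialInstanceType ConfidentialVMTechnology
}

// ResolveConfidentialTechnology applies the stricter rule proposed in review: a technology may
// only be chosen when confidentialCompute is Enabled, so Disabled (or omitted) is never overridden.
func ResolveConfidentialTechnology(s GCPMachineProviderSpec) (ConfidentialVMTechnology, error) {
	if s.ConfidentialCompute != ConfidentialComputePolicyEnabled {
		if s.ConfidentialInstanceType != "" {
			return "", fmt.Errorf("confidentialInstanceType %q requires confidentialCompute=Enabled", s.ConfidentialInstanceType)
		}
		return "", nil // not a confidential VM
	}
	// Confidential VMs cannot be live-migrated; the godoc requires Terminate here.
	if s.OnHostMaintenance != "Terminate" {
		return "", fmt.Errorf("confidentialCompute=Enabled requires onHostMaintenance=Terminate, got %q", s.OnHostMaintenance)
	}
	switch s.ConfidentialInstanceType {
	case ConfidentialVMTechnologySEV, ConfidentialVMTechnologySEVSNP:
		return s.ConfidentialInstanceType, nil
	case "":
		// Default from the new godoc: "sev" for c2d, c3d and n2d; other families need an explicit value.
		switch strings.SplitN(s.MachineType, "-", 2)[0] {
		case "c2d", "c3d", "n2d":
			return ConfidentialVMTechnologySEV, nil
		}
		return "", fmt.Errorf("no default confidential technology for machineType %q; set confidentialInstanceType", s.MachineType)
	default:
		return "", fmt.Errorf("unsupported confidentialInstanceType %q (allowed: sev, sev-snp)", s.ConfidentialInstanceType)
	}
}
```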
@@ -65,6 +65,15 @@ const ( | |||
ConfidentialComputePolicyDisabled ConfidentialComputePolicy = "Disabled" | |||
) | |||
|
|||
type ConfidentialVMTechnology string |
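Review bot: the visible part of this hunk adds the exported type ConfidentialVMTechnology with no doc comment and without typed constants beside it, while the ConfidentialComputePolicyDisabled constant directly above shows the convention this file uses; if the rest of the hunk (not shown in this extract) does not already do so, add a doc comment and constants such as `ConfidentialVMTechnologySEV ConfidentialVMTechnology = "sev"` and `ConfidentialVMTechnologySEVSNP ConfidentialVMTechnology = "sev-snp"` so callers compare against named values rather than string literals, and keep them in sync with the Enum marker on confidentialInstanceType.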
ConfidentialComputePolicy was added as an enum for the case that GCP will add another potential value, see upstream discussion:
kubernetes-sigs/cluster-api-provider-gcp#809 (comment)
Consider adding the new options ("sev", "sev-snp") to the ConfidentialComputePolicy; in case the user sets it to "Enabled", use the default.
Thanks for pointing this out @eranco74, I think it's worth considering. I've just brought this discussion topic into the upstream patch as well (see kubernetes-sigs/cluster-api-provider-gcp#1410 (comment)).
Upstream/CAPG PR: kubernetes-sigs/cluster-api-provider-gcp#1410