machine_webhook: Add validation for CPUOptions in AWSMachineProviderConfig

fangge1212 · fangge1212 · commit 9c2bda001809 · 2025-09-23T00:40:51.000-04:00
This change introduces webhook validation for the CPUOptions field in
AWSMachineProviderConfig. The validation ensures that if cpuOptions is
provided, its confidentialCompute value is either empty or one of the
supported policies:
- Disabled
- AMDEncryptedVirtualizationNestedPaging

Signed-off-by: Fangge Jin &lt;fjin@redhat.com&gt;
diff --git a/pkg/webhooks/machine_webhook.go b/pkg/webhooks/machine_webhook.go
@@ -868,6 +868,20 @@ func validateAWS(m *machinev1beta1.Machine, config *admissionConfig) (bool, []st
 		)
 	}
 
+	switch providerSpec.CPUOptions.ConfidentialCompute {
+	case "", machinev1beta1.AWSConfidentialComputePolicyDisabled, machinev1beta1.AWSConfidentialComputePolicySEVSNP:
+		// Valid values
+	default:
+		errs = append(
+			errs,
+			field.Invalid(
+				field.NewPath("providerSpec", "CPUOptions", "ConfidentialCompute"),
+				providerSpec.CPUOptions.ConfidentialCompute,
+				fmt.Sprintf("Allowed values are %s, %s and omitted", machinev1beta1.AWSConfidentialComputePolicyDisabled, machinev1beta1.AWSConfidentialComputePolicySEVSNP),
+			),
+		)
+	}
+
 	if len(errs) > 0 {
 		return false, warnings, errs
 	}
diff --git a/pkg/webhooks/machine_webhook_test.go b/pkg/webhooks/machine_webhook_test.go
@@ -2610,6 +2610,21 @@ func TestValidateAWSProviderSpec(t *testing.T) {
 			expectedOk:    false,
 			expectedError: "providerSpec.metadataServiceOptions.authentication: Invalid value: \"Boom\": Allowed values are either 'Optional' or 'Required'",
 		},
+		{
+			testCase: "with valid cpuOptions",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions.ConfidentialCompute = "AMDEncryptedVirtualizationNestedPaging"
+			},
+			expectedOk: true,
+		},
+		{
+			testCase: "with invalid cpuOptions",
+			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
+				p.CPUOptions.ConfidentialCompute = "invalid"
+			},
+			expectedOk: false,
+			expectedError: "providerSpec.CPUOptions.ConfidentialCompute: Invalid value: \"invalid\": Allowed values are Disabled, AMDEncryptedVirtualizationNestedPaging and omitted",
+		},
 		{
 			testCase: "with invalid GroupVersionKind",
 			modifySpec: func(p *machinev1beta1.AWSMachineProviderConfig) {
