cilium
1# This file contains the list of tests that should be included and excluded.
2#
3# To provide a better UX, the 'cliFocus' defined on each element from the
4# "include" is expanded to the specific defined 'focus'. This way we can map
5# which regex should be used on ginkgo --focus to an element from the "focus"
6# list.
7#
8# Further down is a list of tests that can be excluded because they are ignored
9# by our constraints defined in the ginkgo tests. There is a justification, in
10# form of a comment, explaining why each test is excluded.
11#
12# More info: https://docs.github.com/en/actions/using-jobs/using-a-matrix-for-your-jobs#expanding-or-adding-matrix-configurations
13---
14focus:15- "f01-agent-chaos"16- "f02-agent-fqdn"17- "f03-agent-policy"18- "f04-agent-policy-multi-node-1"19- "f05-agent-policy-multi-node-2"20- "f06-agent-policy-basic"21- "f07-datapath-host"22- "f08-datapath-misc-1"23- "f09-datapath-misc-2"24- "f10-agent-hubble-bandwidth"25- "f11-datapath-service-ns-tc"26- "f12-datapath-service-ns-misc"27- "f13-datapath-service-ns-xdp-1"28- "f14-datapath-service-ns-xdp-2"29- "f15-datapath-service-ew-1"30- "f16-datapath-service-ew-2"31- "f17-datapath-service-ew-kube-proxy"32- "f18-datapath-bgp-lrp"33- "f19-update"34- "f20-kafka"35include:36###37# K8sAgentChaosTest Connectivity demo application Endpoint can still connect while Cilium is not running38# K8sAgentChaosTest Restart with long lived connections L3/L4 policies still work while Cilium is restarted39# K8sAgentChaosTest Restart with long lived connections TCP connection is not dropped when cilium restarts40- focus: "f01-agent-chaos"41cliFocus: "K8sAgentChaosTest"42
43###44# K8sAgentFQDNTest Restart Cilium validate that FQDN is still working45# K8sAgentFQDNTest Validate that FQDN policy continues to work after being updated46# K8sAgentFQDNTest Validate that multiple specs are working correctly47# K8sAgentPerNodeConfigTest Correctly computes config overrides48- focus: "f02-agent-fqdn"49cliFocus: "K8sAgentFQDNTest|K8sAgentPerNodeConfigTest"50
51###52# K8sAgentPolicyTest Clusterwide policies Test clusterwide connectivity with policies53# K8sAgentPolicyTest External services To Services first endpoint creation54# K8sAgentPolicyTest External services To Services first endpoint creation match service by labels55# K8sAgentPolicyTest External services To Services first policy56# K8sAgentPolicyTest External services To Services first policy, match service by labels57# K8sAgentPolicyTest Namespaces policies Cilium Network policy using namespace label and L758# K8sAgentPolicyTest Namespaces policies Kubernetes Network Policy by namespace selector59# K8sAgentPolicyTest Namespaces policies Tests the same Policy in different namespaces60- focus: "f03-agent-policy"61cliFocus: "K8sAgentPolicyTest Clusterwide|K8sAgentPolicyTest External|K8sAgentPolicyTest Namespaces"62
63###64# K8sAgentPolicyTest Multi-node policy test validates fromEntities policies Validates fromEntities all policy65# K8sAgentPolicyTest Multi-node policy test validates fromEntities policies Validates fromEntities cluster policy66# K8sAgentPolicyTest Multi-node policy test validates fromEntities policies with remote-node identity disabled Allows from all hosts with cnp fromEntities host policy67# K8sAgentPolicyTest Multi-node policy test validates fromEntities policies with remote-node identity enabled Validates fromEntities remote-node policy68# K8sAgentPolicyTest Multi-node policy test with L7 policy using connectivity-check to check datapath69- focus: "f04-agent-policy-multi-node-1"70cliFocus: "K8sAgentPolicyTest Multi-node policy test validates fromEntities|K8sAgentPolicyTest Multi-node policy test with"71
72###73# K8sAgentPolicyTest Multi-node policy test validates ingress CIDR-dependent L4 connectivity is blocked after denying ingress74# K8sAgentPolicyTest Multi-node policy test validates ingress CIDR-dependent L4 connectivity is restored after importing ingress policy75# K8sAgentPolicyTest Multi-node policy test validates ingress CIDR-dependent L4 connectivity works from the outside before any policies76# K8sAgentPolicyTest Multi-node policy test validates ingress CIDR-dependent L4 With host policy Connectivity is restored after importing ingress policy77# K8sAgentPolicyTest Multi-node policy test validates ingress CIDR-dependent L4 With host policy Connectivity to hostns is blocked after denying ingress78- focus: "f05-agent-policy-multi-node-2"79cliFocus: "K8sAgentPolicyTest Multi-node policy test validates ingress"80
81###82# K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests DNS proxy visibility without policy83# K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests HTTP proxy visibility without policy84# K8sAgentPolicyTest Basic Test Traffic redirections to proxy Tests proxy visibility interactions with policy lifecycle operations85# K8sPolicyTestExtended Validate toEntities KubeAPIServer Allows connection to KubeAPIServer86# K8sPolicyTestExtended Validate toEntities KubeAPIServer Denies connection to KubeAPIServer87# K8sPolicyTestExtended Validate toEntities KubeAPIServer Still allows connection to KubeAPIServer with a duplicate policy88- focus: "f06-agent-policy-basic"89cliFocus: "K8sAgentPolicyTest Basic|K8sPolicyTestExtended"90
91###92# K8sDatapathConfig Host firewall Check connectivity with IPv6 disabled93# K8sDatapathConfig Host firewall With native routing94# K8sDatapathConfig Host firewall With native routing and endpoint routes95# K8sDatapathConfig Host firewall With VXLAN96# K8sDatapathConfig Host firewall With VXLAN and endpoint routes97- focus: "f07-datapath-host"98cliFocus: "K8sDatapathConfig Host"99
100###101# K8sDatapathConfig Encapsulation Check iptables masquerading with random-fully102# K8sDatapathConfig Etcd Check connectivity103# K8sDatapathConfig MonitorAggregation Checks that monitor aggregation flags send notifications104# K8sDatapathConfig MonitorAggregation Checks that monitor aggregation restricts notifications105- focus: "f08-datapath-misc-1"106cliFocus: "K8sDatapathConfig Encapsulation|K8sDatapathConfig Etcd|K8sDatapathConfig Etcd|K8sDatapathConfig MonitorAggregation"107
108###109# K8sDatapathConfig WireGuard encryption strict mode Pod-to-pod traffic is encrypted in native routing mode with per-endpoint routes110# K8sDatapathConfig WireGuard encryption strict mode Pod-to-pod traffic is encrypted in native routing mode with per-endpoint routes and overlapping node and pod CIDRs111# K8sDatapathConfig Check BPF masquerading with ip-masq-agent DirectRouting112# K8sDatapathConfig Check BPF masquerading with ip-masq-agent DirectRouting, IPv4 only113# K8sDatapathConfig Check BPF masquerading with ip-masq-agent VXLAN114# K8sDatapathConfig High-scale IPcache Test ingress policy enforcement with GENEVE and endpoint routes115# K8sDatapathConfig High-scale IPcache Test ingress policy enforcement with VXLAN and no endpoint routes116# K8sDatapathConfig Iptables Skip conntrack for pod traffic117# K8sDatapathConfig IPv4Only Check connectivity with IPv6 disabled118# K8sDatapathConfig IPv6 masquerading across K8s nodes, skipped due to native routing CIDR119# K8sDatapathConfig Transparent encryption DirectRouting Check connectivity with transparent encryption and direct routing with bpf_host120- focus: "f09-datapath-misc-2"121cliFocus: "K8sDatapathConfig WireGuard encryption strict mode|K8sDatapathConfig Check|K8sDatapathConfig IPv4Only|K8sDatapathConfig High-scale|K8sDatapathConfig Iptables|K8sDatapathConfig IPv4Only|K8sDatapathConfig IPv6|K8sDatapathConfig Transparent"122
123###124# K8sAgentHubbleTest Hubble Observe Test FQDN Policy with Relay125# K8sAgentHubbleTest Hubble Observe Test L3/L4 Flow126# K8sAgentHubbleTest Hubble Observe Test L3/L4 Flow with hubble-relay127# K8sAgentHubbleTest Hubble Observe Test L7 Flow128# K8sAgentHubbleTest Hubble Observe Test L7 Flow with hubble-relay129# K8sAgentHubbleTest Hubble Observe Test TLS certificate130# K8sDatapathBandwidthTest Checks Bandwidth Rate-Limiting Checks Pod to Pod bandwidth, direct routing131# K8sDatapathBandwidthTest Checks Bandwidth Rate-Limiting Checks Pod to Pod bandwidth, geneve tunneling132# K8sDatapathBandwidthTest Checks Bandwidth Rate-Limiting Checks Pod to Pod bandwidth, vxlan tunneling133- focus: "f10-agent-hubble-bandwidth"134cliFocus: "K8sAgentHubbleTest|K8sDatapathBandwidthTest"135
136###137# K8sDatapathServicesTest Checks N/S loadbalancing ClusterIP cannot be accessed externally when access is disabled138# K8sDatapathServicesTest Checks N/S loadbalancing Supports IPv4 fragments139# K8sDatapathServicesTest Checks N/S loadbalancing Tests with TC, direct routing and dsr with geneve140# K8sDatapathServicesTest Checks N/S loadbalancing Tests with TC, direct routing and Hybrid-DSR with Geneve141# K8sDatapathServicesTest Checks N/S loadbalancing Tests with TC, geneve tunnel, and Hybrid-DSR with Geneve142# K8sDatapathServicesTest Checks N/S loadbalancing Tests with TC, direct routing and Hybrid143# K8sDatapathServicesTest Checks N/S loadbalancing Tests with TC, geneve tunnel, dsr and Maglev144- focus: "f11-datapath-service-ns-tc"145cliFocus: "K8sDatapathServicesTest Checks N/S loadbalancing ClusterIP|K8sDatapathServicesTest Checks N/S loadbalancing Supports|K8sDatapathServicesTest Checks N/S loadbalancing Tests with TC"146
147###148# K8sDatapathServicesTest Checks N/S loadbalancing Tests externalIPs149# K8sDatapathServicesTest Checks N/S loadbalancing Tests GH#10983150# K8sDatapathServicesTest Checks N/S loadbalancing Tests NodePort with sessionAffinity from outside151# K8sDatapathServicesTest Checks N/S loadbalancing Tests security id propagation in N/S LB requests fwd-ed over tunnel152# K8sDatapathServicesTest Checks N/S loadbalancing Tests with direct routing and DSR153- focus: "f12-datapath-service-ns-misc"154cliFocus: "K8sDatapathServicesTest Checks N/S loadbalancing Tests externalIPs|K8sDatapathServicesTest Checks N/S loadbalancing Tests GH|K8sDatapathServicesTest Checks N/S loadbalancing Tests NodePort|K8sDatapathServicesTest Checks N/S loadbalancing Tests security|K8sDatapathServicesTest Checks N/S loadbalancing Tests with direct|K8sDatapathServicesTest Checks N/S loadbalancing with"155
156###157# K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, DSR and Maglev158# K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, DSR and Random159# K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, DSR with Geneve and Maglev160# K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, Hybrid and Maglev161# K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, Hybrid and Random162- focus: "f13-datapath-service-ns-xdp-1"163cliFocus: "K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, DSR|K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, Hybrid"164
165###166# K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, SNAT and Maglev167# K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, SNAT and Random168# K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, vxlan tunnel, SNAT and Random169# K8sDatapathServicesTest Checks N/S loadbalancing With ClusterIP external access ClusterIP can be accessed when external access is enabled170# K8sDatapathServicesTest Checks N/S loadbalancing With host policy Tests NodePort171- focus: "f14-datapath-service-ns-xdp-2"172cliFocus: "K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, direct routing, SNAT|K8sDatapathServicesTest Checks N/S loadbalancing Tests with XDP, vxlan|K8sDatapathServicesTest Checks N/S loadbalancing With"173
174###175# K8sDatapathServicesTest Checks device reconfiguration Detects newly added device and reloads datapath176# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Checks in-cluster KPR Tests HealthCheckNodePort177# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Checks in-cluster KPR Tests that binding to NodePort port fails178# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Checks in-cluster KPR with L7 policy Tests NodePort with L7 Policy179# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Checks service accessing itself (hairpin flow)180- focus: "f15-datapath-service-ew-1"181cliFocus: 'K8sDatapathServicesTest Checks device|K8sDatapathServicesTest Checks E/W loadbalancing \\(ClusterIP, NodePort from inside cluster, etc\\) Checks'182
183###184# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) TFTP with DNS Proxy port collision Tests TFTP from DNS Proxy Port185# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) with L4 policy Tests NodePort with L4 Policy186# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) with L7 policy Tests NodePort with L7 Policy187- focus: "f16-datapath-service-ew-2"188cliFocus: 'K8sDatapathServicesTest Checks E/W loadbalancing \\(ClusterIP, NodePort from inside cluster, etc\\) TFTP|K8sDatapathServicesTest Checks E/W loadbalancing \\(ClusterIP, NodePort from inside cluster, etc\\) with'189
190###191# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Tests NodePort inside cluster (kube-proxy)192# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Tests NodePort inside cluster (kube-proxy) with externalTrafficPolicy=Local193# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Tests NodePort inside cluster (kube-proxy) with IPSec and externalTrafficPolicy=Local194# K8sDatapathServicesTest Checks E/W loadbalancing (ClusterIP, NodePort from inside cluster, etc) Tests NodePort inside cluster (kube-proxy) with the host firewall and externalTrafficPolicy=Local195- focus: "f17-datapath-service-ew-kube-proxy"196cliFocus: 'K8sDatapathServicesTest Checks E/W loadbalancing \\(ClusterIP, NodePort from inside cluster, etc\\) Tests'197
198###199# K8sDatapathBGPTests Tests LoadBalancer Connectivity to endpoint via LB200# K8sDatapathLRPTests Checks local redirect policy LRP connectivity201# K8sDatapathLRPTests Checks local redirect policy LRP restores service when removed202- focus: "f18-datapath-bgp-lrp"203cliFocus: "K8sDatapathBGPTests|K8sDatapathLRPTests"204
205###206# K8sUpdates Tests upgrade and downgrade from a Cilium stable image to master207- focus: "f19-update"208cliFocus: "K8sUpdates"209
210###211# K8sKafkaPolicyTest Kafka Policy Tests KafkaPolicies212# K8sSpecificMACAddressTests Check whether the pod is created Checks the pod's mac address213- focus: "f20-kafka"214cliFocus: "K8sKafkaPolicyTest|K8sSpecificMACAddressTests"215
216exclude:217# The bandwidth test is disabled and hubble tests are not meant218# to run on net-next.219- k8s-version: "1.29"220focus: "f10-agent-hubble-bandwidth"221
222# These tests are meant to run with kube-proxy which is not available223# with net-next224- k8s-version: "1.29"225focus: "f16-datapath-service-ew-2"226
227# These tests are meant to run with kube-proxy which is not available228# with net-next229- k8s-version: "1.29"230focus: "f17-datapath-service-ew-kube-proxy"231
232# These tests require an external node which is only available on 1.28233# / net-next so there's no point on running them234- k8s-version: "1.28"235focus: "f05-agent-policy-multi-node-2"236
237# These tests require kernel net-next so there's no point on running them238- k8s-version: "1.28"239focus: "f11-datapath-service-ns-tc"240
241- k8s-version: "1.28"242focus: "f12-datapath-service-ns-misc"243
244- k8s-version: "1.28"245focus: "f13-datapath-service-ns-xdp-1"246
247- k8s-version: "1.28"248focus: "f14-datapath-service-ns-xdp-2"249
250# These tests require an external node which is only available on 1.28251# / net-next so there's no point on running them252- k8s-version: "1.27"253focus: "f05-agent-policy-multi-node-2"254
255# These tests require kernel net-next so there's no point on running them256- k8s-version: "1.27"257focus: "f11-datapath-service-ns-tc"258
259- k8s-version: "1.27"260focus: "f12-datapath-service-ns-misc"261
262- k8s-version: "1.27"263focus: "f13-datapath-service-ns-xdp-1"264
265- k8s-version: "1.27"266focus: "f14-datapath-service-ns-xdp-2"267
268# These tests require are not intended to run on kernel 5.4, thus we can ignore them269- k8s-version: "1.26"270focus: "f01-agent-chaos"271
272- k8s-version: "1.26"273focus: "f03-agent-policy"274
275- k8s-version: "1.26"276focus: "f04-agent-policy-multi-node-1"277
278- k8s-version: "1.26"279focus: "f05-agent-policy-multi-node-2"280
281- k8s-version: "1.26"282focus: "f11-datapath-service-ns-tc"283
284- k8s-version: "1.26"285focus: "f12-datapath-service-ns-misc"286
287- k8s-version: "1.26"288focus: "f13-datapath-service-ns-xdp-1"289
290- k8s-version: "1.26"291focus: "f14-datapath-service-ns-xdp-2"292
293- k8s-version: "1.26"294focus: "f15-datapath-service-ew-1"295
296- k8s-version: "1.26"297focus: "f16-datapath-service-ew-2"298
299- k8s-version: "1.26"300focus: "f17-datapath-service-ew-kube-proxy"301
302- k8s-version: "1.26"303focus: "f18-datapath-bgp-lrp"304
305- k8s-version: "1.26"306focus: "f20-kafka"307