diff --git a/chart/flux/README.md b/chart/flux/README.md index 17403b0e8..b7c0c09ce 100755 --- a/chart/flux/README.md +++ b/chart/flux/README.md @@ -241,6 +241,7 @@ The following tables lists the configurable parameters of the Flux chart and the | `registry.cacheExpiry` | `None` | Duration to keep cached image info (deprecated) | `registry.disableScanning` | `false` | Disable registry scanning completely. Flux will be deployed without memcached | `registry.excludeImage` | `None` | Do not scan images that match these glob expressions; if empty, 'k8s.gcr.io/*' images are excluded +| `registry.includeImage` | `None` | Scan only images that match these glob expressions; if empty, all images are included | `registry.useTimestampLabels` | `None` | Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions; if empty, 'index.docker.io/{weaveworks,fluxcd}/*' images are allowed | `registry.ecr.region` | `None` | Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned | `registry.ecr.includeId` | `None` | Restrict ECR scanning to these AWS account IDs; if empty, all account IDs that aren't excluded may be scanned diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml index e262e2916..aa84f160f 100644 --- a/chart/flux/templates/deployment.yaml +++ b/chart/flux/templates/deployment.yaml @@ -245,6 +245,9 @@ spec: {{- if .Values.registry.excludeImage }} - --registry-exclude-image={{ .Values.registry.excludeImage }} {{- end }} + {{- if .Values.registry.includeImage }} + - --registry-include-image={{ .Values.registry.includeImage }} + {{- end }} {{- if .Values.registry.useTimestampLabels }} - --registry-use-labels={{ .Values.registry.useTimestampLabels }} {{- end }} diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml index 5d5a88c27..4ac489643 100644 --- a/chart/flux/values.yaml +++ b/chart/flux/values.yaml 
@@ -155,6 +155,8 @@ registry: disableScanning: false # Do not scan images that match these glob expressions excludeImage: + # Only scan images that match these glob expressions + includeImage: # Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions useTimestampLabels: # AWS ECR settings diff --git a/docs/faq.md b/docs/faq.md index fef989852..7affd90d4 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -353,26 +353,36 @@ You can completely disable registry scanning by using the Memcached. -If you only want to disable scanning for certain images, don't set -`--registry-disable-scanning`. Instead, you can tell Flux what images to exclude -by supplying a list of glob expressions to the `--registry-exclude-image` flag. - -To exclude images from Docker Hub and Quay.io, use: +If you only want to scan certain images, don't set +`--registry-disable-scanning`. Instead, you can tell Flux what images +to include or exclude by supplying a list of glob expressions to the +`--registry-include-image` and `--registry-exclude-image` flags: + + * `--registry-exclude-image` takes patterns to be excluded; the + default is to exclude the Kubernetes base images (`k8s.gcr.io/*`); + and, + * `--registry-include-image` takes patterns to be included; no + patterns (the default) means "include everything". If you provide a + pattern, _only_ images matching the pattern will be included (less + any that are explicitly excluded). + +To restrict scanning to only images from organisations `example` and `example-dev`, +you might use: ``` ---registry-exclude-image=docker.io/*,quay.io/* +--registry-include-image=*/example/*,*/example-dev/* ``` -Here is the Helm install equivalent (note the `\,` separator): +To exclude images from quay.io, use: ``` ---set registry.excludeImage="docker.io/*\,quay.io/*" +--registry-exclude-image=quay.io/* ``` -To exclude images containing `test` in the FQN, use: +Here are the Helm install equivalents (note the `\,` separator): ``` ---registry-exclude-image=*test* +--set registry.includeImage="*/example/*\,*/example-dev/*" --set registry.excludeImage="quay.io/*" ``` ### Does Flux support Kustomize/Templating/My favorite manifest factorization technology? diff --git a/docs/references/daemon.md b/docs/references/daemon.md index 104ecc691..cc7e67e63 100644 --- a/docs/references/daemon.md +++ b/docs/references/daemon.md 
@@ -73,6 +73,7 @@ Version controlling of cluster manifests provides reproducibility and a historic | --registry-burst | `125` | maximum number of warmer connections to remote and memcache | --registry-insecure-host | [] | registry hosts to use HTTP for (instead of HTTPS) | --registry-exclude-image | `["k8s.gcr.io/*"]` | do not scan images that match these glob expressions +| --registry-include-image | `nil` | scan _only_ images that match these glob expressions (the default, `nil`, means include everything) | --registry-use-labels | `["index.docker.io/weaveworks/*", "index.docker.io/fluxcd/*"]` | use the timestamp (RFC3339) from labels for (canonical) image refs that match these glob expressions | --docker-config | `""` | path to a Docker config file with default image registry credentials | --registry-ecr-region | `[]` | allow these AWS regions when scanning images from ECR (multiple values allowed); defaults to the detected cluster region
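Review bot: in the chart/flux/README.md hunk, the new `registry.includeImage` row does not say how it combines with `registry.excludeImage`, while the docs/faq.md hunk in this same patch states that explicit exclusions still apply to whatever the include patterns match. Suggest aligning the row with the FAQ, e.g. `Scan only images that match these glob expressions (less any matched by registry.excludeImage); if empty, all images are included`, so an operator reading only the chart table does not assume a matching include pattern overrides the default `k8s.gcr.io/*` exclusion.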
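Review bot: the chart/flux/templates/deployment.yaml hunk adds the `--registry-include-image` argument with the same `{{- if }}` guard and unquoted interpolation as the existing `--registry-exclude-image` line, but the patch carries no template test. Suggest a chart rendering check covering both cases the docs promise: `includeImage` unset or empty renders no flag at all (the "include everything" default), and a value such as the FAQ's `*/example/*,*/example-dev/*` renders as a single `- --registry-include-image=...` list item, since a leading `*` is only safe here because the YAML scalar begins with `--`.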
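Review bot: in the chart/flux/values.yaml hunk, the comment `# Only scan images that match these glob expressions` above the empty `includeImage:` key could be read as "an empty list scans nothing", which is the opposite of the behaviour the README and daemon reference hunks document. Suggest mirroring the README wording in the comment, e.g. `# Only scan images that match these glob expressions; if empty, all images are scanned`, so the values file is self-explanatory without the table.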
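Review bot: in the docs/faq.md hunk, the precedence rule is stated only parenthetically ("less any that are explicitly excluded"); suggest a direct sentence such as "an image that matches both an include and an exclude pattern is not scanned", because this is the property an operator relies on when narrowing scanning. Two further documentation gaps in the same hunk: the example `*/example/*` presumes the pattern is matched against a ref that carries a registry host prefix, and the FAQ does not say whether include/exclude patterns are applied to the canonical image ref the way the `--registry-use-labels` row describes; and, since scanning is what drives Flux's automated image updates, the text should state plainly that images outside the include patterns will no longer be checked for new tags, so teams should confirm their automated workloads still match before tightening the list.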
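Review bot: in the docs/references/daemon.md hunk, the new row shows the default as `nil` whereas the neighbouring list-valued flags show `[]` (`--registry-insecure-host`, `--registry-ecr-region`) or a literal list (`--registry-exclude-image`). Suggest `[]` for consistency, keeping the explanatory clause "(the default means include everything)", unless an empty list and an unset flag behave differently on the daemon side, in which case that difference is the thing to document.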