fluxcd · squaremo · Feb 17, 2020 · Feb 17, 2020 · Feb 17, 2020 · Feb 17, 2020
diff --git a/chart/flux/README.md b/chart/flux/README.md
@@ -241,6 +241,7 @@ The following tables lists the configurable parameters of the Flux chart and the
 | `registry.cacheExpiry`                            | `None`                                               | Duration to keep cached image info (deprecated)
 | `registry.disableScanning`                        | `false`                                              | Disable registry scanning completely. Flux will be deployed without memcached
 | `registry.excludeImage`                           | `None`                                               | Do not scan images that match these glob expressions; if empty, 'k8s.gcr.io/*' images are excluded
+| `registry.includeImage`                           | `None`                                               | Scan only images that match these glob expressions; if empty, all images are included
 | `registry.useTimestampLabels`                     | `None`                                               | Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions; if empty, 'index.docker.io/{weaveworks,fluxcd}/*' images are allowed
 | `registry.ecr.region`                             | `None`                                               | Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned
 | `registry.ecr.includeId`                          | `None`                                               | Restrict ECR scanning to these AWS account IDs; if empty, all account IDs that aren't excluded may be scanned

diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml
@@ -245,6 +245,9 @@ spec:
           {{- if .Values.registry.excludeImage }}
           - --registry-exclude-image={{ .Values.registry.excludeImage }}
           {{- end }}
+          {{- if .Values.registry.includeImage }}
+          - --registry-include-image={{ .Values.registry.includeImage }}
+          {{- end }}
           {{- if .Values.registry.useTimestampLabels }}
           - --registry-use-labels={{ .Values.registry.useTimestampLabels }}
           {{- end }}

diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml
@@ -155,6 +155,8 @@ registry:
   disableScanning: false
   # Do not scan images that match these glob expressions
   excludeImage:
+  # Only scan images that match these glob expressions
+  includeImage:
   # Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions
   useTimestampLabels:
   # AWS ECR settings

diff --git a/docs/faq.md b/docs/faq.md
@@ -354,10 +354,25 @@ You can completely disable registry scanning by using the
 
 
 If you only want to disable scanning for certain images, don't set
-`--registry-disable-scanning`. Instead, you can tell Flux what images to exclude
-by supplying a list of glob expressions to the `--registry-exclude-image` flag.
+`--registry-disable-scanning`. Instead, you can tell Flux what images
+to include or exclude by supplying a list of glob expressions to the
+`--registry-include-image` and `--registry-exclude-image` flags.
 
-To exclude images from Docker Hub and Quay.io, use:
+ * `--registry-include-image` takes patterns to be included; no values
+   (the default) means "include everything". If you provide a pattern,
+   _only_ images matching the pattern will be included (less any that
+   are explicitly excluded); and,
+ * `--registry-exclude-image` takes patterns to be excludes; the
+   default is to exclude the Kubernetes base images (`k8s.gcr.io/*`).
+
+To include only images from Docker Hub organisation `exampledotcom`,
+use:
+
+```
+--registry-include-image=docker.io/exampledotcom/*
+```
+
+To **exclude** images from Docker Hub and Quay.io, use:
 
 ```
 --registry-exclude-image=docker.io/*,quay.io/*
@@ -369,6 +384,12 @@ Here is the Helm install equivalent (note the `\,` separator):
 --set registry.excludeImage="docker.io/*\,quay.io/*"
 ```
 
+... and similarly for `--registry-include-image`:
+
+```
+--set registry.includeImage="docker.io/exampledotcom/*"
+```
+
 To exclude images containing `test` in the FQN, use:
 
 ```

diff --git a/docs/references/daemon.md b/docs/references/daemon.md
@@ -73,6 +73,7 @@ Version controlling of cluster manifests provides reproducibility and a historic
 | --registry-burst                                 | `125`                              | maximum number of warmer connections to remote and memcache
 | --registry-insecure-host                         | []                                 | registry hosts to use HTTP for (instead of HTTPS)
 | --registry-exclude-image                         | `["k8s.gcr.io/*"]`                 | do not scan images that match these glob expressions
+| --registry-include-image                         | `nil`                              | scan _only_ images that match these glob expressions (the default, `nil`, means include everything)
 | --registry-use-labels                            | `["index.docker.io/weaveworks/*", "index.docker.io/fluxcd/*"]` | use the timestamp (RFC3339) from labels for (canonical) image refs that match these glob expressions
 | --docker-config                                  | `""`                               | path to a Docker config file with default image registry credentials
 | --registry-ecr-region                            | `[]`                               | allow these AWS regions when scanning images from ECR (multiple values allowed); defaults to the detected cluster region