From c0f62fe40973d5acaebd0e6693e1bc12b41acca4 Mon Sep 17 00:00:00 2001 From: Paul Laffitte Date: Fri, 22 Nov 2024 16:01:21 +0100 Subject: [PATCH] docs: image filtering --- README.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3cb5dcb3..38f22661 100644 --- a/README.md +++ b/README.md @@ -210,6 +210,27 @@ Keep in mind that kuik will ignore pods scheduled into its own namespace or in t > [...] > Accidentally mutating or rejecting requests in the kube-system namespace may cause the control plane components to stop functioning or introduce unknown behavior. +### Image filtering + +Once pods have been filtered, you can filter images present in those pods using `.controllers.webhook.ignoredImages` and `.controllers.webhook.acceptedImages` regexps. Images matching ignored patterns will be removed from the list, and then only images matching accepted patterns (if some are defined) will be rewritten. For instance, given a list of images and a image filtering configuration: + +- `docker.io/library/nginx:stable-alpine` +- `docker.io/library/nginx:1.27` +- `nixery.dev/curl/kubectl` + +```yaml +controllers: + webhook: + ignoredImages: + - "^.+:[\\w-]*alpine[\\w-]*$" + acceptedImages: + - "^docker\\.io/.*" +``` + +Performing the "ignore" step will remove the matching `docker.io/library/nginx:stable-alpine` image. And performing the accept step will remove the not matching `nixery.dev/curl/kubectl` image. Leaving us with only the `docker.io/library/nginx:1.27` image. + +In the case of an empty `acceptedImages`, all images are accepted. In the case of an empty `ignoredImages`, none is ignored. + #### Image pull policy In the case of a container configured with `imagePullPolicy: Never`, the container will always be filtered out as it makes no sense to cache an image that would never be cached and always read from the disk. 
@@ -344,4 +365,4 @@ We use Docker Distribution in Kuik, along with the integrated garbage collection ### Images with digest -As of today, there is no way to manage container images based on a digest. The rationale behind this limitation is that a digest is an image manifest hash, and the manifest contains the registry URL associated with the image. Thus, pushing the image to another registry (our cache registry) changes its digest and as a consequence, it is no longer referenced by its original digest. Digest validation prevents from pushing a manifest with an invalid digest. Therefore, we currently ignore all images based on a digest. Those images will not be rewritten nor put into the cache to prevent kuik from malfunctioning. \ No newline at end of file +As of today, there is no way to manage container images based on a digest. The rationale behind this limitation is that a digest is an image manifest hash, and the manifest contains the registry URL associated with the image. Thus, pushing the image to another registry (our cache registry) changes its digest and as a consequence, it is no longer referenced by its original digest. Digest validation prevents from pushing a manifest with an invalid digest. Therefore, we currently ignore all images based on a digest. Those images will not be rewritten nor put into the cache to prevent kuik from malfunctioning.
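Review bot: the new "Image filtering" section (first hunk, `@@ -210,6 +210,27 @@`) never says what string the regexps are matched against: the reference exactly as written in the pod spec, or a normalized one with the registry and `library/` prefix filled in. The worked list uses fully qualified names, so a reader whose pods use the short form `nginx:1.27` cannot tell whether `"^docker\\.io/.*"` will accept them; please state this, and add that a pattern only applies to the whole reference when it is anchored with `^` and `$` (an unanchored `acceptedImages` entry matches anywhere in the string, which is easy to get wrong for an allow-list). Two smaller points on the same hunk: "given a list of images and a image filtering configuration" should read "an image filtering configuration", and the two fragments "And performing the accept step will remove the not matching `nixery.dev/curl/kubectl` image. Leaving us with only the `docker.io/library/nginx:1.27` image." would read better as one sentence, e.g. "The accept step then removes the non-matching `nixery.dev/curl/kubectl` image, leaving only `docker.io/library/nginx:1.27`." Finally, inserting a `### Image filtering` heading directly above the existing `#### Image pull policy` re-parents that subsection under image filtering; if it was meant to stay with the pod/container filtering text above, the new heading should go after it.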
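Review bot: the second hunk (`@@ -344,4 +365,4 @@`) only adds the missing trailing newline at end of file and is unrelated to the "image filtering" subject; either mention it in the commit message or split it out so the history stays readable. Since the line is rewritten anyway, it is also a good moment to fix "Digest validation prevents from pushing a manifest with an invalid digest" to "Digest validation prevents pushing a manifest with an invalid digest", and to double-check the sentence "the manifest contains the registry URL associated with the image" against the image manifest format, because that statement is the whole justification given for ignoring digest-pinned images, which then bypass the cache entirely.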