fluxcd · squaremo · Feb 17, 2020 · Feb 17, 2020 · Feb 17, 2020 · Feb 17, 2020
diff --git a/chart/flux/README.md b/chart/flux/README.md
@@ -241,6 +241,7 @@ The following tables lists the configurable parameters of the Flux chart and the
 | `registry.cacheExpiry`                            | `None`                                               | Duration to keep cached image info (deprecated)
 | `registry.disableScanning`                        | `false`                                              | Disable registry scanning completely. Flux will be deployed without memcached
 | `registry.excludeImage`                           | `None`                                               | Do not scan images that match these glob expressions; if empty, 'k8s.gcr.io/*' images are excluded
+| `registry.includeImage`                           | `None`                                               | Scan only images that match these glob expressions; if empty, all images are included
 | `registry.useTimestampLabels`                     | `None`                                               | Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions; if empty, 'index.docker.io/{weaveworks,fluxcd}/*' images are allowed
 | `registry.ecr.region`                             | `None`                                               | Restrict ECR scanning to these AWS regions; if empty, only the cluster's region will be scanned
 | `registry.ecr.includeId`                          | `None`                                               | Restrict ECR scanning to these AWS account IDs; if empty, all account IDs that aren't excluded may be scanned

diff --git a/chart/flux/templates/deployment.yaml b/chart/flux/templates/deployment.yaml
@@ -245,6 +245,9 @@ spec:
           {{- if .Values.registry.excludeImage }}
           - --registry-exclude-image={{ .Values.registry.excludeImage }}
           {{- end }}
+          {{- if .Values.registry.includeImage }}
+          - --registry-include-image={{ .Values.registry.includeImage }}
+          {{- end }}
           {{- if .Values.registry.useTimestampLabels }}
           - --registry-use-labels={{ .Values.registry.useTimestampLabels }}
           {{- end }}

diff --git a/chart/flux/values.yaml b/chart/flux/values.yaml
@@ -155,6 +155,8 @@ registry:
   disableScanning: false
   # Do not scan images that match these glob expressions
   excludeImage:
+  # Only scan images that match these glob expressions
+  includeImage:
   # Allow usage of (RFC3339) timestamp labels from (canonical) image refs that match these glob expressions
   useTimestampLabels:
   # AWS ECR settings

diff --git a/docs/faq.md b/docs/faq.md
@@ -353,26 +353,36 @@ You can completely disable registry scanning by using the
  Memcached.
 
 
-If you only want to disable scanning for certain images, don't set
-`--registry-disable-scanning`. Instead, you can tell Flux what images to exclude
-by supplying a list of glob expressions to the `--registry-exclude-image` flag.
-
-To exclude images from Docker Hub and Quay.io, use:
+If you only want to scan certain images, don't set
+`--registry-disable-scanning`. Instead, you can tell Flux what images
+to include or exclude by supplying a list of glob expressions to the
+`--registry-include-image` and `--registry-exclude-image` flags:
+
+ * `--registry-exclude-image` takes patterns to be excluded; the
+   default is to exclude the Kubernetes base images (`k8s.gcr.io/*`);
+   and,
+ * `--registry-include-image` takes patterns to be included; no
+   patterns (the default) means "include everything". If you provide a
+   pattern, _only_ images matching the pattern will be included (less
+   any that are explicitly excluded).
+
+To restrict scanning to only images from organisations `example` and `example-dev`,
+you might use:
 
 ```
---registry-exclude-image=docker.io/*,quay.io/*
+--registry-include-image=*/example/*,*/example-dev/*
 ```
 
-Here is the Helm install equivalent (note the `\,` separator):
+To exclude images from quay.io, use:
 
 ```
---set registry.excludeImage="docker.io/*\,quay.io/*"
+--registry-exclude-image=quay.io/*
 ```
 
-To exclude images containing `test` in the FQN, use:
+Here are the Helm install equivalents (note the `\,` separator):
 
 ```
---registry-exclude-image=*test*
+--set registry.includeImage="*/example/*\,*/example-dev/*" --set registry.excludeImage="quay.io/*"
 ```
 
 ### Does Flux support Kustomize/Templating/My favorite manifest factorization technology?

diff --git a/docs/references/daemon.md b/docs/references/daemon.md
@@ -73,6 +73,7 @@ Version controlling of cluster manifests provides reproducibility and a historic
 | --registry-burst                                 | `125`                              | maximum number of warmer connections to remote and memcache
 | --registry-insecure-host                         | []                                 | registry hosts to use HTTP for (instead of HTTPS)
 | --registry-exclude-image                         | `["k8s.gcr.io/*"]`                 | do not scan images that match these glob expressions
+| --registry-include-image                         | `nil`                              | scan _only_ images that match these glob expressions (the default, `nil`, means include everything)
 | --registry-use-labels                            | `["index.docker.io/weaveworks/*", "index.docker.io/fluxcd/*"]` | use the timestamp (RFC3339) from labels for (canonical) image refs that match these glob expressions
 | --docker-config                                  | `""`                               | path to a Docker config file with default image registry credentials
 | --registry-ecr-region                            | `[]`                               | allow these AWS regions when scanning images from ECR (multiple values allowed); defaults to the detected cluster region