docs: image filtering #441

Open
wants to merge 1 commit into
base: main

plaffitt
Contributor

What do you think @zifeo? Is it clearer?

closes #440

zifeo commented Nov 22, 2024

@paullaffitte Thanks for the documentation. I understand the order is similar to:

  1. all pods matched by the objectSelector, or all pods if the selector is empty
  2. the image list is filtered with the ignored images regex
  3. only the images matching the accepted images regex are kept

In practice, if I want to only cache docker.io images, I should use the following:

    ignoredNamespaces: []
    ignoredImages:
      - ".+"
    acceptedImages: 
      - "^docker\\.io/.*"
    objectSelector:
      matchExpressions: []

Is that correct?

@plaffitt
Contributor Author

Almost, with the current ignoredImages setting you ignore all images.

zifeo commented Nov 27, 2024

@paullaffitte Indeed, thanks. How would you configure it to only cache docker.io ones? In my understanding this currently needs explicit denial of the other patterns or namespace.

@plaffitt
Contributor Author

Hmm... maybe I should add an example to the doc. I feel like it is not that easy to explain even though it is not very complicated. Something like:


Given a list of images and an image filtering configuration:

  • docker.io/library/nginx:stable-alpine
  • docker.io/library/nginx:1.27
  • nixery.dev/curl/kubectl

    controllers:
      webhook:
        ignoredImages:
          - "^.+:[\\w-]*alpine[\\w-]*$"
        acceptedImages:
          - "^docker\\.io/.*"

Performing the "ignore" step will remove the matching docker.io/library/nginx:stable-alpine image, and performing the "accept" step will remove the non-matching nixery.dev/curl/kubectl image, leaving us with only the docker.io/library/nginx:1.27 image.

In the case of an empty acceptedImages, all images are accepted. In the case of an empty ignoredImages, none is ignored.
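
The two filtering steps described in the comment above, modelled in Go as an added example (it is not part of the thread and not kuik's own code). `filterImages` and `matchesAny` are hypothetical names and unanchored Go `regexp` matching is an assumption; besides the comment's example, it runs the `.+` ignore list from earlier in the thread and a configuration with an empty ignore list.

```go
package main

import (
	"fmt"
	"regexp"
)

// matchesAny reports whether s matches at least one pattern (assumed: Go RE2, unanchored).
func matchesAny(patterns []string, s string) bool {
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(s) {
			return true
		}
	}
	return false
}

// filterImages is a hypothetical helper, not kuik's code. It applies the two
// steps in the order described in the thread: ignore first, then accept.
func filterImages(images, ignored, accepted []string) []string {
	kept := []string{}
	for _, img := range images {
		if matchesAny(ignored, img) {
			continue // ignore step: an empty list ignores nothing
		}
		if len(accepted) > 0 && !matchesAny(accepted, img) {
			continue // accept step: an empty list accepts everything
		}
		kept = append(kept, img)
	}
	return kept
}

// Image list and patterns taken from the thread.
var (
	sampleImages = []string{
		"docker.io/library/nginx:stable-alpine",
		"docker.io/library/nginx:1.27",
		"nixery.dev/curl/kubectl",
	}
	alpine     = []string{`^.+:[\w-]*alpine[\w-]*$`}
	dockerOnly = []string{`^docker\.io/.*`}
)

func main() {
	fmt.Println(filterImages(sampleImages, alpine, dockerOnly))         // example from the thread
	fmt.Println(filterImages(sampleImages, []string{".+"}, dockerOnly)) // ".+" ignores every image
	fmt.Println(filterImages(sampleImages, nil, dockerOnly))            // keeps only docker.io images
}
```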

zifeo commented Nov 29, 2024

@paullaffitte Your explanations are clear. Can you clarify how objectSelector.matchExpressions enters the mix? Support for negating in the regex would also be beneficial; it is currently not supported.

@plaffitt
Contributor Author

plaffitt commented Dec 3, 2024

From the documentation:

  • Finally, kuik will only work on pods matching a specific selector. By default, the selector is empty, which means "match all the pods". The selector can be set with the Helm value controllers.webhook.objectSelector.matchExpressions.

This logic isn't implemented by the kuik controllers or webhook directly, but through Kubernetes' standard webhook object selectors. In other words, these parameters end up in the MutatingWebhookConfiguration template to filter which pods get presented to kuik's webhook.

Why do you want to negate in the regex? You can already do it by using either ignoredImages or acceptedImages.

zifeo commented Dec 3, 2024

@plaffitt Sorted out what was bugging me: the accept image feature is only available since the last Helm release, and the lack of coherence messed with my global understanding. This should be enough to complete my doc request.

Successfully merging this pull request may close these issues.

Document the precedence of image selectors