@paullaffitte Thanks for the documentation. I understand the order is similar to:

1. all pod matches by the objectSelector or all pods if the selector is empty
2. the image list is filtered with the ignored images regex
3. only the image matched the accepted images regex are kept

In practice, I want to only cache docker.io images, I should use the following:

    ignoredNamespaces: []
    ignoredImages:
      - ".+"
    acceptedImages: 
      - "^docker\\.io/.*"
    objectSelector:
      matchExpressions: []

Is that correct?

Almost, with the current ignoredImages setting you ignore all images.

@paullaffitte Indeed, thanks. How would you configure to only cache docker.io ones? In my understanding this needs currently explicit denial of the other patterns or namespace.

humm.. maybe I should add an example to the doc. I feel like it is not that easy to explain even though it is not very complicated. Something like:

Given a list of images and a image filtering configuration:

• docker.io/library/nginx:stable-alpine
• docker.io/library/nginx:1.27
• nixery.dev/curl/kubectl

controllers:
  webhook:
    ignoredImages:
      - "^.+:[\\w-]*alpine[\\w-]*$"
    acceptedImages: 
      - "^docker\\.io/.*"

Performing the "ignore" step will remove the matching docker.io/library/nginx:stable-alpine image. And performing the accept step will remove the not matching nixery.dev/curl/kubectl image. Leaving us with only the docker.io/library/nginx:1.27 image.

In the case of an empty acceptedImages, all images are accepted. In the case of an empty ignoredImages, none is ignored.

@paullaffitte Your explanation are clear. Can you precise how objectSelector.matchExpressions enter the mix?