feat: predefined docker image blacklist, avoid proxing service backends, refactor

2026-04-23 08:48:32 +02:00 · 2025-03-28 08:05:23 +08:00
parent c6f65ba69f
commit 3c515b0258
6 changed files with 166 additions and 141 deletions
--- a/internal/docker/image_blacklist.go
+++ b/internal/docker/image_blacklist.go
@@ -0,0 +1,59 @@
+package docker
+
+var imageBlacklist = map[string]struct{}{
+	// pure databases without UI
+	"postgres":  {},
+	"mysql":     {},
+	"mariadb":   {},
+	"redis":     {},
+	"memcached": {},
+	"mongo":     {},
+	"rabbitmq":  {},
+	"couchdb":   {},
+	"neo4j":     {},
+	"telegraf":  {},
+
+	// search engines, usually used for internal services
+	"elasticsearch": {},
+	"meilisearch":   {},
+	"kibana":        {},
+	"solr":          {},
+}
+
+var imageBlacklistFullname = map[string]struct{}{
+	// headless browsers
+	"gcr.io/zenika-hub/alpine-chrome":      {},
+	"eu.gcr.io/zenika-hub/alpine-chrome":   {},
+	"us.gcr.io/zenika-hub/alpine-chrome":   {},
+	"asia.gcr.io/zenika-hub/alpine-chrome": {},
+
+	// image update watchers
+	"watchtower": {},
+	"getwud/wud": {},
+}
+
+var authorBlacklist = map[string]struct{}{
+	// headless browsers
+	"selenium":    {},
+	"browserless": {},
+	"zenika":      {},
+
+	"zabbix": {},
+
+	// docker
+	"moby":   {},
+	"docker": {},
+}
+
+func (image *ContainerImage) IsBlacklisted() bool {
+	_, ok := imageBlacklist[image.Name]
+	if ok {
+		return true
+	}
+	_, ok = imageBlacklistFullname[image.Author+":"+image.Name]
+	if ok {
+		return true
+	}
+	_, ok = authorBlacklist[image.Author]
+	return ok
+}