diff --git a/definitions/install.yaml b/definitions/install.yaml index 6b979d87c4..b0f528a9c0 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -34,45 +34,90 @@ spec: type: object required: - name - - resource + - match properties: name: type: string - resource: + match: type: object required: - - kinds + - resources properties: - kinds: - type: array - items: - type: string - name: - type: string - namespace: - type: string - selector: + resources: + type: object + required: + - kinds properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: + kinds: type: array items: - type: object - required: - - key - - operator - properties: - key: + type: string + name: + type: string + namespace: + type: string + selector: + properties: + matchLabels: + type: object + additionalProperties: type: string - operator: + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + exclude: + type: object + required: + - resources + properties: + resources: + type: object + required: + - kinds + properties: + kinds: + type: array + items: + type: string + name: + type: string + namespace: + type: string + selector: + properties: + matchLabels: + type: object + additionalProperties: type: string - values: - type: array - items: - type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string mutate: type: object properties: diff --git a/pkg/apis/policy/v1alpha1/types.go b/pkg/apis/policy/v1alpha1/types.go index 9842d2c929..c68326dacd 100644 --- a/pkg/apis/policy/v1alpha1/types.go +++ b/pkg/apis/policy/v1alpha1/types.go @@ -25,11 +25,22 @@ type Spec struct { // Rule is set of mutation, validation and generation actions // for the single resource description type Rule struct { - Name string `json:"name"` - ResourceDescription `json:"resource"` - Mutation *Mutation `json:"mutate"` - Validation *Validation `json:"validate"` - Generation *Generation `json:"generate"` + Name string `json:"name"` + MatchResources MatchResources `json:"match"` + ExcludeResources ExcludeResources `json:"exclude,omitempty"` + Mutation *Mutation `json:"mutate"` + Validation *Validation `json:"validate"` + Generation *Generation `json:"generate"` +} + +//MatchResources contains resource description of the resources that the rule is to apply on +type MatchResources struct { + ResourceDescription `json:"resources"` +} + +//ExcludeResources container resource description of the resources that are to be excluded from the applying the policy rule +type ExcludeResources struct { + ResourceDescription `json:"resources"` } // ResourceDescription describes the resource to which the PolicyRule will be applied. diff --git a/pkg/apis/policy/v1alpha1/utils.go b/pkg/apis/policy/v1alpha1/utils.go index 0c2c8fa00e..5ae5e8cb07 100644 --- a/pkg/apis/policy/v1alpha1/utils.go +++ b/pkg/apis/policy/v1alpha1/utils.go @@ -9,7 +9,8 @@ import ( // Validate checks if rule is not empty and all substructures are valid func (r *Rule) Validate() error { - err := r.ResourceDescription.Validate() + // check matches Resoource Description of match resource + err := r.MatchResources.ResourceDescription.Validate() if err != nil { return err } diff --git a/pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go index 627535f830..2b2015a3c1 100644 --- a/pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go @@ -41,6 +41,23 @@ func (in *CloneFrom) DeepCopy() *CloneFrom { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExcludeResources) DeepCopyInto(out *ExcludeResources) { + *out = *in + in.ResourceDescription.DeepCopyInto(&out.ResourceDescription) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludeResources. +func (in *ExcludeResources) DeepCopy() *ExcludeResources { + if in == nil { + return nil + } + out := new(ExcludeResources) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FailedRule) DeepCopyInto(out *FailedRule) { *out = *in @@ -67,6 +84,23 @@ func (in *Generation) DeepCopy() *Generation { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MatchResources) DeepCopyInto(out *MatchResources) { + *out = *in + in.ResourceDescription.DeepCopyInto(&out.ResourceDescription) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources. +func (in *MatchResources) DeepCopy() *MatchResources { + if in == nil { + return nil + } + out := new(MatchResources) + in.DeepCopyInto(out) + return out +} + // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Mutation. func (in *Mutation) DeepCopy() *Mutation { if in == nil { @@ -177,7 +211,8 @@ func (in *ResourceDescription) DeepCopy() *ResourceDescription { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Rule) DeepCopyInto(out *Rule) { *out = *in - in.ResourceDescription.DeepCopyInto(&out.ResourceDescription) + in.MatchResources.DeepCopyInto(&out.MatchResources) + in.ExcludeResources.DeepCopyInto(&out.ExcludeResources) if in.Mutation != nil { in, out := &in.Mutation, &out.Mutation *out = (*in).DeepCopy() diff --git a/pkg/controller/cleanup.go b/pkg/controller/cleanup.go index 9d42fbc136..f78706321f 100644 --- a/pkg/controller/cleanup.go +++ b/pkg/controller/cleanup.go @@ -2,11 +2,10 @@ package controller import ( "github.com/golang/glog" - "github.com/minio/minio/pkg/wildcard" "github.com/nirmata/kyverno/pkg/annotations" v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1" client "github.com/nirmata/kyverno/pkg/dclient" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "github.com/nirmata/kyverno/pkg/engine" "k8s.io/apimachinery/pkg/runtime" ) @@ -24,43 +23,44 @@ func cleanAnnotations(client *client.Client, obj interface{}) { } // Get the resources that apply to the policy // key uid - resourceMap := map[string]unstructured.Unstructured{} - for _, rule := range policy.Spec.Rules { - for _, k := range rule.Kinds { - if k == "Namespace" { - continue - } - // kind -> resource - gvr := client.DiscoveryClient.GetGVRFromKind(k) - // label selectors - // namespace ? should it be default or allow policy to specify it - namespace := "default" - if rule.ResourceDescription.Namespace != nil { - namespace = *rule.ResourceDescription.Namespace - } - list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector) - if err != nil { - glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String()) - glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err) - continue - } - for _, res := range list.Items { - name := rule.ResourceDescription.Name - if name != nil { - // wild card matching - if !wildcard.Match(*name, res.GetName()) { - continue - } - } - resourceMap[string(res.GetUID())] = res - } - } - } + resourceMap := engine.ListResourcesThatApplyToPolicy(client, &policy) + // for _, rule := range policy.Spec.Rules { + // for _, k := range rule.Kinds { + // if k == "Namespace" { + // continue + // } + // // kind -> resource + // gvr := client.DiscoveryClient.GetGVRFromKind(k) + // // label selectors + // // namespace ? should it be default or allow policy to specify it + // namespace := "default" + // if rule.ResourceDescription.Namespace != nil { + // namespace = *rule.ResourceDescription.Namespace + // } + // list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector) + // if err != nil { + // glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String()) + // glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err) + // continue + // } + // for _, res := range list.Items { + // name := rule.ResourceDescription.Name + // if name != nil { + // // wild card matching + // if !wildcard.Match(*name, res.GetName()) { + // continue + // } + // } + // resourceMap[string(res.GetUID())] = res + // } + // } + // } // remove annotations for the resources for _, obj := range resourceMap { // get annotations - ann := obj.GetAnnotations() + + ann := obj.Resource.GetAnnotations() _, patch, err := annotations.RemovePolicyJSONPatch(ann, annotations.BuildKey(policy.Name)) if err != nil { @@ -68,7 +68,7 @@ func cleanAnnotations(client *client.Client, obj interface{}) { continue } // patch the resource - _, err = client.PatchResource(obj.GetKind(), obj.GetNamespace(), obj.GetName(), patch) + _, err = client.PatchResource(obj.Resource.GetKind(), obj.Resource.GetNamespace(), obj.Resource.GetName(), patch) if err != nil { glog.Error(err) continue diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go index 82cc53d462..b077282082 100644 --- a/pkg/engine/engine.go +++ b/pkg/engine/engine.go @@ -8,44 +8,80 @@ import ( client "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/info" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + v1helper "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" ) -// ProcessExisting checks for mutation and validation violations of existing resources -func ProcessExisting(client *client.Client, policy *types.Policy) []*info.PolicyInfo { - glog.Infof("Applying policy %s on existing resources", policy.Name) +func ListResourcesThatApplyToPolicy(client *client.Client, policy *types.Policy) map[string]resourceInfo { // key uid resourceMap := map[string]resourceInfo{} - for _, rule := range policy.Spec.Rules { - for _, k := range rule.Kinds { + // Match + for _, k := range rule.MatchResources.Kinds { // kind -> resource gvr := client.DiscoveryClient.GetGVRFromKind(k) - // label selectors - // namespace ? should it be default or allow policy to specify it + // Namespace namespace := "default" - if rule.ResourceDescription.Namespace != nil { - namespace = *rule.ResourceDescription.Namespace + if rule.MatchResources.Namespace != nil { + namespace = *rule.MatchResources.Namespace } if k == "Namespace" { namespace = "" } + // Check if exclude namespace is not clashing + if rule.ExcludeResources.Namespace != nil && *rule.ExcludeResources.Namespace == namespace { + // as the namespace is excluded + continue + } - list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector) + // List resources + list, err := client.ListResource(k, namespace, rule.MatchResources.Selector) if err != nil { - glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String()) + glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.MatchResources.Selector.String()) glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err) continue } + var selector labels.Selector + // exclude label selector + if rule.ExcludeResources.Selector != nil { + selector, err = v1helper.LabelSelectorAsSelector(rule.ExcludeResources.Selector) + if err != nil { + glog.Error(err) + } + } for _, res := range list.Items { - name := rule.ResourceDescription.Name - gvk := res.GroupVersionKind() + // exclude label selectors + if selector != nil { + set := labels.Set(res.GetLabels()) + if selector.Matches(set) { + // if matches + continue + } + } + var name *string + // match + // name + // wild card matching + name = rule.MatchResources.Name if name != nil { - // wild card matching + // if does not match then we skip if !wildcard.Match(*name, res.GetName()) { continue } } - ri := resourceInfo{resource: res, gvk: &metav1.GroupVersionKind{Group: gvk.Group, + // exclude + // name + // wild card matching + name = rule.ExcludeResources.Name + if name != nil { + // if matches then we skip + if wildcard.Match(*name, res.GetName()) { + continue + } + } + gvk := res.GroupVersionKind() + + ri := resourceInfo{Resource: res, Gvk: &metav1.GroupVersionKind{Group: gvk.Group, Version: gvk.Version, Kind: gvk.Kind}} @@ -54,13 +90,60 @@ func ProcessExisting(client *client.Client, policy *types.Policy) []*info.Policy } } } + return resourceMap +} + +// ProcessExisting checks for mutation and validation violations of existing resources +func ProcessExisting(client *client.Client, policy *types.Policy) []*info.PolicyInfo { + glog.Infof("Applying policy %s on existing resources", policy.Name) + // key uid + resourceMap := ListResourcesThatApplyToPolicy(client, policy) + + // for _, rule := range policy.Spec.Rules { + // for _, k := range rule.Kinds { + // // kind -> resource + // gvr := client.DiscoveryClient.GetGVRFromKind(k) + // // label selectors + // // namespace ? should it be default or allow policy to specify it + // namespace := "default" + // if rule.ResourceDescription.Namespace != nil { + // namespace = *rule.ResourceDescription.Namespace + // } + // if k == "Namespace" { + // namespace = "" + // } + + // list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector) + // if err != nil { + // glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String()) + // glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err) + // continue + // } + // for _, res := range list.Items { + // name := rule.ResourceDescription.Name + // gvk := res.GroupVersionKind() + // if name != nil { + // // wild card matching + // if !wildcard.Match(*name, res.GetName()) { + // continue + // } + // } + // ri := resourceInfo{resource: res, gvk: &metav1.GroupVersionKind{Group: gvk.Group, + // Version: gvk.Version, + // Kind: gvk.Kind}} + + // resourceMap[string(res.GetUID())] = ri + + // } + // } + // } policyInfos := []*info.PolicyInfo{} // for the filtered resource apply policy for _, v := range resourceMap { policyInfo, err := applyPolicy(client, policy, v) if err != nil { - glog.Errorf("unable to apply policy %s on resource %s/%s", policy.Name, v.resource.GetName(), v.resource.GetNamespace()) + glog.Errorf("unable to apply policy %s on resource %s/%s", policy.Name, v.Resource.GetName(), v.Resource.GetNamespace()) glog.Error(err) continue } @@ -71,28 +154,28 @@ func ProcessExisting(client *client.Client, policy *types.Policy) []*info.Policy } func applyPolicy(client *client.Client, policy *types.Policy, res resourceInfo) (*info.PolicyInfo, error) { - policyInfo := info.NewPolicyInfo(policy.Name, res.gvk.Kind, res.resource.GetName(), res.resource.GetNamespace(), policy.Spec.ValidationFailureAction) + policyInfo := info.NewPolicyInfo(policy.Name, res.Gvk.Kind, res.Resource.GetName(), res.Resource.GetNamespace(), policy.Spec.ValidationFailureAction) glog.Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules)) - rawResource, err := res.resource.MarshalJSON() + rawResource, err := res.Resource.MarshalJSON() if err != nil { return nil, err } // Mutate - mruleInfos, err := mutation(policy, rawResource, res.gvk) + mruleInfos, err := mutation(policy, rawResource, res.Gvk) policyInfo.AddRuleInfos(mruleInfos) if err != nil { return nil, err } // Validation - vruleInfos, err := Validate(*policy, rawResource, *res.gvk) + vruleInfos, err := Validate(*policy, rawResource, *res.Gvk) policyInfo.AddRuleInfos(vruleInfos) if err != nil { return nil, err } - if res.gvk.Kind == "Namespace" { + if res.Gvk.Kind == "Namespace" { // Generation - gruleInfos := GenerateNew(client, policy, res.resource) + gruleInfos := GenerateNew(client, policy, res.Resource) policyInfo.AddRuleInfos(gruleInfos) } diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 55dffe66db..a0531a8909 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -21,7 +21,7 @@ func Generate(client *client.Client, policy kubepolicy.Policy, rawResource []byt ri := info.NewRuleInfo(rule.Name, info.Generation) - ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk) + ok := ResourceMeetsDescription(rawResource, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, gvk) if !ok { glog.Infof("Rule is not applicable to the request: rule name = %s in policy %s \n", rule.Name, policy.ObjectMeta.Name) continue diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 2721a4746e..a6ecebf635 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -19,7 +19,7 @@ func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersio } ri := info.NewRuleInfo(rule.Name, info.Mutation) - ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk) + ok := ResourceMeetsDescription(rawResource, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, gvk) if !ok { glog.V(3).Infof("Not applicable on specified resource kind%s", gvk.Kind) continue diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 265ec93118..ba1a7716f6 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -6,8 +6,10 @@ import ( "strconv" "strings" + "github.com/golang/glog" + "github.com/minio/minio/pkg/wildcard" - kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1" + v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -15,8 +17,8 @@ import ( ) // ResourceMeetsDescription checks requests kind, name and labels to fit the policy rule -func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) bool { - if !findKind(description.Kinds, gvk.Kind) { +func ResourceMeetsDescription(resourceRaw []byte, matches v1alpha1.ResourceDescription, exclude v1alpha1.ResourceDescription, gvk metav1.GroupVersionKind) bool { + if !findKind(matches.Kinds, gvk.Kind) { return false } @@ -25,31 +27,53 @@ func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.Resourc name := ParseNameFromObject(resourceRaw) namespace := ParseNamespaceFromObject(resourceRaw) - if description.Name != nil { - - if !wildcard.Match(*description.Name, name) { + if matches.Name != nil { + // Matches + if !wildcard.Match(*matches.Name, name) { return false } + // Exclude + // the resource name matches the exclude resource name then reject + if exclude.Name != nil { + if wildcard.Match(*exclude.Name, name) { + return false + } + } } - - if description.Namespace != nil && *description.Namespace != namespace { + // Matches + if matches.Namespace != nil && *matches.Namespace != namespace { return false } - - if description.Selector != nil { - selector, err := metav1.LabelSelectorAsSelector(description.Selector) - + // Exclude + if exclude.Namespace != nil && *exclude.Namespace == namespace { + return false + } + // Matches + if matches.Selector != nil { + selector, err := metav1.LabelSelectorAsSelector(matches.Selector) if err != nil { + glog.Error(err) return false } - labelMap := parseLabelsFromMetadata(meta) - if !selector.Matches(labelMap) { return false } - } + // Exclude + if exclude.Selector != nil { + selector, err := metav1.LabelSelectorAsSelector(exclude.Selector) + // if the label selector is incorrect, should be fail or + if err != nil { + glog.Error(err) + return false + } + labelMap := parseLabelsFromMetadata(meta) + if selector.Matches(labelMap) { + return false + } + } + } return true } @@ -253,6 +277,6 @@ func convertToFloat(value interface{}) (float64, error) { } type resourceInfo struct { - resource unstructured.Unstructured - gvk *metav1.GroupVersionKind + Resource unstructured.Unstructured + Gvk *metav1.GroupVersionKind } diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 8bc2df366b..92a98e2451 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -32,7 +32,7 @@ func Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVers } ri := info.NewRuleInfo(rule.Name, info.Validation) - ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk) + ok := ResourceMeetsDescription(rawResource, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, gvk) if !ok { glog.V(3).Infof("Not applicable on specified resource kind%s", gvk.Kind) continue diff --git a/pkg/gencontroller/generation.go b/pkg/gencontroller/generation.go index a0adf99cc6..8e212c389e 100644 --- a/pkg/gencontroller/generation.go +++ b/pkg/gencontroller/generation.go @@ -14,6 +14,7 @@ import ( "github.com/nirmata/kyverno/pkg/info" violation "github.com/nirmata/kyverno/pkg/violation" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" ) @@ -44,7 +45,15 @@ func (c *Controller) listPolicies(ns *corev1.Namespace) ([]*v1alpha1.Policy, err for _, r := range p.Spec.Rules { if r.Generation != nil { // Check if the resource meets the description - if namespaceMeetsRuleDescription(ns, r.ResourceDescription) { + data, err := ns.Marshal() + if err != nil { + glog.Error(err) + continue + } + // convert types of GVK + nsGvk := ns.GroupVersionKind() + gvk := metav1.GroupVersionKind{Group: nsGvk.Group, Kind: nsGvk.Kind, Version: nsGvk.Version} + if engine.ResourceMeetsDescription(data, r.MatchResources.ResourceDescription, r.ExcludeResources.ResourceDescription, gvk) { fpolicies = append(fpolicies, p) break } diff --git a/pkg/webhooks/deleteresource.go b/pkg/webhooks/deleteresource.go index eb39e6df36..e1a5bfcb35 100644 --- a/pkg/webhooks/deleteresource.go +++ b/pkg/webhooks/deleteresource.go @@ -26,7 +26,7 @@ func (ws *WebhookServer) removePolicyViolation(request *v1beta1.AdmissionRequest rkind := request.Kind.Kind // check if the resource meets the policy Resource description for _, rule := range policy.Spec.Rules { - ok := engine.ResourceMeetsDescription(request.Object.Raw, rule.ResourceDescription, request.Kind) + ok := engine.ResourceMeetsDescription(request.Object.Raw, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, request.Kind) if ok { // Check if the policy has a violation for this resource err := ws.violationBuilder.ResourceRemoval(policy.Name, rkind, rns, rname) diff --git a/pkg/webhooks/utils.go b/pkg/webhooks/utils.go index f3ac818f58..83ca8944d7 100644 --- a/pkg/webhooks/utils.go +++ b/pkg/webhooks/utils.go @@ -77,10 +77,18 @@ func getApplicableKindsForPolicy(p *v1alpha1.Policy) []string { kindsMap := map[string]interface{}{} kinds := []string{} // iterate over the rules an identify all kinds + // Matching for _, rule := range p.Spec.Rules { - for _, k := range rule.ResourceDescription.Kinds { + for _, k := range rule.MatchResources.Kinds { kindsMap[k] = nil } + // remove excluded ones + for _, k := range rule.ExcludeResources.Kinds { + if _, ok := kindsMap[k]; ok { + // delete kind + delete(kindsMap, k) + } + } } // get the kinds