jetstack · achuchev · Jan 12, 2026 · Jan 21, 2026 · Jan 21, 2026 · Jan 21, 2026
diff --git a/deploy/charts/disco-agent/templates/configmap.yaml b/deploy/charts/disco-agent/templates/configmap.yaml
@@ -107,3 +107,11 @@ data:
         resource-type:
           version: v1
           resource: pods
+    - kind: k8s-dynamic
+      name: ark/configmaps
+      include-resources-by-labels:
+        conjur.org/name: "conjur-connect-configmap"
+      config:
+        resource-type:
+          version: v1
+          resource: configmaps
diff --git a/deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap b/deploy/charts/disco-agent/tests/__snapshot__/configmap_test.yaml.snap
@@ -95,6 +95,12 @@ custom-cluster-description:
             resource-type:
               version: v1
               resource: pods
+        - kind: k8s-dynamic
+          name: ark/configmaps
+          config:
+            resource-type:
+              version: v1
+              resource: configmaps
     kind: ConfigMap
     metadata:
       labels:
@@ -202,6 +208,12 @@ custom-cluster-name:
             resource-type:
               version: v1
               resource: pods
+        - kind: k8s-dynamic
+          name: ark/configmaps
+          config:
+            resource-type:
+              version: v1
+              resource: configmaps
     kind: ConfigMap
     metadata:
       labels:
@@ -309,6 +321,12 @@ custom-period:
             resource-type:
               version: v1
               resource: pods
+        - kind: k8s-dynamic
+          name: ark/configmaps
+          config:
+            resource-type:
+              version: v1
+              resource: configmaps
     kind: ConfigMap
     metadata:
       labels:
@@ -416,6 +434,12 @@ defaults:
             resource-type:
               version: v1
               resource: pods
+        - kind: k8s-dynamic
+          name: ark/configmaps
+          config:
+            resource-type:
+              version: v1
+              resource: configmaps
     kind: ConfigMap
     metadata:
       labels:

diff --git a/examples/machinehub.yaml b/examples/machinehub.yaml
@@ -125,3 +125,11 @@ data-gatherers:
     resource-type:
       version: v1
       resource: pods
+
+# Gather Kubernetes configmaps
+- name: ark/configmaps
+  kind: "k8s-dynamic"
+  config:
+    resource-type:
+      version: v1
+      resource: configmaps
diff --git a/examples/machinehub/input.json b/examples/machinehub/input.json
@@ -118,6 +118,12 @@
             "items": []
         }
     },
+    {
+        "data-gatherer": "ark/configmaps",
+        "data": {
+            "items": []
+        }
+    },
     {
         "data-gatherer": "ark/serviceaccounts",
         "data": {

diff --git a/internal/cyberark/dataupload/dataupload.go b/internal/cyberark/dataupload/dataupload.go
@@ -82,6 +82,8 @@ type Snapshot struct {
 	Daemonsets []runtime.Object `json:"daemonsets"`
 	// Pods is a list of Pod resources in the cluster.
 	Pods []runtime.Object `json:"pods"`
+	// ConfigMaps is a list of ConfigMap resources in the cluster.
+	ConfigMaps []runtime.Object `json:"configmaps"`
 }
 
 // PutSnapshot PUTs the supplied snapshot to an [AWS presigned URL] which it obtains via the CyberArk inventory API.

diff --git a/pkg/client/client_cyberark.go b/pkg/client/client_cyberark.go
@@ -186,6 +186,9 @@ var defaultExtractorFunctions = map[string]func(*api.DataReading, *dataupload.Sn
 	"ark/pods": func(r *api.DataReading, s *dataupload.Snapshot) error {
 		return extractResourceListFromReading(r, &s.Pods)
 	},
+	"ark/configmaps": func(r *api.DataReading, s *dataupload.Snapshot) error {
+		return extractResourceListFromReading(r, &s.ConfigMaps)
+	},
 }
 
 // convertDataReadings processes a list of DataReadings using the provided

diff --git a/pkg/client/client_cyberark_test.go b/pkg/client/client_cyberark_test.go
@@ -89,6 +89,7 @@ var defaultDynamicDatagathererNames = []string{
 	"ark/statefulsets",
 	"ark/daemonsets",
 	"ark/pods",
+	"ark/configmaps",
 }
 
 // fakeReadings returns a set of fake readings that includes a discovery reading

diff --git a/pkg/datagatherer/k8sdynamic/cache.go b/pkg/datagatherer/k8sdynamic/cache.go
@@ -29,6 +29,8 @@ func (*realTime) now() time.Time {
 type cacheResource interface {
 	GetUID() types.UID
 	GetNamespace() string
+	GetLabels() map[string]string
+	GetAnnotations() map[string]string
 }
 
 func logCacheUpdateFailure(log logr.Logger, obj any, operation string) {

diff --git a/pkg/datagatherer/k8sdynamic/dynamic.go b/pkg/datagatherer/k8sdynamic/dynamic.go
@@ -77,6 +77,18 @@ type ConfigDynamic struct {
 	IncludeNamespaces []string `yaml:"include-namespaces"`
 	// FieldSelectors is a list of field selectors to use when listing this resource
 	FieldSelectors []string `yaml:"field-selectors"`
+	// IncludeResourcesByLabels filters to include only resources that have all of the specified labels.
+	// This controls which resources are collected, not which labels are included.
+	IncludeResourcesByLabels map[string]string `yaml:"include-resources-by-labels"`
+	// ExcludeResourcesByLabels filters to exclude resources that have any of the specified labels.
+	// This controls which resources are collected, not which labels are excluded.
+	ExcludeResourcesByLabels map[string]string `yaml:"exclude-resources-by-labels"`
+	// IncludeResourcesByAnnotations filters to include only resources that have all of the specified annotations.
+	// This controls which resources are collected, not which annotations are included.
+	IncludeResourcesByAnnotations map[string]string `yaml:"include-resources-by-annotations"`
+	// ExcludeResourcesByAnnotations filters to exclude resources that have any of the specified annotations.
+	// This controls which resources are collected, not which annotations are excluded.
+	ExcludeResourcesByAnnotations map[string]string `yaml:"exclude-resources-by-annotations"`
 }
 
 // UnmarshalYAML unmarshals the ConfigDynamic resolving GroupVersionResource.
@@ -88,9 +100,13 @@ func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(any) error) error {
 			Version  string `yaml:"version"`
 			Resource string `yaml:"resource"`
 		} `yaml:"resource-type"`
-		ExcludeNamespaces []string `yaml:"exclude-namespaces"`
-		IncludeNamespaces []string `yaml:"include-namespaces"`
-		FieldSelectors    []string `yaml:"field-selectors"`
+		ExcludeNamespaces             []string          `yaml:"exclude-namespaces"`
+		IncludeNamespaces             []string          `yaml:"include-namespaces"`
+		FieldSelectors                []string          `yaml:"field-selectors"`
+		IncludeResourcesByLabels      map[string]string `yaml:"include-resources-by-labels"`
+		ExcludeResourcesByLabels      map[string]string `yaml:"exclude-resources-by-labels"`
+		IncludeResourcesByAnnotations map[string]string `yaml:"include-resources-by-annotations"`
+		ExcludeResourcesByAnnotations map[string]string `yaml:"exclude-resources-by-annotations"`
 	}{}
 	err := unmarshal(&aux)
 	if err != nil {
@@ -104,6 +120,10 @@ func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(any) error) error {
 	c.ExcludeNamespaces = aux.ExcludeNamespaces
 	c.IncludeNamespaces = aux.IncludeNamespaces
 	c.FieldSelectors = aux.FieldSelectors
+	c.IncludeResourcesByLabels = aux.IncludeResourcesByLabels
+	c.ExcludeResourcesByLabels = aux.ExcludeResourcesByLabels
+	c.IncludeResourcesByAnnotations = aux.IncludeResourcesByAnnotations
+	c.ExcludeResourcesByAnnotations = aux.ExcludeResourcesByAnnotations
 
 	return nil
 }
@@ -115,6 +135,14 @@ func (c *ConfigDynamic) validate() error {
 		errs = append(errs, "cannot set excluded and included namespaces")
 	}
 
+	if len(c.ExcludeResourcesByLabels) > 0 && len(c.IncludeResourcesByLabels) > 0 {
+		errs = append(errs, "cannot use both include-resources-by-labels and exclude-resources-by-labels")
+	}
+
+	if len(c.ExcludeResourcesByAnnotations) > 0 && len(c.IncludeResourcesByAnnotations) > 0 {
+		errs = append(errs, "cannot use both include-resources-by-annotations and exclude-resources-by-annotations")
+	}
+
 	if c.GroupVersionResource.Resource == "" {
 		errs = append(errs, "invalid configuration: GroupVersionResource.Resource cannot be empty")
 	}
@@ -145,6 +173,9 @@ var kubernetesNativeResources = map[schema.GroupVersionResource]sharedInformerFu
 	corev1.SchemeGroupVersion.WithResource("pods"): func(sharedFactory informers.SharedInformerFactory) k8scache.SharedIndexInformer {
 		return sharedFactory.Core().V1().Pods().Informer()
 	},
+	corev1.SchemeGroupVersion.WithResource("configmaps"): func(sharedFactory informers.SharedInformerFactory) k8scache.SharedIndexInformer {
+		return sharedFactory.Core().V1().ConfigMaps().Informer()
+	},
 	corev1.SchemeGroupVersion.WithResource("nodes"): func(sharedFactory informers.SharedInformerFactory) k8scache.SharedIndexInformer {
 		return sharedFactory.Core().V1().Nodes().Informer()
 	},
@@ -219,6 +250,10 @@ func (c *ConfigDynamic) newDataGathererWithClient(ctx context.Context, cl dynami
 		fieldSelector:        fieldSelector.String(),
 		namespaces:           c.IncludeNamespaces,
 		cache:                dgCache,
+		includeLabels:        c.IncludeResourcesByLabels,
+		excludeLabels:        c.ExcludeResourcesByLabels,
+		includeAnnotations:   c.IncludeResourcesByAnnotations,
+		excludeAnnotations:   c.ExcludeResourcesByAnnotations,
 	}
 
 	// In order to reduce memory usage that might come from using Dynamic Informers
@@ -302,6 +337,13 @@ type DataGathererDynamic struct {
 
 	ExcludeAnnotKeys []*regexp.Regexp
 	ExcludeLabelKeys []*regexp.Regexp
+
+	// includeLabels and excludeLabels filter resources based on their labels
+	includeLabels map[string]string
+	excludeLabels map[string]string
+	// includeAnnotations and excludeAnnotations filter resources based on their annotations
+	includeAnnotations map[string]string
+	excludeAnnotations map[string]string
 }
 
 // Run starts the dynamic data gatherer's informers for resource collection.
@@ -367,9 +409,23 @@ func (g *DataGathererDynamic) Fetch() (any, int, error) {
 		cacheObject := item.Object.(*api.GatheredResource)
 		if resource, ok := cacheObject.Resource.(cacheResource); ok {
 			namespace := resource.GetNamespace()
-			if isIncludedNamespace(namespace, fetchNamespaces) {
-				items = append(items, cacheObject)
+			if !isIncludedNamespace(namespace, fetchNamespaces) {
+				continue
+			}
+
+			// filter by labels
+			labels := resource.GetLabels()
+			if !matchesLabelFilter(labels, g.includeLabels, g.excludeLabels) {
+				continue
+			}
+
+			// filter by annotations
+			annotations := resource.GetAnnotations()
+			if !matchesAnnotationFilter(annotations, g.includeAnnotations, g.excludeAnnotations) {
+				continue
 			}
+
+			items = append(items, cacheObject)
 			continue
 		}
 		return nil, -1, fmt.Errorf("failed to parse cached resource")
@@ -563,6 +619,80 @@ func isIncludedNamespace(namespace string, namespaces []string) bool {
 	return slices.Contains(namespaces, namespace)
 }
 
+// matchesLabelFilter checks if the resource labels match the include/exclude filters.
+// If includeLabels is set, all key-value pairs must match for the resource to be included.
+// An empty string value means "match any value for this key" (key-only matching).
+// If excludeLabels is set, any matching key-value pair will exclude the resource.
+func matchesLabelFilter(resourceLabels, includeLabels, excludeLabels map[string]string) bool {
+	// Check exclude labels first
+	if len(excludeLabels) > 0 {
+		for key, value := range excludeLabels {
+			if resourceValue, exists := resourceLabels[key]; exists {
+				// If exclude value is empty, exclude any resource with this key
+				// Otherwise, only exclude if the value also matches
+				if value == "" || resourceValue == value {
+					return false
+				}
+			}
+		}
+	}
+
+	// Check include labels
+	if len(includeLabels) > 0 {
+		for key, value := range includeLabels {
+			resourceValue, exists := resourceLabels[key]
+			if !exists {
+				// Required label key is missing, filter it out
+				return false
+			}
+			// If include value is empty, we only care that the key exists
+			// Otherwise, the value must also match
+			if value != "" && resourceValue != value {
+				return false
+			}
+		}
+	}
+
+	return true
+}
+
+// matchesAnnotationFilter checks if the resource annotations match the include/exclude filters.
+// If includeAnnotations is set, all key-value pairs must match for the resource to be included.
+// An empty string value means "match any value for this key" (key-only matching).
+// If excludeAnnotations is set, any matching key-value pair will exclude the resource.
+func matchesAnnotationFilter(resourceAnnotations, includeAnnotations, excludeAnnotations map[string]string) bool {
+	// Check exclude annotations first
+	if len(excludeAnnotations) > 0 {
+		for key, value := range excludeAnnotations {
+			if resourceValue, exists := resourceAnnotations[key]; exists {
+				// If exclude value is empty, exclude any resource with this key
+				// Otherwise, only exclude if the value also matches
+				if value == "" || resourceValue == value {
+					return false
+				}
+			}
+		}
+	}
+
+	// Check include annotations
+	if len(includeAnnotations) > 0 {
+		for key, value := range includeAnnotations {
+			resourceValue, exists := resourceAnnotations[key]
+			if !exists {
+				// Required annotation key is missing, filter it out
+				return false
+			}
+			// If include value is empty, we only care that the key exists
+			// Otherwise, the value must also match
+			if value != "" && resourceValue != value {
+				return false
+			}
+		}
+	}
+
+	return true
+}
+
 func isNativeResource(gvr schema.GroupVersionResource) bool {
 	_, ok := kubernetesNativeResources[gvr]
 	return ok