netobserv · jotak · Nov 21, 2025 · Nov 21, 2025 · Nov 25, 2025 · Nov 25, 2025
diff --git a/Makefile b/Makefile
@@ -279,6 +279,7 @@ endif
 doc: crdoc ## Generate markdown documentation
 	$(CRDOC) --resources config/crd/bases/flows.netobserv.io_flowcollectors.yaml --output docs/FlowCollector.md
 	$(CRDOC) --resources config/crd/bases/flows.netobserv.io_flowmetrics.yaml --output docs/FlowMetric.md
+	$(CRDOC) --resources config/crd/bases/flows.netobserv.io_flowcollectorslices.yaml --output docs/FlowCollectorSlice.md
 
 # Hack to reintroduce when the API stored version != latest version; see also envtest.go (CRD path config)
 # .PHONY: hack-crd-for-test
@@ -288,6 +289,7 @@ doc: crdoc ## Generate markdown documentation
 # 		'(.spec.versions.[]|select(.name != "v1beta2").storage) = false,(.spec.versions.[]|select(.name == "v1beta2").storage) = true' \
 # 		> ./hack/cloned.flows.netobserv.io_flowcollectors.yaml
 # 	cp ./config/crd/bases/flows.netobserv.io_flowmetrics.yaml ./hack/cloned.flows.netobserv.io_flowmetrics.yaml
+# 	cp ./config/crd/bases/flows.netobserv.io_flowcollectorslices.yaml ./hack/cloned.flows.netobserv.io_flowcollectorslices.yaml
 
 generate: gencode manifests doc ## Run all code/file generators
 

diff --git a/PROJECT b/PROJECT
@@ -38,4 +38,12 @@ resources:
   webhooks:
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: netobserv.io
+  group: flows
+  kind: FlowCollectorSlice
+  path: github.com/netobserv/network-observability-operator/api/flowcollectorslice/v1alpha1
+  version: v1alpha1
 version: "3"
diff --git a/api/flowcollector/v1beta2/flowcollector_types.go b/api/flowcollector/v1beta2/flowcollector_types.go
@@ -697,6 +697,10 @@ type FlowCollectorFLP struct {
 	// but with a lesser improvement in performance.
 	Filters []FLPFilterSet `json:"filters"`
 
+	// Global configuration managing FlowCollectorSlices custom resources.
+	//+optional
+	SlicesConfig *SlicesConfig `json:"slicesConfig,omitempty"`
+
 	// `advanced` allows setting some aspects of the internal configuration of the flow processor.
 	// This section is aimed mostly for debugging and fine-grained performance optimizations,
 	// such as `GOGC` and `GOMAXPROCS` environment variables. Set these values at your own risk.
@@ -787,6 +791,33 @@ type FlowCollectorHPA struct {
 	Metrics []ascv2.MetricSpec `json:"metrics"`
 }
 
+type SliceCollectionMode string
+
+const (
+	CollectionAlwaysCollect SliceCollectionMode = "AlwaysCollect"
+	CollectionAllowList     SliceCollectionMode = "AllowList"
+)
+
+type SlicesConfig struct {
+	// `enable` determines if the FlowCollectorSlice feature is enabled. If not, all resources of kind FlowCollectorSlice are simply ignored.
+	//+kubebuilder:default:=false
+	//+kubebuilder:validation:Required
+	Enable bool `json:"enable,omitempty"`
+
+	// `collectionMode` determines how the FlowCollectorSlice custom resources impacts the flow collection process:<br>
+	// - When set to `AlwaysCollect`, all flows are collected regardless of the presence of FlowCollectorSlice.<br>
+	// - When set to `AllowList`, only the flows related to namespaces where a FlowCollectorSlice resource is present, or configured via the global `namespacesAllowList`, are collected.<br>
+	//+kubebuilder:validation:Enum=AlwaysCollect;AllowList
+	//+kubebuilder:default:="AlwaysCollect"
+	CollectionMode SliceCollectionMode `json:"collectionMode,omitempty"`
+
+	// `namespacesAllowList` is a list of namespaces for which flows are always collected, regardless of the presence of FlowCollectorSlice in those namespaces.
+	// An entry enclosed by slashes, such as `/openshift-.*/`, is matched as a regular expression.
+	// This setting is ignored if `collectionMode` is different from `AllowList`.
+	//+kubebuilder:validation:optional
+	NamespacesAllowList []string `json:"namespacesAllowList,omitempty"`
+}
+
 type LokiAuthToken string
 
 const (

diff --git a/api/flowcollector/v1beta2/helper.go b/api/flowcollector/v1beta2/helper.go
@@ -227,3 +227,7 @@ func (spec *FlowCollectorConsolePlugin) IsUnmanagedConsolePluginReplicas() bool
 	}
 	return spec.Autoscaler.IsHPAEnabled()
 }
+
+func (spec *FlowCollectorSpec) IsSliceEnabled() bool {
+	return spec.Processor.SlicesConfig != nil && spec.Processor.SlicesConfig.Enable
+}
diff --git a/api/flowcollector/v1beta2/zz_generated.deepcopy.go b/api/flowcollector/v1beta2/zz_generated.deepcopy.go
diff --git a/api/flowcollectorslice/v1alpha1/doc.go b/api/flowcollectorslice/v1alpha1/doc.go
@@ -0,0 +1,2 @@
+// Package v1aplha1 contains the v1alpha1 API implementation.
+package v1alpha1
diff --git a/api/flowcollectorslice/v1alpha1/flowcollectorslice_types.go b/api/flowcollectorslice/v1alpha1/flowcollectorslice_types.go
@@ -0,0 +1,65 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// FlowCollectorSliceSpec defines the desired state of FlowCollectorSlice
+type FlowCollectorSliceSpec struct {
+	// `subnetLabels` allows to customize subnets and IPs labelling, such as to identify cluster-external workloads or web services.
+	// Beware that the subnet labels configured in FlowCollectorSlice are not limited to the flows of the related namespace: any flow
+	// in the whole cluster can be labelled using this configuration. However, subnet labels defined in the cluster-scoped FlowCollector take
+	// precedence in case of conflicting rules.
+	//+optional
+	SubnetLabels []SubnetLabel `json:"subnetLabels,omitempty"`
+
+	// `sampling` is an optional sampling interval to apply to this slice. For example, a value of `50` means that 1 matching flow in 50 is sampled.
+	//+kubebuilder:validation:Minimum=0
+	// +optional
+	Sampling int32 `json:"sampling,omitempty"`
+}
+
+// SubnetLabel allows to label subnets and IPs, such as to identify cluster-external workloads or web services.
+type SubnetLabel struct {
+	// List of CIDRs, such as `["1.2.3.4/32"]`.
+	//+required
+	CIDRs []string `json:"cidrs,omitempty"` // Note, starting with k8s 1.31 / ocp 4.16 there's a new way to validate CIDR such as `+kubebuilder:validation:XValidation:rule="isCIDR(self)",message="field should be in CIDR notation format"`. But older versions would reject the CRD so we cannot implement it now to maintain compatibility.
+	// Label name, used to flag matching flows.
+	//+required
+	Name string `json:"name,omitempty"`
+}
+
+// FlowCollectorSliceStatus defines the observed state of FlowCollectorSlice
+type FlowCollectorSliceStatus struct {
+	// `conditions` represent the latest available observations of an object's state
+	Conditions []metav1.Condition `json:"conditions"`
+	// Filter that is applied for flow collection
+	// +optional
+	FilterApplied string `json:"filterApplied"`
+	// Number of subnet labels configured
+	// +optional
+	SubnetLabelsConfigured int `json:"subnetLabelsConfigured"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// FlowMetric is the API allowing to create custom metrics from the collected flow logs.
+type FlowCollectorSlice struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   FlowCollectorSliceSpec   `json:"spec,omitempty"`
+	Status FlowCollectorSliceStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// FlowCollectorSliceList contains a list of FlowCollectorSlice
+type FlowCollectorSliceList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []FlowCollectorSlice `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&FlowCollectorSlice{}, &FlowCollectorSliceList{})
+}
diff --git a/api/flowcollectorslice/v1alpha1/groupversion_info.go b/api/flowcollectorslice/v1alpha1/groupversion_info.go
@@ -0,0 +1,20 @@
+// Package v1alpha1 contains API Schema definitions for the flows v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=flows.netobserv.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "flows.netobserv.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
diff --git a/api/flowcollectorslice/v1alpha1/zz_generated.deepcopy.go b/api/flowcollectorslice/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -6108,6 +6108,37 @@ spec:
                           More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
                         type: object
                     type: object
+                  slicesConfig:
+                    description: Global configuration managing FlowCollectorSlices
+                      custom resources.
+                    properties:
+                      collectionMode:
+                        default: AlwaysCollect
+                        description: |-
+                          `collectionMode` determines how the FlowCollectorSlice custom resources impacts the flow collection process:<br>
+                          - When set to `AlwaysCollect`, all flows are collected regardless of the presence of FlowCollectorSlice.<br>
+                          - When set to `AllowList`, only the flows related to namespaces where a FlowCollectorSlice resource is present, or configured via the global `namespacesAllowList`, are collected.<br>
+                        enum:
+                        - AlwaysCollect
+                        - AllowList
+                        type: string
+                      enable:
+                        default: false
+                        description: '`enable` determines if the FlowCollectorSlice
+                          feature is enabled. If not, all resources of kind FlowCollectorSlice
+                          are simply ignored.'
+                        type: boolean
+                      namespacesAllowList:
+                        description: |-
+                          `namespacesAllowList` is a list of namespaces for which flows are always collected, regardless of the presence of FlowCollectorSlice in those namespaces.
+                          An entry enclosed by slashes, such as `/openshift-.*/`, is matched as a regular expression.
+                          This setting is ignored if `collectionMode` is different from `AllowList`.
+                        items:
+                          type: string
+                        type: array
+                    required:
+                    - enable
+                    type: object
                   subnetLabels:
                     description: |-
                       `subnetLabels` allows to define custom labels on subnets and IPs or to enable automatic labelling of recognized subnets in OpenShift, which is used to identify cluster external traffic.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		// Package v1aplha1 contains the v1alpha1 API implementation.
		package v1alpha1