netobserv · jpinsonneau · Jan 22, 2026 · Jan 26, 2026 · Feb 27, 2026 · Mar 9, 2026
diff --git a/api/flowcollector/v1beta2/flowcollector_types.go b/api/flowcollector/v1beta2/flowcollector_types.go
@@ -91,6 +91,9 @@ type FlowCollectorSpec struct {
 
 	// `networkPolicy` defines network policy settings for NetObserv components isolation.
 	NetworkPolicy NetworkPolicy `json:"networkPolicy,omitempty"`
+
+	// `execution` defines configuration related to the execution of the flow collection process.
+	Execution FlowCollectorExecution `json:"execution,omitempty"`
 }
 
 type NetworkPolicy struct {
@@ -1542,6 +1545,25 @@ type FlowCollectorExporter struct {
 	OpenTelemetry FlowCollectorOpenTelemetry `json:"openTelemetry,omitempty"`
 }
 
+type ExecutionMode string
+
+const (
+	Running ExecutionMode = "Running"
+	OnHold  ExecutionMode = "OnHold"
+)
+
+// `FlowCollectorExecution` defines the flow collection process execution desired state.
+type FlowCollectorExecution struct {
+	// `mode` is the flow collection process execution desired mode: `Running` or `OnHold`.
+	// When `OnHold`, the operator deletes all managed services and workloads, with the exception
+	// of the static console plugin, and the operator itself.
+	// It allows to use minimal cluster resources without losing configuration.
+	// +kubebuilder:validation:Enum:="";"Running";"OnHold"
+	// +kubebuilder:default:=Running
+	// +optional
+	Mode ExecutionMode `json:"mode"`
+}
+
 // `FlowCollectorStatus` defines the observed state of FlowCollector
 type FlowCollectorStatus struct {
 	// Important: Run "make" to regenerate code after modifying this file

diff --git a/api/flowcollector/v1beta2/helper.go b/api/flowcollector/v1beta2/helper.go
@@ -13,6 +13,10 @@ func (spec *FlowCollectorSpec) GetNamespace() string {
 	return constants.DefaultOperatorNamespace
 }
 
+func (spec *FlowCollectorSpec) OnHold() bool {
+	return spec.Execution.Mode == OnHold
+}
+
 func (spec *FlowCollectorSpec) GetSampling() int {
 	if spec.Agent.EBPF.Sampling == nil {
 		return 50

diff --git a/api/flowcollector/v1beta2/zz_generated.deepcopy.go b/api/flowcollector/v1beta2/zz_generated.deepcopy.go
diff --git a/bundle/manifests/flows.netobserv.io_flowcollectors.yaml b/bundle/manifests/flows.netobserv.io_flowcollectors.yaml
@@ -3245,6 +3245,23 @@ spec:
                 - Direct
                 - Kafka
                 type: string
+              execution:
+                description: '`execution` defines configuration related to the execution
+                  of the flow collection process.'
+                properties:
+                  mode:
+                    default: Running
+                    description: |-
+                      `mode` is the flow collection process execution desired mode: `Running` or `OnHold`.
+                      When `OnHold`, the operator deletes all managed services and workloads, with the exception
+                      of the static console plugin, and the operator itself.
+                      It allows to use minimal cluster resources without losing configuration.
+                    enum:
+                    - ""
+                    - Running
+                    - OnHold
+                    type: string
+                type: object
               exporters:
                 description: '`exporters` defines additional optional exporters for
                   custom consumption or storage.'

diff --git a/bundle/manifests/netobserv-operator.clusterserviceversion.yaml b/bundle/manifests/netobserv-operator.clusterserviceversion.yaml
@@ -410,6 +410,10 @@ spec:
         path: consolePlugin.standalone
       - displayName: Unmanaged replicas
         path: consolePlugin.unmanagedReplicas
+      - displayName: Execution
+        path: execution
+      - displayName: Mode
+        path: execution.mode
       - displayName: Address
         path: kafka.address
       - displayName: Topic

diff --git a/config/crd/bases/flows.netobserv.io_flowcollectors.yaml b/config/crd/bases/flows.netobserv.io_flowcollectors.yaml
@@ -3040,6 +3040,22 @@ spec:
                     - Direct
                     - Kafka
                   type: string
+                execution:
+                  description: '`execution` defines configuration related to the execution of the flow collection process.'
+                  properties:
+                    mode:
+                      default: Running
+                      description: |-
+                        `mode` is the flow collection process execution desired mode: `Running` or `OnHold`.
+                        When `OnHold`, the operator deletes all managed services and workloads, with the exception
+                        of the static console plugin, and the operator itself.
+                        It allows to use minimal cluster resources without losing configuration.
+                      enum:
+                        - ""
+                        - Running
+                        - OnHold
+                      type: string
+                  type: object
                 exporters:
                   description: '`exporters` defines additional optional exporters for custom consumption or storage.'
                   items:

diff --git a/docs/FlowCollector.md b/docs/FlowCollector.md
@@ -122,6 +122,13 @@ Kafka can provide better scalability, resiliency, and high availability (for mor
             <i>Default</i>: Service<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b><a href="#flowcollectorspecexecution">execution</a></b></td>
+        <td>object</td>
+        <td>
+          `execution` defines configuration related to the execution of the flow collection process.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b><a href="#flowcollectorspecexportersindex">exporters</a></b></td>
         <td>[]object</td>
@@ -6008,6 +6015,39 @@ only the result of this request.<br/>
 </table>
 
 
+### FlowCollector.spec.execution
+<sup><sup>[↩ Parent](#flowcollectorspec)</sup></sup>
+
+
+
+`execution` defines configuration related to the execution of the flow collection process.
+
+<table>
+    <thead>
+        <tr>
+            <th>Name</th>
+            <th>Type</th>
+            <th>Description</th>
+            <th>Required</th>
+        </tr>
+    </thead>
+    <tbody><tr>
+        <td><b>mode</b></td>
+        <td>enum</td>
+        <td>
+          `mode` is the flow collection process execution desired mode: `Running` or `OnHold`.
+When `OnHold`, the operator deletes all managed services and workloads, with the exception
+of the static console plugin, and the operator itself.
+It allows to use minimal cluster resources without losing configuration.<br/>
+          <br/>
+            <i>Enum</i>: , Running, OnHold<br/>
+            <i>Default</i>: Running<br/>
+        </td>
+        <td>false</td>
+      </tr></tbody>
+</table>
+
+
 ### FlowCollector.spec.exporters[index]
 <sup><sup>[↩ Parent](#flowcollectorspec)</sup></sup>
 

diff --git a/helm/crds/flows.netobserv.io_flowcollectors.yaml b/helm/crds/flows.netobserv.io_flowcollectors.yaml
@@ -3044,6 +3044,22 @@ spec:
                     - Direct
                     - Kafka
                   type: string
+                execution:
+                  description: '`execution` defines configuration related to the execution of the flow collection process.'
+                  properties:
+                    mode:
+                      default: Running
+                      description: |-
+                        `mode` is the flow collection process execution desired mode: `Running` or `OnHold`.
+                        When `OnHold`, the operator deletes all managed services and workloads, with the exception
+                        of the static console plugin, and the operator itself.
+                        It allows to use minimal cluster resources without losing configuration.
+                      enum:
+                        - ""
+                        - Running
+                        - OnHold
+                      type: string
+                  type: object
                 exporters:
                   description: '`exporters` defines additional optional exporters for custom consumption or storage.'
                   items:

diff --git a/internal/controller/consoleplugin/consoleplugin_reconciler.go b/internal/controller/consoleplugin/consoleplugin_reconciler.go
@@ -70,7 +70,7 @@ func (r *CPReconciler) Reconcile(ctx context.Context, desired *flowslatest.FlowC
 		}
 	}
 
-	if desired.Spec.UseConsolePlugin() && (r.ClusterInfo.HasConsolePlugin() || desired.Spec.ConsolePlugin.Standalone) {
+	if desired.Spec.UseConsolePlugin() && (r.ClusterInfo.HasConsolePlugin() || desired.Spec.ConsolePlugin.Standalone) && !desired.Spec.OnHold() {
 		// Create object builder
 		builder := newBuilder(r.Instance, &desired.Spec, constants.PluginName)
 

diff --git a/internal/controller/ebpf/agent_controller.go b/internal/controller/ebpf/agent_controller.go
@@ -145,10 +145,24 @@ func (c *AgentController) Reconcile(ctx context.Context, target *flowslatest.Flo
 		return err
 	}
 
-	if err := c.permissions.Reconcile(ctx, &target.Spec.Agent.EBPF); err != nil {
+	if err := c.permissions.Reconcile(ctx, target); err != nil {
 		return fmt.Errorf("reconciling permissions: %w", err)
 	}
 
+	if target.Spec.OnHold() {
+		c.Status.SetUnused("FlowCollector is on hold")
+		rlog.Info("action: delete agent")
+		err = c.DeleteIfOwned(ctx, current)
+		if err != nil {
+			return err
+		}
+		err = c.DeleteIfOwned(ctx, c.promSvc)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+
 	err = c.reconcileMetricsService(ctx, &target.Spec.Agent.EBPF)
 	if err != nil {
 		return fmt.Errorf("reconciling prometheus service: %w", err)

diff --git a/internal/controller/ebpf/internal/permissions/permissions.go b/internal/controller/ebpf/internal/permissions/permissions.go
@@ -31,16 +31,16 @@ func NewReconciler(cmn *reconcilers.Instance) Reconciler {
 	return Reconciler{Instance: cmn}
 }
 
-func (c *Reconciler) Reconcile(ctx context.Context, desired *flowslatest.FlowCollectorEBPF) error {
+func (c *Reconciler) Reconcile(ctx context.Context, desired *flowslatest.FlowCollector) error {
 	log.IntoContext(ctx, log.FromContext(ctx).WithName("permissions"))
 
 	if err := c.reconcileNamespace(ctx); err != nil {
 		return fmt.Errorf("reconciling namespace: %w", err)
 	}
-	if err := c.reconcileServiceAccount(ctx); err != nil {
+	if err := c.reconcileServiceAccount(ctx, desired); err != nil {
 		return fmt.Errorf("reconciling service account: %w", err)
 	}
-	if err := c.reconcileVendorPermissions(ctx, desired); err != nil {
+	if err := c.reconcileVendorPermissions(ctx, &desired.Spec.Agent.EBPF); err != nil {
 		return fmt.Errorf("reconciling vendor permissions: %w", err)
 	}
 	return nil
@@ -99,7 +99,7 @@ func namespaceLabels(includeAudit, isDownstream bool) map[string]string {
 	return l
 }
 
-func (c *Reconciler) reconcileServiceAccount(ctx context.Context) error {
+func (c *Reconciler) reconcileServiceAccount(ctx context.Context, desired *flowslatest.FlowCollector) error {
 	rlog := log.FromContext(ctx, "serviceAccount", constants.EBPFServiceAccount)
 
 	sAcc := &v1.ServiceAccount{
@@ -108,6 +108,7 @@ func (c *Reconciler) reconcileServiceAccount(ctx context.Context) error {
 			Namespace: c.PrivilegedNamespace(),
 		},
 	}
+
 	actual := &v1.ServiceAccount{}
 	if err := c.Get(ctx, client.ObjectKeyFromObject(sAcc), actual); err != nil {
 		if errors.IsNotFound(err) {
@@ -116,6 +117,11 @@ func (c *Reconciler) reconcileServiceAccount(ctx context.Context) error {
 			return fmt.Errorf("can't retrieve current namespace: %w", err)
 		}
 	}
+
+	if desired.Spec.OnHold() {
+		return c.DeleteIfOwned(ctx, actual)
+	}
+
 	if actual == nil {
 		rlog.Info("creating service account")
 		return c.CreateOwned(ctx, sAcc)