Users using multi-tenancy have shown interest in being able to do some configuration per-tenant, and not as cluster admins. In particular, being able to enable/disable netobserv on their namespace, or to open the subnets labelling config to project admins.

A new namespace-based CRD should be created to complement FlowCollector config on a per-tenant basis.

Project admins should be able to deploy a custom resource for enabling or disabling flow collection on their namespaces. Via this CR, they should also be able to define subnet labels, so they can identify their own external workloads.

Cluster admins should be able to enable or disable per-tenant config globally, and to define a default behaviour when it's enabled: flow collection for unconfigured tenants can be globally enabled or disabled. Also, cluster admins should be able to define a list of non-tenant namespaces (e.g. openshift-*) for which collection is always enabled.

This CRD may also include per-tenant quick filters.