
KollectClusterScope

Cluster-scoped tenancy ceiling for platform operators (ADR-0207).

Spec

| Field | Role |
|---|---|
| allowedGVKs | Cap on GVKs cluster targets may collect |
| allowedNamespaces | Cap on workload namespaces |
| deniedNamespaces | Platform blacklist — not overridable by Targets |
| sinkRefs | Permitted namespaced family-sink names for export |

Static config only — no status subresource (ADR-0202).

Example

A cluster-wide ceiling that caps platform collection to Deployment/Service, blocks kube-system, and allows export only to a named namespaced family sink:

apiVersion: kollect.dev/v1alpha1
kind: KollectClusterScope
metadata:
  name: platform-ceiling   # cluster-scoped — no namespace
spec:
  allowedGVKs:
    - group: apps
      version: v1
      kind: Deployment
    - group: ""
      version: v1
      kind: Service
  deniedNamespaces:
    - kube-system           # platform blacklist — targets cannot override
  sinkRefs:
    - platform-warehouse

The namespaced KollectScope sample (config/samples/kollect_v1alpha1_kollectscope_team-a.yaml) shows the same fields scoped to a single namespace.
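
An added sketch in Go (not kollect's own code) of how the platform-ceiling manifest above constrains one cluster-target request: the deny list is checked first so no allow entry can re-admit a namespace, then the GVK and sink caps apply. The Check function, its flattened parameters, and the reading of an omitted allowedNamespaces as "no cap" are assumptions; team-a-bucket is a constructed sink name.

```go
package main

import "fmt"

// GVK mirrors one allowedGVKs entry.
type GVK struct{ Group, Version, Kind string }

// Ceiling holds the four KollectClusterScope spec fields as lookup sets.
type Ceiling struct {
	AllowedGVKs                                   map[GVK]bool
	AllowedNamespaces, DeniedNamespaces, SinkRefs map[string]bool
}

// PlatformCeiling reproduces the platform-ceiling manifest above.
var PlatformCeiling = Ceiling{
	AllowedGVKs:      map[GVK]bool{{"apps", "v1", "Deployment"}: true, {"", "v1", "Service"}: true},
	DeniedNamespaces: map[string]bool{"kube-system": true},
	SinkRefs:         map[string]bool{"platform-warehouse": true},
}

// Check returns "" if the request fits under c, otherwise the rejection reason.
// gvk, ns and sink are a hypothetical flattening of what one cluster target asks for.
func Check(c Ceiling, gvk GVK, ns, sink string) string {
	switch {
	case c.DeniedNamespaces[ns]: // deny first: no allow entry re-admits it
		return "namespace denied"
	// Assumption: an omitted allowedNamespaces (as in the sample) means no cap.
	case len(c.AllowedNamespaces) > 0 && !c.AllowedNamespaces[ns]:
		return "namespace not allowed"
	case !c.AllowedGVKs[gvk]: // an empty GVK cap admits nothing
		return "GVK not allowed"
	case !c.SinkRefs[sink]: // export only to sinks the platform named
		return "sink not permitted"
	}
	return ""
}

func main() {
	dep := GVK{"apps", "v1", "Deployment"}
	// Constructed requests: one that fits, then one violation per cap.
	fmt.Printf("%q\n", Check(PlatformCeiling, dep, "team-a", "platform-warehouse"))
	fmt.Printf("%q\n", Check(PlatformCeiling, dep, "kube-system", "platform-warehouse"))
	fmt.Printf("%q\n", Check(PlatformCeiling, GVK{"", "v1", "Secret"}, "team-a", "platform-warehouse"))
	fmt.Printf("%q\n", Check(PlatformCeiling, dep, "team-a", "team-a-bucket"))
}
```
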

See also