open-telemetry
diff --git a/‎.chloggen/namespace-ta.yaml
+3-2 b/‎.chloggen/namespace-ta.yaml
+3-2
diff --git a/‎apis/v1beta1/targetallocator_types.go
+5-2 b/‎apis/v1beta1/targetallocator_types.go
+5-2
diff --git a/‎bundle/community/manifests/opentelemetry.io_opentelemetrycollectors.yaml
+4-2 b/‎bundle/community/manifests/opentelemetry.io_opentelemetrycollectors.yaml
+4-2
diff --git a/‎bundle/community/manifests/opentelemetry.io_targetallocators.yaml
+4-2 b/‎bundle/community/manifests/opentelemetry.io_targetallocators.yaml
+4-2
diff --git a/‎bundle/openshift/manifests/opentelemetry.io_opentelemetrycollectors.yaml
+4-2 b/‎bundle/openshift/manifests/opentelemetry.io_opentelemetrycollectors.yaml
+4-2
diff --git a/‎bundle/openshift/manifests/opentelemetry.io_targetallocators.yaml
+4-2 b/‎bundle/openshift/manifests/opentelemetry.io_targetallocators.yaml
+4-2
diff --git a/‎cmd/otel-allocator/internal/config/config.go
+2-1 b/‎cmd/otel-allocator/internal/config/config.go
+2-1
diff --git a/‎cmd/otel-allocator/internal/watcher/promOperator.go
+20-8 b/‎cmd/otel-allocator/internal/watcher/promOperator.go
+20-8
diff --git a/‎config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml
+4-2 b/‎config/crd/bases/opentelemetry.io_opentelemetrycollectors.yaml
+4-2
diff --git a/‎config/crd/bases/opentelemetry.io_targetallocators.yaml
+4-2 b/‎config/crd/bases/opentelemetry.io_targetallocators.yaml
+4-2
@@ -6,7 +6,7 @@ component: target allocator
 
 # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
 note: |
-  Add support for watch specific namespace(s) in the target allocator.
+  Add support for setting the allowNamespaces and denyNamespaces in the target allocator.
 
 # One or more tracking issues related to the change
 issues: [3086]
@@ -15,4 +15,5 @@ issues: [3086]
 # These lines will be padded with 2 spaces and then inserted directly into the document.
 # Use pipe (|) for multiline entries.
 subtext: |
-  This flag can be set to an empty string to watch all namespaces (default) or to a comma-separated list of namespaces to watch.
+  allowNamespaces can be set to an empty string to watch all namespaces (default) or to a comma-separated list of namespaces to watch.
+  denyNamespaces can be set to an empty string to deny watching any namespaces (default) or to a comma-separated list of namespaces to deny watching.
@@ -12,9 +12,12 @@ type TargetAllocatorPrometheusCR struct {
 	// Enabled indicates whether to use a PrometheusOperator custom resources as targets or not.
 	// +optional
 	Enabled bool `json:"enabled,omitempty"`
-	// WatchNamespace to look for Prometheus CRs. If not set, all namespaces are used which requires a ClusterRole for listing all namespaces.
+	// AllowNamespaces Namespaces to scope the interaction of the Target Allocator and the apiserver (allow list). This is mutually exclusive with DenyNamespaces.
 	// +optional
-	WatchNamespace string `json:"watchNamespace,omitempty"`
+	AllowNamespaces string `json:"allowNamespaces,omitempty"`
+	// DenyNamespaces Namespaces to scope the interaction of the Target Allocator and the apiserver (allow list). This is mutually exclusive with AllowNamespaces.
+	// +optional
+	DenyNamespaces string `json:"denyNamespaces,omitempty"`
 	// Default interval between consecutive scrapes. Intervals set in ServiceMonitors and PodMonitors override it.
 	//Equivalent to the same setting on the Prometheus CR.
 	//
 
@@ -7889,6 +7889,10 @@ spec:
                     type: object
                   prometheusCR:
                     properties:
+                      allowNamespaces:
+                        type: string
+                      denyNamespaces:
+                        type: string
                       enabled:
                         type: boolean
                       podMonitorSelector:
@@ -7999,8 +8003,6 @@ spec:
                             type: object
                         type: object
                         x-kubernetes-map-type: atomic
-                      watchNamespace:
-                        type: string
                     type: object
                   replicas:
                     format: int32
 
@@ -2257,6 +2257,10 @@ spec:
                 type: string
               prometheusCR:
                 properties:
+                  allowNamespaces:
+                    type: string
+                  denyNamespaces:
+                    type: string
                   enabled:
                     type: boolean
                   podMonitorSelector:
@@ -2367,8 +2371,6 @@ spec:
                         type: object
                     type: object
                     x-kubernetes-map-type: atomic
-                  watchNamespace:
-                    type: string
                 type: object
               replicas:
                 format: int32
 
@@ -7889,6 +7889,10 @@ spec:
                     type: object
                   prometheusCR:
                     properties:
+                      allowNamespaces:
+                        type: string
+                      denyNamespaces:
+                        type: string
                       enabled:
                         type: boolean
                       podMonitorSelector:
@@ -7999,8 +8003,6 @@ spec:
                             type: object
                         type: object
                         x-kubernetes-map-type: atomic
-                      watchNamespace:
-                        type: string
                     type: object
                   replicas:
                     format: int32
 
@@ -2257,6 +2257,10 @@ spec:
                 type: string
               prometheusCR:
                 properties:
+                  allowNamespaces:
+                    type: string
+                  denyNamespaces:
+                    type: string
                   enabled:
                     type: boolean
                   podMonitorSelector:
@@ -2367,8 +2371,6 @@ spec:
                         type: object
                     type: object
                     x-kubernetes-map-type: atomic
-                  watchNamespace:
-                    type: string
                 type: object
               replicas:
                 format: int32
 
@@ -52,7 +52,8 @@ type Config struct {
 
 type PrometheusCRConfig struct {
 	Enabled                         bool                  `yaml:"enabled,omitempty"`
-	WatchNamespace                  string                `yaml:"watch_namespace,omitempty"`
+	AllowNamespaces                 string                `yaml:"allow_namespaces,omitempty"`
+	DenyNamespaces                  string                `yaml:"deny_namespaces,omitempty"`
 	PodMonitorSelector              *metav1.LabelSelector `yaml:"pod_monitor_selector,omitempty"`
 	PodMonitorNamespaceSelector     *metav1.LabelSelector `yaml:"pod_monitor_namespace_selector,omitempty"`
 	ServiceMonitorSelector          *metav1.LabelSelector `yaml:"service_monitor_selector,omitempty"`
 
@@ -54,18 +54,30 @@ func NewPrometheusCRWatcher(ctx context.Context, logger logr.Logger, cfg allocat
 		return nil, err
 	}
 
+	if cfg.PrometheusCR.AllowNamespaces != "" && cfg.PrometheusCR.DenyNamespaces != "" {
+		return nil, fmt.Errorf("both allow and deny namespaces are set, only one should be set")
+	}
+
 	allowList := map[string]struct{}{}
-	if cfg.PrometheusCR.WatchNamespace != "" {
-		logger.Info("watching namespace(s)", "namespaces", cfg.PrometheusCR.WatchNamespace)
-		for _, ns := range strings.Split(cfg.PrometheusCR.WatchNamespace, ",") {
+	if cfg.PrometheusCR.AllowNamespaces != "" {
+		logger.Info("watching namespace(s)", "namespaces", cfg.PrometheusCR.AllowNamespaces)
+		for _, ns := range strings.Split(cfg.PrometheusCR.AllowNamespaces, ",") {
 			allowList[ns] = struct{}{}
 		}
 	} else {
-		logger.Info("cfg.PrometheusCR.WatchNamespace is unset, watching all namespaces")
+		logger.Info("cfg.PrometheusCR.AllowNamespaces is unset, watching all namespaces")
 		allowList = map[string]struct{}{v1.NamespaceAll: {}}
 	}
 
-	factory := informers.NewMonitoringInformerFactories(allowList, map[string]struct{}{}, mClient, allocatorconfig.DefaultResyncTime, nil) //TODO decide what strategy to use regarding namespaces
+	denyList := map[string]struct{}{}
+	if cfg.PrometheusCR.DenyNamespaces != "" {
+		logger.Info("excluding namespace(s)", "namespaces", cfg.PrometheusCR.DenyNamespaces)
+		for _, ns := range strings.Split(cfg.PrometheusCR.DenyNamespaces, ",") {
+			denyList[ns] = struct{}{}
+		}
+	}
+
+	factory := informers.NewMonitoringInformerFactories(allowList, denyList, mClient, allocatorconfig.DefaultResyncTime, nil)
 
 	monitoringInformers, err := getInformers(factory)
 	if err != nil {
@@ -111,7 +123,7 @@ func NewPrometheusCRWatcher(ctx context.Context, logger logr.Logger, cfg allocat
 			logger.Error(err, "Retrying namespace informer creation in promOperator CRD watcher")
 			return true
 		}, func() error {
-			nsMonInf, err = getNamespaceInformer(ctx, allowList, promLogger, clientset, operatorMetrics)
+			nsMonInf, err = getNamespaceInformer(ctx, allowList, denyList, promLogger, clientset, operatorMetrics)
 			return err
 		})
 	if getNamespaceInformerErr != nil {
@@ -161,7 +173,7 @@ type PrometheusCRWatcher struct {
 	store                           *assets.StoreBuilder
 }
 
-func getNamespaceInformer(ctx context.Context, allowList map[string]struct{}, promOperatorLogger *slog.Logger, clientset kubernetes.Interface, operatorMetrics *operator.Metrics) (cache.SharedIndexInformer, error) {
+func getNamespaceInformer(ctx context.Context, allowList, denyList map[string]struct{}, promOperatorLogger *slog.Logger, clientset kubernetes.Interface, operatorMetrics *operator.Metrics) (cache.SharedIndexInformer, error) {
 	kubernetesVersion, err := clientset.Discovery().ServerVersion()
 	if err != nil {
 		return nil, err
@@ -177,7 +189,7 @@ func getNamespaceInformer(ctx context.Context, allowList map[string]struct{}, pr
 		clientset.CoreV1(),
 		clientset.AuthorizationV1().SelfSubjectAccessReviews(),
 		allowList,
-		map[string]struct{}{},
+		denyList,
 	)
 	if err != nil {
 		return nil, err
 
@@ -7875,6 +7875,10 @@ spec:
                     type: object
                   prometheusCR:
                     properties:
+                      allowNamespaces:
+                        type: string
+                      denyNamespaces:
+                        type: string
                       enabled:
                         type: boolean
                       podMonitorSelector:
@@ -7985,8 +7989,6 @@ spec:
                             type: object
                         type: object
                         x-kubernetes-map-type: atomic
-                      watchNamespace:
-                        type: string
                     type: object
                   replicas:
                     format: int32
 
@@ -2254,6 +2254,10 @@ spec:
                 type: string
               prometheusCR:
                 properties:
+                  allowNamespaces:
+                    type: string
+                  denyNamespaces:
+                    type: string
                   enabled:
                     type: boolean
                   podMonitorSelector:
@@ -2364,8 +2368,6 @@ spec:
                         type: object
                     type: object
                     x-kubernetes-map-type: atomic
-                  watchNamespace:
-                    type: string
                 type: object
               replicas:
                 format: int32