There are no Deny rules in Kubernetes RBAC
ClusterRoles can be applied to one or more namespaces
RBAC permissions are additive
ServiceAccounts are only used by non-humans
Users do not live in the cluster as resources
202404011006
