We provide a Kubernetes cluster for many users; applications are separated by namespace.
For deployment we use kubernetes-helm. There are situations when we need to close off the ability to deploy the app in the cluster. One option is to change the permissions of the default sa (which kubernetes-helm uses).
How else can this be solved?
You'd use an admission controller.
Unfortunately, this might involve writing some code to manage it. There are tools out there that help, like Open Policy Agent.
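As an added example (not code from the original answer), here is what the decision logic of such a validating admission webhook can look like, using only the Python standard library. The frozen namespace name and the list of workload kinds are assumptions; it also assumes the handler is served over TLS and registered with a ValidatingWebhookConfiguration, neither of which is shown.

```python
import json
from http.server import BaseHTTPRequestHandler

# Assumption: namespaces currently closed for deployment (constructed name).
FROZEN_NAMESPACES = {"team-a"}
# Writes that roll out or change a workload; DELETE stays allowed.
BLOCKED_OPERATIONS = {"CREATE", "UPDATE"}
# Pod is left out on purpose so controllers of workloads that already
# exist can still recreate pods while the namespace is closed.
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def decide(review, frozen=FROZEN_NAMESPACES):
    """Return the AdmissionReview response for one AdmissionReview request."""
    req = review["request"]
    ns = req.get("namespace", "")
    kind = req.get("kind", {}).get("kind", "")
    denied = (ns in frozen
              and req.get("operation") in BLOCKED_OPERATIONS
              and kind in WORKLOAD_KINDS)
    response = {"uid": req["uid"], "allowed": not denied}
    if denied:
        response["status"] = {
            "code": 403,
            "message": f"deployments to namespace {ns!r} are currently closed",
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


class WebhookHandler(BaseHTTPRequestHandler):
    """POST endpoint the API server calls; it must be served over TLS."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.dumps(decide(json.loads(self.rfile.read(length)))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def sample_request(namespace, operation, kind="Deployment"):
    """Constructed AdmissionReview request, trimmed to the fields used above."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-1", "namespace": namespace,
                        "operation": operation,
                        "kind": {"group": "apps", "version": "v1", "kind": kind}}}
```

Unlike changing the service account's permissions, this check applies to every client that writes to the namespace, not only to the account Helm uses.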