Restricting access to Service Accounts

12/11/2019

Is there a way to control or prevent an authenticated user from specifying the service account that a pod or deployment uses? I currently have a single namespace that contains 2 service accounts, each bound to a different role. I'd like to be able to restrict a particular authenticated user so they can only create deployments using one of the service accounts and not the other.

The K8s cluster I'm using is on-prem and deployed using kubeadm, with RBAC enabled.

-- Chris
kubeadm
kubernetes

0 Answers