I have a user called John to whom I gave admin permissions in the development-john namespace, as follows. I wanted to validate that he cannot create a new resource of type NEW_CRD that I have, and also cannot create a RoleBinding that grants him permission to do so. When he applied the RoleBinding he got no error, but when he tried to create the NEW_CRD resource he got an RBAC permission denied error. I wonder why the RoleBinding giving him permission to create NEW_CRD succeeded in the first place? I expected an error indicating that such a RoleBinding is forbidden for that user, per https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update.
Here is the RoleBinding that gives user john the admin role in the development-john namespace:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin-rolebinding-john
  namespace: development-john
subjects:
- kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```
Here are the ClusterRole and RoleBinding that give john permission to create NEW_CRD resources. The RoleBinding was applied while impersonating john, and the API server accepted it:

```console
kubectl apply -f roleBindingJohn.yaml --as=john
rolebinding.rbac.authorization.k8s.io/john_external-rosource-rb created
```
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: john_crd
  namespace: development-john
subjects:
- kind: User
  name: john
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: crd-creation
  apiGroup: rbac.authorization.k8s.io   # required on roleRef; validation rejects a binding without it
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crd-creation
rules:
- apiGroups: ["kubernetes-client.io/v1"]   # RBAC apiGroups take the group name only; the version is not part of a rule
  resources: ["NEW_CRD"]
  verbs: ["create", "list", "get"]         # one verb per list item; "create, list, get" as a single string is not a valid verb
```
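As an added, self-contained model of the check the linked documentation describes (this is illustration code written for this page, not the question's files and not the API server's implementation): a user may create a RoleBinding only if they already hold every (group, resource, verb) permission in the referenced role, or hold the `escalate` verb on rolebindings, or the `bind` verb on the referenced role. The `admin` rules below are a constructed subset of the built-in aggregated ClusterRole, and the `crd-creation` rule is copied as posted, including the versioned group name. Whether a real cluster's `admin` role covers a given rule depends on the aggregated rules actually present, and a real request also goes through authentication, impersonation and object validation, none of which this model includes, so it shows what the escalation check does with the posted rules rather than explaining the behaviour observed in the question.

```python
"""Simplified model of the RBAC escalation check that gates RoleBinding creation.

Constructed illustration, not the Kubernetes API server's code. Coverage follows the
documented rule: every (group, resource, verb) of the referenced role must already be held
by the requester, unless the requester has 'escalate' on rolebindings or 'bind' on the role.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RBAC_GROUP = "rbac.authorization.k8s.io"


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


def _matches(allowed: List[str], wanted: str) -> bool:
    return "*" in allowed or wanted in allowed


def _resource_matches(allowed: List[str], wanted: str) -> bool:
    # A subresource such as "pods/log" is also covered by "pods/*" or "*/log".
    if _matches(allowed, wanted):
        return True
    if "/" in wanted:
        res, sub = wanted.split("/", 1)
        return f"{res}/*" in allowed or f"*/{sub}" in allowed
    return False


def _split(rule: Rule):
    """Break a rule into single (group, resource, verb) sub-rules."""
    for g in rule.api_groups:
        for r in rule.resources:
            for v in rule.verbs:
                yield Rule([g], [r], [v], list(rule.resource_names))


def rule_covers(owner: Rule, sub: Rule) -> bool:
    """True if one rule the requester holds grants the single sub-rule."""
    if not _matches(owner.verbs, sub.verbs[0]):
        return False
    if not _matches(owner.api_groups, sub.api_groups[0]):
        return False
    if not _resource_matches(owner.resources, sub.resources[0]):
        return False
    # A name-restricted owner rule only covers sub-rules restricted to a subset of those names.
    if owner.resource_names:
        return bool(sub.resource_names) and all(n in owner.resource_names for n in sub.resource_names)
    return True


def uncovered_rules(owner_rules: List[Rule], wanted_rules: List[Rule]) -> List[Rule]:
    """Sub-rules of wanted_rules that no rule in owner_rules grants."""
    return [sub for rule in wanted_rules for sub in _split(rule)
            if not any(rule_covers(o, sub) for o in owner_rules)]


def can_create_binding(user_rules: List[Rule], role_rules: List[Rule], role_name: str) -> Tuple[bool, str]:
    """Decide whether a user holding user_rules may bind ClusterRole role_name carrying role_rules."""
    escalate = Rule([RBAC_GROUP], ["rolebindings"], ["escalate"])
    bind = Rule([RBAC_GROUP], ["clusterroles"], ["bind"], [role_name])
    if not uncovered_rules(user_rules, [escalate]):
        return True, "user holds 'escalate' on rolebindings"
    if not uncovered_rules(user_rules, [bind]):
        return True, f"user holds 'bind' on clusterrole {role_name}"
    missing = uncovered_rules(user_rules, role_rules)
    if missing:
        desc = ", ".join(f"{m.verbs[0]} {m.resources[0]} in group '{m.api_groups[0]}'" for m in missing)
        return False, f"forbidden: user does not hold {desc}"
    return True, "user already holds every permission in the role"


# Constructed subset of the built-in "admin" ClusterRole (the real role is aggregated and longer).
ADMIN_RULES = [
    Rule([""], ["pods", "pods/log", "services", "configmaps", "secrets"],
         ["create", "delete", "get", "list", "patch", "update", "watch"]),
    Rule(["apps"], ["deployments", "statefulsets"],
         ["create", "delete", "get", "list", "patch", "update", "watch"]),
    Rule([RBAC_GROUP], ["roles", "rolebindings"],
         ["create", "delete", "get", "list", "patch", "update", "watch"]),
]

# The crd-creation ClusterRole as posted in the question (group still written with its version).
CRD_CREATION_RULES = [Rule(["kubernetes-client.io/v1"], ["NEW_CRD"], ["create", "list", "get"])]

if __name__ == "__main__":
    print(can_create_binding(ADMIN_RULES, CRD_CREATION_RULES, "crd-creation"))
    print(can_create_binding(ADMIN_RULES, [Rule([""], ["pods"], ["get", "list"])], "pod-reader"))
    with_bind = ADMIN_RULES + [Rule([RBAC_GROUP], ["clusterroles"], ["bind"], ["crd-creation"])]
    print(can_create_binding(with_bind, CRD_CREATION_RULES, "crd-creation"))
```

With the constructed `admin` subset, binding `crd-creation` is refused because none of the three sub-rules is held by the requester, while binding a role limited to pod reads is allowed, and granting `bind` on `clusterroles` with `resourceNames: ["crd-creation"]` flips the first case to allowed without granting the CRD permission itself. On a live cluster, `kubectl auth can-i create rolebindings --as=john -n development-john` and `kubectl auth can-i create <resource>.<group> --as=john -n development-john` report what the authorizer would answer for john; the escalation check is separate and only runs when a RoleBinding is actually written.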