Is your feature request related to a problem? Please describe.
Currently I need to manually list all namespaces where I want rbac-manager to create serviceaccounts.
In our case we have a separation between the platform team and the app owner teams, so we need to manually coordinate which namespaces get ServiceAccounts.
Describe the solution you'd like
It would be ideal to have the option to use a LabelSelector for creation of ServiceAccounts in Namespaces like you can do with RoleBindings.
e.g.
First glance, I think this is really similar (or the same) as #137.
The potential implementation seems different though. In the other issue, I think the desired outcome is that a serviceAccount that has a rolebinding with a label selector automatically triggers creation of the serviceaccount in all the namespaces matched.
This one seems to suggest sort of the opposite? I think we should decide on which is the desired implementation. Personally I lean towards the idea of "if there are multiple namespaces with rolebindings, we create the serviceaccount in each namespace."
Yes, the implementation is different. I strongly prefer only creating SAs where explicitly wanted, as granular as possible.
Having SAs automatically created in all namespaces matching that binding might be a security issue in some deployments.
Being explicit also allows different use-cases.
Let's say I have a multi-tenant cluster and I have components in namespaces of tenant x that need to access namespaces of tenant y.
If I don't have a separate labelSelector for SA and RoleBinding creation I run into the issue that I have overly broad RBAC