Konrad:
I have a problem understanding RBAC. I tried this both in a plain Katacoda environment and in the “Practice Test Role Based Access Control” environment provided with this course. There are two namespaces, A and B. A pod scheduled in namespace A, using an image that ships kubectl, is able to patch an existing secret in both namespace A and B. Is that supposed to be allowed? I had thought that I would need to create one role per namespace allowing “patch” on the “secrets” type and bind that to the default service account, or to a custom service account, and make the pod use that. But it just works out of the box.
JohnC:
Were you using Role or ClusterRole?
Konrad:
Nothing, it just worked without any RBAC modifications.
Tried it in a real cluster now where these RBAC modifications are required (I use Role).
The demo environments seem to assign cluster-admin or similar to default service accounts; that’s why it just worked.