# the next one is the most interesting, the rest are related to per-tool pod security policies which limit what kinds of containers can be ran on the cluster:
# this is the role object (which is defined as a ClusterRole so it is shared between namespaces, but is bound to specific namespaces) which is what's actually granted to the tool accounts