1. A RoleBinding binds a Role to a subject. If the Role lives in namespace `team-a` but the RoleBinding lives in namespace `team-b`, what happens?
2. You grant a ServiceAccount a Role with `verbs: ["*"]` on `resources: ["configmaps"]`. Which new permissions does the SA gain compared to `verbs: [get, list, watch]`?
3. Why is Workload Identity Federation preferable to mounting a long-lived service account key as a Secret in the pod?
4. A pod runs as namespace `prod`'s `default` ServiceAccount. It needs to `list secrets` in its own namespace. What's the correct next step?
5. In a GitHub Actions workflow deploying to GKE via OIDC federation, which claim in the OIDC token determines which IAM role the run can assume?
6. Your `rbac-iam-scaffold` skill is asked to grant a ServiceAccount `list pods` across all namespaces. What should it do?
7. Which is the correct analysis of 'least privilege proven'?