
Grant a pod access to create new Namespaces


To give a pod control over something in Kubernetes you need at least four things:

  1. Create or select an existing Role/ClusterRole (you picked administer-cluster, whose rules are unknown to me).
  2. Create or select an existing ServiceAccount (you created k8s-deployer in namespace tooling).
  3. Put the two together with a RoleBinding/ClusterRoleBinding.
  4. Assign the ServiceAccount to a pod.

Here's an example that can manage namespaces:

```yaml
# Create a service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-deployer
  namespace: tooling
---
# Create a cluster role that is allowed to perform
# ["get", "list", "create", "delete", "patch"] over ["namespaces"]
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8s-deployer
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "create", "delete", "patch"]
---
# Associate the cluster role with the service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-deployer
  # A ClusterRoleBinding is cluster-scoped, so do NOT put a 'namespace'
  # here. Binding the same ClusterRole with a namespaced RoleBinding
  # would only have effect inside that namespace, which is not enough
  # for a cluster-scoped operation such as creating namespaces.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8s-deployer
subjects:
- kind: ServiceAccount
  name: k8s-deployer
  namespace: tooling
```

After that you need to mention the service account name in the pod spec, as you already did. More information about RBAC is in the documentation.
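The point the answer makes about ClusterRoleBinding versus RoleBinding is worth seeing in action. The following is an added example, not code from the answer above or from Kubernetes itself: it embeds the answer's manifests (plus a pod that uses the service account, and a deliberately wrong namespaced RoleBinding) as Python dicts and runs a small, constructed model of how the RBAC authorizer evaluates them. The model is simplified but follows the real rules: ClusterRoleBindings apply to every request, while a RoleBinding only applies to requests scoped to its namespace, and creating a namespace is a cluster-scoped request (whereas reading the namespace object `tooling` is scoped to `tooling`). All names are the ones used in the answer; the `can_i` helper is an assumption of this example.

```python
"""Constructed model of Kubernetes RBAC evaluation for the manifests in the answer.

Not the project's own code: manifests are embedded as dicts and the authorizer
models only the parts of RBAC needed to show why a ClusterRoleBinding is required
for a cluster-scoped verb such as 'create namespaces'.
"""

# --- manifests from the answer, as dicts (constructed test data) ---------------
SERVICE_ACCOUNT = {
    "kind": "ServiceAccount",
    "metadata": {"name": "k8s-deployer", "namespace": "tooling"},
}

CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "k8s-deployer"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "create", "delete", "patch"]},
    ],
}

CLUSTER_ROLE_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "k8s-deployer"},
    "roleRef": {"kind": "ClusterRole", "name": "k8s-deployer"},
    "subjects": [{"kind": "ServiceAccount", "name": "k8s-deployer", "namespace": "tooling"}],
}

# The common mistake: same ClusterRole, but bound with a namespaced RoleBinding.
ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "k8s-deployer", "namespace": "tooling"},
    "roleRef": {"kind": "ClusterRole", "name": "k8s-deployer"},
    "subjects": [{"kind": "ServiceAccount", "name": "k8s-deployer", "namespace": "tooling"}],
}

# Step 4 of the answer: the pod that runs as the service account.
POD = {
    "kind": "Pod",
    "metadata": {"name": "deployer", "namespace": "tooling"},
    "spec": {"serviceAccountName": "k8s-deployer",
             "containers": [{"name": "kubectl", "image": "bitnami/kubectl"}]},
}


def sa_username(namespace, name):
    """The username the API server sees for a service account token."""
    return f"system:serviceaccount:{namespace}:{name}"


def pod_username(pod):
    """Username of the service account a pod runs as (default SA if unset)."""
    ns = pod["metadata"]["namespace"]
    return sa_username(ns, pod["spec"].get("serviceAccountName", "default"))


def _subject_usernames(binding):
    for s in binding["subjects"]:
        if s["kind"] == "ServiceAccount":
            yield sa_username(s["namespace"], s["name"])
        else:  # User / Group subjects: name is used as-is in this model
            yield s["name"]


def _rule_matches(rule, verb, group, resource):
    def ok(values, want):
        return "*" in values or want in values
    return (ok(rule["verbs"], verb) and ok(rule["apiGroups"], group)
            and ok(rule["resources"], resource))


def can_i(user, verb, resource, group="", namespace=None, roles=(), bindings=()):
    """Model of the RBAC authorizer decision.

    namespace=None means a cluster-scoped request (e.g. POST /api/v1/namespaces).
    For GET /api/v1/namespaces/<name> the API server sets the request namespace
    to <name>, so a RoleBinding in that namespace can grant 'get' on it.
    """
    roles_by_ref = {(r["kind"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if user not in set(_subject_usernames(b)):
            continue
        # RoleBindings only apply to requests scoped to their own namespace.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        role = roles_by_ref.get((b["roleRef"]["kind"], b["roleRef"]["name"]))
        if role and any(_rule_matches(r, verb, group, resource) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    user = pod_username(POD)
    for binding in (CLUSTER_ROLE_BINDING, ROLE_BINDING):
        allowed = can_i(user, "create", "namespaces", roles=[CLUSTER_ROLE], bindings=[binding])
        print(f"{binding['kind']:<18} create namespaces -> {'yes' if allowed else 'no'}")
```

On a real cluster the same check, without a model, is `kubectl auth can-i create namespaces --as=system:serviceaccount:tooling:k8s-deployer`, which returns `yes` once the ClusterRoleBinding is applied and `no` if only a RoleBinding exists.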