Here it must be clearly defined who is allowed to control what and to what extent with kubectl. This is done with RBAC, but it doesn't hurt to prevent certain commands like kubectl "verb" sa, kubectl "verb" clusterroles and roles including bindings, kubectl config view, kubectl config "verb" context, etc. Generally to disable, regardless of RBAC.