Defining a single user that can access the jdoe Namespace was probably the best approach. We expect that only John will want to access it. He is the owner of that Namespace. It’s his private playground. Even if he chooses to add more users to it, he’ll probably do it independently from our YAML definitions.
After all, what’s the point of giving him god-like privileges if not to let him do things without asking for our permission or involvement? From our perspective, that Namespace has, and will continue to have, only one User.