Callout that impersonation needs (ClusterRole)Binding (#34082)

* Callout that impersonation needs (ClusterRole)Binding

I learned through trial and error that impersonation does not work with Role and RoleBinding - this was not obvious. It would be good if the docs call this out.

* Update content/en/docs/reference/access-authn-authz/authentication.md

Co-authored-by: Qiming Teng <tengqm@outlook.com>

* Update content/en/docs/reference/access-authn-authz/authentication.md

Co-authored-by: Tim Bannister <tim@scalefactory.com>

* Update content/en/docs/reference/access-authn-authz/authentication.md

Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>

* Update content/en/docs/reference/access-authn-authz/authentication.md

Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>

Co-authored-by: Qiming Teng <tengqm@outlook.com>
Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: ZSC <zacharysarah@users.noreply.github.com>

content/en/docs/reference/access-authn-authz/authentication.md

@@ -856,6 +856,14 @@ rules:
   resourceNames: ["06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b"]
 ```
 
+{{< note >}}
+Impersonating a user or group allows you to perform any action as if you were that user or group;
+for that reason, impersonation is not namespace scoped.
+If you want to allow impersonation using Kubernetes RBAC, 
+this requires using a `ClusterRole` and a `ClusterRoleBinding`,
+not a `Role` and `RoleBinding`.
+{{< /note >}}
+
 ## client-go credential plugins
 
 {{< feature-state for_k8s_version="v1.22" state="stable" >}}