Namespace per branch under project-level k8s cluster does not work anymore! after update to 11.10.1
Right now the hierarchy is like this:
project > k8s-cluster > $KUBE_NAMESPACE
And what used to work for me before updating to 11.10.1 was:
project > k8s-cluster > $CI_COMMIT_REF_SLUG-$KUBE_NAMESPACE
The default Auto-DevOps .gitlab-ci.yml template has the following function:
function ensure_namespace() {
  kubectl describe namespace "$KUBE_NAMESPACE" || kubectl create namespace "$KUBE_NAMESPACE"
}
The one I am using is:
function ensure_namespace() {
  kubectl describe namespace "$CI_COMMIT_REF_SLUG-$KUBE_NAMESPACE" || kubectl create namespace "$CI_COMMIT_REF_SLUG-$KUBE_NAMESPACE"
}
But the deploy pipeline now fails with the following error:
$ ensure_namespace
+ echo '$ ensure_namespace'
+ ensure_namespace
+ kubectl describe namespace master-multiadvertising-104
Error from server (Forbidden): namespaces "master-multiadvertising-104" is forbidden: User "system:serviceaccount:multiadvertising-104:multiadvertising-104-service-account" cannot get resource "namespaces" in API group "" in the namespace "master-multiadvertising-104"
+ kubectl create namespace master-multiadvertising-104
Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:multiadvertising-104:multiadvertising-104-service-account" cannot create resource "namespaces" in API group "" at the cluster scope
It seems like the service-account and namespace are now being set to the default $KUBE_NAMESPACE.
And there is no way of overwriting them!
Is there a way to cope with this?
I'm doing review apps, which means each app is its own environment. I keep them all clean and tidy, each in its own Kubernetes namespace, so that when the review is done the cleanup task can just remove the entire namespace instead of having to go through each related pod/container/secret/volume separately. It just does not make sense to have all those pods of different branches/environments in one namespace!
Before updating to 11.10.1 this behaviour of being forced to use and stay within the default $KUBE_NAMESPACE was not there.
I reported the issue here before but it was closed because it was in the wrong place: https://gitlab.com/gitlab-org/gitlab-ce/issues/61098
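
The two Forbidden errors in the log above show that the job's service account lacks `get` and `create` on namespaces at cluster scope. As an added example (not part of the original post or of the Auto DevOps template), this pre-flight wrapper asks the API server with `kubectl auth can-i` before attempting the create; `can_i`, `namespace_plan` and `ensure_namespace_checked` are hypothetical names, and kubectl is assumed to be configured with the CI job's credentials.

```shell
#!/bin/sh
# Added example: RBAC pre-flight for a per-branch namespace.
# Assumption: kubectl already uses the CI job's service-account credentials.

# Ask the API server whether the current identity may perform an action.
# `kubectl auth can-i` exits 0 for "yes" and non-zero for "no".
can_i() {
    kubectl auth can-i "$@" >/dev/null 2>&1
}

# Print how the job can obtain namespace $1:
#   use-existing  the namespace is readable and already present
#   create        the identity holds cluster-scoped "create namespaces"
#   denied        neither is allowed with the current credentials
namespace_plan() {
    _ns="$1"
    if can_i get "namespace/$_ns" && kubectl get namespace "$_ns" >/dev/null 2>&1; then
        echo use-existing
    elif can_i create namespaces; then
        echo create
    else
        echo denied
    fi
}

# Stand-in for the describe-or-create one-liner: stops with one clear
# message when RBAC rules out the per-branch namespace.
ensure_namespace_checked() {
    _target="$1"
    case "$(namespace_plan "$_target")" in
        use-existing) return 0 ;;
        create)       kubectl create namespace "$_target" ;;
        *)
            echo "RBAC: current credentials cannot get or create namespace '$_target'" >&2
            return 1
            ;;
    esac
}
```

Running `kubectl auth can-i --list` with the same credentials shows which verbs the service account does hold in its own namespace.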