Cross-namespace bindings
RoleBindings whose subject is a ServiceAccount in a different namespace than the binding. These paths are useful to review because a CI or automation namespace can hold access inside a separate application namespace.
| SA namespace | ServiceAccount | → binding namespace | Role | Created |
|---|---|---|---|---|
| ci | builder | shared-images | system:image-builder | 1y |
| mine-platform | default | shared-images | system:image-puller | 1y |
| ci | builder | mine-platform | edit | 1y |

Image-puller / image-builder grants
OpenShift's system:image-puller and system:image-builder roles allow pods to pull and push images via the internal registry. The default system:serviceaccounts:<ns> group binding is filtered out — anything else is worth a look. Cross-namespace grants enable silent image access between projects.
| Subject | Namespace | Role | Cross-NS | Created |
|---|---|---|---|---|
| ServiceAccount builder (ci) | shared-images | system:image-builder | cross-ns | 1y |
| ServiceAccount default (mine-platform) | shared-images | system:image-puller | cross-ns | 1y |