Identity audit
What can authenticate, what's stale, and which name strings still grant access after their backing object is gone.
1. Resurrectable identities and SCC groups (2)
Grants that name a missing subject. Recreating the name re-arms them.
ServiceAccount identities (0)
No low resurrectable ServiceAccount identities.
Deleted namespaces with surviving privilege (1)
Each namespace below was deleted while bindings naming its principals survived. A future oc new-project <ns> would re-arm these.
| Namespace | Max severity | Resurrectable principals |
|---|---|---|
| legacy-pipelines (deleted) | critical | runner |
2. Latent users (2)
Listed in an IdP or Group but with no User object yet. They become active on first login and inherit any pre-existing bindings.
| Username | Source | Where |
|---|---|---|
| nina-onboarding | group-listed | listed in Group/engineers |
| tom-future-hire | htpasswd | in Secret openshift-config/htpasswd-secret (idp=dev) |
3. Phantom users (1)
User and Identity objects exist, but the IdP no longer recognises them. Restoring the IdP entry re-arms their bindings.
| Name | Reason | Provider(s) |
|---|---|---|
| mallory | removed from htpasswd (dev) | dev |
4. Bound ghosts (1)
Bindings reference a subject with no backing object. They activate the moment an object with that name appears.
| Name | Kind | Created | Bound by (grants) | Category |
|---|---|---|---|---|
| future-hire@company.com (ghost) | User | 1y | ClusterRoleBinding/ghost-future-employee | real anomaly |
5. Stranded users (3)
User exists, but no Identity links it to an IdP.
| User | Identity link |
|---|---|
| kubeadmin | No Identity |
| manual-approver | No Identity |
| rhea-rehire | No Identity |
6. Orphan identities (1)
Identity points to a User object that doesn't exist.
| Missing user | Identity | Provider |
|---|---|---|
| orphaned-user | dev:orphaned-user | dev |
Identity providers
HTPasswd is auditable from the backing Secret; LDAP/OIDC providers are not, because their user lists live outside the cluster.
| Provider | Type | Audit support |
|---|---|---|
| dev | HTPasswd | auditable |