Lineage
read-only · v1.0
Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

Identity audit

What can authenticate, what's stale, and which name strings still grant access after their backing object is gone.

Self-provisioner: disabled — No ClusterRoleBinding to `self-provisioner` for `system:authenticated[:oauth]` is visible. Non-admin users cannot self-provision projects, so namespace-reuse findings need administrator action to trigger.

1. Resurrectable identities and SCC groups (2)

Grants that name a missing subject. Recreating the name re-arms them.

ServiceAccount identities (2)

Principal | Severity | Created | Namespace state | Surviving grants
system:serviceaccount:legacy-pipelines:runner (resurrectable; cluster-admin; privileged SCC) | critical | 1y | ns deleted | recreate ns + SA reactivates
  ClusterRoleBinding legacy-runner-admin → cluster-admin (RBAC)
  SCC privileged → privileged (SCC user list)
system:serviceaccount:ci:pipeline (resurrectable; cluster-admin) | critical | 1y | ns present | SA missing
  ClusterRoleBinding ci-pipeline-clusteradmin → cluster-admin (RBAC)
  SCC anyuid → anyuid (SCC user list)

Deleted namespaces with surviving privilege (1)

A future oc new-project <ns> would re-arm these.

Namespace | Max severity | Resurrectable principals
legacy-pipelines (deleted) | critical | runner

2. Latent users (2)

Listed in an IdP or Group, but with no User object yet. They become active on first login and inherit any pre-existing bindings.

Username | Source | Where
nina-onboarding | group-listed | listed in Group/engineers
tom-future-hire | htpasswd | in Secret openshift-config/htpasswd-secret (idp=dev)

3. Phantom users (1)

User + Identity exist, IdP no longer recognises them. Restoring the IdP entry re-arms their bindings.

Name | Reason | Provider(s)
mallory | removed from htpasswd (dev) | dev

4. Bound ghosts (1)

Bindings reference a subject with no backing object. Activate the moment the name appears.

Name | Kind | Created | Bound by (grants) | Category
future-hire@company.com (ghost) | User | 1y | ClusterRoleBinding/ghost-future-employee | real anomaly

5. Stranded users (3)

User exists, no Identity links it to an IdP.

User | Identity link
kubeadmin | No ID
manual-approver | No ID
rhea-rehire | No ID

6. Orphan identities (1)

Identity points to a User that doesn't exist.

Missing user | Identity | Provider
orphaned-user | dev:orphaned-user | dev
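An added example, not part of the Lineage demo or its bundled dataset: the check behind sections 1 and 4 above, resolving each binding subject against the objects that currently exist and labelling the ones whose backing object is gone. The inventory and bindings are constructed to mirror the page's sample; the `edit` role on ghost-future-employee and the `ops-view` group binding are assumptions.

```python
from collections import defaultdict

# Constructed inventory of what currently exists in the mock cluster.
NAMESPACES = {"ci", "openshift-config"}          # legacy-pipelines is gone
SERVICE_ACCOUNTS = {("ci", "builder")}           # (namespace, name); ci:pipeline is gone
USERS = {"kubeadmin", "manual-approver"}
GROUPS = {"engineers"}

# Constructed ClusterRoleBindings; roles for the ghost and group bindings are assumed.
BINDINGS = [
    {"name": "legacy-runner-admin", "role": "cluster-admin",
     "subjects": [{"kind": "ServiceAccount", "namespace": "legacy-pipelines", "name": "runner"}]},
    {"name": "ci-pipeline-clusteradmin", "role": "cluster-admin",
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "pipeline"}]},
    {"name": "ghost-future-employee", "role": "edit",
     "subjects": [{"kind": "User", "name": "future-hire@company.com"}]},
    {"name": "ops-view", "role": "view",
     "subjects": [{"kind": "Group", "name": "engineers"}]},
]

def classify(subject, namespaces, sas, users, groups):
    """Return None if the subject's backing object exists, else a finding label."""
    kind = subject["kind"]
    if kind == "ServiceAccount":
        ns = subject["namespace"]
        if ns not in namespaces:
            return "resurrectable: namespace deleted (recreate ns + SA reactivates)"
        if (ns, subject["name"]) not in sas:
            return "resurrectable: SA missing (recreate SA reactivates)"
        return None
    if kind == "User":
        return None if subject["name"] in users else "bound ghost: no User object"
    if kind == "Group":
        return None if subject["name"] in groups else "bound ghost: no Group object"
    return f"unknown subject kind {kind}"

def audit(bindings, namespaces=NAMESPACES, sas=SERVICE_ACCOUNTS, users=USERS, groups=GROUPS):
    """Map each dangling principal name to the bindings that still grant it a role."""
    findings = defaultdict(list)
    for b in bindings:
        for s in b["subjects"]:
            label = classify(s, namespaces, sas, users, groups)
            if label:
                principal = (f"system:serviceaccount:{s['namespace']}:{s['name']}"
                             if s["kind"] == "ServiceAccount" else s["name"])
                findings[principal].append((b["name"], b["role"], label))
    return dict(findings)

if __name__ == "__main__":
    for principal, grants in audit(BINDINGS).items():
        print(principal, *[f"\n  ClusterRoleBinding/{n} -> {r}: {l}" for n, r, l in grants])
```

On a live cluster the same logic would run over the output of a bindings listing plus namespace, ServiceAccount, User and Group listings; the demo page does none of that.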

Identity providers

HTPasswd is auditable from the backing Secret. LDAP/OIDC are not.

Provider | Type | Audit support
dev | HTPasswd | auditable