Lineage
read-only · v1.0
Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

A local map of OpenShift identities, access paths, workloads, and images. Click any card to follow the relationship.

10 review items
Review snapshot

Identity references need review

- 2 latent users: nina-onboarding, tom-future-hire
- 1 phantom user: mallory
- 1 bound ghost: future-hire@company.com
- 3 stranded users: kubeadmin, manual-approver, +1 more
- 1 orphan identity: dev:orphaned-user
- 2 critical resurrectable: legacy-pipelines/runner, ci/pipeline

- Identity: Subjects and review-worthy references.
- Access paths: Grants, roles, and duplicate bindings.
- Workloads: Namespaces, pods, ServiceAccounts, SCCs.
- Images: Running images, registries, tag drift.

Resurrectable ServiceAccount identities (2)

Absent ServiceAccount names with surviving grants. Recreating the name reactivates access.

| Principal | Severity | Created | Namespace state | Surviving grants |
|---|---|---|---|---|
| system:serviceaccount:legacy-pipelines:runner (resurrectable, cluster-admin, privileged SCC) | critical | 1y | ns deleted; recreate ns + SA reactivates | ClusterRoleBinding legacy-runner-admin → cluster-admin (RBAC); SCC privileged → privileged (SCC user list) |
| system:serviceaccount:ci:pipeline (resurrectable, cluster-admin) | critical | 1y | ns present; SA missing | ClusterRoleBinding ci-pipeline-clusteradmin → cluster-admin (RBAC); SCC anyuid → anyuid (SCC user list) |

Privileged subjects (7)

Subjects bound to high-impact roles. Baseline (1)

| Role | Subject | Scope | Binding |
|---|---|---|---|
| system:openshift:scc:anyuid | ServiceAccount builder (mine-platform) | mine-platform | RoleBinding/mine-builder-use-anyuid |
| admin | Group engineers | mine-platform | RoleBinding/admin-rb-copy |
| admin | Group engineers | mine-platform | RoleBinding/admin-rb |
| cluster-admin | ServiceAccount runner (legacy-pipelines) [ghost] | cluster-wide | ClusterRoleBinding/legacy-runner-admin |
| cluster-admin | ServiceAccount pipeline (ci) [ghost] | cluster-wide | ClusterRoleBinding/ci-pipeline-clusteradmin |
| admin | User future-hire@company.com [ghost] | cluster-wide | ClusterRoleBinding/ghost-future-employee |
| cluster-admin | Group platform-admins | cluster-wide | ClusterRoleBinding/platform-admins-cluster-admin |

Recent role grants (13 total)

Newest non-baseline RBAC grants first.

| When | Role | Subject | Scope | Binding |
|---|---|---|---|---|
| 1y | read-secrets | Group engineers | payments-prod | RoleBinding/secret-readers |
| 1y | system:image-builder | ServiceAccount builder (ci) | shared-images | RoleBinding/ci-builder-pushes-shared |
| 1y | system:image-puller | ServiceAccount default (mine-platform) | shared-images | RoleBinding/mine-pulls-shared |
| 1y | system:openshift:scc:anyuid | ServiceAccount builder (mine-platform) | mine-platform | RoleBinding/mine-builder-use-anyuid |
| 1y | edit | ServiceAccount builder (ci) | mine-platform | RoleBinding/ci-builder-deploy-mine |
| 1y | deployment-restarter | User manual-approver [No ID] | mine-platform | RoleBinding/manual-approver-restarter |
| 1y | config-reader | User alice [htpasswd-backed] | mine-platform | RoleBinding/alice-config-reader |
| 1y | admin | Group engineers | mine-platform | RoleBinding/admin-rb-copy |
| 1y | admin | Group engineers | mine-platform | RoleBinding/admin-rb |
| 1y | cluster-admin | ServiceAccount runner (legacy-pipelines) [ghost] | cluster-wide | ClusterRoleBinding/legacy-runner-admin |
| 1y | cluster-admin | ServiceAccount pipeline (ci) [ghost] | cluster-wide | ClusterRoleBinding/ci-pipeline-clusteradmin |
| 1y | admin | User future-hire@company.com [ghost] | cluster-wide | ClusterRoleBinding/ghost-future-employee |
| 1y | cluster-admin | Group platform-admins | cluster-wide | ClusterRoleBinding/platform-admins-cluster-admin |

Duplicate bindings (1)

Different binding names with the same role and subjects.

| Role | Subjects | Bindings |
|---|---|---|
| admin | Group engineers | admin-rb, admin-rb-copy (2) |

Identity providers

| Name | Type | Mapping | Backing config |
|---|---|---|---|
| dev | HTPasswd | claim | Secret/htpasswd-secret |