Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

Namespace legacy-pipelines deleted unclassified

Namespace object is absent. This page is reachable because at least one cluster-scoped grant still references a ServiceAccount principal in legacy-pipelines. Recreating the namespace and the named SA reactivates the grants below.

Resurrectable ServiceAccount identities here (1)

Surviving cluster-scoped grants address an SA name in this namespace even though the SA object is gone.

Severity	Principal	Surviving grants
critical	runner resurrectable	ClusterRoleBindinglegacy-runner-admin → cluster-admin (RBAC) SCCprivileged → privileged (SCC user list)

Why this category — 0 signals

No rule matched this namespace, so it is unclassified. To flag it differently, append a custom rule to SIGNAL_RULES in lineage/classifier.py.

ServiceAccounts (0)

None.

Pods (0)

No pods running.

ServiceAccounts from this namespace used elsewhere

Bindings outside legacy-pipelines that grant access to SAs that live here.

Via RoleBindings in other namespaces (0)

None.

Via ClusterRoleBindings (1)

ServiceAccount	Binding	Role
runner	ClusterRoleBinding/legacy-runner-admin	cluster-admin cluster-admin

RoleBindings (0)

None.

Subjects with access here (7)

Subjects with namespace-effective access here — local RoleBindings, cluster-wide bindings with namespaced resource rules, cross-namespace SAs, groups, and system grants — in one table. Sorted by power so cluster-admin grants surface first. Filter by access bucket or subject kind.

All kinds 7 Users 2 Groups 3 ServiceAccounts 2

2 rows shown · 7 total

Subject	Role	Scope	Binding	Source
User alice htpasswd-backed	cluster-admin	cluster	ClusterRoleBinding/platform-admins-cluster-admin	ClusterRoleBinding
User future-hire@company.com ghost	admin	cluster	ClusterRoleBinding/ghost-future-employee	ClusterRoleBinding