Lineage
read-only · v1.0
static mock demo — no cluster connection, no oc, no credentials
Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

Resurrectable ServiceAccount identities (2)

Critical / high-severity grants whose subject ServiceAccount is gone but the binding is not. Recreating the SA name reactivates the privilege.

| Principal | Severity | Created | Namespace state | Surviving grants |
| --- | --- | --- | --- | --- |
| system:serviceaccount:legacy-pipelines:runner (resurrectable, cluster-admin, privileged SCC) | critical | 1y | ns deleted; recreate ns + SA reactivates | ClusterRoleBinding legacy-runner-admin → cluster-admin (RBAC); SCC privileged → privileged (SCC user list) |
| system:serviceaccount:ci:pipeline (resurrectable, cluster-admin) | critical | 1y | ns present; SA missing | ClusterRoleBinding ci-pipeline-clusteradmin → cluster-admin (RBAC); SCC anyuid → anyuid (SCC user list) |

Role grants

Every role bound to a non-baseline subject — users, groups, your service accounts. Newest first. The audit view of what was granted to whom, when.

1 grant

| Created | Role | Tier | Subject | Scope | Binding |
| --- | --- | --- | --- | --- | --- |
| 1y | system:image-builder (ClusterRole) | custom | ServiceAccount builder (ci) | shared-images | RoleBinding/ci-builder-pushes-shared |