Lineage
read-only · v1.0
static mock demo — no cluster connection, no oc, no credentials
Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.
Privileged ClusterRoles Roles Role grants Cross-namespace Who can Aggregated

Resurrectable ServiceAccount identities (2)

Critical / high-severity grants whose subject ServiceAccount is gone but the binding is not. Recreating the SA name reactivates the privilege. All severities →

PrincipalSeverityCreatedNamespace stateSurviving grants
system:serviceaccount:legacy-pipelines:runner resurrectable cluster-admin privileged SCC critical 1y ns deleted recreate ns + SA reactivates
ClusterRoleBindinglegacy-runner-admin → cluster-admin (RBAC)
SCCprivileged → privileged (SCC user list)
system:serviceaccount:ci:pipeline resurrectable cluster-admin critical 1y ns present SA missing
ClusterRoleBindingci-pipeline-clusteradmin → cluster-admin (RBAC)
SCCanyuid → anyuid (SCC user list)

Role grants

Every role bound to a non-baseline subject — users, groups, your service accounts. Newest first. The audit view of what was granted to whom, when.

All roles admin cluster-admin config-reader deployment-restarter edit read-secrets system:image-builder system:image-puller system:openshift:scc:anyuid

13 grants

CreatedRoleTierSubjectScopeBinding
1y read-secrets (Role) custom Group engineers payments-prod RoleBinding/secret-readers
1y system:image-builder (ClusterRole) custom ServiceAccount builder (ci) shared-images RoleBinding/ci-builder-pushes-shared
1y system:image-puller (ClusterRole) custom ServiceAccount default (mine-platform) shared-images RoleBinding/mine-pulls-shared
1y system:openshift:scc:anyuid (ClusterRole) admin ServiceAccount builder (mine-platform) mine-platform RoleBinding/mine-builder-use-anyuid
1y edit (ClusterRole) edit ServiceAccount builder (ci) mine-platform RoleBinding/ci-builder-deploy-mine
1y deployment-restarter (Role) custom User manual-approver No ID mine-platform RoleBinding/manual-approver-restarter
1y config-reader (Role) custom User alice htpasswd-backed mine-platform RoleBinding/alice-config-reader
1y admin (ClusterRole) admin Group engineers mine-platform RoleBinding/admin-rb-copy
1y admin (ClusterRole) admin Group engineers mine-platform RoleBinding/admin-rb
1y cluster-admin (ClusterRole) admin++ ServiceAccount runner (legacy-pipelines) ghost cluster-wide ClusterRoleBinding/legacy-runner-admin
1y cluster-admin (ClusterRole) admin++ ServiceAccount pipeline (ci) ghost cluster-wide ClusterRoleBinding/ci-pipeline-clusteradmin
1y admin (ClusterRole) admin User future-hire@company.com ghost cluster-wide ClusterRoleBinding/ghost-future-employee
1y cluster-admin (ClusterRole) admin++ Group platform-admins cluster-wide ClusterRoleBinding/platform-admins-cluster-admin