Lineage
read-only · v1.0
Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

Resurrectable ServiceAccount identities (2)

Critical and high-severity grants (RBAC bindings or SCC user lists) addressed to system:serviceaccount:<ns>:<name> where the ServiceAccount no longer exists. Recreating the name reactivates the privilege.

| Principal | Severity | Created | Namespace state | Surviving grants |
| --- | --- | --- | --- | --- |
| system:serviceaccount:legacy-pipelines:runner (resurrectable; cluster-admin; privileged SCC) | critical | 1y | ns deleted (recreate ns + SA reactivates) | ClusterRoleBinding legacy-runner-admin → cluster-admin (RBAC); SCC privileged → privileged (SCC user list) |
| system:serviceaccount:ci:pipeline (resurrectable; cluster-admin) | critical | 1y | ns present, SA missing | ClusterRoleBinding ci-pipeline-clusteradmin → cluster-admin (RBAC); SCC anyuid → anyuid (SCC user list) |

Privileged subjects

Subjects bound to a privileged ClusterRole (cluster-admin, admin, system:masters) or a high-risk SCC use grant. Missing subjects here deserve review because the grant can become usable if the subject is later created or recreated.

1 binding

| Role | Subject | Binding | Scope | Created |
| --- | --- | --- | --- | --- |
| cluster-admin | Group system:masters | ClusterRoleBinding/cluster-admin | cluster-wide | 1y |