Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

Privileged ClusterRoles Roles Role grants Cross-namespace Who can Aggregated

Resurrectable ServiceAccount identities (2)

Critical / high-severity grants — RBAC bindings or SCC user lists — addressed at system:serviceaccount:<ns>:<name> for which the SA is gone. Recreating the name reactivates the privilege. All severities →

Principal	Severity	Created	Namespace state	Surviving grants
system:serviceaccount:legacy-pipelines:runner resurrectable cluster-admin privileged SCC	critical	1y	ns deleted recreate ns + SA reactivates	ClusterRoleBindinglegacy-runner-admin → cluster-admin (RBAC) SCCprivileged → privileged (SCC user list)
system:serviceaccount:ci:pipeline resurrectable cluster-admin	critical	1y	ns present SA missing	ClusterRoleBindingci-pipeline-clusteradmin → cluster-admin (RBAC) SCCanyuid → anyuid (SCC user list)

Privileged subjects

Subjects bound to a privileged ClusterRole (cluster-admin, admin, system:masters) or a high-risk SCC use grant. Missing subjects here deserve review because the grant can become usable if the subject is later created or recreated.

7 bindings

Role	Subject	Binding	Scope	Created
system:openshift:scc:anyuid	ServiceAccount builder (mine-platform)	RoleBinding/mine-builder-use-anyuid	mine-platform	1y
admin	Group engineers	RoleBinding/admin-rb-copy	mine-platform	1y
admin	Group engineers	RoleBinding/admin-rb	mine-platform	1y
cluster-admin	ServiceAccount runner (legacy-pipelines) ghost	ClusterRoleBinding/legacy-runner-admin	cluster-wide	1y
cluster-admin	ServiceAccount pipeline (ci) ghost	ClusterRoleBinding/ci-pipeline-clusteradmin	cluster-wide	1y
admin	User future-hire@company.com ghost	ClusterRoleBinding/ghost-future-employee	cluster-wide	1y
cluster-admin	Group platform-admins	ClusterRoleBinding/platform-admins-cluster-admin	cluster-wide	1y