Lineage
read-only · v1.0
static mock demo — no cluster connection, no oc, no credentials
Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

ServiceAccount builder in ci

Pods (1)

PodPhaseSCCOwner
build-run-1 Running anyuid Job/build-run-1

Jobs running as this ServiceAccount (1)

NameOwnerCreated
build-run-1 CronJob/nightly-build 1y

CronJobs running as this ServiceAccount (1)

NameScheduleCreated
nightly-build 0 1 * * * 1y

Bindings referencing this ServiceAccount

Every binding whose subject list names this SA — split by scope.

RoleBindings in ci (0)

None.

RoleBindings in other namespaces (2)

NamespaceBindingRole
shared-images RoleBinding/ci-builder-pushes-shared system:image-builder
mine-platform RoleBinding/ci-builder-deploy-mine edit

ClusterRoleBindings (0)

None.

Images run by this ServiceAccount (1)

Distinct images across the SA's pods.

ImageRegistryContainers
quay.io/buildah/stable:v1.35 quay.io 1

Direct SCC eligibility (1)

SCCs this ServiceAccount can use because its principal is listed directly in scc.users, or because scc.groups includes a group the principal belongs to (system:authenticated, system:serviceaccounts, or system:serviceaccounts:ci). This is not the full effective SCC set — RBAC use grants on securitycontextconstraints objects also admit pods, and those are listed on each SCC's detail page under Potential subjects.

SCCPriorityGranted viaPrivileged
restricted-v2 group system:authenticated no

Reach

Where this subject's permissions land. Cluster-wide grants reach every namespace; namespace-scoped grants are listed individually.

Per-namespace (2 namespaces)

NamespaceRoleViaBinding
mine-platform edit direct RoleBinding/ci-builder-deploy-mine
shared-images system:image-builder direct RoleBinding/ci-builder-pushes-shared

Effective permissions (2 paths)

Each path is one (role, scope, group-membership) combination. Click Show rules to see the underlying API rules.

Namespace: mine-platform 2 rules
ServiceAccount builder ci
bound by
RoleBinding ci-builder-deploy-mine
grants
ClusterRole edit
Verbs: creategetlistpatchupdatewatch  Resources: configmapsdeploymentspodsservices  API groups: apps, core
API groupResourcesVerbs
apps deployments get, list, watch, create, update, patch
core pods, services, configmaps get, list, watch, create, update, patch
Namespace: shared-images 1 rule
ServiceAccount builder ci
bound by
RoleBinding ci-builder-pushes-shared
grants
ClusterRole system:image-builder
Verbs: getupdate  Resources: imagestreams/layers  API groups: image.openshift.io
API groupResourcesVerbs
image.openshift.io imagestreams/layers get, update