Static mock demo. This page uses a small bundled sample dataset. It does not connect to a cluster, run oc, or read local credentials.

ServiceAccount runner in legacy-pipelines ghost

This ServiceAccount object is absent, but the principal system:serviceaccount:legacy-pipelines:runner is still referenced by at least one surviving grant (RBAC or SCC). Recreating the ServiceAccount with the same name reactivates whatever role or SCC the grant points to. If the namespace itself is also absent, recreating both does the same in a single shell session.

Pods (0)

No pods running as this ServiceAccount.

Jobs running as this ServiceAccount (0)

None.

CronJobs running as this ServiceAccount (0)

None.

Surviving grants for this absent ServiceAccount

The ServiceAccount object is gone, but these grants still address its principal. Recreating the SA with the same name reactivates them.

Severity	Kind / Name	Role	Via
critical	ClusterRoleBindinglegacy-runner-admin	cluster-admin	RBAC
critical	SCCprivileged	privileged	SCC user list

Bindings referencing this ServiceAccount

Every binding whose subject list names this SA — split by scope.

RoleBindings in `legacy-pipelines` (0)

None.

RoleBindings in other namespaces (0)

None.

ClusterRoleBindings (1)

Binding	Role
ClusterRoleBinding/legacy-runner-admin	cluster-admin cluster-admin

Direct SCC eligibility (2)

SCCs this ServiceAccount can use because its principal is listed directly in scc.users, or because scc.groups includes a group the principal belongs to (system:authenticated, system:serviceaccounts, or system:serviceaccounts:legacy-pipelines). This is not the full effective SCC set — RBAC use grants on securitycontextconstraints objects also admit pods, and those are listed on each SCC's detail page under Potential subjects.

SCC	Priority	Granted via	Privileged
privileged	10	user system:serviceaccount:legacy-pipelines:runner	yes
restricted-v2	—	group system:authenticated	no

Reach

Where this subject's permissions land. Cluster-wide grants reach every namespace; namespace-scoped grants are listed individually.

Cluster-wide (1)

Role	Via	Binding
cluster-admin	direct	ClusterRoleBinding/legacy-runner-admin

Effective permissions (1 path)

Each path is one (role, scope, group-membership) combination. Click Show rules to see the underlying API rules.

Cluster-wide * wildcard 1 rule

ServiceAccount runner legacy-pipelines

bound by

ClusterRoleBinding legacy-runner-admin

grants

ClusterRole cluster-admin privileged

Verbs: * Resources: * API groups: *

API group	Resources	Verbs
*	*	*

ServiceAccount runner in legacy-pipelines ghost

Pods (0)

Jobs running as this ServiceAccount (0)

CronJobs running as this ServiceAccount (0)

Surviving grants for this absent ServiceAccount

Bindings referencing this ServiceAccount

RoleBindings in legacy-pipelines (0)

RoleBindings in other namespaces (0)

ClusterRoleBindings (1)

Direct SCC eligibility (2)

Reach

Cluster-wide (1)

Effective permissions (1 path)

RoleBindings in `legacy-pipelines` (0)