User manual-approver No ID
Reach
Where this subject's permissions land. Cluster-wide grants reach every namespace; namespace-scoped grants are listed individually. Grants that come from auto-membership virtual groups (system:authenticated, system:authenticated:oauth, system:serviceaccounts, system:serviceaccounts:<ns>) are folded into the collapsible blocks below — they apply to every authenticated principal on the cluster, not to this subject specifically.
Cluster-wide via system virtual groups (1) — shared with every authenticated principal
| Role | Via | Binding |
|---|---|---|
| view | Group/system:authenticated:oauth | ClusterRoleBinding/oauth-users-self-review |
Per-namespace (1 namespace)
| Namespace | Role | Via | Binding |
|---|---|---|---|
| mine-platform | deployment-restarter | direct | RoleBinding/manual-approver-restarter |
Effective permissions (2 paths)
Each path is one (role, scope, group-membership) combination. 1 additional path via auto-membership virtual groups (system:authenticated et al.) is collapsed below — they grant the same access to every authenticated principal.
Namespace: mine-platform
User manual-approver, bound by RoleBinding manual-approver-restarter, grants Role deployment-restarter
| API group | Resources | Verbs |
|---|---|---|
| apps | deployments | get, patch |
Paths via system virtual groups (1) — shared with every authenticated principal
Cluster-wide
User manual-approver, member of Group/system:authenticated:oauth, bound by ClusterRoleBinding oauth-users-self-review, grants ClusterRole view
| API group | Resources | Verbs |
|---|---|---|
| core | pods, services | get, list, watch |