diff --git a/pkg/resmap/resmap.go b/pkg/resmap/resmap.go
index 58e552137..c2aab9a2f 100644
--- a/pkg/resmap/resmap.go
+++ b/pkg/resmap/resmap.go
@@ -530,7 +530,20 @@ func (m *resWrangler) SubsetThatCouldBeReferencedByResource(
 	inputRes *resource.Resource) ResMap {
 	inputId := inputRes.OrgId()
 	if !inputId.IsNamespaceableKind() {
-		return m
+		if inputRes.GetOutermostNamePrefix() == "" {
+			return m
+		}
+		result := New()
+		for _, r := range m.Resources() {
+			if r.GetOutermostNamePrefix() == inputRes.GetOutermostNamePrefix() &&
+				r.GetOutermostNameSuffix() == inputRes.GetOutermostNameSuffix() {
+				err := result.Append(r)
+				if err != nil {
+					panic(err)
+				}
+			}
+		}
+		return result
 	}
 	result := New()
 	for _, r := range m.Resources() {
diff --git a/pkg/target/resourceconflict_test.go b/pkg/target/resourceconflict_test.go
index 0f1f8108c..676eab44c 100644
--- a/pkg/target/resourceconflict_test.go
+++ b/pkg/target/resourceconflict_test.go
@@ -15,6 +15,7 @@ func writeBase(th *kusttest_test.KustTestHarness) {
 resources:
 - serviceaccount.yaml
 - rolebinding.yaml
+- clusterrolebinding.yaml
 namePrefix: pfx-
 nameSuffix: -sfx
 `)
@@ -34,6 +35,19 @@ roleRef:
   kind: Role
   name: role
 subjects:
+- kind: ServiceAccount
+  name: serviceaccount
+`)
+	th.WriteF("/app/base/clusterrolebinding.yaml", `
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: role
+subjects:
 - kind: ServiceAccount
   name: serviceaccount
 `)
@@ -86,6 +100,18 @@ roleRef:
   kind: Role
   name: role
 subjects:
+- kind: ServiceAccount
+  name: pfx-serviceaccount-sfx
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: pfx-rolebinding-sfx
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: role
+subjects:
 - kind: ServiceAccount
   name: pfx-serviceaccount-sfx
 `)
@@ -114,6 +140,18 @@ roleRef:
   kind: Role
   name: role
 subjects:
+- kind: ServiceAccount
+  name: a-pfx-serviceaccount-sfx-suffixA
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: a-pfx-rolebinding-sfx-suffixA
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: role
+subjects:
 - kind: ServiceAccount
   name: a-pfx-serviceaccount-sfx-suffixA
 `)
@@ -142,6 +180,18 @@ roleRef:
   kind: Role
   name: role
 subjects:
+- kind: ServiceAccount
+  name: b-pfx-serviceaccount-sfx-suffixB
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: b-pfx-rolebinding-sfx-suffixB
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: role
+subjects:
 - kind: ServiceAccount
   name: b-pfx-serviceaccount-sfx-suffixB
 `)
@@ -174,6 +224,18 @@ subjects:
 - kind: ServiceAccount
   name: a-pfx-serviceaccount-sfx-suffixA
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: a-pfx-rolebinding-sfx-suffixA
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: role
+subjects:
+- kind: ServiceAccount
+  name: a-pfx-serviceaccount-sfx-suffixA
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -188,6 +250,18 @@ roleRef:
   kind: Role
   name: role
 subjects:
+- kind: ServiceAccount
+  name: b-pfx-serviceaccount-sfx-suffixB
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: b-pfx-rolebinding-sfx-suffixB
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: role
+subjects:
 - kind: ServiceAccount
   name: b-pfx-serviceaccount-sfx-suffixB
 `)