01
keyless
no aws_access_key_id. uses pod identity / irsa.
values.yaml
podIdentity:
enabled: trueone dashboard.
every
cluster.
keyless on aws via pod identity, anywhere via the periscope-agent. oidc identity, per-user impersonation, audit-trail-clean.
eks 1.27+ keyless · agent works on any k8s · oidc 1.0 · k8s rbac
periscope · alice@corp
prod-eu-west-1·12 nodes
alice@corp · oidcworkloadspods
live6 running
| name | ready | status | age |
|---|---|---|---|
| payments / checkout-7f9 | 1/1 | Running | 3d |
| payments / checkout-8a2 | 1/1 | Running | 3d |
| periscope / audit-6c1 | 1/1 | Running | 17h |
| frontend / web-5d4b | 1/1 | Running | 2d |
| backend / api-2b8e | 2/2 | Running | 8h |
| backend / worker-9c3 | 1/1 | Running | 8h |
6 pods · 0 not readywatch · 30s
principles
02
multi-cluster
one app, every cluster. eks, gke, aks, on-prem k3s. agent dials out, no inbound network.
values.yaml
clusters:
- name: prod-eu
backend: agent03
audited
every action signed by the human who made it. searchable, time-filterable, sqlite-backed.
audit row
actor: alice@corp
verb: apply → ok04
open
apache-2.0. self-host in five minutes. no telemetry.
license
apache-2.0 · no telemetrythe dashboard
who did what,
signed by them.
every action is signed by the human who made it. the audit log is a first-class view in the app — searchable, time-filtered, with denials and failures called out.
- actor column always populated — never
periscope-bot - outcome glyphs: ● ok · ▲ failure · ✕ denied
- density strip surfaces the bad columns at a glance
- retained in sqlite, time-filterable, retention-bounded
periscope · alice@corp
prod-eu-west-1 / history
audit log
scope: alllast 1h
actor:*verb:*outcome:denied|failurens:payments142 events · refreshed 3s ago
density142 events · peak 3/bucket
1h agonow
- ●22:14:09alice@corpapplypayments / pods/checkout-7f9ok
- ●22:13:54alice@corpexec_openperiscope / pods/audit-6c1ok
- ✕22:11:22bob@corpsecret_revealpayments / secrets/db-creds↳ rbac: secrets.read denieddenied
- ●22:09:01alice@corplog_openpayments / pods/checkout-8a2ok
- ●22:02:38ci-botapplyfrontend / deployments/webok
- ▲21:58:11bob@corpdeleteops / cronjobs/nightly↳ conflict: resourceVersion mismatchfailure
showing 1–6 of 142
←page 1 / 24→
auth flow
identity carries through. nothing is shared.
01user
browseralice@corp02idp
okta / auth0id_token (oidc)03mid-tier
periscopeimpersonate user04k8s
eks apiaudit: alice@corpperiscope receives an id_tokenfrom your idp, assumes the user's identity via k8s.io/v1 Impersonate headers, and lets the apiserver enforce rbac. the audit row says alice@corp, never periscope-bot.
install
five minutes. no credentials.
- 01 pick a control cluster — eks 1.27+ with a pod identity association, or any cluster running periscope as its own in-cluster service account. periscope reads from that identity; no static aws keys, no shared kubeconfig.
- 02 on that cluster, run the helm install below to bring up the server, dashboards, and audit log. wire oidc and ingress next via the deployment guide.
- 01 in periscope, open the fleet page and click + onboard cluster. type a cluster name (e.g.
prod-eu), copy the bootstrap token the modal shows you. the token is single-use and expires in 15 minutes. - 02 on the managed cluster, paste the token into the helm install below and run it:
helm install periscope \
oci://ghcr.io/gnana997/charts/periscope \
--version 1.0.0-rc9 \
--namespace periscope --create-namespacehelm install periscope-agent \
oci://ghcr.io/gnana997/charts/periscope-agent \
--version 1.0.0-rc9 \
--namespace periscope --create-namespace \
--set agent.serverURL=wss://agents.periscope.example.com:8443/api/agents/connect \
--set agent.clusterName=prod-eu \
--set agent.registrationToken=<paste-token-from-ui>install on the central cluster — needs eks 1.27+ with pod identity association, or any cluster with the in-cluster service account. see the deployment guide for oidc, rbac, and ingress wiring. then click the agent tab above to add managed clusters.
run on every cluster you want in the fleet — eks, gke, aks, on-prem k3s, anything with outbound https. set agent.clusterName to the same name you typed in the onboard modal so the tunnel registers under that identity. full walkthrough including the three deployment topologies (single lb, alb+nlb split, self-signed) lives in the agent onboarding guide.
community
built in the open. self-host it. fork it.
early days. apache-2.0, no telemetry, no paid tier. issues, prs, and rfcs all happen on github.
stars2forks3contributors5latestv1.0.0-rc9todaygood first issues5open since2026-05