Periscope v1.0.0 — first stable release
A multi-cluster Kubernetes console with no static AWS credentials:
keyless on EKS via Pod Identity / IRSA, anywhere via the
periscope-agent tunnel. OIDC user identity, per-user K8s
impersonation, structured audit log. Apache 2.0, no telemetry.
Highlights
- Multi-cluster, one-command onboarding. Install periscope-agent on the
managed cluster (one helm install); it dials out to the central server
over a long-lived mTLS-pinned WebSocket, registers itself, and the
operator's fleet view picks it up. Works on EKS / GKE / AKS / on-prem
k3s / kind — anything with outbound HTTPS. No IAM trust per cluster, no
inbound network access needed.
- Pod exec on every backend. WS / SPDY upgrade flows transparently
through the agent tunnel via a loopback HTTP CONNECT proxy that
works around client-go's hard-coded transport behaviour. See RFC 0004
for the design and the two production bugs validation surfaced.
- OIDC user identity, per-user impersonation. Every K8s call carries
the human user's Impersonate-User / Impersonate-Group headers. The
audit log shows alice@corp, never periscope-bot.
Auth0 and Okta tested; three authorization modes (shared, tier,
raw).
- First-class audit log. SQLite-backed (with an in-app /audit page),
also streamed to stdout for SIEM. Every privileged action is audited
before and after, so denied / errored actions still leave a row.
- Live everything. 21+ resource list pages stream over SSE with
Last-Event-ID resume; per-user concurrency caps protect
apiserver watch budgets.
- Apply-as-code. Inline Monaco YAML editor with schema-aware
autocomplete, Server-Side Apply, field-ownership glyphs, drift
detection while editing.
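The per-user impersonation highlight above, sketched as an added example (not Periscope's own code): a function that stamps Impersonate-User / Impersonate-Group from a verified identity and discards any Impersonate-* header the client supplied. The Identity type, the context key and the kube.invalid URL are assumptions made for the illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Identity holds claims from an already-verified OIDC token (hypothetical type).
type Identity struct {
	User   string
	Groups []string
}

type identityKey struct{} // context key under which the login layer stores Identity

// Impersonate returns a copy of req that carries only server-derived
// impersonation headers; a proxy would call it before forwarding to the API server.
func Impersonate(req *http.Request) (*http.Request, error) {
	id, ok := req.Context().Value(identityKey{}).(Identity)
	if !ok || id.User == "" { // fail closed: never act as the console's own identity
		return nil, errors.New("no authenticated user on request")
	}
	out := req.Clone(req.Context())
	for name := range out.Header { // drop any Impersonate-* header the client sent
		if strings.HasPrefix(http.CanonicalHeaderKey(name), "Impersonate-") {
			delete(out.Header, name)
		}
	}
	out.Header.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		out.Header.Add("Impersonate-Group", g)
	}
	return out, nil
}

func main() {
	id := Identity{User: "alice@corp", Groups: []string{"sre"}} // constructed sample
	ctx := context.WithValue(context.Background(), identityKey{}, id)
	req, _ := http.NewRequestWithContext(ctx, "GET", "https://kube.invalid/api/v1/pods", nil)
	req.Header.Set("Impersonate-User", "bob@corp") // constructed spoof attempt
	out, err := Impersonate(req)
	fmt.Println(out.Header, err)
}
```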
Install
Server (central cluster)
helm install periscope \
oci://ghcr.io/gnana997/charts/periscope \
--version 1.0.0 \
--namespace periscope --create-namespace \
--values my-values.yaml
See docs/setup/deploy.md for the full prerequisites + OIDC wiring.
Agent (per managed cluster, optional)
helm install periscope-agent \
oci://ghcr.io/gnana997/charts/periscope-agent \
--version 1.0.0 \
--namespace periscope --create-namespace \
--set agent.serverURL=wss://agents.example.com:8443/api/agents/connect \
--set agent.clusterName=prod-eu-west-1 \
--set agent.registrationToken=<paste-from-spa>
Walkthrough: docs/setup/agent-onboarding.md.
Container image
docker pull ghcr.io/gnana997/periscope:v1.0.0
Multi-arch (linux/amd64, linux/arm64). Distroless static base, non-root UID 65532, read-only root filesystem.
Supply-chain verification
cosign verify ghcr.io/gnana997/periscope:v1.0.0 \
--certificate-identity-regexp '^https://github\.com/gnana997/periscope/' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
Both the image and the chart are cosign-signed (keyless via Sigstore). SPDX SBOM attached to the image. The identity pattern is anchored to this repository's path because cosign applies it as an unanchored regular expression.
Documentation
Full v1.0.0 entry in CHANGELOG.md.
What's not in v1.0 (post-1.0 work)
- HA / multi-replica with peer routing (single-replica only today)
- Helm release write paths (rollback / upgrade / install)
- Federated search across clusters (#62 — feedback-gated)
- Agent cert auto-rotation (operators re-register manually for now)
Thanks
To everyone who tested the RCs, filed issues, and helped harden the agent-tunnel + exec path.
Full Changelog: https://github.com/gnana997/periscope/compare/v1.0.0-rc12...v1.0.0