v1.0.0

@github-actions github-actions released this 04 May 20:40
· 80 commits to main since this release

Periscope v1.0.0 — first stable release

A multi-cluster Kubernetes console with no static AWS credentials:
keyless on EKS via Pod Identity / IRSA, anywhere via the
periscope-agent tunnel. OIDC user identity, per-user K8s
impersonation, structured audit log. Apache 2.0, no telemetry.

Highlights

  • Multi-cluster, one-command onboarding. Install periscope-agent
    on the managed cluster (one helm install); it dials out to the
    central server over a long-lived mTLS-pinned WebSocket, registers
    itself, and the operator's fleet view picks it up. Works on EKS /
    GKE / AKS / on-prem k3s / kind — anything with outbound HTTPS. No
    IAM trust per cluster, no inbound network access needed.
  • Pod exec on every backend. WS / SPDY upgrade flows transparently
    through the agent tunnel via a loopback HTTP CONNECT proxy that
    works around client-go's hard-coded transport behaviour. See
    RFC 0004 for the design and the two production bugs validation
    surfaced.
  • OIDC user identity, per-user impersonation. Every K8s call
    carries the human user's Impersonate-User / Impersonate-Group
    headers. The audit log shows alice@corp, never periscope-bot.
    Auth0 and Okta tested; three authorization modes (shared, tier,
    raw).
  • First-class audit log. SQLite-backed (with in-app /audit
    page), also streamed to stdout for SIEM. Every privileged action
    audited before-and-after, so denied / errored actions still leave
    a row.
  • Live everything. 21+ resource list pages stream over SSE with
    Last-Event-ID resume; per-user concurrency caps protect
    apiserver watch budgets.
  • Apply-as-code. Inline Monaco YAML editor with schema-aware
    autocomplete, Server-Side Apply, field-ownership glyphs, drift
    detection while editing.

Install

Server (central cluster)

helm install periscope \
  oci://ghcr.io/gnana997/charts/periscope \
  --version 1.0.0 \
  --namespace periscope --create-namespace \
  --values my-values.yaml

See docs/setup/deploy.md for the full prerequisites + OIDC wiring.

Agent (per managed cluster, optional)

helm install periscope-agent \
  oci://ghcr.io/gnana997/charts/periscope-agent \
  --version 1.0.0 \
  --namespace periscope --create-namespace \
  --set agent.serverURL=wss://agents.example.com:8443/api/agents/connect \
  --set agent.clusterName=prod-eu-west-1 \
  --set agent.registrationToken=<paste-from-spa>

Walkthrough: docs/setup/agent-onboarding.md.

Container image

docker pull ghcr.io/gnana997/periscope:v1.0.0

Multi-arch (linux/amd64, linux/arm64). Distroless static base, non-root UID 65532, read-only root filesystem.

Supply-chain verification

cosign verify ghcr.io/gnana997/periscope:v1.0.0 \
  --certificate-identity-regexp "https://github.com/gnana997/periscope" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Both the image and the chart are cosign-signed (keyless via Sigstore). SPDX SBOM attached to the image.
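
cosign applies --certificate-identity-regexp as a regular-expression search over the certificate identity, so how tightly the pattern is anchored decides which signer identities pass. The sketch below is an added example, not code from the Periscope project or from cosign; the sample identities are constructed, and the workflow file name and the anchored pattern are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Identity holds the two certificate fields the cosign flags constrain.
type Identity struct {
	Issuer string // OIDC issuer recorded in the signing certificate
	SAN    string // certificate identity (workflow URI for GitHub Actions)
}

const (
	ghIssuer      = "https://token.actions.githubusercontent.com"
	loosePattern  = `https://github.com/gnana997/periscope`    // pattern from the command above
	strictPattern = `^https://github\.com/gnana997/periscope/` // assumption: anchored to the repo
)

// Constructed sample identities; release.yml is a hypothetical workflow name.
var samples = []Identity{
	{ghIssuer, "https://github.com/gnana997/periscope/.github/workflows/release.yml@refs/tags/v1.0.0"},
	{ghIssuer, "https://github.com/gnana997/periscope-fork/.github/workflows/release.yml@refs/tags/v1.0.0"},
	{"https://accounts.example.com", "https://github.com/gnana997/periscope/.github/workflows/release.yml@refs/tags/v1.0.0"},
}

// Accepts models the check: exact issuer match, then a regexp search
// (not a full-string match) over the identity.
func Accepts(issuer, pattern string, id Identity) bool {
	return id.Issuer == issuer && regexp.MustCompile(pattern).MatchString(id.SAN)
}

// Audit returns the sample identities a given pattern would let through.
func Audit(pattern string) []string {
	var ok []string
	for _, id := range samples {
		if Accepts(ghIssuer, pattern, id) {
			ok = append(ok, id.SAN)
		}
	}
	return ok
}

func main() {
	for _, p := range []string{loosePattern, strictPattern} {
		fmt.Printf("%-45s accepts %d of %d\n", p, len(Audit(p)), len(samples))
		for _, san := range Audit(p) {
			fmt.Println("   ", san)
		}
	}
}
```

The unanchored pattern also accepts a repository whose name merely begins with periscope; anchoring with ^ and a trailing / limits the match to workflows in gnana997/periscope itself.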

Documentation

Full v1.0.0 entry in CHANGELOG.md.

What's not in v1.0 (post-1.0 work)

  • HA / multi-replica with peer routing (single-replica only today)
  • Helm release write paths (rollback / upgrade / install)
  • Federated search across clusters (#62 — feedback-gated)
  • Agent cert auto-rotation (operators re-register manually for now)

Thanks

To everyone who tested the RCs, filed issues, and helped harden the agent-tunnel + exec path.


Full Changelog: v1.0.0-rc12...v1.0.0