Skip to main content
Version: 1.3.0

Roadmap

This is a rough, non-binding plan for where KubeAtlas is going. Dates slip, scopes change, and external feedback frequently reshapes priorities. Treat this page as direction, not contract.

For the current state, see What is KubeAtlas.

Where we are

Phase 3 is complete. Three releases shipped: v1.1 (rule packs and plugins), v1.2 (offline rendering), and v1.3 (multi-cluster federation, platform-identity edges, and the cartography Web UI redesign). Install with helm install kubeatlas oci://ghcr.io/lithastra/charts/kubeatlas --version 1.3.0 — see the Quick Start.

PhaseStatusWhat it delivered
Phase 0 (Foundation)✅ DoneCLI binary, in-memory graph, 8 edge types, 16 watched resources, contract-tested store interface, contributor docs, CI gates. No API, no UI, no Helm Chart.
Phase 1 (MVP → v0.1.0)✅ ReleasedREST + WebSocket API, React/MUI Web UI with Cytoscape topology and Mermaid neighbour view, Helm Chart with secure defaults, Playwright E2E, multi-platform release. Available as oci://ghcr.io/lithastra/charts/kubeatlas:0.1.0.
Phase 2 (→ v1.0)✅ ReleasedTier 2 persistence (PostgreSQL + Apache AGE), Rego rule packs, RBAC graph, blast radius, orphan + cycle detection, /api/v1/* GA, cert-manager TLS, OpenShift detector + embedded pack, chaos test suite. Available as oci://ghcr.io/lithastra/charts/kubeatlas:1.0.0.
Phase 3 (→ v1.1 / v1.2 / v1.3)✅ ReleasedCloud rule packs, snapshots, search, plugins (v1.1). Offline kubectl atlas, graph-image export (v1.2). Multi-cluster federation, platform-identity edges, HPA support, GitHub Action, cartography Web UI redesign (v1.3).
Beyond Phase 3💭 SketchCloud-resource integration, third-party platform deep-dives, federation cross-cluster edge inference.

KubeAtlas overlaps with a few other projects in the Kubernetes observability / introspection space. The honest position is that the overlaps are partial — these tools answer adjacent questions, and most teams will end up running more than one. This section explains the deliberate scope choices.

vs. Karpor

Karpor is a Kubernetes search and insight platform from the KusionStack ecosystem. It overlaps with KubeAtlas only at the surface — both look at K8s objects and surface relationships — but the two projects make fundamentally different choices about who they're for and what they optimise.

KubeAtlas differs in three ways that matter:

  1. KubeAtlas is an independent tool. It isn't part of a larger platform, doesn't assume an ecosystem, and doesn't impose a workflow. You install it, point it at a cluster, get answers. Adoption costs nothing beyond the binary. Removal is the same helm uninstall. No long-term commitment to a vendor or stack.

  2. KubeAtlas focuses on dependency analysis — specifically, the first-glimpse problem an infrastructure engineer faces when handed an unfamiliar cluster: "what's running here, and how is it wired together?" The answers are derived as a typed dependency graph (eight edge kinds today, more later) so questions like "if I delete this Secret, what breaks?" are one traversal, not a series of greps. Search is a side benefit; structure is the point.

  3. KubeAtlas is small, compact, and easy to onboard and extend. The default deploy is a single Pod with no external dependencies — no search backend, no message queue, no sidecars. Opt into Tier 2 persistence (PostgreSQL + Apache AGE via the embedded CloudNativePG sub-chart) when you're ready. Onboarding is helm install plus a port-forward. Extending the edge schema is either one Go file plus one test (see Adding a new edge type) or a Rego rule pack loaded at runtime from an OCI artifact — no rebuild required. The codebase is small enough that a contributor can read the full graph engine in an afternoon.

Karpor and KubeAtlas can coexist on the same cluster — they answer different questions. If you need cross-cluster search, indexing, and a centralized insight pipeline, Karpor is the right shape for that. If you need to understand a single cluster's structure right now with a tool you can install in five minutes and remove just as easily, KubeAtlas is the right shape for that.

Other tools you might evaluate alongside

A short list, with the question each is best at:

  • Headlamp / Lens — "Show me everything in this cluster, navigably." General-purpose K8s UIs. KubeAtlas ships its own UI for the graph; a Headlamp plugin (shipped in v1.1) lives in lithastra/kubeatlas-headlamp-plugin.
  • kubectl tree — "Show owner-reference children of this object." Kubectl plugin, single-edge-type, terminal-only. KubeAtlas covers the same ground via the OWNS edge plus seven others, with a server and UI on top.
  • Argo CD — Resource topology, but framed around an Application as the root. KubeAtlas roots are arbitrary; you don't need GitOps adoption.
  • Prometheus / Grafana / DataDog — Metric and event observability. Disjoint problem space.

If you have a tool that should be on this list, open a doc PR.

Phase 1 → v0.1.0 (released)

The first publicly-releasable build. Shipped on 2026-05-06. Install reference: see Quick Start. Release notes: github.com/lithastra/kubeatlas/releases/tag/v0.1.0.

Delivered scope:

  • REST APIGET /api/v1alpha1/graph at four levels (cluster / namespace / workload / resource), GET /resources/{ns}/{kind}/{name} for detail, GET /search, /healthz, /readyz, /metrics
  • WebSocket/api/v1alpha1/watch for live graph updates
  • Web UI — React 19 + TypeScript + MUI v5, technology-stack-aligned with Headlamp so a future Headlamp plugin (Phase 2) is a port rather than a rewrite
    • Cytoscape topology view (cluster / namespace / workload levels)
    • Mermaid neighbor view (single resource + one hop)
    • DataGrid resource list with namespace filter
  • Helm Chartoci://ghcr.io/lithastra/charts/kubeatlas with secure defaults baked in:
    • service.type: ClusterIP (no automatic LoadBalancer exposure)
    • Ingress disabled by default; enabling it requires explicit acknowledgeNoBuiltinAuth=true (schema-validated)
    • RBAC ClusterRole hard-coded to [get, list, watch] (KubeAtlas is read-only, always)
    • Pod runs as non-root with read-only root filesystem
  • Distribution — multi-arch container image (linux/amd64, linux/arm64) on ghcr.io/lithastra/kubeatlas, four-platform binaries via goreleaser, Helm Chart published as OCI artifact
  • Docs site — quick-start, installation guides per Ingress flavour, architecture, FAQ, this roadmap

Explicitly not in v0.1.0

So v0.1.0 shipped something usable instead of trying to ship everything:

  • ❌ Built-in authentication — operators provide it via the Ingress layer (oauth2-proxy / Pomerium / Cloudflare Access; example values shipped)
  • ❌ Persistence — Tier 1 in-memory only; restart loses graph state
  • ❌ Multi-cluster — one kubeconfig per KubeAtlas instance
  • ❌ Custom edge types — the eight built-in edges were it for v0.1.0
  • ❌ Dynamic CRD discovery — the 16 watched GVRs were hard-coded
  • ❌ RBAC graph and NetworkPolicy graph
  • ❌ Historical snapshots / diff
  • ❌ Dark mode
  • ❌ Headlamp plugin

The first seven shipped in v1.0; the Headlamp plugin shipped in v1.1.

Phase 2 → v1.0 (released)

The "make it suitable for production observability" cycle. Shipped scope:

ThemeWhat landed
PersistenceTier 2 storage on PostgreSQL ≥ 14 with the Apache AGE extension. Opt-in via persistence.enabled=true; the embedded mode (persistence.embedded.enabled=true) ships CloudNativePG as a sub-chart. Restart now preserves the graph; informer cold-start drops to ~4 s reading the persisted state.
ExtensibilityRego rule packs — declare CRD edges in Rego, no rebuild. Packs are OCI-distributed and signed. Embedded OpenShift pack auto-loads when route.openshift.io is detected; extras load via rulePacks.extras. Dynamic CRD discovery is built in — KubeAtlas walks the cluster's CRDs and registers per-CRD informers at runtime.
More edge kindsRBAC graphBINDS_SUBJECT and BINDS_ROLE edges plus three new endpoints (/api/v1/rbac/serviceaccount/<ns>/<name>/permissions, /api/v1/rbac/role/<ns>/<name>/subjects, /api/v1/rbac/clusterrole/<name>/subjects).
Impact radiusBlast radius/api/v1/blast-radius/<ns>/<kind>/<name> walks incoming edges and returns the affected set. Folded into the v1 resource-detail bundle as blastRadiusCount.
Orphans + cyclesDetection — two new endpoints for stale resources and Tarjan-detected SCCs.
API surface/api/v1/* GA endpoints, frozen /api/v1alpha1/* retained — see API versioning.
TLScert-manager Helm integration — selfsigned / letsencrypt-staging / letsencrypt-prod / custom.
OpenShiftAuto-detect + install path plus the weekly e2e-openshift-local (CRC) workflow.
Performance5K-resource perf bench + regression gate; recursive-CTE traversal so blast-radius p95 stays under 500 ms on a 7K-resource cluster.
Chaostest/chaos/ scenarios (pg-disconnect, rego-panic, rego-runaway, cert-manager-flap) gating the release.

Shipped in v1.1

These were in the original Phase 2 plan but moved out for the v1.0 cut and landed in v1.1:

  • Headlamp plugin (lithastra/kubeatlas-headlamp-plugin)
  • Historical snapshots / diff

Phase 3 → v1.1 / v1.2 / v1.3 (in progress)

Phase 3 widens KubeAtlas beyond a single cluster's core resources and reaches it from places besides the in-cluster UI. It ships in three releases.

v1.1 (released) — rule packs, snapshots, search, plugins

Shipped scope:

ThemeWhat landed
Cloud-platform rule packsOpt-in EKS / AKS / GKE add-on CRD packs in the sibling lithastra/kubeatlas-rules repo — AWS Load Balancer Controller, Karpenter, GKE Ingress, Multi-cluster Services, and more. Loaded via rulePacks.extras.
Historical snapshotsAn append-only resource-change event stream with GET /api/v1/snapshots/diff — "what changed in the last hour?" Tier 2; configured under snapshots.*.
Full-text searchRanked GET /api/v1/search over resource name, kind, namespace, and label values; indexed on Tier 2.
Label filteringlabel.<key>=<value> narrowing on the cluster / namespace views, plus a GET /api/v1/labels vocabulary endpoint.
NetworkPolicy edgesNetworkPolicy is first-class — the Pods a policy selects and the peers it allows.
Rule-pack signingKeyless Sigstore signature verification for OCI rule packs (rulePacks.verifySignature).
PluginsThe kubectl atlas plugin and a Headlamp plugin (separate repo).

v1.2 (released) — offline rendering and a self-contained plugin

KubeAtlas usable without a server in the cluster. Shipped scope:

  • Offline kubectl atlas — the plugin builds the dependency graph straight from the Kubernetes API and renders it locally: a static SVG by default, or an interactive in-process web UI with --local-ui. The plugin is self-contained — it no longer needs a separate kubeatlas binary.
  • Graph-image exportkubeatlas -once -format=svg and a GET /api/v1/export endpoint render cluster / namespace views as SVG or PNG.
  • Cluster selection — the CLI and the plugin honour the standard --context / --kubeconfig flags.
  • Rule-pack signature verification on by defaultrulePacks.verifySignature defaults to true; air-gapped installs must set it false explicitly.

v1.3 (released) — multi-cluster, platform identity, cartography UI

The final Phase 3 release. Stretching the graph across cluster boundaries and replacing the Headlamp-styled web shell with a purpose-built cartography UI:

  • Multi-cluster federation (F-201) — one KubeAtlas instance, N clusters. A new pkg/multicluster/ package, a ClusterID on the graph model, federation aggregator and /federation route group, and cluster-scoped WebSocket subscriptions. KUBEATLAS_MULTICLUSTER_KUBECONFIG_DIR points at a directory of per-cluster kubeconfigs (one file per cluster, filename = cluster ID). GET /api/v1/federation/{clusters,graph} is the read surface; the Web UI LeftClusterStrip is wired to it for cluster picking.
  • Platform-identity edges (F-209)BINDS_PLATFORM_IDENTITY from a ServiceAccount to a synthetic ExternalIdentity representing the cloud account it is bound to:
    • EKSeks.amazonaws.com/role-arn annotation.
    • AKSazure.workload.identity/client-id label.
    • GKEiam.gke.io/gcp-service-account annotation.
  • HorizontalPodAutoscaler support — new SCALES edge type from an HPA to whatever its spec.scaleTargetRef names (Deployment / StatefulSet / any /scale-bearing kind).
  • kubeatlas-action — a new repo lithastra/kubeatlas-action so KubeAtlas can run in GitHub Actions CI pipelines, rendering the dependency graph as an SVG artifact.
  • Cartography Web UI redesign — the whole web shell rebuilt around the "one graph, many modes" design:
    • 5 runtime-switchable themes (Parchment / Survey / Terrain / Ink / Slate) sharing one CSS-variable contract.
    • Persistent time axis with diff-mode anchor presets (1h / 4h / 24h / 7d) that highlight added / removed / modified resources on the canvas.
    • Blast-radius mode (BFS from selected node with depth + direction controls, canvas dim/brighten, hop-by-hop summary).
    • ⌘K command palette over /api/v1alpha1/search with matched nodes highlighted on the canvas.
    • Zoom-scale widget mapping cytoscape zoom × → L1–L4 bands.
    • Edge-type filter presets (All / RBAC / Network / Config / Storage) that fold a sub-graph into the canvas without route changes.
    • Left cluster strip wired to the federation cluster list with deterministic per-cluster chip colours.
  • v1.3 perf baseline — dual-tier (Tier 1 + Tier 2) on the 10K-resource stress fixture; multi-cluster merge bench and a cluster-disconnect chaos scenario.

v1.3.x follow-ups

Polish items that didn't gate v1.3.0:

  • Cluster picker → federation graph wiring — the LeftClusterStrip picks clusters today but the topology canvas still fetches /api/v1alpha1/graph. Routing the picked cluster through /api/v1/federation/graph?cluster=… and per-cluster chip-colour stripes on each node is the next pass.
  • FLIP zoom transitions — the zoom-scale widget animates the cytoscape zoom level today; the aggregated → expanded node split/merge with the design's 400ms FLIP choreography is queued.
  • Drag-anchor on the time-axis rail — the preset chips (1h / 4h / 24h / 7d) work today; click-and-drag on the rail to pick an arbitrary anchor instant is queued.
  • Full M6 a11y sweep — keyboard graph traversal, screen-reader announcements on mode change, WCAG AA contrast audit of the Slate theme.

Beyond Phase 3 (sketch)

Direction, not commitment:

  • Third-party Kubernetes platform deep-dives — going beyond the identity edges v1.3 lands:
    • Amazon EKS — recognise EKS-Anywhere quirks; deeper Karpenter / AWS LBC modeling.
    • Azure AKS — surface AKS-specific add-ons beyond Workload Identity.
    • Google GKE — recognise Autopilot resource constraints.
    • Red Hat OpenShift — model Route as a first-class edge alongside Ingress/HTTPRoute, recognise DeploymentConfig and BuildConfig natively, ship installation docs that work with OpenShift's stricter SCC defaults. Verified install paths, platform-specific Helm values examples, and an integration-test matrix per platform.
  • Cloud-resource integration — surface AWS/GCP/Azure objects (S3 buckets, IAM roles, Cloud SQL instances) that K8s resources reference, so the graph spans the cluster boundary. Builds on the platform-identity edges from v1.3 (the IAM/identity bindings give us the edges to follow off-cluster).

Compatibility promises

  • From v0.1.0 onward: semver. A field added to graph.Resource or graph.Edge is a minor-version event; renaming or removing one is a major-version event.
  • -once CLI mode stays available across the v1.x line as a scriptable scrape path.
  • Helm values schema changes additively where possible; breaking renames are called out in CHANGELOG and accompany a migration note.

How to influence the roadmap

  • Open an issue on GitHub describing the use case (not the proposed solution).
  • Reactions on existing issues are read as priority signal.
  • PRs welcome for items already on the roadmap; for items not on it, open an issue first so we can talk shape before you spend time.
  • v1.3 scope is set (multi-cluster + platform identity + Action), but the order within v1.3 — and what lands first beyond Phase 3 — will partly reflect what current users ask for first. If your team would adopt a future release conditional on a particular feature, say so in an issue.