OpenChoreo just shipped v1.1.0, and it is not your typical minor-version bump. This CNCF sandbox project went from “interesting platform engineering tool” to “fully-stocked internal developer platform” in a single release, packing resource abstractions, a FinOps cost agent, AI agent sandboxing, an AI-powered portal assistant, advanced network observability, and about a dozen more features across 180+ pull requests.
If you have never heard of OpenChoreo, here is the short version: it is an internal developer platform built on Kubernetes that lets platform teams define how developers deploy, connect, and manage services. Think of it like a control plane for your developer experience. Instead of every team hand-rolling their Helm charts, service mesh configs, and observability stacks, OpenChoreo gives you a declarative model to standardize all of that. It sits on top of Backstage (the CNCF developer portal) and orchestrates the messy infrastructure plumbing underneath.
The problem it solves? The gap between “I wrote code” and “it is running reliably in production.” Without something like OpenChoreo, every microservice team needs to understand Kubernetes networking, secrets management, tracing setup, RBAC policies, and cost allocation. With it, those concerns get abstracted behind a platform layer that just handles them.
Platform engineers building internal developer platforms for teams that deploy lots of services to Kubernetes are the core audience. If you are running Backstage and wondering how to connect it to actual infrastructure orchestration, this is the project for you.
v1.1.0 is exciting because it takes OpenChoreo from a deployment orchestrator to something much more ambitious: a platform that manages your infrastructure dependencies, watches your cloud spend, runs AI agents safely, and gives you deep network visibility, all at once. Let us look at the biggest additions.
Resource Abstractions: Your Infrastructure, Declaratively
This is the headline feature. OpenChoreo now ships ClusterResourceTypes and Resource CRDs with matching controllers, API endpoints, and CLI commands that let you declare infrastructure dependencies like Postgres, Valkey, and NATS the same way you declare Kubernetes workloads.
Instead of a developer filing a ticket to provision a database and waiting three days, the platform team defines a ClusterResourceType for Postgres, and developers simply reference it in their workload descriptor. OpenChoreo handles the wiring.
```yaml
apiVersion: core.openchoreo.dev/v1
kind: Resource
metadata:
  name: my-app-db
spec:
  resourceTypeName: postgres
  parameters:
    database: orders
    plan: standard
```
The release even ships default ClusterResourceTypes for Postgres, Valkey, and NATS out of the box, so you have working examples from day one. The CLI gets new commands too: occ resource get, occ resource list, and occ resource-tree to visualize your dependency graph. Resources can produce composite outputs (like connection strings with URLs) that get automatically injected into your workloads.
This is the kind of thing that makes platform engineers nod quietly and then immediately start planning their migration. PR #3392 added the CRDs and controllers, PR #3440 added the API endpoints, PR #3445 added the CLI commands, and PR #3521 shipped the default types.
FinOps Agent: Because Nobody Likes Surprise Cloud Bills
OpenChoreo now includes a FinOps agent that monitors your Kubernetes resource costs and can trigger budget alerts when spending crosses thresholds. This is not just passive monitoring: the agent can recommend CPU and memory limit adjustments and even apply them automatically.
The integration is clean: budget alerts flow through the same ObservabilityAlertRule CRD that handles regular alerts, so your existing notification channels (webhooks, email) just work. A new finopsreport:view action in the RBAC model gives you fine-grained control over who can see cost data.
```yaml
apiVersion: observability.openchoreo.dev/v1
kind: ObservabilityAlertRule
metadata:
  name: budget-alert
spec:
  type: budget
  parameters:
    threshold: 500
    period: monthly
```
The FinOps agent exposes its own URL through the ObservabilityPlane CRD and integrates with the observer for alert routing. PR #3358 introduced the agent, PR #3381 added the budget alert type, and PR #3488 added the ability to update resource limits through remediation.
AI Agent Infrastructure: Sandbox, Gateway, and a Portal Assistant
This is where things get spicy. OpenChoreo v1.1.0 introduces three distinct AI-related capabilities that together form a surprisingly coherent AI agent platform.
Agent sandboxing lets you run AI agents in isolated execution environments, keeping them safely away from your production workloads while still giving them access to the platform APIs they need. PR #3201 added permission-based tool filtering middleware so each agent only sees the tools it is authorized to use.
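The permission-based tool filtering described above, sketched as an added Go example; it is not OpenChoreo's own code. The `Tool` type, the tool names, the `resource:verb` wildcard matching and every action except `finopsreport:view` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Tool is a hypothetical tool descriptor; RequiredAction gates its visibility.
type Tool struct {
	Name           string
	RequiredAction string
}

// actionAllowed checks a "resource:verb" action against grants; "*" matches a whole segment.
func actionAllowed(granted []string, action string) bool {
	res, verb, ok := strings.Cut(action, ":")
	if !ok || res == "" || verb == "" || strings.Contains(action, "*") {
		return false // malformed or wildcard-bearing requests are denied
	}
	for _, p := range granted {
		pr, pv, found := strings.Cut(p, ":") // grants without ":" never match
		if found && (pr == "*" || pr == res) && (pv == "*" || pv == verb) {
			return true
		}
	}
	return false
}

// FilterTools keeps only authorized tools; an empty RequiredAction is hidden (deny by default).
func FilterTools(all []Tool, granted []string) []Tool {
	visible := make([]Tool, 0, len(all))
	for _, t := range all {
		if actionAllowed(granted, t.RequiredAction) {
			visible = append(visible, t)
		}
	}
	return visible
}

func main() {
	catalog := []Tool{ // constructed sample catalog
		{"get_resource_tree", "resource:view"},
		{"create_secret", "secret:create"},
		{"view_finops_report", "finopsreport:view"},
		{"unlabelled_tool", ""},
	}
	for _, t := range FilterTools(catalog, []string{"resource:*", "finopsreport:view"}) {
		fmt.Println(t.Name)
	}
}
```

Filtering the listing only controls what an agent sees; the same check has to run again when a tool is actually invoked, since a caller can name a tool it was never shown.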
The Agent Gateway is a new AI gateway module that sits between your agents and the outside world, handling authentication, rate limiting, and tool routing. Think of it as an API gateway purpose-built for AI agent traffic.
The Portal Assistant (originally codenamed “Perch”) is the user-facing piece: an AI assistant built directly into the OpenChoreo portal that helps developers interact with the platform through natural language. Need to deploy a service? Ask the assistant. Want to check your resource dependency tree? Ask. The team iterated on the latency heavily across PR #3455, PR #3487, and PR #3502 to get response times down.
Advanced Network Observability
If you have ever tried to debug why Service A cannot talk to Service B in a multi-cluster setup, you will appreciate this one. OpenChoreo v1.1.0 ships advanced network observability features including:
- Runtime topology — A new endpoint that maps out the actual network connections between your services in real time, not just what is declared in YAML. Added in PR #3451.
- Trace and span attributes — Observability queries now include span and resource attributes, giving you much richer context when debugging latency issues. PR #3231 and PR #3185.
- Metrics adapter — The observer can now use an external metrics adapter, so you are not locked into a single metrics backend. PR #3240.
- AWS observability stack — First-class support for CloudWatch and X-Ray, so teams running on AWS get native integration without custom exporters.
- CiliumNetworkPolicy generation — OpenChoreo can now auto-generate Cilium network policies for your services, adding a layer of network security that works hand-in-hand with the observability features. PR #3270.
Everything Else Worth Mentioning
There is a lot more packed into this release:
- External secret stores — A full Secret API with occ secret CLI commands (get, list, create, delete, update), feature-flagged through the Helm chart. Secrets work across planes with label support. PR #3261, PR #3415, PR #3495.
- CEL-based ABAC — Attribute-based access control using Common Expression Language conditions on role bindings. Wildcard action patterns, admission webhooks, and condition type registry. PR #3243, PR #3410.
- Event-driven catalog sync — An event forwarder that keeps your Backstage catalog in sync with OpenChoreo resources automatically. No more manual refresh. PR #3382.
- Backstage plugin installation — Install OpenChoreo plugins into an existing Backstage portal instead of running the bundled one. This is huge for teams that already have a Backstage deployment. PR #3219 added the Helm values.
- Rolling restart — Trigger rolling restarts by annotating a ReleaseBinding, giving you a clean way to restart workloads without deleting anything. PR #3301.
- MCP tools — A comprehensive set of Model Context Protocol tools for workflow run status, logs, events, authz CRUD, resource tree queries, and more. PR #3269, PR #3486, PR #3529.
Security Fixes
The release bumps several dependencies to address known vulnerabilities:
- gRPC bumped to v1.79.3 addressing CVE-2026-33186 (PR #3357)
- pgx bumped to v5.9.0 addressing CVE-2026-33816 (PR #3361)
- MCP Go SDK bumped to v1.4.1 addressing CVE-2026-27896 (PR #3362)
- Additional Go dependency bumps for vulnerability alerts (PR #3367)
OpenChoreo v1.1.0 is the kind of release that makes you take a sandbox project seriously.


