Skip to main content
Glama
deenesjakoruzh

mcp-server-kubernetes

by Flux159
npmGitHub
TypeScript
MIT License
1,604
1,177
  • Linux
  • Apple
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue
custom-kubeconfig.yaml10.3 kB
# Example: Custom Command Kubeconfig Configuration # This example shows how to use a custom command/script to generate kubeconfig # Useful for complex scenarios like: # - Custom authentication workflows # - Integration with proprietary credential systems # - Dynamic kubeconfig generation based on runtime parameters # - Multi-step authentication processes # Deploy with: helm install mcp-server ./helm-chart -f examples/custom-kubeconfig.yaml image: repository: flux159/mcp-server-kubernetes tag: "latest" # HTTP transport for web accessibility transport: mode: "http" service: type: ClusterIP port: 3001 ingress: enabled: false # Custom command-based kubeconfig generation kubeconfig: provider: "custom" custom: # Path to your custom script or binary # This should be available in the container or mounted via volumeMounts command: "/usr/local/bin/generate-kubeconfig.sh" # Arguments to pass to the command args: - "--output=/shared/kubeconfig" - "--format=yaml" - "--clusters=prod,staging,dev" - "--context=prod" # Alternative examples: # Example 1: Python script for custom authentication # command: "/usr/bin/python3" # args: # - "/scripts/fetch_kubeconfig.py" # - "--vault-addr=${VAULT_ADDR}" # - "--vault-token=${VAULT_TOKEN}" # - "--output=/shared/kubeconfig" # Example 2: Custom binary for proprietary system # command: "/opt/company/bin/k8s-config-fetcher" # args: # - "generate" # - "--user=${SERVICE_ACCOUNT}" # - "--clusters=all" # - "--output-path=/shared/kubeconfig" # Example 3: Shell script with multiple steps # command: "/bin/bash" # args: # - "/scripts/multi-step-config.sh" # Environment variables available to the custom command env: # Vault integration example VAULT_ADDR: "https://vault.example.com" VAULT_TOKEN: "your-vault-token" VAULT_NAMESPACE: "admin/kubernetes" # Custom system credentials SERVICE_ACCOUNT: "mcp-server" API_ENDPOINT: "https://config-api.example.com" API_KEY: "your-api-key" # Cluster selection CLUSTER_ENVIRONMENT: "production" CLUSTER_REGION: "us-east-1" # Output configuration KUBECONFIG_OUTPUT_PATH: "/shared/kubeconfig" # Init container retry configuration initContainer: maxRetries: 5 retryDelay: 15 resources: limits: cpu: 200m memory: 256Mi requests: cpu: 100m memory: 128Mi # Security configuration security: allowOnlyNonDestructive: false allowOnlyReadonly: false podSecurityContext: fsGroup: 1000 runAsNonRoot: true runAsUser: 1000 securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL # Note: readOnlyRootFilesystem may need to be false if your script # needs to write temporary files. Use /tmp for temp files. readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 # ServiceAccount configuration serviceAccount: create: true annotations: {} # If using cloud provider workload identity: # annotations: # eks.amazonaws.com/role-arn: "arn:aws:iam::123456789:role/custom-config-role" # iam.gke.io/gcp-service-account: "config-fetcher@project.iam.gserviceaccount.com" # RBAC for local cluster (minimal permissions) rbac: create: true annotations: description: "MCP Server with custom kubeconfig command" rules: # Minimal read access to local cluster - apiGroups: [""] resources: ["pods", "services"] verbs: ["get", "list", "watch"] # Mount custom scripts via ConfigMap or Secret volumes: # Mount custom script from ConfigMap - name: custom-scripts configMap: name: kubeconfig-generator-scripts defaultMode: 0755 # Make scripts executable # Mount credentials from Secret - name: custom-creds secret: secretName: custom-kubeconfig-credentials defaultMode: 0400 # Read-only for security volumeMounts: # Mount scripts directory - name: custom-scripts mountPath: /usr/local/bin/generate-kubeconfig.sh subPath: generate-kubeconfig.sh readOnly: true # Mount credentials - name: custom-creds mountPath: /var/secrets/custom readOnly: true # Resource limits resources: limits: cpu: 500m memory: 512Mi requests: cpu: 100m memory: 128Mi # Network Policy - Allow egress to custom services networkPolicy: enabled: true dns: enabled: true kubernetesApi: enabled: true serviceCidr: "10.96.0.0/12" # Allow egress to custom authentication/config services egress: # Allow HTTPS to external services (Vault, custom APIs, etc.) - to: - ipBlock: cidr: 0.0.0.0/0 ports: - protocol: TCP port: 443 - protocol: TCP port: 8200 # Vault default port # Allow internal service access - to: - namespaceSelector: matchLabels: name: auth-system ports: - protocol: TCP port: 443 # Health checks livenessProbe: enabled: true tcpSocket: port: 3001 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 readinessProbe: enabled: true tcpSocket: port: 3001 initialDelaySeconds: 10 periodSeconds: 5 timeoutSeconds: 5 failureThreshold: 3 # Labels and annotations podLabels: app: mcp-server-kubernetes kubeconfig-type: custom podAnnotations: description: "MCP Server with custom kubeconfig command" commonLabels: managed-by: helm component: mcp-server # SETUP INSTRUCTIONS: # # 1. Create your custom script as a ConfigMap: # kubectl create configmap kubeconfig-generator-scripts \ # --from-file=generate-kubeconfig.sh=./path/to/your/script.sh # # 2. Create secrets for credentials: # kubectl create secret generic custom-kubeconfig-credentials \ # --from-literal=vault-token='your-token' \ # --from-literal=api-key='your-key' # # 3. Deploy the chart: # helm install mcp-server ./helm-chart -f examples/custom-kubeconfig.yaml --- # Example ConfigMap with custom script # Create this before deploying the Helm chart: # kubectl apply -f this-section-below apiVersion: v1 kind: ConfigMap metadata: name: kubeconfig-generator-scripts data: generate-kubeconfig.sh: | #!/bin/bash set -euo pipefail # Example custom kubeconfig generation script # This is a template - customize for your needs OUTPUT_PATH="${1:-/shared/kubeconfig}" echo "Generating kubeconfig..." # Example 1: Fetch from Vault if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]; then echo "Fetching kubeconfig from Vault..." curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" \ "${VAULT_ADDR}/v1/secret/data/kubernetes/config" \ | jq -r '.data.data.kubeconfig' > "${OUTPUT_PATH}" fi # Example 2: Call custom API if [ -n "${API_ENDPOINT:-}" ] && [ -n "${API_KEY:-}" ]; then echo "Fetching kubeconfig from custom API..." curl -s -H "X-API-Key: ${API_KEY}" \ "${API_ENDPOINT}/api/v1/kubeconfig?cluster=${CLUSTER_ENVIRONMENT}" \ > "${OUTPUT_PATH}" fi # Example 3: Generate from templates and credentials if [ -f "/var/secrets/custom/cluster-cert" ]; then echo "Generating kubeconfig from credentials..." cat > "${OUTPUT_PATH}" <<EOF apiVersion: v1 kind: Config clusters: - cluster: certificate-authority-data: $(cat /var/secrets/custom/cluster-cert | base64 -w0) server: https://${CLUSTER_API_SERVER:-kubernetes.default.svc} name: ${CLUSTER_NAME:-default} contexts: - context: cluster: ${CLUSTER_NAME:-default} user: ${SERVICE_ACCOUNT:-default} name: ${CLUSTER_NAME:-default} current-context: ${CLUSTER_NAME:-default} users: - name: ${SERVICE_ACCOUNT:-default} user: token: $(cat /var/secrets/custom/token) EOF fi # Validate generated kubeconfig if [ -f "${OUTPUT_PATH}" ]; then echo "Kubeconfig generated successfully at ${OUTPUT_PATH}" # Optional: Test the kubeconfig # kubectl --kubeconfig="${OUTPUT_PATH}" cluster-info else echo "Error: Failed to generate kubeconfig" exit 1 fi --- # Example Secret with credentials # Create this before deploying the Helm chart: # kubectl apply -f this-section-below apiVersion: v1 kind: Secret metadata: name: custom-kubeconfig-credentials type: Opaque stringData: vault-token: "your-vault-token-here" api-key: "your-api-key-here" cluster-cert: | -----BEGIN CERTIFICATE----- YOUR_CLUSTER_CERTIFICATE_HERE -----END CERTIFICATE----- token: "your-service-account-token" # USAGE NOTES: # # 1. Custom Script Requirements: # - Must be executable (chmod +x or ConfigMap defaultMode: 0755) # - Must output kubeconfig to the path specified in args # - Should handle errors and return non-zero exit code on failure # - Should support retry logic if possible # - Must complete within init container timeout # # 2. Common Use Cases: # a) HashiCorp Vault Integration - Fetch kubeconfig from Vault # b) Custom SSO/OIDC - Authenticate via proprietary SSO # c) Dynamic Cluster Discovery - Query service registry for clusters # d) Certificate-based Auth - Generate kubeconfig from PKI # e) Multi-step Authentication - Complex auth workflows # # 3. Debugging: # - View init container logs: kubectl logs <pod> -c fetch-kubeconfig # - Check script output and errors # - Verify environment variables are set correctly # - Ensure volumes are mounted properly # - Test script locally before deploying # # 4. Security Best Practices: # - Never hardcode credentials in scripts # - Use Kubernetes Secrets for sensitive data # - Minimize script privileges # - Validate input parameters # - Use HTTPS for external API calls # - Implement proper error handling # - Log securely (don't log secrets) # # 5. Advanced Examples: # - Multi-cluster from service discovery # - Credential rotation with CertManager # - Integration with external CMDB # - Dynamic RBAC policy generation # - Cross-cloud authentication

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Flux159/mcp-server-kubernetes'

If you have feedback or need assistance with the MCP directory API, please join our Discord server