# Example: Generic Kubernetes Kubeconfig Configuration
# This example shows how to use a standard kubeconfig file with the MCP server
# Useful for on-premises clusters, custom Kubernetes distributions, or any cluster
# where you have direct kubeconfig access.
# Deploy with: helm install mcp-server ./helm-chart -f examples/generic-kubeconfig.yaml
image:
  repository: flux159/mcp-server-kubernetes
  # "latest" is a mutable tag: what it resolves to can change between deploys,
  # so the cluster may silently pick up a different image than you reviewed.
  # TODO(review): pin a released version tag before using this outside a lab.
  tag: "latest"
# Serve MCP over HTTP so the server is reachable over the network
transport:
  mode: "http"
service:
  # ClusterIP keeps the endpoint inside the cluster; expose it deliberately via ingress
  type: ClusterIP
  port: 3001
ingress:
  enabled: false
  # If you enable ingress, keep long-lived streaming connections alive with
  # annotations such as:
  # annotations:
  #   nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
  #   nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
  #   nginx.ingress.kubernetes.io/proxy-buffering: "off"
  # The service itself speaks plain HTTP (see transport.mode), so terminate TLS
  # at the ingress and put authentication in front of it before exposing it.
# Kubeconfig supplied inline as a string
kubeconfig:
  provider: "content"
  # Paste your kubeconfig here; a single cluster or several clusters/contexts both work.
  # client-key-data below is a private key, and values files are routinely committed
  # to version control - for real credentials prefer the Secret-based setup in
  # usage note 4 at the bottom of this file.
  content: |
    apiVersion: v1
    kind: Config
    clusters:
      - cluster:
          certificate-authority-data: LS0tLS1CRUdJTi...
          server: https://your-k8s-api-server:6443
        name: my-cluster
    contexts:
      - context:
          cluster: my-cluster
          user: my-user
          namespace: default
        name: my-context
    current-context: my-context
    users:
      - name: my-user
        user:
          client-certificate-data: LS0tLS1CRUdJTi...
          client-key-data: LS0tLS1CRUdJTi...
# Extra environment variables for the pod, only needed if your kubeconfig relies on them
env: {}
# Example:
# env:
#   KUBERNETES_SERVICE_HOST: "api.k8s.example.com"
#   KUBERNETES_SERVICE_PORT: "443"
# MCP server guard-rails - tighten these to the least privilege your use case needs
security:
  # true blocks deletion operations; false (as here) permits them
  allowOnlyNonDestructive: false
  # true limits the server to read operations - the right setting for monitoring/observability
  allowOnlyReadonly: false
  # Optional allow-list of tools the server may expose. Left empty here, i.e. no
  # explicit allow-list; NOTE(review): confirm in the chart's values.yaml what "" means.
  allowedTools: ""
podSecurityContext:
  # Run the whole pod as an unprivileged uid/gid
  fsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000
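securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  # Added: the Pod Security "restricted" profile also expects a seccomp profile;
  # the kernel default profile costs nothing for this workload
  seccompProfile:
    type: RuntimeDefault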
# ServiceAccount for the MCP server pod
# With provider "content", the ServiceAccount only governs what the pod may do in
# the cluster it runs in; access to the target cluster comes from the kubeconfig.
serviceAccount:
  create: true
  annotations: {}
# RBAC in the local cluster (only matters if the ServiceAccount is actually used)
rbac:
  create: true
  annotations:
    description: "MCP Server with generic kubeconfig"
  # Keep these rules minimal. Note that read access to "configmaps" exposes their
  # contents; drop it if the server does not need it.
  rules:
    # Read-only access to basic workload resources
    - apiGroups: [""]
      resources: ["pods", "services", "configmaps"]
      verbs: ["get", "list", "watch"]
    # Read-only access to events
    - apiGroups: [""]
      resources: ["events"]
      verbs: ["get", "list", "watch"]
# CPU/memory requests and limits for the container
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
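# Network Policy - disabled here; enable it to restrict what the pod can reach
networkPolicy:
  enabled: false
  # Allow DNS and the in-cluster Kubernetes API
  dns:
    enabled: true
  kubernetesApi:
    enabled: true
    # Must match your cluster's service CIDR
    serviceCidr: "10.96.0.0/12"
  # Egress to the target Kubernetes API server
  egress:
    # 0.0.0.0/0 permits TCP 443/6443 to ANY destination, not only your API server,
    # so as written this rule is just a port filter. Replace it with the API
    # server's address (e.g. "<API_SERVER_IP>/32", placeholder) once known.
    - to:
        - ipBlock:
            cidr: "0.0.0.0/0"
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 6443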
# Health checks - the port must match service.port
livenessProbe:
  enabled: true
  tcpSocket:
    port: 3001
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
readinessProbe:
  enabled: true
  tcpSocket:
    port: 3001
  # Shorter delay/period than liveness so traffic is routed as soon as the port opens
  initialDelaySeconds: 5
  periodSeconds: 5
  timeoutSeconds: 5
  failureThreshold: 3
# Extra labels applied to the pod
podLabels:
  app: mcp-server-kubernetes
  kubeconfig-type: generic
# Extra annotations applied to the pod
podAnnotations:
  description: "MCP Server with generic kubeconfig"
# Labels applied to every resource the chart creates
commonLabels:
  managed-by: helm
  component: mcp-server
# Scheduling constraints - all optional and empty by default
nodeSelector: {}
tolerations: []
affinity: {}
# USAGE NOTES:
#
# 1. Obtaining your kubeconfig:
# - From existing file: cat ~/.kube/config
# - From managed cluster: Use cloud provider CLI to get credentials
# - From kubeadm: sudo cat /etc/kubernetes/admin.conf
#
# 2. Multi-cluster kubeconfig:
# You can include multiple clusters and contexts in the content field.
# The MCP server will respect the current-context setting, and you can
# switch contexts using the kubectl_context tool.
#
# 3. Security considerations:
# - Store a sensitive kubeconfig in a Kubernetes Secret, not in values files
# - Use RBAC to limit what the kubeconfig user can do in the target cluster
# - Enable networkPolicy to restrict egress to only necessary endpoints
# - Consider using certificate-based auth over token-based auth
#
# 4. Alternative: Using Secrets
# Instead of putting the kubeconfig in the content field, you can mount a Secret:
# a) Create secret: kubectl create secret generic kubeconfig --from-file=config=~/.kube/config
# b) Add volume mount in values:
# volumes:
# - name: kubeconfig
# secret:
# secretName: kubeconfig
# volumeMounts:
# - name: kubeconfig
# mountPath: /home/node/.kube
# readOnly: true
# env:
# KUBECONFIG: "/home/node/.kube/config"
# c) Set provider to: "serviceaccount" (it will use KUBECONFIG env var)