Enables comprehensive security analysis of Kubernetes RBAC Roles, generating hardened configurations, validating security postures, and correlating runtime logs with granted permissions.
Leverages OpenAI's language models for intelligent Kubernetes Role security analysis, providing automated risk assessment and security recommendations through structured prompt chains.
KubeGuard MCP Server
A Model Context Protocol (MCP) server for Kubernetes Role security analysis using LLM-assisted prompt chaining, based on the KubeGuard research paper: "LLM-Assisted Kubernetes Hardening via Configuration Files and Runtime Logs Analysis."
Features
š”ļø Security Analysis
Static Analysis: Rule-based security assessment of Kubernetes Roles
LLM Prompt Chaining: 5-step modular analysis workflow using OpenAI/Anthropic
Runtime Correlation: Analyze actual permission usage vs granted permissions
Security Scoring: 0-100 scale risk assessment with detailed breakdown
š§ Analysis Tools
analyze_role_security: Comprehensive Role security analysisgenerate_hardened_role: Create least-privilege Role configurationsvalidate_role_security: Validate against security thresholdsget_server_status: Server configuration and capabilities
š Analysis Methods
Rule-Based: Fast, reliable analysis using security pattern matching
LLM Chain: Deep analysis using 5-step prompt chaining methodology
Hybrid: Automatic fallback between methods
Quick Start
1. Installation
2. Configuration
3. Run Server
4. Test Analysis
Configuration
Environment Variables
Variable | Description | Default |
| LLM provider (openai/anthropic/none) |
|
| OpenAI API key | - |
| Anthropic API key | - |
| Model to use |
|
| Security validation threshold |
|
| Enable usage simulation |
|
Analysis Configuration
KubeGuard Methodology
5-Step LLM Prompt Chain
Role Understanding: Analyze structure and infer purpose
Permission Analysis: Deep security assessment
Runtime Correlation: Usage pattern analysis
Risk Assessment: Comprehensive risk scoring
Recommendation Generation: Actionable improvements
Security Scoring
90-100: Excellent security posture
70-89: Good security, minor improvements
50-69: Moderate risk, review required
30-49: High risk, immediate action needed
0-29: Critical risk, urgent remediation
Common Issues Detected
Wildcard permissions (
*)Excessive privileges beyond actual usage
Access to sensitive resources (secrets, configmaps)
Dangerous subresources (pods/exec, pods/portforward)
Privilege escalation vectors
Usage Examples
Basic Analysis
Generate Hardened Role
Runtime Log Integration
MCP Integration
Available Tools
analyze_role_security
Input: Role manifest, optional runtime logs
Output: Comprehensive security analysis
generate_hardened_role
Input: Role manifest
Output: Hardened Role with improvements
validate_role_security
Input: Role manifest, security threshold
Output: Pass/fail validation with recommendations
Available Resources
kubeguard://security-guidelines: Security best practiceskubeguard://example-roles: Example secure/insecure configurationskubeguard://prompt-chain-info: LLM methodology detailskubeguard://configuration: Server configuration
Development
Project Structure
Testing
Contributing
Fork the repository
Create feature branch (
git checkout -b feature/amazing-feature)Commit changes (
git commit -m 'Add amazing feature')Push branch (
git push origin feature/amazing-feature)Open Pull Request
License
This project is licensed under the MIT License - see the LICENSE file for details.
Citation
If you use KubeGuard in your research, please cite the original paper:
Support
š§ Email: support@kubeguard.io
š Issues: GitHub Issues
š Documentation: Wiki
This server cannot be installed