alihan/kubernetes-mcp-server
1
0
Fork 0
mirror of https://github.com/containers/kubernetes-mcp-server.git synced 2025-10-23 01:22:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
251 Commits 19 Branches 53 Tags
9e3811a737ae3c4517c41ee98d5d17a9866129ae
Commit Graph

251 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Marc Nuri
9e3811a737 chore(doc): update README.md Configuration options (#199) 
Added missing entry for --port and removed deprecated options
(should not be documented on the README)

Signed-off-by: Marc Nuri <marc@marcnuri.com>
v0.0.46 		2025-07-23 15:21:04 +02:00
Arda Güçlü
0ad8726d01 feat(auth): introduce jwks url flag to be published in oauth metadata (#197) 2025-07-23 09:48:21 +02:00
Marc Nuri
ca0aa4648d feat(mcp): log tool call (function name + arguments) 
Signed-off-by: Marc Nuri <marc@marcnuri.com>
 2025-07-22 14:35:19 +02:00
Marc Nuri
3fbfd8d7cb fix(lint): add golangci-lint make target + lint 
Signed-off-by: Marc Nuri <marc@marcnuri.com>
 2025-07-22 14:22:19 +02:00
Marc Nuri
a3e8818ffe test(http): logging middleware verifications 
Signed-off-by: Marc Nuri <marc@marcnuri.com>
 2025-07-22 14:21:39 +02:00
Marc Nuri
775fa21bd1 fix(auth): delegate JWT parsing to github.com/go-jose/go-jose (189) 
fix(auth): delegate JWT parsing to github.com/golang-jwt/jwt

Signed-off-by: Marc Nuri <marc@marcnuri.com>
---
fix(auth): delegate JWT parsing to go-jose

Signed-off-by: Marc Nuri <marc@marcnuri.com>
---
fix(auth): delegate JWT parsing to go-jose - review comment

Signed-off-by: Marc Nuri <marc@marcnuri.com>
 2025-07-18 13:01:55 +02:00
Arda Güçlü
73e9e845c4 refactor(auth): carry oidc provider directly instead of mcpServer 2025-07-18 12:52:51 +02:00
Marc Nuri
cb9f296566 test(mcp): speed up tests by not setting the fake kubeconfig master to example.com 
Signed-off-by: Marc Nuri <marc@marcnuri.com>
 2025-07-18 10:46:32 +02:00
Marc Nuri
f6e9702009 chore(http): use constants for endpoints 
Signed-off-by: Marc Nuri <marc@marcnuri.com>
v0.0.45 		2025-07-17 13:07:54 +02:00
dependabot[bot]
4d994d3790 build(deps): bump k8s.io/apiextensions-apiserver from 0.33.2 to 0.33.3 
Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.33.2 to 0.33.3.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.33.2...v0.33.3)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.33.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-17 07:38:52 +02:00
Marc Nuri
e4a8f604a1 test:fix: age expectation regex for minutes-no-seconds (42m) 
Signed-off-by: Marc Nuri <marc@marcnuri.com>
 2025-07-17 07:27:59 +02:00
dependabot[bot]
796333891a build(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7 
Bumps [github.com/spf13/pflag](https://github.com/spf13/pflag) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](https://github.com/spf13/pflag/compare/v1.0.6...v1.0.7)

---
updated-dependencies:
- dependency-name: github.com/spf13/pflag
  dependency-version: 1.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-17 07:25:39 +02:00
dependabot[bot]
4cae032e84 build(deps): bump k8s.io/kubectl from 0.33.2 to 0.33.3 
Bumps [k8s.io/kubectl](https://github.com/kubernetes/kubectl) from 0.33.2 to 0.33.3.
- [Commits](https://github.com/kubernetes/kubectl/compare/v0.33.2...v0.33.3)

---
updated-dependencies:
- dependency-name: k8s.io/kubectl
  dependency-version: 0.33.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-17 07:18:42 +02:00
dependabot[bot]
255750a767 build(deps): bump k8s.io/metrics from 0.33.2 to 0.33.3 
Bumps [k8s.io/metrics](https://github.com/kubernetes/metrics) from 0.33.2 to 0.33.3.
- [Commits](https://github.com/kubernetes/metrics/compare/v0.33.2...v0.33.3)

---
updated-dependencies:
- dependency-name: k8s.io/metrics
  dependency-version: 0.33.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-17 06:37:20 +02:00
dependabot[bot]
6d3ac81fdd build(deps): bump k8s.io/api from 0.33.2 to 0.33.3 
Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.33.2 to 0.33.3.
- [Commits](https://github.com/kubernetes/api/compare/v0.33.2...v0.33.3)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.33.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-17 06:36:48 +02:00
dependabot[bot]
92cad86e9e build(deps): bump github.com/mark3labs/mcp-go from 0.33.0 to 0.34.0 
---
updated-dependencies:
- dependency-name: github.com/mark3labs/mcp-go
  dependency-version: 0.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-16 16:44:20 +02:00
Marc Nuri
bfa699049e test(http): bootstrap tests for HTTP server (177) 
test(http): bootstrap tests for HTTP server

Contains tests for the main endpoints (proxied and handled)
- /sse
- /message
- /mcp
- /healthz
- /.well-known/oauth-protected-resource

Verifies graceful shutdown works as expected

Signed-off-by: Marc Nuri <marc@marcnuri.com>
---
fix: empty config for CI

Signed-off-by: Marc Nuri <marc@marcnuri.com>
 2025-07-16 14:46:11 +02:00
Arda Güçlü
77671617df feat(auth): introduce OIDC token verification if authorization-url is specified (176) 
Pass correct audience
---
Validate server and authorization url via url.Parse
---
Import go-oidc/v3
---
Wire initialized oidc provider if authorization url is set
---
Wire oidc issuer validation
 2025-07-16 14:45:18 +02:00
Marc Nuri
5c753275ab test(mcp): refactor tool filtering tests 
- Prevent declaring tools that are both read-only and destructive
- Remove redundant tests and preserve those behavioral and semantic
 2025-07-14 11:36:01 +02:00
dependabot[bot]
83c37ce02f build(deps): bump golang.org/x/sync from 0.15.0 to 0.16.0 
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.15.0 to 0.16.0.
- [Commits](https://github.com/golang/sync/compare/v0.15.0...v0.16.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-version: 0.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-14 06:46:00 +02:00
dependabot[bot]
6a95f35285 build(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 
Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.18.3 to 3.18.4.
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](https://github.com/helm/helm/compare/v3.18.3...v3.18.4)

---
updated-dependencies:
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.18.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-14 06:32:07 +02:00
dependabot[bot]
288b330b5a build(deps): bump github.com/mark3labs/mcp-go from 0.32.0 to 0.33.0 
Bumps [github.com/mark3labs/mcp-go](https://github.com/mark3labs/mcp-go) from 0.32.0 to 0.33.0.
- [Release notes](https://github.com/mark3labs/mcp-go/releases)
- [Commits](https://github.com/mark3labs/mcp-go/compare/v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: github.com/mark3labs/mcp-go
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-07-14 06:31:55 +02:00
Arda Güçlü
275b91a00d feat(auth): introduce require-oauth flag to comply with OAuth in MCP specification (170) 
Introduce require-oauth flag

When this flag is enabled, authorization middleware will be turned on.
When this flag is enabled, Derived which is generated based on the client
token will not be used.
---
Wire Authorization middleware to http mux

This commit adds authorization middleware. Additionally, this commit
rejects the requests if the bearer token is absent in Authorization
header of the request.
---
Add offline token validation for expiration and audience

Per Model Context Protocol specification, MCP Servers must check the
audience field of the token to ensure that they are generated specifically
for them.

This commits parses the JWT token and asserts that audience is correct
and token is not expired.
---
Add online token verification via TokenReview request to API Server

This commit sends online token verification by sending request to
TokenReview endpoint of API Server with the token and expected audience.

If API Server returns the status as authenticated, that means this token
can be used to generate a new ad hoc token for MCP Server.

If API Server returns the status as not authenticated, that means this token
is invalid and MCP Server returns 401 to force the client to initiate OAuth flow.
---
Serve oauth protected resource metadata endpoint
---
Introduce server-url to be represented in protected resource metadata
---
Add error return type in Derived function
---
Return error if error occurs in Derived, when require-oauth
---
Add test cases for authorization-url and server-url
---
Wire server-url to audience, if it is set
---
Remove redundant ssebaseurl parameter from http
 2025-07-14 06:31:17 +02:00
Arda Güçlü
114726fb7c test(config): add new test case to increase the test coverage of Derived Config (167) 
Add new unit tests to check the values in Derived config
---
Rely on kubeconfig in staticConfig instead of a separate but equal one
 2025-07-08 06:07:18 +02:00
Marc Nuri
c5b2223249 test(config): explicit parsing tests 2025-07-08 06:03:37 +02:00
Arda Güçlü
42e8e3496f feat(http): add graceful shutdown of http server by catching interruption signals (164) 
Move http serving under its specific dir
---
Add gracefully shutdown for http server
 2025-07-08 06:02:54 +02:00
Arda Güçlü
00e4f1816f fix(auth): isolate bearer token config from kubeconfig 2025-07-07 07:09:26 +02:00
Arda Güçlü
9ffb818ab2 feat(auht): accept standard oauth authorization header by keeping the current header 2025-07-03 06:57:42 +02:00
Arda Güçlü
524e4f5d2a feat(http): introduce middleware for audit logs and authentication checks (157) 
Introduce wrapper middleware to intercept http requests
---
Rename middleware to http
 2025-07-02 15:08:17 +02:00
Arda Güçlü
ebe0ba9816 fix(kubernetes): wire static config to Derived object v0.0.44 2025-07-02 14:27:31 +02:00
Arda Güçlü
e6b19034aa feat(mcp): serve sse and streamable from a single port 2025-07-02 14:04:18 +02:00
Arda Güçlü
186f445ca2 feat(config): introduce enabled/disabled tool list in configuration file (155) 
Introduce allow/deny tool functionality in toml config
---
Remove duplicate fields that already defined in staticConfig
---
Add unit tests to verify tool valid check
---
Wire staticConfig to fix unit tests
---
Rename to enabled/disabled instead of allowed/denied
 2025-07-01 16:02:36 +02:00
Marc Nuri
af2a8cd19d feat(config): deny resources by using RESTMapper as an interceptor (149) 
feat(config): deny resources by using RESTMapper as an interceptor

This approach ensures that resources in the deny list are **always**
processed regardless of the implementation.

The RESTMapper takes care of verifying that the requested Group Version Kind
complies with the deny list while checking for the REST endpoint.
---
feat(config): provide a limited clientset which check access
---
review: addressed PR comments
---
feat(config): provide a limited metrics clientset to check access
---
review: addressed PR comments regarding pods_exec
 2025-07-01 14:44:22 +02:00
Arda Güçlü
2a1a3e4fbd feat(config): define flags in configuration file (152) 
Define flags in configuration file
---
Add vscode in .gitignore
 2025-07-01 09:39:38 +02:00
Marc Nuri
b777972c14 test(config): additional test cases for config errors 
Relates to #131
 2025-06-30 15:05:52 +02:00
dependabot[bot]
cd1cb1a630 build(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0 
Bumps [sigs.k8s.io/yaml](https://github.com/kubernetes-sigs/yaml) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/kubernetes-sigs/yaml/releases)
- [Changelog](https://github.com/kubernetes-sigs/yaml/blob/master/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/yaml/compare/v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/yaml
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-26 09:42:47 +02:00
Marc Nuri
1968652aca test(config): extensive test suite for denied lists 2025-06-23 13:09:02 +02:00
Marc Nuri
f3915cd13e test(profiles): add missing pods_top to full profile tools validation v0.0.43 2025-06-20 16:41:17 +02:00
Arda Güçlü
bca2cda21a fix(mcp): gracefully cast tool call params objects and return err instead of panic 2025-06-20 15:32:13 +02:00
dependabot[bot]
a568ac1d88 build(deps): bump k8s.io/kubectl from 0.33.1 to 0.33.2 
Bumps [k8s.io/kubectl](https://github.com/kubernetes/kubectl) from 0.33.1 to 0.33.2.
- [Commits](https://github.com/kubernetes/kubectl/compare/v0.33.1...v0.33.2)

---
updated-dependencies:
- dependency-name: k8s.io/kubectl
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-20 12:34:57 +02:00
dependabot[bot]
6f7eb53fd8 build(deps): bump k8s.io/cli-runtime from 0.33.1 to 0.33.2 
Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.33.1 to 0.33.2.
- [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.33.1...v0.33.2)

---
updated-dependencies:
- dependency-name: k8s.io/cli-runtime
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-20 12:22:55 +02:00
dependabot[bot]
21e8aa38a2 build(deps): bump k8s.io/apiextensions-apiserver from 0.33.1 to 0.33.2 
Bumps [k8s.io/apiextensions-apiserver](https://github.com/kubernetes/apiextensions-apiserver) from 0.33.1 to 0.33.2.
- [Release notes](https://github.com/kubernetes/apiextensions-apiserver/releases)
- [Commits](https://github.com/kubernetes/apiextensions-apiserver/compare/v0.33.1...v0.33.2)

---
updated-dependencies:
- dependency-name: k8s.io/apiextensions-apiserver
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-20 12:14:29 +02:00
dependabot[bot]
69d1e2895b build(deps): bump k8s.io/api from 0.33.1 to 0.33.2 
Bumps [k8s.io/api](https://github.com/kubernetes/api) from 0.33.1 to 0.33.2.
- [Commits](https://github.com/kubernetes/api/compare/v0.33.1...v0.33.2)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-20 12:03:17 +02:00
dependabot[bot]
c21f97057a build(deps): bump k8s.io/metrics from 0.33.1 to 0.33.2 
Bumps [k8s.io/metrics](https://github.com/kubernetes/metrics) from 0.33.1 to 0.33.2.
- [Commits](https://github.com/kubernetes/metrics/compare/v0.33.1...v0.33.2)

---
updated-dependencies:
- dependency-name: k8s.io/metrics
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-06-20 12:02:37 +02:00
Marc Nuri
f668658217 test(cmd): additional test cases for config flags 
Relates to #131
 2025-06-19 16:26:53 +02:00
Arda Güçlü
754da19d81 feat(config): introduce toml configuration file with a set of deny list 2025-06-19 13:41:47 +02:00
Marc Nuri
25608daf4a fix(kubernetes): remove unneeded CacheInvalidate() method (127) 
fix(kubernetes): remove unneeded CacheInvalidate() method
---
test(output): improve age regex
---
test(kubernetes): remove unneeded CacheInvalidate() method (mutex lock)
---
test(kubernetes): split TestPodsTop to avoid discovery client cache issues
 2025-06-18 12:51:09 +02:00
Marc Nuri
2957faa771 test:refactor(cmd): test verifies behavior from cobra.Command layer 
Previous iteration was running method directly
 2025-06-18 06:46:17 +02:00
Marc Nuri
f138b06ba8 refactor(kubernetes): force usage of Derived kubernetes (125) 
refactor(kubernetes): force usage of Derived kubernetes

Prevents consumers of the kubernetes package the usage of
public methods on a non-derived config instance.
---
review(kubernetes): force usage of Derived kubernetes

Addresses comment by ardaguclu
 2025-06-18 06:46:05 +02:00
Arda Güçlü
4a3ff2f2ce refactor(mcp): use k8s.io/utils ptr.Deref instead of a custom func 2025-06-18 05:10:29 +02:00