kubernetes-mcp-server

alihan/kubernetes-mcp-server

Fork 0

mirror of https://github.com/containers/kubernetes-mcp-server.git synced 2025-10-23 01:22:57 +03:00

Commit Graph

Author	SHA1	Message	Date
Marc Nuri	cad863ff22	fix(migration): rebranded from manusa/kubernetes-mcp-server to containers/kubernetes-mcp-server (#202 ) Signed-off-by: Marc Nuri <marc@marcnuri.com>	2025-07-25 09:53:04 +02:00
Arda Güçlü	275b91a00d	feat(auth): introduce require-oauth flag to comply with OAuth in MCP specification (170) Introduce require-oauth flag When this flag is enabled, authorization middleware will be turned on. When this flag is enabled, Derived which is generated based on the client token will not be used. --- Wire Authorization middleware to http mux This commit adds authorization middleware. Additionally, this commit rejects the requests if the bearer token is absent in Authorization header of the request. --- Add offline token validation for expiration and audience Per Model Context Protocol specification, MCP Servers must check the audience field of the token to ensure that they are generated specifically for them. This commits parses the JWT token and asserts that audience is correct and token is not expired. --- Add online token verification via TokenReview request to API Server This commit sends online token verification by sending request to TokenReview endpoint of API Server with the token and expected audience. If API Server returns the status as authenticated, that means this token can be used to generate a new ad hoc token for MCP Server. If API Server returns the status as not authenticated, that means this token is invalid and MCP Server returns 401 to force the client to initiate OAuth flow. --- Serve oauth protected resource metadata endpoint --- Introduce server-url to be represented in protected resource metadata --- Add error return type in Derived function --- Return error if error occurs in Derived, when require-oauth --- Add test cases for authorization-url and server-url --- Wire server-url to audience, if it is set --- Remove redundant ssebaseurl parameter from http	2025-07-14 06:31:17 +02:00
Marc Nuri	af2a8cd19d	feat(config): deny resources by using RESTMapper as an interceptor (149) feat(config): deny resources by using RESTMapper as an interceptor This approach ensures that resources in the deny list are always processed regardless of the implementation. The RESTMapper takes care of verifying that the requested Group Version Kind complies with the deny list while checking for the REST endpoint. --- feat(config): provide a limited clientset which check access --- review: addressed PR comments --- feat(config): provide a limited metrics clientset to check access --- review: addressed PR comments regarding pods_exec	2025-07-01 14:44:22 +02:00

Author

SHA1

Message

Date

Marc Nuri

cad863ff22

fix(migration): rebranded from manusa/kubernetes-mcp-server to containers/kubernetes-mcp-server (#202 )

Signed-off-by: Marc Nuri <marc@marcnuri.com>

2025-07-25 09:53:04 +02:00

Arda Güçlü

275b91a00d

feat(auth): introduce require-oauth flag to comply with OAuth in MCP specification (170)

Introduce require-oauth flag

When this flag is enabled, authorization middleware will be turned on.
When this flag is enabled, Derived which is generated based on the client
token will not be used.
---
Wire Authorization middleware to http mux

This commit adds authorization middleware. Additionally, this commit
rejects the requests if the bearer token is absent in Authorization
header of the request.
---
Add offline token validation for expiration and audience

Per Model Context Protocol specification, MCP Servers must check the
audience field of the token to ensure that they are generated specifically
for them.

This commits parses the JWT token and asserts that audience is correct
and token is not expired.
---
Add online token verification via TokenReview request to API Server

This commit sends online token verification by sending request to
TokenReview endpoint of API Server with the token and expected audience.

If API Server returns the status as authenticated, that means this token
can be used to generate a new ad hoc token for MCP Server.

If API Server returns the status as not authenticated, that means this token
is invalid and MCP Server returns 401 to force the client to initiate OAuth flow.
---
Serve oauth protected resource metadata endpoint
---
Introduce server-url to be represented in protected resource metadata
---
Add error return type in Derived function
---
Return error if error occurs in Derived, when require-oauth
---
Add test cases for authorization-url and server-url
---
Wire server-url to audience, if it is set
---
Remove redundant ssebaseurl parameter from http

2025-07-14 06:31:17 +02:00

Marc Nuri

af2a8cd19d

feat(config): deny resources by using RESTMapper as an interceptor (149)

feat(config): deny resources by using RESTMapper as an interceptor

This approach ensures that resources in the deny list are **always**
processed regardless of the implementation.

The RESTMapper takes care of verifying that the requested Group Version Kind
complies with the deny list while checking for the REST endpoint.
---
feat(config): provide a limited clientset which check access
---
review: addressed PR comments
---
feat(config): provide a limited metrics clientset to check access
---
review: addressed PR comments regarding pods_exec

2025-07-01 14:44:22 +02:00

3 Commits