kubernetes

package
v0.0.60
Published: Apr 1, 2026 License: Apache-2.0 Imports: 62 Imported by: 0

Documentation

Constants

const (
	CustomAuthorizationHeader = HeaderKey("kubernetes-authorization")
	OAuthAuthorizationHeader  = HeaderKey("Authorization")
	UserAgentHeader           = HeaderKey("User-Agent")

	CustomUserAgent = "kubernetes-mcp-server/bearer-token-auth"
)

const (
	AppKubernetesComponent = "app.kubernetes.io/component"
	AppKubernetesManagedBy = "app.kubernetes.io/managed-by"
	AppKubernetesName      = "app.kubernetes.io/name"
	AppKubernetesPartOf    = "app.kubernetes.io/part-of"
)

const DefaultTailLines = int64(100)

DefaultTailLines is the default number of lines to retrieve from the end of the logs

const KubeConfigTargetParameterName = "context"

KubeConfigTargetParameterName is the parameter name used to specify the kubeconfig context when using the kubeconfig cluster provider strategy.

Variables

var (
	ErrorKubeconfigInClusterNotAllowed = errors.New("kubeconfig manager cannot be used in in-cluster deployments")
	ErrorInClusterNotInCluster         = errors.New("in-cluster manager cannot be used outside of a cluster")
)

var InClusterConfig = func() (*rest.Config, error) {

	inClusterConfig, err := rest.InClusterConfig()
	if inClusterConfig != nil {
		inClusterConfig.Host = "https://kubernetes.default.svc"
	}
	return inClusterConfig, err
}

InClusterConfig holds the function used to load the in-cluster config; it is a variable so tests can replace it. The host is pinned to the in-cluster service DNS name https://kubernetes.default.svc rather than the address rest.InClusterConfig derives from the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables.

var Scheme = scheme.Scheme

Functions

func CanI added in v0.0.58

func CanI(
	ctx context.Context,
	authClient authv1client.AuthorizationV1Interface,
	gvr *schema.GroupVersionResource,
	namespace, resourceName, verb string,
) (bool, error)

CanI checks if the current identity can perform verb on resource. Uses SelfSubjectAccessReview to pre-check RBAC permissions.
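The pre-check CanI performs can be shown end to end without client-go. This is an added example, not the project's CanI (which goes through client-go's AuthorizationV1Interface): it POSTs a SelfSubjectAccessReview to /apis/authorization.k8s.io/v1/selfsubjectaccessreviews with the caller's bearer token and treats anything other than an explicit status.allowed == true as "not permitted". The httptest server standing in for kube-apiserver, the fakeToken constant and the read-only policy it enforces are constructed for this example.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const ssarPath = "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"

// fakeToken is the only bearer token the constructed API server accepts.
const fakeToken = "constructed-bearer-token"

// ResourceAttributes mirrors spec.resourceAttributes of authorization.k8s.io/v1.
type ResourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb"`
	Group     string `json:"group,omitempty"`
	Resource  string `json:"resource"`
	Name      string `json:"name,omitempty"`
}

// SelfSubjectAccessReview is the wire shape of the review. The API server fills
// in status; RBAC never sets denied, it only declines to set allowed.
type SelfSubjectAccessReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
	} `json:"spec"`
	Status struct {
		Allowed bool   `json:"allowed"`
		Denied  bool   `json:"denied,omitempty"`
		Reason  string `json:"reason,omitempty"`
	} `json:"status"`
}

// CanI asks the API server whether the holder of token may perform attrs.Verb on
// attrs.Resource. It fails closed: only allowed=true without denied=true passes.
func CanI(ctx context.Context, client *http.Client, apiServer, token string, attrs ResourceAttributes) (bool, string, error) {
	review := SelfSubjectAccessReview{APIVersion: "authorization.k8s.io/v1", Kind: "SelfSubjectAccessReview"}
	review.Spec.ResourceAttributes = &attrs
	body, err := json.Marshal(review)
	if err != nil {
		return false, "", err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, apiServer+ssarPath, bytes.NewReader(body))
	if err != nil {
		return false, "", err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
		return false, "", fmt.Errorf("SelfSubjectAccessReview rejected: HTTP %d", resp.StatusCode)
	}
	var result SelfSubjectAccessReview
	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
		return false, "", err
	}
	return result.Status.Allowed && !result.Status.Denied, result.Status.Reason, nil
}

// NewFakeAPIServer is a constructed stand-in for kube-apiserver that evaluates
// SSARs for one identity bound to a read-only role (get/list/watch).
func NewFakeAPIServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != ssarPath {
			http.NotFound(w, r)
			return
		}
		if r.Header.Get("Authorization") != "Bearer "+fakeToken {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		var review SelfSubjectAccessReview
		if err := json.NewDecoder(r.Body).Decode(&review); err != nil || review.Spec.ResourceAttributes == nil {
			http.Error(w, "Bad Request", http.StatusBadRequest)
			return
		}
		switch review.Spec.ResourceAttributes.Verb {
		case "get", "list", "watch":
			review.Status.Allowed = true
		default:
			review.Status.Reason = "RBAC: identity is bound to a read-only role"
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusCreated) // a real API server answers 201 Created
		json.NewEncoder(w).Encode(review)
	}))
}

// Demo pre-checks a get and a delete of the same Pod against the fake server.
func Demo() (canGet, canDelete bool, reason string, err error) {
	srv := NewFakeAPIServer()
	defer srv.Close()
	attrs := ResourceAttributes{Namespace: "default", Resource: "pods", Name: "web-0", Verb: "get"}
	if canGet, _, err = CanI(context.Background(), srv.Client(), srv.URL, fakeToken, attrs); err != nil {
		return
	}
	attrs.Verb = "delete"
	canDelete, reason, err = CanI(context.Background(), srv.Client(), srv.URL, fakeToken, attrs)
	return
}

func main() {
	canGet, canDelete, reason, err := Demo()
	fmt.Println("get pods:", canGet, "delete pods:", canDelete, reason, err)
}
```

The check is advisory, not a substitute for the API server's own authorization: the real request can still fail if permissions change between the review and the call, so callers should treat a false result as a reason to stop early and a true result as no more than a good prediction.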

func CreateValidators added in v0.0.58

func CreateValidators(providers ValidatorProviders) []api.HTTPValidator

CreateValidators creates all registered validators with the given providers.

func ExchangeTokenInContext added in v0.0.57

func ExchangeTokenInContext(
	ctx context.Context,
	stsConfigProvider api.StsConfigProvider,
	oidcProvider *oidc.Provider,
	httpClient *http.Client,
	provider Provider,
	target string,
) context.Context

func GetRegisteredStrategies added in v0.0.53

func GetRegisteredStrategies() []string

GetRegisteredStrategies returns a sorted list of all registered strategy names. This is useful for error messages and debugging.

func IsInCluster added in v0.0.54

func IsInCluster(cfg api.ClusterProvider) bool

func RegisterProvider added in v0.0.53

func RegisterProvider(strategy string, factory ProviderFactory)

RegisterProvider registers a provider factory for a given strategy name. This should be called from init() functions in provider implementation files. Panics if a provider is already registered for the given strategy.

func RegisterValidator added in v0.0.58

func RegisterValidator(name string, factory ValidatorFactory)

RegisterValidator adds a validator factory to the registry. Panics if a validator is already registered with the given name.

Types

type AccessControlRoundTripper added in v0.0.55

type AccessControlRoundTripper struct {
	// contains filtered or unexported fields
}

AccessControlRoundTripper intercepts HTTP requests to enforce access control and optionally run validators before they reach the Kubernetes API.

func NewAccessControlRoundTripper added in v0.0.58

func NewAccessControlRoundTripper(cfg AccessControlRoundTripperConfig) *AccessControlRoundTripper

NewAccessControlRoundTripper creates a new AccessControlRoundTripper.

func (*AccessControlRoundTripper) RoundTrip added in v0.0.55

func (rt *AccessControlRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)

func (*AccessControlRoundTripper) WrappedRoundTripper added in v0.0.59

func (rt *AccessControlRoundTripper) WrappedRoundTripper() http.RoundTripper

type AccessControlRoundTripperConfig added in v0.0.58

type AccessControlRoundTripperConfig struct {
	Delegate                  http.RoundTripper
	DeniedResourcesProvider   api.DeniedResourcesProvider
	RestMapperProvider        func() meta.RESTMapper
	HostURL                   string
	DiscoveryProvider         func() discovery.DiscoveryInterface
	AuthClientProvider        func() authv1client.AuthorizationV1Interface
	ValidationEnabled         bool
	ConfirmationRulesProvider api.ConfirmationRulesProvider
}

AccessControlRoundTripperConfig configures the AccessControlRoundTripper.
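What "intercepts HTTP requests to enforce access control before they reach the Kubernetes API" means in practice is easiest to see with a stand-alone wrapper. This is an added example, not code from kubernetes-mcp-server: it reduces the request path to a group/version/resource the way a RESTMapper-backed check would, refuses denied resources before the request leaves the process, and lets everything else through to the wrapped transport. The GVR and DenyingRoundTripper types, the deny-rule semantics (empty Version matches every version; empty Group is the core group) and the pass-through of non-resource paths such as /healthz are assumptions of this example, not the project's DeniedResourcesProvider contract.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// GVR is the group/version/resource a request path addresses. Illustrative
// stand-in for k8s.io/apimachinery's schema.GroupVersionResource.
type GVR struct {
	Group, Version, Resource, Subresource string
}

// ParseAPIPath reduces a Kubernetes API path to its GVR, for example
//   /api/v1/namespaces/default/secrets/db-creds   -> {"" v1 secrets ""}
//   /apis/apps/v1/namespaces/default/deployments  -> {apps v1 deployments ""}
//   /api/v1/namespaces/default/pods/web/exec      -> {"" v1 pods exec}
// Non-resource paths (/healthz, /openapi/v2, /version) return ok == false.
func ParseAPIPath(path string) (g GVR, ok bool) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	var rest []string
	switch {
	case len(parts) >= 3 && parts[0] == "api": // core group: /api/v1/...
		g.Version, rest = parts[1], parts[2:]
	case len(parts) >= 4 && parts[0] == "apis": // named group: /apis/<group>/<version>/...
		g.Group, g.Version, rest = parts[1], parts[2], parts[3:]
	default:
		return GVR{}, false
	}
	if len(rest) >= 2 && rest[0] == "namespaces" {
		if len(rest) == 2 { // /api/v1/namespaces/<name> addresses the Namespace object itself
			g.Resource = "namespaces"
			return g, true
		}
		rest = rest[2:] // drop the namespace scope
	}
	if rest[0] == "" {
		return GVR{}, false
	}
	g.Resource = rest[0]
	if len(rest) >= 3 { // /<resource>/<name>/<subresource>, e.g. pods/web/exec
		g.Subresource = rest[2]
	}
	return g, true
}

// ErrResourceDenied is returned before any bytes reach the API server.
var ErrResourceDenied = errors.New("resource denied by access-control policy")

// DenyingRoundTripper refuses requests whose GVR matches a deny rule and
// delegates everything else to the wrapped transport.
type DenyingRoundTripper struct {
	Delegate http.RoundTripper
	Denied   []GVR // Version "" matches every version of Group/Resource
}

func (d *DenyingRoundTripper) isDenied(g GVR) bool {
	for _, r := range d.Denied {
		if r.Group == g.Group && r.Resource == g.Resource && (r.Version == "" || r.Version == g.Version) {
			return true
		}
	}
	return false
}

// RoundTrip implements http.RoundTripper.
func (d *DenyingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	if g, ok := ParseAPIPath(req.URL.Path); ok && d.isDenied(g) {
		return nil, fmt.Errorf("%w: %s %s", ErrResourceDenied, req.Method, req.URL.Path)
	}
	return d.Delegate.RoundTrip(req)
}

// recordingTransport is the constructed delegate: it records what got through
// and answers 200 instead of talking to a real API server.
type recordingTransport struct{ seen []string }

func (r *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r.seen = append(r.seen, req.Method+" "+req.URL.Path)
	return &http.Response{StatusCode: http.StatusOK, Body: io.NopCloser(strings.NewReader("{}")), Request: req}, nil
}

// Demo denies core-group Secrets, sends one denied and one allowed request, and
// returns the paths that reached the delegate plus the denial error.
func Demo() ([]string, error) {
	inner := &recordingTransport{}
	rt := &DenyingRoundTripper{Delegate: inner, Denied: []GVR{{Resource: "secrets"}}}
	const base = "https://kubernetes.default.svc"
	denied, _ := http.NewRequest(http.MethodGet, base+"/api/v1/namespaces/default/secrets/db-creds", nil)
	_, denyErr := rt.RoundTrip(denied)
	allowed, _ := http.NewRequest(http.MethodGet, base+"/apis/apps/v1/namespaces/default/deployments", nil)
	resp, err := rt.RoundTrip(allowed)
	if err != nil {
		return inner.seen, err
	}
	resp.Body.Close()
	return inner.seen, denyErr
}

func main() {
	seen, err := Demo()
	fmt.Println("reached API server:", seen)
	fmt.Println("blocked:", err)
}
```

Because the check sits in the transport, every code path that uses the derived client (typed clientset, dynamic client, discovery) goes through it, which is what makes a single point of enforcement possible; the subresource is parsed as well so that a policy can treat pods/exec differently from plain pod reads.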

type CloseWatchKubeConfig

type CloseWatchKubeConfig func() error

type ConfirmationValidator added in v0.0.60

type ConfirmationValidator struct {
	// contains filtered or unexported fields
}

ConfirmationValidator validates Kubernetes API requests against confirmation rules.

func (*ConfirmationValidator) Name added in v0.0.60

func (v *ConfirmationValidator) Name() string

func (*ConfirmationValidator) Validate added in v0.0.60

type Core added in v0.0.56

type Core struct {
	api.KubernetesClient
}

func NewCore added in v0.0.56

func NewCore(client api.KubernetesClient) *Core

func (*Core) ConfigurationContextsDefault added in v0.0.56

func (c *Core) ConfigurationContextsDefault() (string, error)

ConfigurationContextsDefault returns the current context name. TODO: should this be moved to the Provider level?

func (*Core) ConfigurationContextsList added in v0.0.56

func (c *Core) ConfigurationContextsList() (map[string]string, error)

ConfigurationContextsList returns the list of available context names. TODO: should this be moved to the Provider level?

func (*Core) ConfigurationView added in v0.0.56

func (c *Core) ConfigurationView(minify bool) (runtime.Object, error)

ConfigurationView returns the current kubeconfig content as kubeconfig YAML. If minify is true, only the current-context and the pieces of the configuration relevant to that context are kept. If minify is false, all contexts, clusters, auth-infos, and users are returned. TODO: should this be moved to the Provider level?

func (*Core) EventsList added in v0.0.56

func (c *Core) EventsList(ctx context.Context, namespace string) ([]map[string]any, error)

func (*Core) NamespacesList added in v0.0.56

func (c *Core) NamespacesList(ctx context.Context, options api.ListOptions) (runtime.Unstructured, error)

func (*Core) NodesLog added in v0.0.56

func (c *Core) NodesLog(ctx context.Context, name string, query string, tailLines int64) (string, error)

func (*Core) NodesStatsSummary added in v0.0.56

func (c *Core) NodesStatsSummary(ctx context.Context, name string) (string, error)

func (*Core) NodesTop added in v0.0.56

func (c *Core) NodesTop(ctx context.Context, options api.NodesTopOptions) (*metrics.NodeMetricsList, error)

func (*Core) PodsDelete added in v0.0.56

func (c *Core) PodsDelete(ctx context.Context, namespace, name string) (string, error)

func (*Core) PodsExec added in v0.0.56

func (c *Core) PodsExec(ctx context.Context, namespace, name, container string, command []string) (string, error)

func (*Core) PodsGet added in v0.0.56

func (c *Core) PodsGet(ctx context.Context, namespace, name string) (*unstructured.Unstructured, error)

func (*Core) PodsListInAllNamespaces added in v0.0.56

func (c *Core) PodsListInAllNamespaces(ctx context.Context, options api.ListOptions) (runtime.Unstructured, error)

func (*Core) PodsListInNamespace added in v0.0.56

func (c *Core) PodsListInNamespace(ctx context.Context, namespace string, options api.ListOptions) (runtime.Unstructured, error)

func (*Core) PodsLog added in v0.0.56

func (c *Core) PodsLog(ctx context.Context, namespace, name, container string, previous bool, tail int64) (string, error)

func (*Core) PodsRun added in v0.0.56

func (c *Core) PodsRun(ctx context.Context, namespace, name, image string, port int32) ([]*unstructured.Unstructured, error)

func (*Core) PodsTop added in v0.0.56

func (c *Core) PodsTop(ctx context.Context, options api.PodsTopOptions) (*metrics.PodMetricsList, error)

func (*Core) ProjectsList added in v0.0.56

func (c *Core) ProjectsList(ctx context.Context, options api.ListOptions) (runtime.Unstructured, error)

func (*Core) ResourcesCreateOrUpdate added in v0.0.56

func (c *Core) ResourcesCreateOrUpdate(ctx context.Context, resource string) ([]*unstructured.Unstructured, error)

func (*Core) ResourcesDelete added in v0.0.56

func (c *Core) ResourcesDelete(ctx context.Context, gvk *schema.GroupVersionKind, namespace, name string, gracePeriodSeconds *int64) error

func (*Core) ResourcesGet added in v0.0.56

func (c *Core) ResourcesGet(ctx context.Context, gvk *schema.GroupVersionKind, namespace, name string) (*unstructured.Unstructured, error)

func (*Core) ResourcesList added in v0.0.56

func (c *Core) ResourcesList(ctx context.Context, gvk *schema.GroupVersionKind, namespace string, options api.ListOptions) (runtime.Unstructured, error)

func (*Core) ResourcesScale added in v0.0.56

func (c *Core) ResourcesScale(
	ctx context.Context,
	gvk *schema.GroupVersionKind,
	namespace, name string,
	desiredScale int64,
	shouldScale bool,
) (*unstructured.Unstructured, error)

type HeaderKey

type HeaderKey string

type Kubernetes

type Kubernetes struct {
	kubernetes.Interface
	// contains filtered or unexported fields
}

Kubernetes is a limited Kubernetes client that delegates to the standard kubernetes.Clientset. Only a limited set of functions is implemented, with a single point of access to the Kubernetes API where apiVersion and kinds are checked for allowed access.

func NewKubernetes added in v0.0.56

func NewKubernetes(baseConfig api.BaseConfig, clientCmdConfig clientcmd.ClientConfig, restConfig *rest.Config) (*Kubernetes, error)

func (*Kubernetes) DiscoveryClient added in v0.0.56

func (k *Kubernetes) DiscoveryClient() discovery.CachedDiscoveryInterface

func (*Kubernetes) DynamicClient added in v0.0.56

func (k *Kubernetes) DynamicClient() dynamic.Interface

func (*Kubernetes) MetricsV1beta1Client added in v0.0.56

func (k *Kubernetes) MetricsV1beta1Client() *metricsv1beta1.MetricsV1beta1Client

func (*Kubernetes) NamespaceOrDefault

func (k *Kubernetes) NamespaceOrDefault(namespace string) string

func (*Kubernetes) RESTConfig added in v0.0.56

func (k *Kubernetes) RESTConfig() *rest.Config

func (*Kubernetes) RESTMapper added in v0.0.56

func (k *Kubernetes) RESTMapper() meta.ResettableRESTMapper

func (*Kubernetes) ToDiscoveryClient added in v0.0.55

func (k *Kubernetes) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error)

func (*Kubernetes) ToRESTConfig added in v0.0.55

func (k *Kubernetes) ToRESTConfig() (*rest.Config, error)

ToRESTConfig returns the rest.Config object (genericclioptions.RESTClientGetter)

func (*Kubernetes) ToRESTMapper added in v0.0.55

func (k *Kubernetes) ToRESTMapper() (meta.RESTMapper, error)

func (*Kubernetes) ToRawKubeConfigLoader added in v0.0.55

func (k *Kubernetes) ToRawKubeConfigLoader() clientcmd.ClientConfig

ToRawKubeConfigLoader returns the clientcmd.ClientConfig object (genericclioptions.RESTClientGetter)

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

func NewInClusterManager added in v0.0.54

func NewInClusterManager(config api.BaseConfig) (*Manager, error)

func NewKubeconfigManager added in v0.0.54

func NewKubeconfigManager(config api.BaseConfig, kubeconfigContext string) (*Manager, error)

func NewManager

func NewManager(config api.BaseConfig, restConfig *rest.Config, clientCmdConfig clientcmd.ClientConfig) (*Manager, error)

func (*Manager) Close

func (m *Manager) Close()

Close releases HTTP transport resources held by this manager.

func (*Manager) Derived

func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error)

func (*Manager) Invalidate added in v0.0.55

func (m *Manager) Invalidate()

Invalidate invalidates the cached discovery information.

func (*Manager) IsOpenShift

func (m *Manager) IsOpenShift(ctx context.Context) bool

type McpReload added in v0.0.55

type McpReload func() error

McpReload is a function type that defines a callback for reloading MCP toolsets (including tools, prompts, or other configurations)

type Provider added in v0.0.54

type Provider interface {
	// Openshift extends the Openshift interface to provide OpenShift specific functionality to toolset providers
	// TODO: with the configurable toolset implementation and especially the multi-cluster approach
	// extending this interface might not be a good idea anymore.
	// For the kubecontext case, a user might be targeting both an OpenShift flavored cluster and a vanilla Kubernetes cluster.
	// See: https://github.com/containers/kubernetes-mcp-server/pull/372#discussion_r2421592315
	api.Openshift
	// IsMultiTarget reports whether the provider is configured for multiple targets.
	// Unlike GetTargets, it does not require a user-scoped context and should be
	// implementable without expensive lookups.
	// Note that GetTargets may return fewer targets than the provider is configured for
	// (e.g. due to user-scoped access restrictions).
	IsMultiTarget() bool
	GetTargets(ctx context.Context) ([]string, error)
	GetDerivedKubernetes(ctx context.Context, target string) (*Kubernetes, error)
	GetDefaultTarget() string
	GetTargetParameterName() string
	// WatchTargets sets up a watcher for changes in the cluster targets and calls the provided McpReload function when changes are detected
	WatchTargets(reload McpReload)
	Close()
}

func NewProvider added in v0.0.54

func NewProvider(cfg api.BaseConfig, opts ...ProviderOption) (Provider, error)

type ProviderFactory added in v0.0.53

type ProviderFactory func(cfg api.BaseConfig) (Provider, error)

ProviderFactory creates a new Provider instance for a given strategy. Implementations should validate that the Manager is compatible with their strategy (e.g., kubeconfig provider should reject in-cluster managers).

type ProviderOption added in v0.0.57

type ProviderOption func(*providerOptions)

func WithTokenExchange added in v0.0.57

func WithTokenExchange(oidcProvider *oidc.Provider, httpClient *http.Client) ProviderOption

type RBACValidator added in v0.0.58

type RBACValidator struct {
	// contains filtered or unexported fields
}

RBACValidator pre-checks RBAC permissions before execution.

func NewRBACValidator added in v0.0.58

func NewRBACValidator(authClientProvider func() authv1client.AuthorizationV1Interface) *RBACValidator

NewRBACValidator creates a new RBAC validator.

func (*RBACValidator) Name added in v0.0.58

func (v *RBACValidator) Name() string

func (*RBACValidator) Validate added in v0.0.58

type SchemaValidator added in v0.0.58

type SchemaValidator struct {
	// contains filtered or unexported fields
}

SchemaValidator validates resource manifests against the OpenAPI schema.

func NewSchemaValidator added in v0.0.58

func NewSchemaValidator(discoveryClientProvider func() discovery.DiscoveryInterface) *SchemaValidator

NewSchemaValidator creates a new schema validator.

func (*SchemaValidator) Name added in v0.0.58

func (v *SchemaValidator) Name() string

func (*SchemaValidator) Validate added in v0.0.58

type SecurityTokenService added in v0.0.57

type SecurityTokenService struct {
	*oidc.Provider
	ClientId                string
	ClientSecret            string
	ExternalAccountAudience string
	ExternalAccountScopes   []string
}

func NewFromConfig added in v0.0.57

func NewFromConfig(stsConfigProvider api.StsConfigProvider, provider *oidc.Provider) *SecurityTokenService

func (*SecurityTokenService) ExternalAccountTokenExchange added in v0.0.57

func (sts *SecurityTokenService) ExternalAccountTokenExchange(ctx context.Context, originalToken *oauth2.Token) (*oauth2.Token, error)

func (*SecurityTokenService) IsEnabled added in v0.0.57

func (sts *SecurityTokenService) IsEnabled() bool

type TokenExchangeProvider added in v0.0.57

type TokenExchangeProvider interface {
	// GetTokenExchangeConfig returns the token exchange configuration for the specified target.
	// Returns nil if no per-target exchange is configured
	GetTokenExchangeConfig(target string) *tokenexchange.TargetTokenExchangeConfig

	// GetTokenExchangeStrategy returns the token exchange strategy to use (e.g. "keycloak-v1" or "rfc8693").
	GetTokenExchangeStrategy() string
}

TokenExchangeProvider is an optional interface that providers can implement to support per-target token exchange.

When a provider implements this interface and GetTokenExchangeConfig returns a non-nil config for a target, token exchange will be performed before creating the derived Kubernetes client. The exchanged token replaces the original in the Authorization header used by the derived client.

If GetTokenExchangeConfig returns nil for a target, or the interface is not implemented for a provider, no per-target token exchange is performed and the original token is used as-is.
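The contract in the two paragraphs above, shown as an RFC 8693 exchange with both sides of the conversation. This is an added example, not the project's SecurityTokenService or tokenexchange package: the TargetTokenExchangeConfig field names, the client_secret_basic authentication to the token endpoint, and the decision to fail rather than fall back when an exchange is configured but fails are assumptions of this example. The httptest server acting as the STS, its single client credential and the "user-token" it accepts are constructed inputs.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// RFC 8693 identifiers.
const (
	GrantTypeTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	TokenTypeAccessToken   = "urn:ietf:params:oauth:token-type:access_token"
)

// TargetTokenExchangeConfig is an illustrative per-target config; the field
// names are assumptions, not the project's tokenexchange.TargetTokenExchangeConfig.
type TargetTokenExchangeConfig struct {
	TokenEndpoint          string
	ClientID, ClientSecret string
	Audience               string
	Scopes                 []string
}

type tokenResponse struct {
	AccessToken     string `json:"access_token,omitempty"`
	IssuedTokenType string `json:"issued_token_type,omitempty"`
	Error           string `json:"error,omitempty"`
}

// Exchange performs the RFC 8693 token-exchange grant: the caller's token is
// sent as subject_token and the STS mints a token for the target audience.
func Exchange(ctx context.Context, client *http.Client, cfg *TargetTokenExchangeConfig, subjectToken string) (string, error) {
	form := url.Values{
		"grant_type":           {GrantTypeTokenExchange},
		"subject_token":        {subjectToken},
		"subject_token_type":   {TokenTypeAccessToken},
		"requested_token_type": {TokenTypeAccessToken},
		"audience":             {cfg.Audience},
	}
	if len(cfg.Scopes) > 0 {
		form.Set("scope", strings.Join(cfg.Scopes, " "))
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, cfg.TokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(cfg.ClientID, cfg.ClientSecret) // client_secret_basic
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK || tr.AccessToken == "" {
		return "", fmt.Errorf("token exchange failed: HTTP %d %s", resp.StatusCode, tr.Error)
	}
	return tr.AccessToken, nil
}

// AuthorizationFor follows the documented contract: no per-target config means
// the original token is used as-is; with a config the exchanged token replaces
// it. A failed exchange is an error, never a silent fallback (choice made here).
func AuthorizationFor(ctx context.Context, client *http.Client, cfg *TargetTokenExchangeConfig, original string) (string, error) {
	if cfg == nil {
		return "Bearer " + original, nil
	}
	exchanged, err := Exchange(ctx, client, cfg, original)
	if err != nil {
		return "", err
	}
	return "Bearer " + exchanged, nil
}

// NewFakeSTS is a constructed token endpoint: one client credential, one
// acceptable subject token, and it mints "exchanged-for-<audience>".
func NewFakeSTS() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		id, secret, ok := r.BasicAuth()
		if !ok || id != "mcp-server" || secret != "s3cret" {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(tokenResponse{Error: "invalid_client"})
			return
		}
		if r.ParseForm() != nil || r.PostForm.Get("grant_type") != GrantTypeTokenExchange || r.PostForm.Get("subject_token") != "user-token" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(tokenResponse{Error: "invalid_grant"})
			return
		}
		json.NewEncoder(w).Encode(tokenResponse{AccessToken: "exchanged-for-" + r.PostForm.Get("audience"), IssuedTokenType: TokenTypeAccessToken})
	}))
}

// Demo exchanges for a target with a config and passes through for one without.
func Demo() (withExchange, withoutExchange string, err error) {
	sts := NewFakeSTS()
	defer sts.Close()
	cfg := &TargetTokenExchangeConfig{TokenEndpoint: sts.URL + "/token", ClientID: "mcp-server", ClientSecret: "s3cret", Audience: "cluster-prod", Scopes: []string{"openid"}}
	if withExchange, err = AuthorizationFor(context.Background(), sts.Client(), cfg, "user-token"); err != nil {
		return
	}
	withoutExchange, err = AuthorizationFor(context.Background(), sts.Client(), nil, "user-token")
	return
}

func main() {
	a, b, err := Demo()
	fmt.Println(a, "|", b, "|", err)
}
```

The point of exchanging per target is that the token presented to cluster A is audience-bound to A and useless against cluster B; the caller's original token never leaves the server except as the subject_token of the exchange request to the STS.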

type UserAgentRoundTripper added in v0.0.58

type UserAgentRoundTripper struct {
	// contains filtered or unexported fields
}

func (*UserAgentRoundTripper) RoundTrip added in v0.0.58

func (u *UserAgentRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)

func (*UserAgentRoundTripper) WrappedRoundTripper added in v0.0.59

func (u *UserAgentRoundTripper) WrappedRoundTripper() http.RoundTripper

type ValidatorFactory added in v0.0.58

type ValidatorFactory func(ValidatorProviders) api.HTTPValidator

ValidatorFactory creates a validator given the providers.

type ValidatorProviders added in v0.0.58

type ValidatorProviders struct {
	Discovery  func() discovery.DiscoveryInterface
	AuthClient func() authv1client.AuthorizationV1Interface
}

ValidatorProviders holds the providers needed to create validators.
