@futuretea/rancher-mcp-server 0.4.3 → 0.4.5

package/README.md

@@ -19,12 +19,20 @@ A [Model Context Protocol (MCP)](https://modelcontextprotocol.io/) server for Ra
   - Describe resources with related events (similar to `kubectl describe`)
   - List and filter Kubernetes events by namespace, object name, and object kind
   - Query container logs with filtering (tail lines, time range, timestamps, keyword search)
+  - Multi-pod log aggregation via label selector with time-based sorting
+  - View rollout history for Deployments
+  - Analyze node health and resource usage
   - Inspect pods with parent workload, metrics, and logs
+  - Show dependency/dependent trees for any resource (inspired by kube-lineage)
 - **Rancher Resources via Norman API**: List clusters and projects
 - **Security Controls**:
   - `read_only`: Disables create, patch, and delete operations
   - `disable_destructive`: Disables delete operations only
-  - Secret data is never exposed, only metadata
+  - `show_sensitive_data`: Global administrator control for sensitive data visibility (default: `false`)
+    - When disabled (default): All sensitive data is masked with `***`
+    - When enabled: Per-tool `showSensitiveData` parameter controls visibility
+    - Applies to: Kubernetes Secret `data` and `stringData` fields
+    - Affects tools: `kubernetes_get`, `kubernetes_list`, `kubernetes_describe`
 - **Output Formats**: Table, YAML, and JSON
 - **Output Filters**: Remove verbose fields like `managedFields` from responses
 - **Pagination**: Limit and page parameters for list operations
@@ -96,6 +104,7 @@ npx @futuretea/rancher-mcp-server@latest --help
 | `--rancher-tls-insecure` | Skip TLS verification | `false` |
 | `--read-only` | Disable write operations | `true` |
 | `--disable-destructive` | Disable delete operations | `false` |
+| `--show-sensitive-data` | Global admin flag to allow sensitive data visibility | `false` |
 | `--list-output` | Output format (json, table, yaml) | `json` |
 | `--output-filters` | Fields to remove from output | `metadata.managedFields` |
 | `--toolsets` | Toolsets to enable | `kubernetes,rancher` |
@@ -121,6 +130,13 @@ rancher_token: your-bearer-token
 read_only: true  # default: true
 disable_destructive: false
 
+# Sensitive Data Control:
+# Global administrator setting that controls whether sensitive data can be shown.
+# - false (default): All sensitive data is always masked with '***'
+# - true: Allows per-tool showSensitiveData parameter to control visibility
+# Applies to Kubernetes Secret data and stringData fields.
+show_sensitive_data: false
+
 list_output: json
 
 # Remove verbose fields from output
@@ -145,6 +161,7 @@ RANCHER_MCP_PORT=8080
 RANCHER_MCP_RANCHER_SERVER_URL=https://rancher.example.com
 RANCHER_MCP_RANCHER_TOKEN=your-token
 RANCHER_MCP_READ_ONLY=true
+RANCHER_MCP_SHOW_SENSITIVE_DATA=false  # Global admin control for sensitive data
 ```
 
 ### HTTP/SSE Mode
@@ -174,6 +191,86 @@ rancher-mcp-server --port 8080 \
 
 ## Tools and Functionalities <a id="tools-and-functionalities"></a>
 
+### Sensitive Data Protection
+
+The server provides a two-tier security control for handling sensitive Kubernetes resources (currently Secrets):
+
+#### Global Administrator Control
+
+The `--show-sensitive-data` flag (default: `false`) is a global administrator setting that determines whether sensitive data can ever be revealed:
+
+- **Disabled (default: `false`)**: All sensitive data is **always masked** with `***`, regardless of per-tool parameters
+  - Secret `data` and `stringData` fields are masked
+  - Provides maximum security by preventing any accidental data exposure
+  - Recommended for production environments
+
+- **Enabled (`true`)**: Allows per-tool `showSensitiveData` parameter to control visibility
+  - Each tool call can choose whether to show or mask sensitive data
+  - Useful for troubleshooting and administrative tasks
+  - Requires explicit per-call parameter to reveal data
+
+#### Per-Tool Parameter Control
+
+When global `--show-sensitive-data` is enabled, tools that access sensitive resources accept a `showSensitiveData` parameter:
+
+- `showSensitiveData: false` (default): Masks sensitive fields with `***`
+- `showSensitiveData: true`: Shows actual values
+
+**Affected Tools:**
+- `kubernetes_get`: Get individual resources including Secrets
+- `kubernetes_list`: List resources including Secrets
+- `kubernetes_describe`: Describe resources with events
+
+**Example Behavior:**
+
+```yaml
+# Global flag disabled (--show-sensitive-data=false)
+# Secret data is ALWAYS masked, regardless of per-tool parameter
+apiVersion: v1
+kind: Secret
+data:
+  password: "***"  # Always masked
+  token: "***"     # Always masked
+
+# Global flag enabled (--show-sensitive-data=true)
+# Per-tool parameter controls visibility:
+
+# With showSensitiveData: false (default)
+apiVersion: v1
+kind: Secret
+data:
+  password: "***"  # Masked
+  token: "***"     # Masked
+
+# With showSensitiveData: true
+apiVersion: v1
+kind: Secret
+data:
+  password: "<base64-encoded-value>"  # Actual base64 value shown
+  token: "<base64-encoded-value>"     # Actual base64 value shown
+```
+
+**Configuration Examples:**
+
+```shell
+# Maximum security (production recommended)
+rancher-mcp-server --show-sensitive-data=false  # or omit (default)
+
+# Allow administrators to reveal data when needed
+rancher-mcp-server --show-sensitive-data=true
+```
+
+```yaml
+# config.yaml
+show_sensitive_data: false  # Production: always mask
+# show_sensitive_data: true  # Development: allow per-tool control
+```
+
+```shell
+# Environment variable
+RANCHER_MCP_SHOW_SENSITIVE_DATA=false
+```
+
 Tools are organized into toolsets. Use `--toolsets` to enable specific sets or `--enabled-tools`/`--disabled-tools` for fine-grained control.
 
 ### Toolsets
@@ -185,6 +282,23 @@ Tools are organized into toolsets. Use `--toolsets` to enable specific sets or `
 
 ### kubernetes
 
+<details>
+<summary>kubernetes_dep</summary>
+
+Show all dependencies or dependents of any Kubernetes resource as a tree. Covers OwnerReference chains, Pod→Node/SA/ConfigMap/Secret/PVC, Service→Pod (label selector), Ingress→IngressClass/Service/TLS Secret, PVC↔PV→StorageClass, RBAC bindings, PDB→Pod, and Events.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `cluster` | string | Yes | Cluster ID |
+| `kind` | string | Yes | Resource kind (e.g., deployment, pod, service, ingress, node) |
+| `namespace` | string | No | Namespace (optional for cluster-scoped resources) |
+| `name` | string | Yes | Resource name |
+| `direction` | string | No | Traversal direction: `dependents` (default) or `dependencies` |
+| `depth` | integer | No | Maximum traversal depth, 1-20 (default: 10) |
+| `format` | string | No | Output format: tree, json (default: tree) |
+
+</details>
+
 <details>
 <summary>kubernetes_get</summary>
 
@@ -197,6 +311,7 @@ Get a Kubernetes resource by kind, namespace, and name.
 | `namespace` | string | No | Namespace (optional for cluster-scoped resources) |
 | `name` | string | Yes | Resource name |
 | `format` | string | No | Output format: json, yaml (default: json) |
+| `showSensitiveData` | boolean | No | Show sensitive data values (e.g., Secret data). Default: false. Only takes effect when global `--show-sensitive-data` is enabled. When global setting is disabled, data is always masked with `***` |
 
 </details>
 
@@ -215,26 +330,33 @@ List Kubernetes resources by kind.
 | `limit` | integer | No | Items per page (default: 100) |
 | `page` | integer | No | Page number, starting from 1 (default: 1) |
 | `format` | string | No | Output format: json, table, yaml (default: json) |
+| `showSensitiveData` | boolean | No | Show sensitive data values (e.g., Secret data). Default: false. Only takes effect when global `--show-sensitive-data` is enabled. When global setting is disabled, data is always masked with `***` |
 
 </details>
 
 <details>
 <summary>kubernetes_logs</summary>
 
-Get logs from a pod container.
+Get logs from a pod container. Supports multi-pod log aggregation via label selector with time-based sorting.
 
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
 | `cluster` | string | Yes | Cluster ID |
 | `namespace` | string | Yes | Namespace |
-| `name` | string | Yes | Pod name |
+| `name` | string | No | Pod name (required if labelSelector not specified) |
+| `labelSelector` | string | No | Label selector for multi-pod log aggregation (e.g., "app=nginx") |
 | `container` | string | No | Container name (empty = all containers) |
 | `tailLines` | integer | No | Lines from end (default: 100) |
 | `sinceSeconds` | integer | No | Logs from last N seconds |
-| `timestamps` | boolean | No | Include timestamps (default: false) |
+| `timestamps` | boolean | No | Include timestamps (default: true) |
 | `previous` | boolean | No | Previous container instance (default: false) |
 | `keyword` | string | No | Filter log lines containing this keyword (case-insensitive) |
 
+**Notes:**
+- When `labelSelector` is specified, logs from all matching pods are aggregated and sorted by timestamp
+- Output format for single pod: `[container] timestamp content`
+- Output format for multi-pod: `[pod/container] timestamp content`
+
 </details>
 
 <details>
@@ -250,6 +372,31 @@ Get pod diagnostics: details, parent workload, metrics, and logs.
 
 </details>
 
+<details>
+<summary>kubernetes_rollout_history</summary>
+
+View rollout history for Deployments. Shows revision history with change annotations (similar to `kubectl rollout history`).
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `cluster` | string | Yes | Cluster ID |
+| `namespace` | string | Yes | Namespace |
+| `name` | string | Yes | Deployment name |
+
+</details>
+
+<details>
+<summary>kubernetes_node_analysis</summary>
+
+Analyze node health and resource usage. Shows node capacity, allocatable resources, pod distribution, and identifies potential issues.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `cluster` | string | Yes | Cluster ID |
+| `name` | string | No | Node name (if empty, analyzes all nodes) |
+
+</details>
+
 <details>
 <summary>kubernetes_describe</summary>
 
@@ -262,6 +409,7 @@ Describe a Kubernetes resource with its related events. Similar to `kubectl desc
 | `namespace` | string | No | Namespace (optional for cluster-scoped resources) |
 | `name` | string | Yes | Resource name |
 | `format` | string | No | Output format: json, yaml (default: json) |
+| `showSensitiveData` | boolean | No | Show sensitive data values (e.g., Secret data). Default: false. Only takes effect when global `--show-sensitive-data` is enabled. When global setting is disabled, data is always masked with `***` |
 
 </details>
 

package/package.json

@@ -1,18 +1,18 @@
 {
   "name": "@futuretea/rancher-mcp-server",
-  "version": "0.4.3",
+  "version": "0.4.5",
   "description": "Model Context Protocol (MCP) server for Rancher multi-cluster management",
   "main": "./bin/index.js",
   "bin": {
     "rancher-mcp-server": "bin/index.js"
   },
   "optionalDependencies": {
-    "@futuretea/rancher-mcp-server-darwin-amd64": "0.4.3",
-    "@futuretea/rancher-mcp-server-darwin-arm64": "0.4.3",
-    "@futuretea/rancher-mcp-server-linux-amd64": "0.4.3",
-    "@futuretea/rancher-mcp-server-linux-arm64": "0.4.3",
-    "@futuretea/rancher-mcp-server-windows-amd64": "0.4.3",
-    "@futuretea/rancher-mcp-server-windows-arm64": "0.4.3"
+    "@futuretea/rancher-mcp-server-darwin-amd64": "0.4.5",
+    "@futuretea/rancher-mcp-server-darwin-arm64": "0.4.5",
+    "@futuretea/rancher-mcp-server-linux-amd64": "0.4.5",
+    "@futuretea/rancher-mcp-server-linux-arm64": "0.4.5",
+    "@futuretea/rancher-mcp-server-windows-amd64": "0.4.5",
+    "@futuretea/rancher-mcp-server-windows-arm64": "0.4.5"
   },
   "repository": {
     "type": "git",