mcp-server-kubernetes 2.5.1 → 2.6.0

package/README.md

@@ -93,6 +93,7 @@ npx mcp-chat --config "%APPDATA%\Claude\claude_desktop_config.json"
 - [x] Troubleshooting Prompt (`k8s-diagnose`)
   - Guides through a systematic Kubernetes troubleshooting flow for pods based on a keyword and optional namespace.
 - [x] Non-destructive mode for read and create/update-only access to clusters
+- [x] Secrets masking for security (masks sensitive data in `kubectl get secrets` commands, does not affect logs)
 
 ## Prompts
 

package/dist/tools/kubectl-get.js

@@ -1,6 +1,7 @@
 import { execFileSync } from "child_process";
 import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
 import { getSpawnMaxBuffer } from "../config/max-buffer.js";
+import * as yaml from "js-yaml";
 export const kubectlGetSchema = {
     name: "kubectl_get",
     description: "Get or list Kubernetes resources by resource type, name, and optionally namespace",
@@ -120,12 +121,19 @@ export async function kubectlGet(k8sManager, input) {
                 maxBuffer: getSpawnMaxBuffer(),
                 env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
             });
+            // Apply secrets masking if enabled and dealing with secrets
+            const shouldMaskSecrets = process.env.MASK_SECRETS !== "false" &&
+                (resourceType === "secrets" || resourceType === "secret");
+            let processedResult = result;
+            if (shouldMaskSecrets) {
+                processedResult = maskSecretsData(result, output);
+            }
             // Format the results for better readability
             const isListOperation = !name;
             if (isListOperation && output === "json") {
                 try {
                     // Parse JSON and extract key information
-                    const parsed = JSON.parse(result);
+                    const parsed = JSON.parse(processedResult);
                     if (parsed.kind && parsed.kind.endsWith("List") && parsed.items) {
                         if (resourceType === "events") {
                             const formattedEvents = parsed.items.map((event) => ({
@@ -178,7 +186,7 @@ export async function kubectlGet(k8sManager, input) {
                 content: [
                     {
                         type: "text",
-                        text: result,
+                        text: processedResult,
                     },
                 ],
             };
@@ -261,3 +269,86 @@ function isNonNamespacedResource(resourceType) {
     ];
     return nonNamespacedResources.includes(resourceType.toLowerCase());
 }
+/**
+ * Recursively traverses an object and masks values in 'data' sections of Kubernetes secrets.
+ *
+ * @param {any} obj - The object to traverse. Can be an array, object, or primitive value.
+ * @returns {any} A new object with masked values in 'data' sections.
+ */
+function maskDataValues(obj) {
+    if (obj == null) {
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map(item => maskDataValues(item));
+    }
+    if (typeof obj === "object") {
+        const result = {};
+        for (const key in obj) {
+            if (key === "data" && typeof obj[key] === "object" && obj[key] !== null) {
+                // This is a data section - mask all leaf values within it
+                result[key] = maskAllLeafValues(obj[key]);
+            }
+            else {
+                result[key] = maskDataValues(obj[key]);
+            }
+        }
+        return result;
+    }
+    return obj;
+}
+/**
+ * Recursively masks all leaf values (non-object, non-array values) in an object structure.
+ *
+ * @param {any} obj - The input object or value to process.
+ * @returns {any} A new object or value with all leaf values replaced by a mask.
+ */
+function maskAllLeafValues(obj) {
+    const maskValue = "***";
+    if (obj == null) {
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map(item => maskAllLeafValues(item));
+    }
+    if (typeof obj === "object") {
+        const result = {};
+        for (const key in obj) {
+            result[key] = maskAllLeafValues(obj[key]);
+        }
+        return result;
+    }
+    // This is a leaf value (string, number, boolean) - mask it
+    return maskValue;
+}
+/**
+ * Masks sensitive data in Kubernetes secrets by parsing the raw output and replacing
+ * all leaf values in the "data" section with a placeholder value ("***").
+ *
+ * @param {string} output - The raw output from a `kubectl` command, containing secrets data.
+ * @param {string} format - The format of the output, either "json" or "yaml".
+ * @returns {string} - The masked output in the same format as the input.
+ */
+function maskSecretsData(output, format) {
+    try {
+        if (format === "json") {
+            const parsed = JSON.parse(output);
+            const masked = maskDataValues(parsed);
+            return JSON.stringify(masked, null, 2);
+        }
+        else if (format === "yaml") {
+            // Parse YAML to JSON, mask, then convert back to YAML
+            const parsed = yaml.load(output);
+            const masked = maskDataValues(parsed);
+            return yaml.dump(masked, {
+                indent: 2,
+                lineWidth: -1, // Don't wrap lines
+                noRefs: true // Don't use references
+            });
+        }
+    }
+    catch (error) {
+        console.warn("Failed to parse secrets output for masking:", error);
+    }
+    return output;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-server-kubernetes",
-  "version": "2.5.1",
+  "version": "2.6.0",
   "description": "MCP server for interacting with Kubernetes clusters via kubectl",
   "license": "MIT",
   "type": "module",