npm - mcp-server-kubernetes - Versions diffs - 2.5.1 → 2.7.0 - Mend

mcp-server-kubernetes 2.5.1 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +1 -0
package/dist/index.js +5 -0
package/dist/tools/kubectl-get.js +93 -2
package/dist/utils/streamable-http.d.ts +3 -0
package/dist/utils/streamable-http.js +79 -0
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -93,6 +93,7 @@ npx mcp-chat --config "%APPDATA%\Claude\claude_desktop_config.json"
 - [x] Troubleshooting Prompt (`k8s-diagnose`)
   - Guides through a systematic Kubernetes troubleshooting flow for pods based on a keyword and optional namespace.
 - [x] Non-destructive mode for read and create/update-only access to clusters
+- [x] Secrets masking for security (masks sensitive data in `kubectl get secrets` commands, does not affect logs)
 ## Prompts

package/dist/index.js CHANGED Viewed

@@ -24,6 +24,7 @@ import { kubectlPatch, kubectlPatchSchema } from "./tools/kubectl-patch.js";
 import { kubectlRollout, kubectlRolloutSchema, } from "./tools/kubectl-rollout.js";
 import { registerPromptHandlers } from "./prompts/index.js";
 import { ping, pingSchema } from "./tools/ping.js";
+import { startStreamableHTTPServer } from "./utils/streamable-http.js";
 // Check environment variables for tool filtering
 const allowOnlyReadonlyTools = process.env.ALLOW_ONLY_READONLY_TOOLS === "true";
 const allowedToolsEnv = process.env.ALLOWED_TOOLS;
@@ -217,6 +218,10 @@ if (process.env.ENABLE_UNSAFE_SSE_TRANSPORT) {
     startSSEServer(server);
     console.log(`SSE server started`);
 }
+else if (process.env.ENABLE_UNSAFE_STREAMABLE_HTTP_TRANSPORT) {
+    startStreamableHTTPServer(server);
+    console.log(`Streamable HTTP server started`);
+}
 else {
     const transport = new StdioServerTransport();
     console.error(`Starting Kubernetes MCP server v${serverConfig.version}, handling commands...`);

package/dist/tools/kubectl-get.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { execFileSync } from "child_process";
 import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
 import { getSpawnMaxBuffer } from "../config/max-buffer.js";
+import * as yaml from "js-yaml";
 export const kubectlGetSchema = {
     name: "kubectl_get",
     description: "Get or list Kubernetes resources by resource type, name, and optionally namespace",
@@ -120,12 +121,19 @@ export async function kubectlGet(k8sManager, input) {
                 maxBuffer: getSpawnMaxBuffer(),
                 env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
             });
+            // Apply secrets masking if enabled and dealing with secrets
+            const shouldMaskSecrets = process.env.MASK_SECRETS !== "false" &&
+                (resourceType === "secrets" || resourceType === "secret");
+            let processedResult = result;
+            if (shouldMaskSecrets) {
+                processedResult = maskSecretsData(result, output);
+            }
             // Format the results for better readability
             const isListOperation = !name;
             if (isListOperation && output === "json") {
                 try {
                     // Parse JSON and extract key information
-                    const parsed = JSON.parse(result);
+                    const parsed = JSON.parse(processedResult);
                     if (parsed.kind && parsed.kind.endsWith("List") && parsed.items) {
                         if (resourceType === "events") {
                             const formattedEvents = parsed.items.map((event) => ({
@@ -178,7 +186,7 @@ export async function kubectlGet(k8sManager, input) {
                 content: [
                     {
                         type: "text",
-                        text: result,
+                        text: processedResult,
                     },
                 ],
             };
@@ -261,3 +269,86 @@ function isNonNamespacedResource(resourceType) {
     ];
     return nonNamespacedResources.includes(resourceType.toLowerCase());
 }
+/**
+ * Recursively traverses an object and masks values in 'data' sections of Kubernetes secrets.
+ *
+ * @param {any} obj - The object to traverse. Can be an array, object, or primitive value.
+ * @returns {any} A new object with masked values in 'data' sections.
+ */
+function maskDataValues(obj) {
+    if (obj == null) {
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map(item => maskDataValues(item));
+    }
+    if (typeof obj === "object") {
+        const result = {};
+        for (const key in obj) {
+            if (key === "data" && typeof obj[key] === "object" && obj[key] !== null) {
+                // This is a data section - mask all leaf values within it
+                result[key] = maskAllLeafValues(obj[key]);
+            }
+            else {
+                result[key] = maskDataValues(obj[key]);
+            }
+        }
+        return result;
+    }
+    return obj;
+}
+/**
+ * Recursively masks all leaf values (non-object, non-array values) in an object structure.
+ *
+ * @param {any} obj - The input object or value to process.
+ * @returns {any} A new object or value with all leaf values replaced by a mask.
+ */
+function maskAllLeafValues(obj) {
+    const maskValue = "***";
+    if (obj == null) {
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map(item => maskAllLeafValues(item));
+    }
+    if (typeof obj === "object") {
+        const result = {};
+        for (const key in obj) {
+            result[key] = maskAllLeafValues(obj[key]);
+        }
+        return result;
+    }
+    // This is a leaf value (string, number, boolean) - mask it
+    return maskValue;
+}
+/**
+ * Masks sensitive data in Kubernetes secrets by parsing the raw output and replacing
+ * all leaf values in the "data" section with a placeholder value ("***").
+ *
+ * @param {string} output - The raw output from a `kubectl` command, containing secrets data.
+ * @param {string} format - The format of the output, either "json" or "yaml".
+ * @returns {string} - The masked output in the same format as the input.
+ */
+function maskSecretsData(output, format) {
+    try {
+        if (format === "json") {
+            const parsed = JSON.parse(output);
+            const masked = maskDataValues(parsed);
+            return JSON.stringify(masked, null, 2);
+        }
+        else if (format === "yaml") {
+            // Parse YAML to JSON, mask, then convert back to YAML
+            const parsed = yaml.load(output);
+            const masked = maskDataValues(parsed);
+            return yaml.dump(masked, {
+                indent: 2,
+                lineWidth: -1, // Don't wrap lines
+                noRefs: true // Don't use references
+            });
+        }
+    }
+    catch (error) {
+        console.warn("Failed to parse secrets output for masking:", error);
+    }
+    return output;
+}

package/dist/utils/streamable-http.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import http from "http";
+export declare function startStreamableHTTPServer(server: Server): http.Server;

package/dist/utils/streamable-http.js ADDED Viewed

@@ -0,0 +1,79 @@
+import express from "express";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+export function startStreamableHTTPServer(server) {
+    const app = express();
+    app.use(express.json());
+    app.post("/mcp", async (req, res) => {
+        // In stateless mode, create a new instance of transport and server for each request
+        // to ensure complete isolation. A single instance would cause request ID collisions
+        // when multiple clients connect concurrently.
+        try {
+            // DNS rebinding protection is disabled by default for backwards compatibility. If you are running this server
+            // locally, make sure to set DNS_REBINDING_PROTECTION=true
+            const enableDnsRebindingProtection = process.env.DNS_REBINDING_PROTECTION === "true";
+            const allowedHosts = process.env.DNS_REBINDING_ALLOWED_HOST
+                ? [process.env.DNS_REBINDING_ALLOWED_HOST]
+                : ["127.0.0.1"];
+            const transport = new StreamableHTTPServerTransport({
+                sessionIdGenerator: undefined,
+                enableDnsRebindingProtection,
+                allowedHosts,
+            });
+            res.on("close", () => {
+                transport.close();
+                server.close();
+            });
+            await server.connect(transport);
+            await transport.handleRequest(req, res, req.body);
+        }
+        catch (error) {
+            console.error("Error handling MCP request:", error);
+            if (!res.headersSent) {
+                res.status(500).json({
+                    jsonrpc: "2.0",
+                    error: {
+                        code: -32603,
+                        message: "Internal server error",
+                    },
+                    id: null,
+                });
+            }
+        }
+    });
+    // SSE notifications not supported in stateless mode
+    app.get("/mcp", async (req, res) => {
+        console.log("Received GET MCP request");
+        res.writeHead(405).end(JSON.stringify({
+            jsonrpc: "2.0",
+            error: {
+                code: -32000,
+                message: "Method not allowed.",
+            },
+            id: null,
+        }));
+    });
+    // Session termination not needed in stateless mode
+    app.delete("/mcp", async (req, res) => {
+        console.log("Received DELETE MCP request");
+        res.writeHead(405).end(JSON.stringify({
+            jsonrpc: "2.0",
+            error: {
+                code: -32000,
+                message: "Method not allowed.",
+            },
+            id: null,
+        }));
+    });
+    let port = 3000;
+    try {
+        port = parseInt(process.env.PORT || "3000", 10);
+    }
+    catch (e) {
+        console.error("Invalid PORT environment variable, using default port 3000.");
+    }
+    const host = process.env.HOST || "localhost";
+    const httpServer = app.listen(port, host, () => {
+        console.log(`mcp-kubernetes-server is listening on port ${port}\nUse the following url to connect to the server:\nhttp://${host}:${port}/mcp`);
+    });
+    return httpServer;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mcp-server-kubernetes",
-  "version": "2.5.1",
+  "version": "2.7.0",
   "description": "MCP server for interacting with Kubernetes clusters via kubectl",
   "license": "MIT",
   "type": "module",
@@ -38,7 +38,7 @@
   },
   "dependencies": {
     "@kubernetes/client-node": "1.3.0",
-    "@modelcontextprotocol/sdk": "1.7.0",
+    "@modelcontextprotocol/sdk": "1.17.0",
     "express": "4.21.2",
     "js-yaml": "4.1.0",
     "yaml": "2.7.0",