mcp-server-kubernetes 3.1.1 → 3.2.1

package/dist/tools/kubectl-get.js

@@ -168,7 +168,7 @@ export async function kubectlGet(k8sManager, input) {
                                 name: item.metadata?.name || "",
                                 namespace: item.metadata?.namespace || "",
                                 kind: item.kind || resourceType,
-                                status: getResourceStatus(item),
+                                status: getResourceStatus(item, resourceType),
                                 createdAt: item.metadata?.creationTimestamp,
                             }));
                             return {
@@ -218,13 +218,94 @@ export async function kubectlGet(k8sManager, input) {
         throw new McpError(ErrorCode.InternalError, `Failed to execute kubectl get command: ${error.message}`);
     }
 }
+// Compute pod status the same way kubectl does, by inspecting container statuses
+// Based on kubernetes/pkg/printers/internalversion/printers.go printPod()
+function getPodStatus(pod) {
+    let reason = pod.status?.phase || "Unknown";
+    if (pod.status?.reason) {
+        reason = pod.status.reason;
+    }
+    // Check init container statuses
+    const initContainerStatuses = pod.status?.initContainerStatuses || [];
+    for (let i = 0; i < initContainerStatuses.length; i++) {
+        const container = initContainerStatuses[i];
+        const terminated = container.state?.terminated;
+        const waiting = container.state?.waiting;
+        if (terminated && terminated.exitCode === 0) {
+            // Init container completed successfully, continue
+            continue;
+        }
+        if (terminated) {
+            if (terminated.reason) {
+                reason = `Init:${terminated.reason}`;
+            }
+            else if (terminated.signal) {
+                reason = `Init:Signal:${terminated.signal}`;
+            }
+            else {
+                reason = `Init:ExitCode:${terminated.exitCode}`;
+            }
+        }
+        else if (waiting && waiting.reason && waiting.reason !== "PodInitializing") {
+            reason = `Init:${waiting.reason}`;
+        }
+        else {
+            const totalInit = initContainerStatuses.length;
+            reason = `Init:${i}/${totalInit}`;
+        }
+        break;
+    }
+    // If all init containers are done, check regular container statuses
+    if (initContainerStatuses.length === 0 ||
+        !reason.startsWith("Init:")) {
+        const containerStatuses = pod.status?.containerStatuses || [];
+        let hasRunning = false;
+        for (let i = containerStatuses.length - 1; i >= 0; i--) {
+            const container = containerStatuses[i];
+            const waiting = container.state?.waiting;
+            const terminated = container.state?.terminated;
+            if (waiting && waiting.reason) {
+                reason = waiting.reason;
+            }
+            else if (terminated) {
+                if (terminated.reason) {
+                    reason = terminated.reason;
+                }
+                else if (terminated.signal) {
+                    reason = `Signal:${terminated.signal}`;
+                }
+                else {
+                    reason = `ExitCode:${terminated.exitCode}`;
+                }
+            }
+            else if (container.ready && container.state?.running) {
+                hasRunning = true;
+            }
+        }
+        // If all containers are ready and running, use the phase
+        if (hasRunning && reason === (pod.status?.phase || "Unknown")) {
+            reason = pod.status?.phase || "Running";
+        }
+    }
+    // Handle pod deletion
+    if (pod.metadata?.deletionTimestamp) {
+        reason = "Terminating";
+    }
+    return reason;
+}
 // Extract status from various resource types
-function getResourceStatus(resource) {
+function getResourceStatus(resource, resourceType) {
     if (!resource)
         return "Unknown";
-    // Pod status
-    if (resource.status?.phase) {
-        return resource.status.phase;
+    const isPod = resource.kind === "Pod" ||
+        resourceType === "pods" ||
+        resourceType === "pod" ||
+        resourceType === "po" ||
+        (resource.status?.phase !== undefined &&
+            resource.status?.containerStatuses !== undefined);
+    // Pod status - use kubectl-equivalent logic
+    if (isPod) {
+        return getPodStatus(resource);
     }
     // Deployment, ReplicaSet, StatefulSet status
     if (resource.status?.readyReplicas !== undefined) {

package/dist/utils/auth.d.ts

@@ -0,0 +1,19 @@
+import { Request, Response, NextFunction } from "express";
+/**
+ * Authentication middleware for MCP HTTP transports.
+ *
+ * When the MCP_AUTH_TOKEN environment variable is set, this middleware
+ * requires all requests to include a matching X-MCP-AUTH header.
+ *
+ * This provides a simple authentication mechanism for securing MCP endpoints
+ * in cluster environments where full OAuth may be overkill.
+ *
+ * Example usage:
+ *   Server: MCP_AUTH_TOKEN=my-secret-token
+ *   Client: X-MCP-AUTH: my-secret-token
+ */
+export declare function createAuthMiddleware(): (req: Request, res: Response, next: NextFunction) => void;
+/**
+ * Returns whether authentication is enabled (MCP_AUTH_TOKEN is set)
+ */
+export declare function isAuthEnabled(): boolean;

package/dist/utils/auth.js

@@ -0,0 +1,53 @@
+/**
+ * Authentication middleware for MCP HTTP transports.
+ *
+ * When the MCP_AUTH_TOKEN environment variable is set, this middleware
+ * requires all requests to include a matching X-MCP-AUTH header.
+ *
+ * This provides a simple authentication mechanism for securing MCP endpoints
+ * in cluster environments where full OAuth may be overkill.
+ *
+ * Example usage:
+ *   Server: MCP_AUTH_TOKEN=my-secret-token
+ *   Client: X-MCP-AUTH: my-secret-token
+ */
+export function createAuthMiddleware() {
+    const authToken = process.env.MCP_AUTH_TOKEN;
+    return (req, res, next) => {
+        // If no auth token is configured, allow all requests
+        if (!authToken) {
+            next();
+            return;
+        }
+        const providedToken = req.headers["x-mcp-auth"];
+        if (!providedToken) {
+            res.status(401).json({
+                jsonrpc: "2.0",
+                error: {
+                    code: -32001,
+                    message: "Unauthorized: X-MCP-AUTH header is required",
+                },
+                id: null,
+            });
+            return;
+        }
+        if (providedToken !== authToken) {
+            res.status(403).json({
+                jsonrpc: "2.0",
+                error: {
+                    code: -32002,
+                    message: "Forbidden: Invalid authentication token",
+                },
+                id: null,
+            });
+            return;
+        }
+        next();
+    };
+}
+/**
+ * Returns whether authentication is enabled (MCP_AUTH_TOKEN is set)
+ */
+export function isAuthEnabled() {
+    return !!process.env.MCP_AUTH_TOKEN;
+}

package/dist/utils/sse.js

@@ -1,16 +1,19 @@
 import express from "express";
 import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { createAuthMiddleware, isAuthEnabled } from "./auth.js";
 export function startSSEServer(server) {
     const app = express();
+    // Create auth middleware - when MCP_AUTH_TOKEN is set, requires X-MCP-AUTH header
+    const authMiddleware = createAuthMiddleware();
     // Currently just copying from docs & allowing for multiple transport connections: https://modelcontextprotocol.io/docs/concepts/transports#server-sent-events-sse
-    // TODO: If exposed to web, then this will enable any client to connect to the server via http - so marked as UNSAFE until mcp has a proper auth solution.
+    // Note: When MCP_AUTH_TOKEN is set, requests require X-MCP-AUTH header for authentication
     let transports = [];
-    app.get("/sse", async (req, res) => {
+    app.get("/sse", authMiddleware, async (req, res) => {
         const transport = new SSEServerTransport("/messages", res);
         transports.push(transport);
         await server.connect(transport);
     });
-    app.post("/messages", (req, res) => {
+    app.post("/messages", authMiddleware, (req, res) => {
         const transport = transports.find((t) => t.sessionId === req.query.sessionId);
         if (transport) {
             transport.handlePostMessage(req, res);
@@ -51,6 +54,9 @@ export function startSSEServer(server) {
     }
     const host = process.env.HOST || "localhost";
     app.listen(port, host, () => {
-        console.log(`mcp-kubernetes-server is listening on port ${port}\nUse the following url to connect to the server:\n\http://${host}:${port}/sse`);
+        console.log(`mcp-kubernetes-server is listening on port ${port}\nUse the following url to connect to the server:\nhttp://${host}:${port}/sse`);
+        if (isAuthEnabled()) {
+            console.log("Authentication enabled: X-MCP-AUTH header required for all MCP requests");
+        }
     });
 }

package/dist/utils/streamable-http.js

@@ -1,9 +1,12 @@
 import express from "express";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { createAuthMiddleware, isAuthEnabled } from "./auth.js";
 export function startStreamableHTTPServer(server) {
     const app = express();
     app.use(express.json());
-    app.post("/mcp", async (req, res) => {
+    // Create auth middleware - when MCP_AUTH_TOKEN is set, requires X-MCP-AUTH header
+    const authMiddleware = createAuthMiddleware();
+    app.post("/mcp", authMiddleware, async (req, res) => {
         // In stateless mode, create a new instance of transport and server for each request
         // to ensure complete isolation. A single instance would cause request ID collisions
         // when multiple clients connect concurrently.
@@ -44,7 +47,7 @@ export function startStreamableHTTPServer(server) {
         }
     });
     // SSE notifications not supported in stateless mode
-    app.get("/mcp", async (req, res) => {
+    app.get("/mcp", authMiddleware, async (req, res) => {
         console.log("Received GET MCP request");
         res.writeHead(405).end(JSON.stringify({
             jsonrpc: "2.0",
@@ -56,7 +59,7 @@ export function startStreamableHTTPServer(server) {
         }));
     });
     // Session termination not needed in stateless mode
-    app.delete("/mcp", async (req, res) => {
+    app.delete("/mcp", authMiddleware, async (req, res) => {
         console.log("Received DELETE MCP request");
         res.writeHead(405).end(JSON.stringify({
             jsonrpc: "2.0",
@@ -98,6 +101,9 @@ export function startStreamableHTTPServer(server) {
     const host = process.env.HOST || "localhost";
     const httpServer = app.listen(port, host, () => {
         console.log(`mcp-kubernetes-server is listening on port ${port}\nUse the following url to connect to the server:\nhttp://${host}:${port}/mcp`);
+        if (isAuthEnabled()) {
+            console.log("Authentication enabled: X-MCP-AUTH header required for all MCP requests");
+        }
     });
     return httpServer;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-server-kubernetes",
-  "version": "3.1.1",
+  "version": "3.2.1",
   "description": "MCP server for interacting with Kubernetes clusters via kubectl",
   "license": "MIT",
   "type": "module",
@@ -38,7 +38,7 @@
   },
   "dependencies": {
     "@kubernetes/client-node": "1.3.0",
-    "@modelcontextprotocol/sdk": "1.25.2",
+    "@modelcontextprotocol/sdk": "1.26.0",
     "express": "4.21.2",
     "js-yaml": "4.1.1",
     "yaml": "2.7.0",