mcp-server-kubernetes 3.2.1 → 3.4.0

package/README.md

@@ -171,6 +171,73 @@ gemini extensions install https://github.com/Flux159/mcp-server-kubernetes
   - Guides through a systematic Kubernetes troubleshooting flow for pods based on a keyword and optional namespace.
 - [x] Non-destructive mode for read and create/update-only access to clusters
 - [x] Secrets masking for security (masks sensitive data in `kubectl get secrets` commands, does not affect logs)
+- [x] **OpenTelemetry Observability** (opt-in)
+  - Distributed tracing for all tool calls
+  - Export to Jaeger, Tempo, Grafana, or any OTLP backend
+  - Configurable sampling strategies
+  - Rich span attributes (tool name, duration, K8s context, errors)
+  - See [docs/OBSERVABILITY.md](docs/OBSERVABILITY.md) for details
+
+## Observability
+
+The MCP Kubernetes server includes optional **OpenTelemetry integration** for comprehensive observability. This feature is disabled by default and can be enabled via environment variables or Helm configuration.
+
+### Quick Start
+
+Enable observability with environment variables:
+
+```bash
+export ENABLE_TELEMETRY=true
+export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
+
+npx mcp-server-kubernetes
+```
+
+### What Gets Traced
+
+- **All tool calls**: kubectl_get, kubectl_apply, kubectl_logs, etc.
+- **Execution duration**: How long each operation takes
+- **Success/failure status**: Automatic error tracking
+- **Kubernetes context**: Namespace, context, resource type
+- **Rich metadata**: Host, process, and custom attributes
+
+### Backends Supported
+
+Works with any OTLP-compatible backend:
+- **Jaeger** (open source)
+- **Grafana Tempo** (open source)
+- **Grafana Cloud** (commercial)
+- **Datadog**, **New Relic**, **Honeycomb**, **Lightstep**, **AWS X-Ray**
+
+### Configuration
+
+See **[docs/OBSERVABILITY.md](docs/OBSERVABILITY.md)** for comprehensive documentation including:
+- Configuration options
+- Deployment examples (Kubernetes, Helm, Claude Code)
+- Sampling strategies
+- Production best practices
+- Troubleshooting guide
+
+### Example with Jaeger
+
+```bash
+# Start Jaeger
+docker run -d --name jaeger \
+  -e COLLECTOR_OTLP_ENABLED=true \
+  -p 16686:16686 \
+  -p 4317:4317 \
+  jaegertracing/all-in-one:latest
+
+# Enable telemetry
+export ENABLE_TELEMETRY=true
+export OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
+export OTEL_TRACES_SAMPLER=always_on
+
+# Run server
+npx mcp-server-kubernetes
+
+# View traces: http://localhost:16686
+```
 
 ## Prompts
 

package/dist/config/telemetry-config.d.ts

@@ -0,0 +1,30 @@
+import { NodeSDK } from "@opentelemetry/sdk-node";
+/**
+ * Telemetry configuration for OpenTelemetry integration
+ * Supports environment variable configuration for flexible deployment
+ */
+export interface TelemetryConfig {
+    enabled: boolean;
+    endpoint?: string;
+    serviceName: string;
+    serviceVersion: string;
+    resourceAttributes: Record<string, string>;
+    sampler?: {
+        type: "always_on" | "always_off" | "traceidratio";
+        arg?: number;
+    };
+    captureResponseMetadata: boolean;
+}
+/**
+ * Get telemetry configuration from environment variables
+ */
+export declare function getTelemetryConfig(): TelemetryConfig;
+/**
+ * Initialize OpenTelemetry SDK with configuration
+ * Call this before starting the MCP server
+ */
+export declare function initializeTelemetry(): NodeSDK | null;
+/**
+ * Get telemetry configuration summary for logging
+ */
+export declare function getTelemetryConfigSummary(): string;

package/dist/config/telemetry-config.js

@@ -0,0 +1,155 @@
+import { NodeSDK, resources } from "@opentelemetry/sdk-node";
+import { OTLPTraceExporter } from "@opentelemetry/exporter-trace-otlp-grpc";
+import { SEMRESATTRS_SERVICE_NAME, SEMRESATTRS_SERVICE_VERSION, } from "@opentelemetry/semantic-conventions";
+import { getNodeAutoInstrumentations } from "@opentelemetry/auto-instrumentations-node";
+import { serverConfig } from "./server-config.js";
+/**
+ * Parse OpenTelemetry sampling configuration from environment variables
+ */
+function parseSamplerConfig() {
+    const samplerType = process.env.OTEL_TRACES_SAMPLER;
+    const samplerArg = process.env.OTEL_TRACES_SAMPLER_ARG;
+    if (!samplerType) {
+        return undefined;
+    }
+    const config = {
+        type: samplerType,
+    };
+    if (samplerArg && (samplerType === "traceidratio" || samplerType.includes("traceidratio"))) {
+        const arg = parseFloat(samplerArg);
+        if (!isNaN(arg) && arg >= 0 && arg <= 1) {
+            config.arg = arg;
+        }
+    }
+    return config;
+}
+/**
+ * Parse resource attributes from environment variable
+ * Format: "key1=value1,key2=value2"
+ */
+function parseResourceAttributes() {
+    const attrs = {};
+    const envAttrs = process.env.OTEL_RESOURCE_ATTRIBUTES;
+    if (envAttrs) {
+        const pairs = envAttrs.split(",");
+        for (const pair of pairs) {
+            const [key, value] = pair.split("=").map((s) => s.trim());
+            if (key && value) {
+                attrs[key] = value;
+            }
+        }
+    }
+    return attrs;
+}
+/**
+ * Get telemetry configuration from environment variables
+ */
+export function getTelemetryConfig() {
+    // Check if telemetry is explicitly enabled (opt-in)
+    const enableFlag = process.env.ENABLE_TELEMETRY;
+    const isExplicitlyEnabled = enableFlag === "true" || enableFlag === "1";
+    const endpoint = process.env.OTEL_EXPORTER_OTLP_ENDPOINT;
+    // Telemetry is enabled only if:
+    // 1. ENABLE_TELEMETRY=true is set, AND
+    // 2. OTEL_EXPORTER_OTLP_ENDPOINT is configured
+    const enabled = isExplicitlyEnabled && !!endpoint;
+    // Check if response metadata capture is enabled (default: true)
+    const captureResponseEnv = process.env.OTEL_CAPTURE_RESPONSE_METADATA;
+    const captureResponseMetadata = captureResponseEnv !== "false" && captureResponseEnv !== "0";
+    return {
+        enabled,
+        endpoint,
+        serviceName: process.env.OTEL_SERVICE_NAME || serverConfig.name,
+        serviceVersion: process.env.OTEL_SERVICE_VERSION || serverConfig.version,
+        resourceAttributes: parseResourceAttributes(),
+        sampler: parseSamplerConfig(),
+        captureResponseMetadata, // Enabled by default, can be disabled with OTEL_CAPTURE_RESPONSE_METADATA=false
+    };
+}
+/**
+ * Initialize OpenTelemetry SDK with configuration
+ * Call this before starting the MCP server
+ */
+export function initializeTelemetry() {
+    const config = getTelemetryConfig();
+    if (!config.enabled) {
+        const enableFlag = process.env.ENABLE_TELEMETRY;
+        const endpoint = process.env.OTEL_EXPORTER_OTLP_ENDPOINT;
+        if (!enableFlag || enableFlag === "false" || enableFlag === "0") {
+            // Observability is disabled by default
+            return null;
+        }
+        else if (!endpoint) {
+            console.error("OpenTelemetry: ENABLE_TELEMETRY=true but OTEL_EXPORTER_OTLP_ENDPOINT not set");
+            return null;
+        }
+        return null;
+    }
+    console.error(`Initializing OpenTelemetry: endpoint=${config.endpoint}, service=${config.serviceName}`);
+    // Create OTLP trace exporter
+    const traceExporter = new OTLPTraceExporter({
+        url: config.endpoint,
+    });
+    // Create resource with service metadata
+    const defaultRes = resources.defaultResource();
+    const customRes = resources.resourceFromAttributes({
+        [SEMRESATTRS_SERVICE_NAME]: config.serviceName,
+        [SEMRESATTRS_SERVICE_VERSION]: config.serviceVersion,
+        ...config.resourceAttributes,
+    });
+    const resource = defaultRes.merge(customRes);
+    // Initialize Node SDK
+    const sdk = new NodeSDK({
+        resource,
+        traceExporter,
+        instrumentations: [
+            getNodeAutoInstrumentations({
+                // Disable some instrumentations that may be too verbose
+                "@opentelemetry/instrumentation-fs": {
+                    enabled: false,
+                },
+            }),
+        ],
+    });
+    try {
+        sdk.start();
+        console.error("OpenTelemetry SDK initialized successfully");
+        // Graceful shutdown on process termination
+        process.on("SIGTERM", async () => {
+            try {
+                await sdk.shutdown();
+                console.error("OpenTelemetry SDK shut down successfully");
+            }
+            catch (error) {
+                console.error("Error shutting down OpenTelemetry SDK:", error);
+            }
+        });
+        return sdk;
+    }
+    catch (error) {
+        console.error("Failed to initialize OpenTelemetry SDK:", error);
+        return null;
+    }
+}
+/**
+ * Get telemetry configuration summary for logging
+ */
+export function getTelemetryConfigSummary() {
+    const config = getTelemetryConfig();
+    if (!config.enabled) {
+        return "Telemetry: Disabled";
+    }
+    const parts = [
+        `Telemetry: Enabled`,
+        `Endpoint: ${config.endpoint}`,
+        `Service: ${config.serviceName}@${config.serviceVersion}`,
+    ];
+    if (config.sampler) {
+        parts.push(`Sampler: ${config.sampler.type}${config.sampler.arg !== undefined ? `(${config.sampler.arg})` : ""}`);
+    }
+    const attrCount = Object.keys(config.resourceAttributes).length;
+    if (attrCount > 0) {
+        parts.push(`Resource Attributes: ${attrCount}`);
+    }
+    return parts.join(", ");
+}

package/dist/index.d.ts

@@ -393,6 +393,17 @@ declare const allTools: ({
         };
         readonly required: readonly ["operation"];
     };
+} | {
+    readonly name: "kubectl_reconnect";
+    readonly description: "Reconnect to the Kubernetes API server by recreating all API clients. Use this after cluster upgrades (e.g., EKS control plane upgrades that rotate ENIs/IPs) to force fresh DNS resolution and new TCP connections.";
+    readonly annotations: {
+        readonly readOnlyHint: false;
+    };
+    readonly inputSchema: {
+        readonly type: "object";
+        readonly properties: {};
+        readonly required: readonly [];
+    };
 } | {
     readonly name: "kubectl_get";
     readonly description: "Get or list Kubernetes resources by resource type, name, and optionally namespace";

package/dist/index.js

@@ -1,4 +1,8 @@
 #!/usr/bin/env node
+// Initialize OpenTelemetry before any other imports
+// This must be done first to ensure proper instrumentation
+import { initializeTelemetry, getTelemetryConfigSummary } from "./config/telemetry-config.js";
+const telemetrySdk = initializeTelemetry();
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { installHelmChart, installHelmChartSchema, upgradeHelmChart, upgradeHelmChartSchema, uninstallHelmChart, uninstallHelmChartSchema, } from "./tools/helm-operations.js";
@@ -14,6 +18,7 @@ import { startSSEServer } from "./utils/sse.js";
 import { startPortForward, PortForwardSchema, stopPortForward, StopPortForwardSchema, } from "./tools/port_forward.js";
 import { kubectlScale, kubectlScaleSchema } from "./tools/kubectl-scale.js";
 import { kubectlContext, kubectlContextSchema, } from "./tools/kubectl-context.js";
+import { kubectlReconnect, kubectlReconnectSchema, } from "./tools/kubectl-reconnect.js";
 import { kubectlGet, kubectlGetSchema } from "./tools/kubectl-get.js";
 import { kubectlDescribe, kubectlDescribeSchema, } from "./tools/kubectl-describe.js";
 import { kubectlApply, kubectlApplySchema } from "./tools/kubectl-apply.js";
@@ -26,6 +31,7 @@ import { kubectlRollout, kubectlRolloutSchema, } from "./tools/kubectl-rollout.j
 import { registerPromptHandlers } from "./prompts/index.js";
 import { ping, pingSchema } from "./tools/ping.js";
 import { startStreamableHTTPServer } from "./utils/streamable-http.js";
+import { withTelemetry } from "./middleware/telemetry-middleware.js";
 // Check environment variables for tool filtering
 const allowOnlyReadonlyTools = process.env.ALLOW_ONLY_READONLY_TOOLS === "true";
 const allowedToolsEnv = process.env.ALLOWED_TOOLS;
@@ -36,6 +42,7 @@ const readonlyTools = [
     kubectlDescribeSchema,
     kubectlLogsSchema,
     kubectlContextSchema,
+    kubectlReconnectSchema,
     explainResourceSchema,
     listApiResourcesSchema,
     pingSchema,
@@ -64,6 +71,7 @@ const allTools = [
     kubectlRolloutSchema,
     // Kubernetes context management
     kubectlContextSchema,
+    kubectlReconnectSchema,
     // Special operations that aren't covered by simple kubectl commands
     explainResourceSchema,
     // Helm operations
@@ -117,13 +125,16 @@ server.setRequestHandler(ListToolsRequestSchema, async () => {
     }
     return { tools };
 });
-server.setRequestHandler(CallToolRequestSchema, async (request) => {
+server.setRequestHandler(CallToolRequestSchema, withTelemetry(async (request) => {
     try {
         const { name, arguments: input = {} } = request.params;
         // Handle new kubectl-style commands
         if (name === "kubectl_context") {
             return await kubectlContext(k8sManager, input);
         }
+        if (name === "kubectl_reconnect") {
+            return await kubectlReconnect(k8sManager);
+        }
         if (name === "kubectl_get") {
             return await kubectlGet(k8sManager, input);
         }
@@ -219,7 +230,7 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
             throw error;
         throw new McpError(ErrorCode.InternalError, `Tool execution failed: ${error}`);
     }
-});
+}));
 // Start the server
 if (process.env.ENABLE_UNSAFE_SSE_TRANSPORT) {
     startSSEServer(server);
@@ -232,6 +243,7 @@ else if (process.env.ENABLE_UNSAFE_STREAMABLE_HTTP_TRANSPORT) {
 else {
     const transport = new StdioServerTransport();
     console.error(`Starting Kubernetes MCP server v${serverConfig.version}, handling commands...`);
+    console.error(getTelemetryConfigSummary());
     server.connect(transport);
 }
 ["SIGINT", "SIGTERM"].forEach((signal) => {

package/dist/middleware/telemetry-middleware.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Tool call handler function type
+ */
+type ToolCallHandler = (request: {
+    params: {
+        name: string;
+        _meta?: any;
+        arguments?: Record<string, any>;
+    };
+    method: string;
+}) => Promise<any>;
+/**
+ * Wrap a tool call handler with OpenTelemetry tracing
+ * Creates a span for each tool invocation with detailed attributes
+ *
+ * @param handler - The original tool call handler function
+ * @returns Wrapped handler with tracing instrumentation
+ */
+export declare function withTelemetry(handler: ToolCallHandler): ToolCallHandler;
+/**
+ * Create a manual span for non-tool operations
+ * Useful for tracing other server operations outside of tool calls
+ *
+ * @param name - Span name
+ * @param fn - Function to execute within the span
+ * @returns Result of the function
+ */
+export declare function withSpan<T>(name: string, attributes: Record<string, string | number | boolean>, fn: () => Promise<T>): Promise<T>;
+/**
+ * Add custom attributes to the current active span
+ * Useful for adding context during tool execution
+ *
+ * @param attributes - Key-value pairs to add to the span
+ */
+export declare function addSpanAttributes(attributes: Record<string, string | number | boolean>): void;
+/**
+ * Record an event on the current active span
+ * Useful for tracking significant moments during tool execution
+ *
+ * @param name - Event name
+ * @param attributes - Optional event attributes
+ */
+export declare function recordSpanEvent(name: string, attributes?: Record<string, string | number | boolean>): void;
+export {};

package/dist/middleware/telemetry-middleware.js

@@ -0,0 +1,178 @@
+import { trace, SpanStatusCode } from "@opentelemetry/api";
+import { getTelemetryConfig } from "../config/telemetry-config.js";
+/**
+ * Telemetry middleware for MCP tool call tracing
+ * Wraps tool handlers with OpenTelemetry spans to provide automatic instrumentation
+ */
+// Get tracer instance
+const tracer = trace.getTracer("mcp-server-kubernetes", "0.1.0");
+/**
+ * Wrap a tool call handler with OpenTelemetry tracing
+ * Creates a span for each tool invocation with detailed attributes
+ *
+ * @param handler - The original tool call handler function
+ * @returns Wrapped handler with tracing instrumentation
+ */
+export function withTelemetry(handler) {
+    return async (request) => {
+        const { name: toolName, arguments: args } = request.params;
+        // Create span for this tool call
+        return await tracer.startActiveSpan(`tools/call ${toolName}`, {
+            attributes: {
+                "mcp.method.name": "tools/call",
+                "gen_ai.tool.name": toolName,
+                "gen_ai.operation.name": "execute_tool",
+                "network.transport": "pipe", // STDIO mode
+            },
+        }, async (span) => {
+            const startTime = Date.now();
+            try {
+                // Add argument metadata (safely, without exposing sensitive data)
+                if (args) {
+                    const argKeys = Object.keys(args);
+                    span.setAttribute("tool.argument_count", argKeys.length);
+                    span.setAttribute("tool.argument_keys", argKeys.join(","));
+                    // Add specific attributes for common arguments
+                    if (args.context) {
+                        span.setAttribute("k8s.context", args.context);
+                    }
+                    if (args.namespace) {
+                        span.setAttribute("k8s.namespace", args.namespace);
+                    }
+                    if (args.resourceType) {
+                        span.setAttribute("k8s.resource_type", args.resourceType);
+                    }
+                }
+                // Execute the actual tool handler
+                const result = await handler(request);
+                // Record success
+                const duration = Date.now() - startTime;
+                span.setAttribute("tool.duration_ms", duration);
+                span.setStatus({ code: SpanStatusCode.OK });
+                // Capture response metadata (not the actual data)
+                // Can be disabled with OTEL_CAPTURE_RESPONSE_METADATA=false for privacy
+                const telemetryConfig = getTelemetryConfig();
+                if (result && telemetryConfig.captureResponseMetadata) {
+                    // Check if result has content array (MCP response format)
+                    if (result.content && Array.isArray(result.content)) {
+                        span.setAttribute("response.content_items", result.content.length);
+                        // Get the first content item to analyze
+                        if (result.content.length > 0) {
+                            const firstItem = result.content[0];
+                            span.setAttribute("response.content_type", firstItem.type || "unknown");
+                            // If it's text content, capture size and maybe a snippet
+                            if (firstItem.type === "text" && firstItem.text) {
+                                const textSize = firstItem.text.length;
+                                span.setAttribute("response.text_size_bytes", textSize);
+                                // Try to parse JSON and get item count
+                                try {
+                                    const parsed = JSON.parse(firstItem.text);
+                                    // Check for Kubernetes list response
+                                    if (parsed.items && Array.isArray(parsed.items)) {
+                                        span.setAttribute("response.k8s_items_count", parsed.items.length);
+                                        span.setAttribute("response.k8s_kind", parsed.kind || "unknown");
+                                    }
+                                    // Check for MCP list response
+                                    if (Array.isArray(parsed)) {
+                                        span.setAttribute("response.items_count", parsed.length);
+                                    }
+                                    // Capture if response indicates success
+                                    if (parsed.success !== undefined) {
+                                        span.setAttribute("response.success", parsed.success);
+                                    }
+                                }
+                                catch (e) {
+                                    // Not JSON, that's fine - just capture text size
+                                }
+                            }
+                        }
+                    }
+                    // Check for direct success indicators
+                    if (typeof result.success === "boolean") {
+                        span.setAttribute("response.success", result.success);
+                    }
+                }
+                return result;
+            }
+            catch (error) {
+                // Record failure
+                const duration = Date.now() - startTime;
+                span.setAttribute("tool.duration_ms", duration);
+                span.setAttribute("error.type", "tool_error");
+                if (error.message) {
+                    span.setAttribute("error.message", error.message);
+                }
+                if (error.code) {
+                    span.setAttribute("error.code", error.code);
+                }
+                span.setStatus({
+                    code: SpanStatusCode.ERROR,
+                    message: error.message || "Tool execution failed",
+                });
+                // Re-throw to maintain original error behavior
+                throw error;
+            }
+            finally {
+                span.end();
+            }
+        });
+    };
+}
+/**
+ * Create a manual span for non-tool operations
+ * Useful for tracing other server operations outside of tool calls
+ *
+ * @param name - Span name
+ * @param fn - Function to execute within the span
+ * @returns Result of the function
+ */
+export async function withSpan(name, attributes, fn) {
+    return await tracer.startActiveSpan(name, { attributes }, async (span) => {
+        try {
+            const result = await fn();
+            span.setStatus({ code: SpanStatusCode.OK });
+            return result;
+        }
+        catch (error) {
+            span.setAttribute("error.type", "operation_error");
+            if (error.message) {
+                span.setAttribute("error.message", error.message);
+            }
+            span.setStatus({
+                code: SpanStatusCode.ERROR,
+                message: error.message || "Operation failed",
+            });
+            throw error;
+        }
+        finally {
+            span.end();
+        }
+    });
+}
+/**
+ * Add custom attributes to the current active span
+ * Useful for adding context during tool execution
+ *
+ * @param attributes - Key-value pairs to add to the span
+ */
+export function addSpanAttributes(attributes) {
+    const currentSpan = trace.getActiveSpan();
+    if (currentSpan) {
+        for (const [key, value] of Object.entries(attributes)) {
+            currentSpan.setAttribute(key, value);
+        }
+    }
+}
+/**
+ * Record an event on the current active span
+ * Useful for tracking significant moments during tool execution
+ *
+ * @param name - Event name
+ * @param attributes - Optional event attributes
+ */
+export function recordSpanEvent(name, attributes) {
+    const currentSpan = trace.getActiveSpan();
+    if (currentSpan) {
+        currentSpan.addEvent(name, attributes);
+    }
+}

package/dist/tools/exec_in_pod.d.ts

@@ -1,11 +1,12 @@
 /**
  * Tool: exec_in_pod
  * Execute a command in a Kubernetes pod or container and return the output.
- * Uses the official Kubernetes client-node Exec API for native execution.
+ * Uses kubectl exec for consistency with other kubectl-based tools.
  *
  * SECURITY: Only accepts commands as an array of strings. This prevents command
- * injection attacks by executing directly without shell interpretation.
- * Shell operators (pipes, redirects, etc.) are intentionally not supported.
+ * injection attacks by using execFileSync which executes directly without shell
+ * interpretation. Shell operators (pipes, redirects, etc.) are intentionally
+ * not supported.
  */
 import { KubernetesManager } from "../types.js";
 /**
@@ -58,12 +59,12 @@ export declare const execInPodSchema: {
     };
 };
 /**
- * Execute a command in a Kubernetes pod or container using the Kubernetes client-node Exec API.
+ * Execute a command in a Kubernetes pod or container using kubectl exec.
  * Returns the stdout output as a text response.
  * Throws McpError on failure.
  *
- * SECURITY: Command must be an array of strings. This executes directly via the
- * Kubernetes exec API without shell interpretation, preventing command injection.
+ * SECURITY: Command must be an array of strings. execFileSync does not invoke
+ * a shell, preventing command injection.
  */
 export declare function execInPod(k8sManager: KubernetesManager, input: {
     name: string;

package/dist/tools/exec_in_pod.js

@@ -1,15 +1,16 @@
 /**
  * Tool: exec_in_pod
  * Execute a command in a Kubernetes pod or container and return the output.
- * Uses the official Kubernetes client-node Exec API for native execution.
+ * Uses kubectl exec for consistency with other kubectl-based tools.
  *
  * SECURITY: Only accepts commands as an array of strings. This prevents command
- * injection attacks by executing directly without shell interpretation.
- * Shell operators (pipes, redirects, etc.) are intentionally not supported.
+ * injection attacks by using execFileSync which executes directly without shell
+ * interpretation. Shell operators (pipes, redirects, etc.) are intentionally
+ * not supported.
  */
-import * as k8s from "@kubernetes/client-node";
+import { execFileSync } from "child_process";
 import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
-import { Writable } from "stream";
+import { getSpawnMaxBuffer } from "../config/max-buffer.js";
 import { contextParameter, namespaceParameter } from "../models/common-parameters.js";
 /**
  * Schema for exec_in_pod tool.
@@ -51,12 +52,12 @@ export const execInPodSchema = {
     },
 };
 /**
- * Execute a command in a Kubernetes pod or container using the Kubernetes client-node Exec API.
+ * Execute a command in a Kubernetes pod or container using kubectl exec.
  * Returns the stdout output as a text response.
  * Throws McpError on failure.
  *
- * SECURITY: Command must be an array of strings. This executes directly via the
- * Kubernetes exec API without shell interpretation, preventing command injection.
+ * SECURITY: Command must be an array of strings. execFileSync does not invoke
+ * a shell, preventing command injection.
  */
 export async function execInPod(k8sManager, input) {
     const namespace = input.namespace || "default";
@@ -73,94 +74,35 @@ export async function execInPod(k8sManager, input) {
             throw new McpError(ErrorCode.InvalidParams, `Command array element at index ${i} must be a string`);
         }
     }
-    const commandArr = input.command;
-    // Prepare buffers to capture stdout and stderr
-    let stdout = "";
-    let stderr = "";
-    // Use Node.js Writable streams to collect output
-    const stdoutStream = new Writable({
-        write(chunk, _encoding, callback) {
-            stdout += chunk.toString();
-            callback();
-        }
-    });
-    const stderrStream = new Writable({
-        write(chunk, _encoding, callback) {
-            stderr += chunk.toString();
-            callback();
-        }
-    });
-    // Add a dummy stdin stream
-    const stdinStream = new Writable({
-        write(_chunk, _encoding, callback) {
-            callback();
-        }
-    });
     try {
-        // Set context if provided
+        const args = ["exec", input.name, "-n", namespace];
+        if (input.container) {
+            args.push("-c", input.container);
+        }
         if (input.context) {
-            k8sManager.setCurrentContext(input.context);
+            args.push("--context", input.context);
         }
-        // Use the Kubernetes client-node Exec API for native exec
-        const kc = k8sManager.getKubeConfig();
-        const exec = new k8s.Exec(kc);
-        // Add a timeout to avoid hanging forever if exec never returns
-        await new Promise((resolve, reject) => {
-            let finished = false;
-            const timeoutMs = input.timeout || 60000;
-            const timeout = setTimeout(() => {
-                if (!finished) {
-                    finished = true;
-                    reject(new McpError(ErrorCode.InternalError, "Exec operation timed out (possible networking, RBAC, or cluster issue)"));
-                }
-            }, timeoutMs);
-            console.log("[exec_in_pod] Calling exec.exec with params:", {
-                namespace,
-                pod: input.name,
-                container: input.container ?? "",
-                commandArr,
-                stdoutStreamType: typeof stdoutStream,
-                stderrStreamType: typeof stderrStream,
-            });
-            exec.exec(namespace, input.name, input.container ?? "", commandArr, stdoutStream, stderrStream, stdinStream, // use dummy stdin
-            true, // set tty to true
-            (status) => {
-                console.log("[exec_in_pod] exec.exec callback called. Status:", status);
-                if (finished)
-                    return;
-                finished = true;
-                clearTimeout(timeout);
-                // Always resolve; handle errors based on stderr or thrown errors
-                resolve();
-            }).catch((err) => {
-                console.log("[exec_in_pod] exec.exec threw error:", err);
-                if (!finished) {
-                    finished = true;
-                    clearTimeout(timeout);
-                    reject(new McpError(ErrorCode.InternalError, `Exec threw error: ${err?.message || err}`));
-                }
-            });
+        args.push("--", ...input.command);
+        const timeoutMs = input.timeout || 60000;
+        const result = execFileSync("kubectl", args, {
+            encoding: "utf8",
+            maxBuffer: getSpawnMaxBuffer(),
+            timeout: timeoutMs,
+            env: { ...process.env, KUBECONFIG: process.env.KUBECONFIG },
         });
-        // Return the collected stdout as the result
-        // If there is stderr output or no output at all, treat as error
-        if (stderr || (!stdout && !stderr)) {
-            throw new McpError(ErrorCode.InternalError, `Failed to execute command in pod: ${stderr || "No output"}`);
-        }
         return {
             content: [
                 {
                     type: "text",
-                    text: stdout,
+                    text: result,
                 },
             ],
         };
     }
     catch (error) {
-        // Collect error message and stderr output if available
-        let message = error.message || "Unknown error";
-        if (stderr) {
-            message += "\n" + stderr;
+        if (error.killed || error.signal === "SIGTERM") {
+            throw new McpError(ErrorCode.InternalError, "Exec operation timed out (possible networking, RBAC, or cluster issue)");
         }
-        throw new McpError(ErrorCode.InternalError, `Failed to execute command in pod: ${message}`);
+        throw new McpError(ErrorCode.InternalError, `Failed to execute command in pod: ${error.stderr || error.message}`);
     }
 }

package/dist/tools/kubectl-reconnect.d.ts

@@ -0,0 +1,19 @@
+import { KubernetesManager } from "../types.js";
+export declare const kubectlReconnectSchema: {
+    readonly name: "kubectl_reconnect";
+    readonly description: "Reconnect to the Kubernetes API server by recreating all API clients. Use this after cluster upgrades (e.g., EKS control plane upgrades that rotate ENIs/IPs) to force fresh DNS resolution and new TCP connections.";
+    readonly annotations: {
+        readonly readOnlyHint: false;
+    };
+    readonly inputSchema: {
+        readonly type: "object";
+        readonly properties: {};
+        readonly required: readonly [];
+    };
+};
+export declare function kubectlReconnect(k8sManager: KubernetesManager): Promise<{
+    content: {
+        type: string;
+        text: string;
+    }[];
+}>;

package/dist/tools/kubectl-reconnect.js

@@ -0,0 +1,32 @@
+import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
+export const kubectlReconnectSchema = {
+    name: "kubectl_reconnect",
+    description: "Reconnect to the Kubernetes API server by recreating all API clients. Use this after cluster upgrades (e.g., EKS control plane upgrades that rotate ENIs/IPs) to force fresh DNS resolution and new TCP connections.",
+    annotations: {
+        readOnlyHint: false,
+    },
+    inputSchema: {
+        type: "object",
+        properties: {},
+        required: [],
+    },
+};
+export async function kubectlReconnect(k8sManager) {
+    try {
+        k8sManager.refreshApiClients();
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify({
+                        success: true,
+                        message: "API clients refreshed. DNS will be re-resolved on the next request.",
+                    }, null, 2),
+                },
+            ],
+        };
+    }
+    catch (error) {
+        throw new McpError(ErrorCode.InternalError, `Failed to reconnect: ${error.message}`);
+    }
+}

package/dist/utils/auth.js

@@ -1,3 +1,15 @@
+import { timingSafeEqual } from "crypto";
+/** Constant-time string comparison that prevents timing attacks (CWE-208). */
+function timingSafeCompare(a, b) {
+    const bufA = Buffer.from(a);
+    const bufB = Buffer.from(b);
+    if (bufA.length !== bufB.length) {
+        // Compare against itself to keep constant time, then return false
+        timingSafeEqual(bufA, bufA);
+        return false;
+    }
+    return timingSafeEqual(bufA, bufB);
+}
 /**
  * Authentication middleware for MCP HTTP transports.
  *
@@ -31,7 +43,19 @@ export function createAuthMiddleware() {
             });
             return;
         }
-        if (providedToken !== authToken) {
+        // Reject array-valued headers (e.g. duplicate X-MCP-AUTH)
+        if (Array.isArray(providedToken)) {
+            res.status(401).json({
+                jsonrpc: "2.0",
+                error: {
+                    code: -32001,
+                    message: "Unauthorized: Only single X-MCP-AUTH header is allowed",
+                },
+                id: null,
+            });
+            return;
+        }
+        if (!timingSafeCompare(providedToken, authToken)) {
             res.status(403).json({
                 jsonrpc: "2.0",
                 error: {

package/dist/utils/kubernetes-manager.d.ts

@@ -51,6 +51,7 @@ export declare class KubernetesManager {
      *
      * @param contextName
      */
+    refreshApiClients(): void;
     setCurrentContext(contextName: string): void;
     cleanup(): Promise<void>;
     trackResource(kind: string, name: string, namespace: string): void;

package/dist/utils/kubernetes-manager.js

@@ -186,6 +186,11 @@ export class KubernetesManager {
      *
      * @param contextName
      */
+    refreshApiClients() {
+        this.k8sApi = this.kc.makeApiClient(k8s.CoreV1Api);
+        this.k8sAppsApi = this.kc.makeApiClient(k8s.AppsV1Api);
+        this.k8sBatchApi = this.kc.makeApiClient(k8s.BatchV1Api);
+    }
     setCurrentContext(contextName) {
         // Get all available contexts
         const contexts = this.kc.getContexts();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-server-kubernetes",
-  "version": "3.2.1",
+  "version": "3.4.0",
   "description": "MCP server for interacting with Kubernetes clusters via kubectl",
   "license": "MIT",
   "type": "module",
@@ -39,18 +39,24 @@
   "dependencies": {
     "@kubernetes/client-node": "1.3.0",
     "@modelcontextprotocol/sdk": "1.26.0",
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.69.0",
+    "@opentelemetry/exporter-trace-otlp-grpc": "^0.211.0",
+    "@opentelemetry/resources": "^2.5.0",
+    "@opentelemetry/sdk-node": "^0.211.0",
+    "@opentelemetry/semantic-conventions": "^1.39.0",
     "express": "4.21.2",
     "js-yaml": "4.1.1",
     "yaml": "2.7.0",
     "zod": "3.25.76"
   },
   "devDependencies": {
+    "@anthropic-ai/mcpb": "1.1.0",
     "@types/express": "5.0.1",
     "@types/js-yaml": "4.0.9",
     "@types/node": "22.9.3",
     "shx": "0.3.4",
     "typescript": "5.6.2",
-    "vitest": "2.1.9",
-    "@anthropic-ai/mcpb": "1.1.0"
+    "vitest": "2.1.9"
   }
 }