npm - mcp-server-kubernetes - Versions diffs - 3.3.0 → 3.4.0 - Mend

mcp-server-kubernetes 3.3.0 → 3.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.d.ts +11 -0
package/dist/index.js +6 -0
package/dist/tools/kubectl-reconnect.d.ts +19 -0
package/dist/tools/kubectl-reconnect.js +32 -0
package/dist/utils/auth.js +25 -1
package/dist/utils/kubernetes-manager.d.ts +1 -0
package/dist/utils/kubernetes-manager.js +5 -0
package/package.json +1 -1

package/dist/index.d.ts CHANGED Viewed

@@ -393,6 +393,17 @@ declare const allTools: ({
         };
         readonly required: readonly ["operation"];
     };
+} | {
+    readonly name: "kubectl_reconnect";
+    readonly description: "Reconnect to the Kubernetes API server by recreating all API clients. Use this after cluster upgrades (e.g., EKS control plane upgrades that rotate ENIs/IPs) to force fresh DNS resolution and new TCP connections.";
+    readonly annotations: {
+        readonly readOnlyHint: false;
+    };
+    readonly inputSchema: {
+        readonly type: "object";
+        readonly properties: {};
+        readonly required: readonly [];
+    };
 } | {
     readonly name: "kubectl_get";
     readonly description: "Get or list Kubernetes resources by resource type, name, and optionally namespace";

package/dist/index.js CHANGED Viewed

@@ -18,6 +18,7 @@ import { startSSEServer } from "./utils/sse.js";
 import { startPortForward, PortForwardSchema, stopPortForward, StopPortForwardSchema, } from "./tools/port_forward.js";
 import { kubectlScale, kubectlScaleSchema } from "./tools/kubectl-scale.js";
 import { kubectlContext, kubectlContextSchema, } from "./tools/kubectl-context.js";
+import { kubectlReconnect, kubectlReconnectSchema, } from "./tools/kubectl-reconnect.js";
 import { kubectlGet, kubectlGetSchema } from "./tools/kubectl-get.js";
 import { kubectlDescribe, kubectlDescribeSchema, } from "./tools/kubectl-describe.js";
 import { kubectlApply, kubectlApplySchema } from "./tools/kubectl-apply.js";
@@ -41,6 +42,7 @@ const readonlyTools = [
     kubectlDescribeSchema,
     kubectlLogsSchema,
     kubectlContextSchema,
+    kubectlReconnectSchema,
     explainResourceSchema,
     listApiResourcesSchema,
     pingSchema,
@@ -69,6 +71,7 @@ const allTools = [
     kubectlRolloutSchema,
     // Kubernetes context management
     kubectlContextSchema,
+    kubectlReconnectSchema,
     // Special operations that aren't covered by simple kubectl commands
     explainResourceSchema,
     // Helm operations
@@ -129,6 +132,9 @@ server.setRequestHandler(CallToolRequestSchema, withTelemetry(async (request) =>
         if (name === "kubectl_context") {
             return await kubectlContext(k8sManager, input);
         }
+        if (name === "kubectl_reconnect") {
+            return await kubectlReconnect(k8sManager);
+        }
         if (name === "kubectl_get") {
             return await kubectlGet(k8sManager, input);
         }

package/dist/tools/kubectl-reconnect.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import { KubernetesManager } from "../types.js";
+export declare const kubectlReconnectSchema: {
+    readonly name: "kubectl_reconnect";
+    readonly description: "Reconnect to the Kubernetes API server by recreating all API clients. Use this after cluster upgrades (e.g., EKS control plane upgrades that rotate ENIs/IPs) to force fresh DNS resolution and new TCP connections.";
+    readonly annotations: {
+        readonly readOnlyHint: false;
+    };
+    readonly inputSchema: {
+        readonly type: "object";
+        readonly properties: {};
+        readonly required: readonly [];
+    };
+};
+export declare function kubectlReconnect(k8sManager: KubernetesManager): Promise<{
+    content: {
+        type: string;
+        text: string;
+    }[];
+}>;

package/dist/tools/kubectl-reconnect.js ADDED Viewed

@@ -0,0 +1,32 @@
+import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
+export const kubectlReconnectSchema = {
+    name: "kubectl_reconnect",
+    description: "Reconnect to the Kubernetes API server by recreating all API clients. Use this after cluster upgrades (e.g., EKS control plane upgrades that rotate ENIs/IPs) to force fresh DNS resolution and new TCP connections.",
+    annotations: {
+        readOnlyHint: false,
+    },
+    inputSchema: {
+        type: "object",
+        properties: {},
+        required: [],
+    },
+};
+export async function kubectlReconnect(k8sManager) {
+    try {
+        k8sManager.refreshApiClients();
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify({
+                        success: true,
+                        message: "API clients refreshed. DNS will be re-resolved on the next request.",
+                    }, null, 2),
+                },
+            ],
+        };
+    }
+    catch (error) {
+        throw new McpError(ErrorCode.InternalError, `Failed to reconnect: ${error.message}`);
+    }
+}

package/dist/utils/auth.js CHANGED Viewed

@@ -1,3 +1,15 @@
+import { timingSafeEqual } from "crypto";
+/** Constant-time string comparison that prevents timing attacks (CWE-208). */
+function timingSafeCompare(a, b) {
+    const bufA = Buffer.from(a);
+    const bufB = Buffer.from(b);
+    if (bufA.length !== bufB.length) {
+        // Compare against itself to keep constant time, then return false
+        timingSafeEqual(bufA, bufA);
+        return false;
+    }
+    return timingSafeEqual(bufA, bufB);
+}
 /**
  * Authentication middleware for MCP HTTP transports.
  *
@@ -31,7 +43,19 @@ export function createAuthMiddleware() {
             });
             return;
         }
-        if (providedToken !== authToken) {
+        // Reject array-valued headers (e.g. duplicate X-MCP-AUTH)
+        if (Array.isArray(providedToken)) {
+            res.status(401).json({
+                jsonrpc: "2.0",
+                error: {
+                    code: -32001,
+                    message: "Unauthorized: Only single X-MCP-AUTH header is allowed",
+                },
+                id: null,
+            });
+            return;
+        }
+        if (!timingSafeCompare(providedToken, authToken)) {
             res.status(403).json({
                 jsonrpc: "2.0",
                 error: {

package/dist/utils/kubernetes-manager.d.ts CHANGED Viewed

@@ -51,6 +51,7 @@ export declare class KubernetesManager {
      *
      * @param contextName
      */
+    refreshApiClients(): void;
     setCurrentContext(contextName: string): void;
     cleanup(): Promise<void>;
     trackResource(kind: string, name: string, namespace: string): void;

package/dist/utils/kubernetes-manager.js CHANGED Viewed

@@ -186,6 +186,11 @@ export class KubernetesManager {
      *
      * @param contextName
      */
+    refreshApiClients() {
+        this.k8sApi = this.kc.makeApiClient(k8s.CoreV1Api);
+        this.k8sAppsApi = this.kc.makeApiClient(k8s.AppsV1Api);
+        this.k8sBatchApi = this.kc.makeApiClient(k8s.BatchV1Api);
+    }
     setCurrentContext(contextName) {
         // Get all available contexts
         const contexts = this.kc.getContexts();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mcp-server-kubernetes",
-  "version": "3.3.0",
+  "version": "3.4.0",
   "description": "MCP server for interacting with Kubernetes clusters via kubectl",
   "license": "MIT",
   "type": "module",