awslabs.eks-mcp-server 0.1.1__tar.gz → 0.1.2__tar.gz

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/Dockerfile

@@ -9,7 +9,7 @@
 # OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
 # and limitations under the License.
 
-FROM public.ecr.aws/sam/build-python3.10@sha256:a40f492a0cd8d76557f8a187fc00e49e8864b3cea683e74718ce317790c1ce61 AS uv
+FROM public.ecr.aws/sam/build-python3.10@sha256:e78695db10ca8cb129e59e30f7dc9789b0dbd0181dba195d68419c72bac51ac1 AS uv
 
 # Install the project into `/app`
 WORKDIR /app
@@ -43,7 +43,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 # Make the directory just in case it doesn't exist
 RUN mkdir -p /root/.local
 
-FROM public.ecr.aws/sam/build-python3.10@sha256:a40f492a0cd8d76557f8a187fc00e49e8864b3cea683e74718ce317790c1ce61
+FROM public.ecr.aws/sam/build-python3.10@sha256:e78695db10ca8cb129e59e30f7dc9789b0dbd0181dba195d68419c72bac51ac1
 
 # Place executables in the environment at the front of the path and include other binaries
 ENV PATH="/app/.venv/bin:$PATH:/usr/sbin"

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: awslabs.eks-mcp-server
-Version: 0.1.1
+Version: 0.1.2
 Summary: An AWS Labs Model Context Protocol (MCP) server for EKS
 Project-URL: homepage, https://awslabs.github.io/mcp/
 Project-URL: docs, https://awslabs.github.io/mcp/servers/eks-mcp-server/
@@ -89,30 +89,35 @@ For read operations, the following permissions are required:
 
 ### Write Operations Policy
 
-For write operations, the following permissions are required:
-
-```
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "cloudformation:CreateStack",
-        "cloudformation:UpdateStack",
-        "cloudformation:DeleteStack",
-        "iam:PutRolePolicy"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "aws:RequestTag/CreatedBy": "EksMcpServer"
-        }
+For write operations, we recommend the following IAM policies to ensure successful deployment of EKS clusters using the CloudFormation template in `/awslabs/eks_mcp_server/templates/eks-templates/eks-with-vpc.yaml`:
+- [**IAMFullAccess**](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/IAMFullAccess.html): Enables creation and management of IAM roles and policies required for cluster operation
+- [**AmazonVPCFullAccess**](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonVPCFullAccess.html): Allows creation and configuration of VPC resources including subnets, route tables, internet gateways, and NAT gateways
+- [**AWSCloudFormationFullAccess**](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudFormationFullAccess.html): Provides permissions to create, update, and delete CloudFormation stacks that orchestrate the deployment
+- **EKS Full Access (provided below)**: Required for creating and managing EKS clusters, including control plane configuration, node groups, and add-ons
+   ```
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": "eks:*",
+        "Resource": "*"
       }
-    }
-  ]
-}
-```
+    ]
+  }
+   ```
+
+
+**Important Security Note**: Users should exercise caution when `--allow-write` and `--allow-sensitive-data-access` modes are enabled with these broad permissions, as this combination grants significant privileges to the MCP server. Only enable these flags when necessary and in trusted environments. For production use, consider creating more restrictive custom policies.
+
+### Kubernetes API Access Requirements
+
+All Kubernetes API operations will only work when one of the following conditions is met:
+
+1. The user's principal (IAM role/user) actually created the EKS cluster being accessed
+2. An EKS Access Entry has been configured for the user's principal
+
+If you encounter authorization errors when using Kubernetes API operations, verify that an access entry has been properly configured for your principal.
 
 ## Quickstart
 

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/README.md

@@ -55,30 +55,35 @@ For read operations, the following permissions are required:
 
 ### Write Operations Policy
 
-For write operations, the following permissions are required:
-
-```
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "cloudformation:CreateStack",
-        "cloudformation:UpdateStack",
-        "cloudformation:DeleteStack",
-        "iam:PutRolePolicy"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-          "aws:RequestTag/CreatedBy": "EksMcpServer"
-        }
+For write operations, we recommend the following IAM policies to ensure successful deployment of EKS clusters using the CloudFormation template in `/awslabs/eks_mcp_server/templates/eks-templates/eks-with-vpc.yaml`:
+- [**IAMFullAccess**](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/IAMFullAccess.html): Enables creation and management of IAM roles and policies required for cluster operation
+- [**AmazonVPCFullAccess**](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonVPCFullAccess.html): Allows creation and configuration of VPC resources including subnets, route tables, internet gateways, and NAT gateways
+- [**AWSCloudFormationFullAccess**](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCloudFormationFullAccess.html): Provides permissions to create, update, and delete CloudFormation stacks that orchestrate the deployment
+- **EKS Full Access (provided below)**: Required for creating and managing EKS clusters, including control plane configuration, node groups, and add-ons
+   ```
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": "eks:*",
+        "Resource": "*"
       }
-    }
-  ]
-}
-```
+    ]
+  }
+   ```
+
+
+**Important Security Note**: Users should exercise caution when `--allow-write` and `--allow-sensitive-data-access` modes are enabled with these broad permissions, as this combination grants significant privileges to the MCP server. Only enable these flags when necessary and in trusted environments. For production use, consider creating more restrictive custom policies.
+
+### Kubernetes API Access Requirements
+
+All Kubernetes API operations will only work when one of the following conditions is met:
+
+1. The user's principal (IAM role/user) actually created the EKS cluster being accessed
+2. An EKS Access Entry has been configured for the user's principal
+
+If you encounter authorization errors when using Kubernetes API operations, verify that an access entry has been properly configured for your principal.
 
 ## Quickstart
 

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/awslabs/eks_mcp_server/aws_helper.py

@@ -13,6 +13,7 @@
 
 import boto3
 import os
+from awslabs.eks_mcp_server import __version__
 from botocore.config import Config
 from typing import Any, Optional
 
@@ -38,7 +39,7 @@ class AwsHelper:
     def create_boto3_client(cls, service_name: str, region_name: Optional[str] = None) -> Any:
         """Create a boto3 client with the appropriate profile and region.
 
-        The client is configured with a custom user agent suffix 'awslabs/mcp/eks-mcp-server/0.1.0'
+        The client is configured with a custom user agent suffix 'awslabs/mcp/eks-mcp-server/{version}'
         to identify API calls made by the EKS MCP Server.
 
         Args:
@@ -55,7 +56,7 @@ class AwsHelper:
         profile = cls.get_aws_profile()
 
         # Create config with user agent suffix
-        config = Config(user_agent_extra='awslabs/mcp/eks-mcp-server/0.1.0')
+        config = Config(user_agent_extra=f'awslabs/mcp/eks-mcp-server/{__version__}')
 
         # Create session with profile if specified
         if profile:

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/awslabs/eks_mcp_server/eks_stack_handler.py

@@ -36,7 +36,7 @@ from awslabs.eks_mcp_server.models import (
 from mcp.server.fastmcp import Context
 from mcp.types import EmbeddedResource, ImageContent, TextContent
 from pydantic import Field
-from typing import Dict, List, Optional, Tuple, Union, cast
+from typing import Any, Dict, List, Optional, Tuple, Union, cast
 
 
 class EksStackHandler:
@@ -345,6 +345,10 @@ class EksStackHandler:
             if 'Parameters' in template_yaml and 'ClusterName' in template_yaml['Parameters']:
                 template_yaml['Parameters']['ClusterName']['Default'] = cluster_name
 
+            # Remove checkov metadata from the EKS cluster resource
+            if 'Resources' in template_yaml and 'EksCluster' in template_yaml['Resources']:
+                self._remove_checkov_metadata(template_yaml['Resources']['EksCluster'])
+
             # Convert back to YAML
             modified_template = yaml.dump(template_yaml, default_flow_style=False)
 
@@ -589,6 +593,22 @@ class EksStackHandler:
                 outputs={},
             )
 
+    def _remove_checkov_metadata(self, resource: Dict[str, Any]) -> None:
+        """Remove checkov metadata from a resource and clean up empty Metadata sections.
+
+        Args:
+            resource: The resource dictionary to process
+        """
+        if 'Metadata' in resource:
+            # Check if there's checkov metadata
+            if 'checkov' in resource['Metadata']:
+                # Remove only the checkov metadata
+                del resource['Metadata']['checkov']
+
+                # If Metadata is now empty, remove it entirely
+                if not resource['Metadata']:
+                    del resource['Metadata']
+
     async def _delete_stack(
         self, ctx: Context, stack_name: str, cluster_name: str
     ) -> DeleteStackResponse:

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/awslabs/eks_mcp_server/k8s_apis.py

@@ -407,22 +407,26 @@ class K8sApis:
             Pod logs as a string
         """
         try:
-            # Get the Pod resource using the dynamic client
-            pod_resource = self.dynamic_client.resources.get(api_version='v1', kind='Pod')
+            from kubernetes import client
+
+            # Create CoreV1Api client
+            core_v1_api = client.CoreV1Api(self.api_client)
 
-            # Prepare parameters for the log subresource
+            # Prepare parameters for the read_namespaced_pod_log method
             params = {}
             if container_name:
                 params['container'] = container_name
             if since_seconds:
-                params['sinceSeconds'] = since_seconds
+                params['since_seconds'] = since_seconds
             if tail_lines:
-                params['tailLines'] = tail_lines
+                params['tail_lines'] = tail_lines
             if limit_bytes:
-                params['limitBytes'] = limit_bytes
+                params['limit_bytes'] = limit_bytes
 
-            # Call the log subresource (note: singular 'log', not 'logs')
-            logs_response = pod_resource.log.get(name=pod_name, namespace=namespace, **params)
+            # Call the read_namespaced_pod_log method
+            logs_response = core_v1_api.read_namespaced_pod_log(
+                name=pod_name, namespace=namespace, **params
+            )
 
             return logs_response
 

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/awslabs/eks_mcp_server/k8s_handler.py

@@ -780,6 +780,37 @@ class K8sHandler:
                 output_file_path='',
             )
 
+    def _remove_checkov_skip_annotations(self, content: str) -> str:
+        """Remove checkov skip annotations from YAML content.
+
+        Args:
+            content: YAML content as string
+
+        Returns:
+            YAML content with checkov skip annotations removed
+        """
+        # Use yaml to parse and modify the content
+        yaml_content = yaml.safe_load(content)
+        if (
+            yaml_content
+            and 'metadata' in yaml_content
+            and 'annotations' in yaml_content['metadata']
+        ):
+            # Remove all checkov skip annotations
+            annotations = yaml_content['metadata']['annotations']
+            checkov_keys = [key for key in annotations.keys() if key.startswith('checkov.io/skip')]
+            for key in checkov_keys:
+                del annotations[key]
+
+            # If annotations is now empty, remove it
+            if not annotations:
+                del yaml_content['metadata']['annotations']
+
+            # Convert back to YAML string
+            content = yaml.dump(yaml_content, default_flow_style=False)
+
+        return content
+
     def _load_yaml_template(self, template_files: list, values: Dict[str, Any]) -> str:
         """Load and process Kubernetes template files.
 
@@ -804,6 +835,10 @@ class K8sHandler:
             for key, value in values.items():
                 content = content.replace(key, value)
 
+            # Remove checkov skip annotations if present
+            if template_file == 'deployment.yaml':
+                content = self._remove_checkov_skip_annotations(content)
+
             template_contents.append(content)
 
         # Combine templates into a single YAML document with separator

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "awslabs.eks-mcp-server"
-version = "0.1.1"
+version = "0.1.2"
 description = "An AWS Labs Model Context Protocol (MCP) server for EKS"
 readme = "README.md"
 requires-python = ">=3.10"

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/tests/test_aws_helper.py

@@ -12,6 +12,7 @@
 """Tests for the AWS Helper."""
 
 import os
+from awslabs.eks_mcp_server import __version__
 from awslabs.eks_mcp_server.aws_helper import AwsHelper
 from unittest.mock import ANY, MagicMock, patch
 
@@ -131,7 +132,7 @@ class TestAwsHelper:
             )
 
     def test_create_boto3_client_user_agent(self):
-        """Test that create_boto3_client sets the user agent suffix correctly."""
+        """Test that create_boto3_client sets the user agent suffix correctly using the package version."""
         # Create a real Config object to inspect
         with patch.object(AwsHelper, 'get_aws_profile', return_value=None):
             with patch.object(AwsHelper, 'get_aws_region', return_value=None):
@@ -143,6 +144,7 @@ class TestAwsHelper:
                     _, kwargs = mock_client.call_args
                     config = kwargs.get('config')
 
-                    # Verify the user agent suffix
+                    # Verify the user agent suffix uses the version from __init__.py
                     assert config is not None
-                    assert config.user_agent_extra == 'awslabs/mcp/eks-mcp-server/0.1.0'
+                    expected_user_agent = f'awslabs/mcp/eks-mcp-server/{__version__}'
+                    assert config.user_agent_extra == expected_user_agent

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/tests/test_eks_stack_handler.py

@@ -505,6 +505,16 @@ class TestEksStackHandler:
           ClusterName:
             Type: String
             Default: my-cluster
+        Resources:
+          EksCluster:
+            Type: AWS::EKS::Cluster
+            Metadata:
+              checkov:
+                skip:
+                  - id: CKV_AWS_58
+                  - comment: "Secrets encryption is enabled by default in EKS 1.27+"
+            Properties:
+              Name: my-cluster
         """
         mock_yaml_content = yaml.safe_load(mock_template_content)
 
@@ -531,6 +541,76 @@ class TestEksStackHandler:
             assert result.content[0].type == 'text'
             assert 'template generated' in result.content[0].text
 
+            # Verify that the Metadata section was removed from the EksCluster resource
+            # because it only contained checkov metadata which was removed
+            assert 'Resources' in mock_yaml_content
+            assert 'EksCluster' in mock_yaml_content['Resources']
+            assert 'Metadata' not in mock_yaml_content['Resources']['EksCluster']
+
+    @pytest.mark.asyncio
+    async def test_generate_template_with_other_metadata(self):
+        """Test that _generate_template only removes checkov metadata and keeps other metadata."""
+        # Create a mock MCP server
+        mock_mcp = MagicMock()
+
+        # Initialize the EKS handler with the mock MCP server
+        handler = EksStackHandler(mock_mcp)
+
+        # Create a mock context
+        mock_ctx = MagicMock(spec=Context)
+
+        # Mock the open function to return a mock file with both checkov and other metadata
+        mock_template_content = """
+        Parameters:
+          ClusterName:
+            Type: String
+            Default: my-cluster
+        Resources:
+          EksCluster:
+            Type: AWS::EKS::Cluster
+            Metadata:
+              checkov:
+                skip:
+                  - id: CKV_AWS_58
+                  - comment: "Secrets encryption is enabled by default in EKS 1.27+"
+              other_metadata:
+                key: value
+            Properties:
+              Name: my-cluster
+        """
+        # Create a deep copy of the YAML content that we can modify
+        mock_yaml_content = yaml.safe_load(mock_template_content)
+
+        # Mock the necessary functions
+        with (
+            patch('builtins.open', mock_open(read_data=mock_template_content)),
+            patch('os.path.dirname', return_value='/mock/path'),
+            patch('os.path.join', return_value='/mock/path/template.yaml'),
+            patch('os.makedirs', return_value=None),
+            patch('yaml.safe_load', return_value=mock_yaml_content),
+            patch('yaml.dump', return_value=mock_template_content),
+        ):
+            # Call the _generate_template method
+            result = await handler._generate_template(
+                ctx=mock_ctx,
+                template_path='/path/to/output/template.yaml',
+                cluster_name='test-cluster',
+            )
+
+            # Verify the result
+            assert not result.isError
+            assert result.template_path == '/path/to/output/template.yaml'
+
+            # Verify that only the checkov metadata was removed
+            assert 'Resources' in mock_yaml_content
+            assert 'EksCluster' in mock_yaml_content['Resources']
+            assert 'Metadata' in mock_yaml_content['Resources']['EksCluster']
+            assert 'checkov' not in mock_yaml_content['Resources']['EksCluster']['Metadata']
+            assert 'other_metadata' in mock_yaml_content['Resources']['EksCluster']['Metadata']
+            assert mock_yaml_content['Resources']['EksCluster']['Metadata']['other_metadata'] == {
+                'key': 'value'
+            }
+
     @pytest.mark.asyncio
     async def test_manage_eks_stacks_generate(self):
         """Test that manage_eks_stacks handles the generate operation correctly."""

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/tests/test_k8s_apis.py

@@ -419,69 +419,69 @@ class TestK8sApisOperations:
 
     def test_get_pod_logs(self, k8s_apis):
         """Test get_pod_logs method."""
-        # Mock the dynamic client and resources
-        mock_resource = MagicMock()
-        mock_log = MagicMock()
-        mock_resource.log = mock_log
-        mock_resources = MagicMock()
-        mock_resources.get.return_value = mock_resource
-        k8s_apis.dynamic_client.resources = mock_resources
-
-        # Mock log.get to return logs
-        mock_log.get.return_value = 'log line 1\nlog line 2\n'
-
-        # Get pod logs with all parameters
-        logs = k8s_apis.get_pod_logs(
-            pod_name='test-pod',
-            namespace='test-namespace',
-            container_name='test-container',
-            since_seconds=60,
-            tail_lines=100,
-            limit_bytes=1024,
-        )
-
-        # Verify the result
-        assert logs == 'log line 1\nlog line 2\n'
-
-        # Verify the dynamic client was used correctly
-        mock_resources.get.assert_called_once_with(api_version='v1', kind='Pod')
-        mock_log.get.assert_called_once_with(
-            name='test-pod',
-            namespace='test-namespace',
-            container='test-container',
-            sinceSeconds=60,
-            tailLines=100,
-            limitBytes=1024,
-        )
+        # Mock the CoreV1Api client
+        with patch('kubernetes.client') as mock_client:
+            # Create mock CoreV1Api
+            mock_core_v1_api = MagicMock()
+            mock_client.CoreV1Api.return_value = mock_core_v1_api
+
+            # Mock read_namespaced_pod_log to return logs
+            mock_core_v1_api.read_namespaced_pod_log.return_value = 'log line 1\nlog line 2\n'
+
+            # Get pod logs with all parameters
+            logs = k8s_apis.get_pod_logs(
+                pod_name='test-pod',
+                namespace='test-namespace',
+                container_name='test-container',
+                since_seconds=60,
+                tail_lines=100,
+                limit_bytes=1024,
+            )
+
+            # Verify the result
+            assert logs == 'log line 1\nlog line 2\n'
+
+            # Verify CoreV1Api was created with the correct API client
+            mock_client.CoreV1Api.assert_called_once_with(k8s_apis.api_client)
+
+            # Verify read_namespaced_pod_log was called with the correct parameters
+            mock_core_v1_api.read_namespaced_pod_log.assert_called_once_with(
+                name='test-pod',
+                namespace='test-namespace',
+                container='test-container',
+                since_seconds=60,
+                tail_lines=100,
+                limit_bytes=1024,
+            )
 
     def test_get_pod_logs_minimal(self, k8s_apis):
         """Test get_pod_logs method with minimal parameters."""
-        # Mock the dynamic client and resources
-        mock_resource = MagicMock()
-        mock_log = MagicMock()
-        mock_resource.log = mock_log
-        mock_resources = MagicMock()
-        mock_resources.get.return_value = mock_resource
-        k8s_apis.dynamic_client.resources = mock_resources
-
-        # Mock log.get to return logs
-        mock_log.get.return_value = 'log line 1\nlog line 2\n'
-
-        # Get pod logs with minimal parameters
-        logs = k8s_apis.get_pod_logs(
-            pod_name='test-pod',
-            namespace='test-namespace',
-        )
-
-        # Verify the result
-        assert logs == 'log line 1\nlog line 2\n'
-
-        # Verify the dynamic client was used correctly
-        mock_resources.get.assert_called_once_with(api_version='v1', kind='Pod')
-        mock_log.get.assert_called_once_with(
-            name='test-pod',
-            namespace='test-namespace',
-        )
+        # Mock the CoreV1Api client
+        with patch('kubernetes.client') as mock_client:
+            # Create mock CoreV1Api
+            mock_core_v1_api = MagicMock()
+            mock_client.CoreV1Api.return_value = mock_core_v1_api
+
+            # Mock read_namespaced_pod_log to return logs
+            mock_core_v1_api.read_namespaced_pod_log.return_value = 'log line 1\nlog line 2\n'
+
+            # Get pod logs with minimal parameters
+            logs = k8s_apis.get_pod_logs(
+                pod_name='test-pod',
+                namespace='test-namespace',
+            )
+
+            # Verify the result
+            assert logs == 'log line 1\nlog line 2\n'
+
+            # Verify CoreV1Api was created with the correct API client
+            mock_client.CoreV1Api.assert_called_once_with(k8s_apis.api_client)
+
+            # Verify read_namespaced_pod_log was called with the correct parameters
+            mock_core_v1_api.read_namespaced_pod_log.assert_called_once_with(
+                name='test-pod',
+                namespace='test-namespace',
+            )
 
     def _create_mock_event(self):
         """Create a mock event for testing."""

{awslabs_eks_mcp_server-0.1.1 → awslabs_eks_mcp_server-0.1.2}/tests/test_k8s_handler.py

@@ -132,6 +132,72 @@ class TestK8sHandler:
             # Verify that the client was returned
             assert client == mock_client_cache.get_client.return_value
 
+    def test_load_yaml_template_removes_checkov_annotations(self, mock_mcp, mock_client_cache):
+        """Test _load_yaml_template method removes checkov skip annotations from deployment template."""
+        # Initialize the K8s handler
+        with patch(
+            'awslabs.eks_mcp_server.k8s_handler.K8sClientCache', return_value=mock_client_cache
+        ):
+            handler = K8sHandler(mock_mcp)
+
+        # Create mock file content for templates with checkov skip annotations
+        deployment_template = """apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: APP_NAME
+  namespace: NAMESPACE
+  annotations:
+    checkov.io/skip1: "CKV_K8S_14=We're using a specific image version"
+    checkov.io/skip2: "CKV_K8S_43=Resource limits are set appropriately"
+    other-annotation: "This should be preserved"
+spec:
+  replicas: REPLICAS"""
+
+        service_template = """apiVersion: v1
+kind: Service
+metadata:
+  name: APP_NAME
+  namespace: NAMESPACE
+  annotations:
+    service.beta.kubernetes.io/aws-load-balancer-scheme: LOAD_BALANCER_SCHEME"""
+
+        # Mock open to return our test templates
+        mock_open_func = mock_open()
+        mock_file = MagicMock()
+        mock_file.__enter__.return_value.read.side_effect = [deployment_template, service_template]
+        mock_open_func.return_value = mock_file
+
+        # Mock yaml.safe_load and yaml.dump to use real functions
+        with patch('builtins.open', mock_open_func):
+            # Test loading and processing templates
+            template_files = ['deployment.yaml', 'service.yaml']
+            values = {
+                'APP_NAME': 'test-app',
+                'NAMESPACE': 'test-namespace',
+                'REPLICAS': '3',
+                'LOAD_BALANCER_SCHEME': 'internal',
+            }
+
+            result = handler._load_yaml_template(template_files, values)
+
+            # Verify open was called for each template
+            assert mock_open_func.call_count == 2
+
+            # Verify template content was properly processed
+            assert 'kind: Deployment' in result
+            assert 'kind: Service' in result
+            assert 'name: test-app' in result
+            assert 'namespace: test-namespace' in result
+            assert 'replicas: 3' in result
+            assert 'service.beta.kubernetes.io/aws-load-balancer-scheme: internal' in result
+
+            # Verify checkov annotations were removed
+            assert 'checkov.io/skip1' not in result
+            assert 'checkov.io/skip2' not in result
+
+            # Verify other annotations were preserved
+            assert 'other-annotation: This should be preserved' in result
+
     @pytest.mark.asyncio
     async def test_apply_yaml_relative_path(self, mock_context, mock_mcp, mock_client_cache):
         """Test apply_yaml method with a relative path."""
@@ -886,74 +952,61 @@ metadata:
         ):
             handler = K8sHandler(mock_mcp, allow_write=True)
 
-        # Prepare mock file content
-        deployment_content = """apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: APP_NAME
-  namespace: NAMESPACE"""
+        # Mock the _load_yaml_template method to avoid template loading issues
+        with patch.object(handler, '_load_yaml_template', return_value='combined yaml content'):
+            # Mock os.path.isabs to return True for absolute paths
+            with patch('os.path.isabs', return_value=True):
+                # Mock os.makedirs to avoid creating directories
+                with patch('os.makedirs') as mock_makedirs:
+                    # Mock open for writing output
+                    with patch('builtins.open', mock_open()) as mocked_open:
+                        # Mock os.path.abspath to return a predictable absolute path
+                        with patch(
+                            'os.path.abspath',
+                            return_value='/absolute/path/test-output/test-app-manifest.yaml',
+                        ):
+                            # Generate the manifest
+                            result = await handler.generate_app_manifest(
+                                mock_context,
+                                app_name='test-app',
+                                image_uri='123456789012.dkr.ecr.region.amazonaws.com/repo:tag',
+                                port=8080,
+                                replicas=3,
+                                cpu='250m',
+                                memory='256Mi',
+                                namespace='test-namespace',
+                                load_balancer_scheme='internet-facing',
+                                output_dir='/absolute/path/test-output',
+                            )
 
-        service_content = """apiVersion: v1
-kind: Service
-metadata:
-  name: APP_NAME
-  namespace: NAMESPACE
-  annotations:
-    service.beta.kubernetes.io/aws-load-balancer-scheme: LOAD_BALANCER_SCHEME"""
+                            # Verify that os.makedirs was called with exist_ok=True
+                            mock_makedirs.assert_called_once_with(
+                                '/absolute/path/test-output', exist_ok=True
+                            )
 
-        # Mock open function to return our test templates and for file writing
-        mock_open = MagicMock()
-        mock_file = MagicMock()
-        mock_file.__enter__.return_value.read.side_effect = [deployment_content, service_content]
-        mock_open.return_value = mock_file
+                            # Verify that open was called for writing output
+                            mocked_open.assert_called_once_with(
+                                '/absolute/path/test-output/test-app-manifest.yaml', 'w'
+                            )
 
-        # Mock os.path.isabs to return True for absolute paths
-        with patch('os.path.isabs', return_value=True):
-            # Mock os.makedirs to avoid creating directories
-            with patch('os.makedirs') as mock_makedirs:
-                with patch('builtins.open', mock_open):
-                    # Mock os.path.abspath to return a predictable absolute path
-                    with patch(
-                        'os.path.abspath',
-                        return_value='/absolute/path/test-output/test-app-manifest.yaml',
-                    ):
-                        # Generate the manifest
-                        result = await handler.generate_app_manifest(
-                            mock_context,
-                            app_name='test-app',
-                            image_uri='123456789012.dkr.ecr.region.amazonaws.com/repo:tag',
-                            port=8080,
-                            replicas=3,
-                            cpu='250m',
-                            memory='256Mi',
-                            namespace='test-namespace',
-                            load_balancer_scheme='internet-facing',
-                            output_dir='/absolute/path/test-output',
-                        )
-
-                        # Verify that os.makedirs was called with exist_ok=True
-                        mock_makedirs.assert_called_once_with(
-                            '/absolute/path/test-output', exist_ok=True
-                        )
-
-                        # Verify that open was called for reading templates and writing output
-                        assert mock_open.call_count == 3  # 2 reads + 1 write
-
-                        # Verify the result
-                        assert not result.isError
-                        assert isinstance(result.content[0], TextContent)
-                        assert 'Successfully generated YAML for test-app' in result.content[0].text
-                        assert (
-                            'with image 123456789012.dkr.ecr.region.amazonaws.com/repo:tag'
-                            in result.content[0].text
-                        )
-
-                        # Verify that the output path is absolute
-                        assert os.path.isabs(result.output_file_path)
-                        assert (
-                            result.output_file_path
-                            == '/absolute/path/test-output/test-app-manifest.yaml'
-                        )
+                            # Verify the result
+                            assert not result.isError
+                            assert isinstance(result.content[0], TextContent)
+                            assert (
+                                'Successfully generated YAML for test-app'
+                                in result.content[0].text
+                            )
+                            assert (
+                                'with image 123456789012.dkr.ecr.region.amazonaws.com/repo:tag'
+                                in result.content[0].text
+                            )
+
+                            # Verify that the output path is absolute
+                            assert os.path.isabs(result.output_file_path)
+                            assert (
+                                result.output_file_path
+                                == '/absolute/path/test-output/test-app-manifest.yaml'
+                            )
 
     @pytest.mark.asyncio
     async def test_generate_app_manifest_error(self, mock_context, mock_mcp, mock_client_cache):
@@ -1705,6 +1758,67 @@ metadata:
         result = handler.cleanup_resource_response(simple_input)
         assert result == simple_input
 
+    def test_remove_checkov_skip_annotations(self, mock_mcp, mock_client_cache):
+        """Test _remove_checkov_skip_annotations method directly to ensure line 807 is covered."""
+        # Initialize the K8s handler
+        with patch(
+            'awslabs.eks_mcp_server.k8s_handler.K8sClientCache', return_value=mock_client_cache
+        ):
+            handler = K8sHandler(mock_mcp)
+
+        # Test case 1: YAML with only checkov skip annotations (should remove annotations completely)
+        yaml_content = """apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-app
+  namespace: default
+  annotations:
+    checkov.io/skip1: "CKV_K8S_14=We're using a specific image version"
+    checkov.io/skip2: "CKV_K8S_43=Resource limits are set appropriately"
+spec:
+  replicas: 3"""
+
+        expected_result = """apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-app
+  namespace: default
+spec:
+  replicas: 3
+"""
+
+        result = handler._remove_checkov_skip_annotations(yaml_content)
+        # Normalize whitespace for comparison
+        result = result.replace(' ', '').replace('\n', '')
+        expected_result = expected_result.replace(' ', '').replace('\n', '')
+        assert result == expected_result
+
+        # Test case 2: YAML with mixed annotations (should keep non-checkov annotations)
+        yaml_content = """apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-app
+  namespace: default
+  annotations:
+    checkov.io/skip1: "CKV_K8S_14=We're using a specific image version"
+    other-annotation: "This should be preserved"
+spec:
+  replicas: 3"""
+
+        expected_result = """apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-app
+  namespace: default
+  annotations:
+    other-annotation: This should be preserved
+spec:
+  replicas: 3
+"""
+
+        result = handler._remove_checkov_skip_annotations(yaml_content)
+        assert 'other-annotation: This should be preserved' in result
+
     def test_filter_null_values(self, mock_mcp, mock_client_cache):
         """Test filter_null_values method for removing null values from data structures."""
         # Initialize the K8s handler