kubectl-mcp-server 1.12.0__py3-none-any.whl

kubectl_mcp_tool/tools/security.py

@@ -0,0 +1,333 @@
+import logging
+from typing import Any, Dict, List, Optional
+
+from mcp.types import ToolAnnotations
+
+logger = logging.getLogger("mcp-server")
+
+
+def register_security_tools(server, non_destructive: bool):
+    """Register RBAC and security-related tools."""
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Get RBAC Roles",
+            readOnlyHint=True,
+        ),
+    )
+    def get_rbac_roles(namespace: Optional[str] = None) -> Dict[str, Any]:
+        """Get RBAC Roles in a namespace or cluster-wide."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            rbac = client.RbacAuthorizationV1Api()
+
+            if namespace:
+                roles = rbac.list_namespaced_role(namespace)
+            else:
+                roles = rbac.list_role_for_all_namespaces()
+
+            return {
+                "success": True,
+                "roles": [
+                    {
+                        "name": role.metadata.name,
+                        "namespace": role.metadata.namespace,
+                        "rules": [
+                            {
+                                "apiGroups": rule.api_groups,
+                                "resources": rule.resources,
+                                "verbs": rule.verbs
+                            }
+                            for rule in (role.rules or [])
+                        ]
+                    }
+                    for role in roles.items
+                ]
+            }
+        except Exception as e:
+            logger.error(f"Error getting RBAC roles: {e}")
+            return {"success": False, "error": str(e)}
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Get Cluster Roles",
+            readOnlyHint=True,
+        ),
+    )
+    def get_cluster_roles() -> Dict[str, Any]:
+        """Get ClusterRoles in the cluster."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            rbac = client.RbacAuthorizationV1Api()
+            roles = rbac.list_cluster_role()
+
+            return {
+                "success": True,
+                "clusterRoles": [
+                    {
+                        "name": role.metadata.name,
+                        "rules": [
+                            {
+                                "apiGroups": rule.api_groups,
+                                "resources": rule.resources,
+                                "verbs": rule.verbs
+                            }
+                            for rule in (role.rules or [])
+                        ][:5]
+                    }
+                    for role in roles.items[:20]
+                ]
+            }
+        except Exception as e:
+            logger.error(f"Error getting cluster roles: {e}")
+            return {"success": False, "error": str(e)}
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Analyze Pod Security",
+            readOnlyHint=True,
+        ),
+    )
+    def analyze_pod_security(namespace: Optional[str] = None) -> Dict[str, Any]:
+        """Analyze pod security configurations."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            v1 = client.CoreV1Api()
+
+            if namespace:
+                pods = v1.list_namespaced_pod(namespace)
+            else:
+                pods = v1.list_pod_for_all_namespaces()
+
+            issues = []
+            for pod in pods.items:
+                pod_issues = []
+                spec = pod.spec
+
+                if spec.host_network:
+                    pod_issues.append("hostNetwork enabled")
+                if spec.host_pid:
+                    pod_issues.append("hostPID enabled")
+                if spec.host_ipc:
+                    pod_issues.append("hostIPC enabled")
+
+                for container in (spec.containers or []):
+                    sc = container.security_context
+                    if sc:
+                        if sc.privileged:
+                            pod_issues.append(f"Container {container.name}: privileged mode")
+                        if sc.run_as_root:
+                            pod_issues.append(f"Container {container.name}: runs as root")
+                        if sc.allow_privilege_escalation:
+                            pod_issues.append(f"Container {container.name}: privilege escalation allowed")
+
+                if pod_issues:
+                    issues.append({
+                        "pod": pod.metadata.name,
+                        "namespace": pod.metadata.namespace,
+                        "issues": pod_issues
+                    })
+
+            return {
+                "success": True,
+                "totalPods": len(pods.items),
+                "podsWithIssues": len(issues),
+                "issues": issues[:50]
+            }
+        except Exception as e:
+            logger.error(f"Error analyzing pod security: {e}")
+            return {"success": False, "error": str(e)}
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Analyze Network Policies",
+            readOnlyHint=True,
+        ),
+    )
+    def analyze_network_policies(namespace: Optional[str] = None) -> Dict[str, Any]:
+        """Analyze network policies in the cluster."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            networking = client.NetworkingV1Api()
+            v1 = client.CoreV1Api()
+
+            if namespace:
+                policies = networking.list_namespaced_network_policy(namespace)
+                namespaces = [v1.read_namespace(namespace)]
+            else:
+                policies = networking.list_network_policy_for_all_namespaces()
+                namespaces = v1.list_namespace().items
+
+            protected_namespaces = set()
+            for policy in policies.items:
+                protected_namespaces.add(policy.metadata.namespace)
+
+            unprotected = [
+                ns.metadata.name for ns in namespaces
+                if ns.metadata.name not in protected_namespaces
+                and ns.metadata.name not in ["kube-system", "kube-public", "kube-node-lease"]
+            ]
+
+            return {
+                "success": True,
+                "totalPolicies": len(policies.items),
+                "protectedNamespaces": list(protected_namespaces),
+                "unprotectedNamespaces": unprotected,
+                "policies": [
+                    {
+                        "name": p.metadata.name,
+                        "namespace": p.metadata.namespace,
+                        "podSelector": p.spec.pod_selector.match_labels if p.spec.pod_selector else {},
+                        "policyTypes": p.spec.policy_types
+                    }
+                    for p in policies.items
+                ]
+            }
+        except Exception as e:
+            logger.error(f"Error analyzing network policies: {e}")
+            return {"success": False, "error": str(e)}
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Audit RBAC Permissions",
+            readOnlyHint=True,
+        ),
+    )
+    def audit_rbac_permissions(namespace: Optional[str] = None, subject: Optional[str] = None) -> Dict[str, Any]:
+        """Audit RBAC permissions for subjects."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            rbac = client.RbacAuthorizationV1Api()
+
+            cluster_bindings = rbac.list_cluster_role_binding()
+            if namespace:
+                role_bindings = rbac.list_namespaced_role_binding(namespace)
+            else:
+                role_bindings = rbac.list_role_binding_for_all_namespaces()
+
+            permissions = []
+
+            for binding in cluster_bindings.items:
+                for subj in (binding.subjects or []):
+                    if subject and subj.name != subject:
+                        continue
+                    permissions.append({
+                        "subject": subj.name,
+                        "subjectKind": subj.kind,
+                        "roleRef": binding.role_ref.name,
+                        "scope": "cluster",
+                        "bindingName": binding.metadata.name
+                    })
+
+            for binding in role_bindings.items:
+                for subj in (binding.subjects or []):
+                    if subject and subj.name != subject:
+                        continue
+                    permissions.append({
+                        "subject": subj.name,
+                        "subjectKind": subj.kind,
+                        "roleRef": binding.role_ref.name,
+                        "scope": binding.metadata.namespace,
+                        "bindingName": binding.metadata.name
+                    })
+
+            return {
+                "success": True,
+                "permissions": permissions[:100]
+            }
+        except Exception as e:
+            logger.error(f"Error auditing RBAC: {e}")
+            return {"success": False, "error": str(e)}
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Check Secrets Security",
+            readOnlyHint=True,
+        ),
+    )
+    def check_secrets_security(namespace: Optional[str] = None) -> Dict[str, Any]:
+        """Check security posture of secrets."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            v1 = client.CoreV1Api()
+
+            if namespace:
+                secrets = v1.list_namespaced_secret(namespace)
+            else:
+                secrets = v1.list_secret_for_all_namespaces()
+
+            findings = []
+            for secret in secrets.items:
+                issues = []
+
+                if secret.type == "Opaque":
+                    issues.append("Generic secret type - consider using specific types")
+
+                if not secret.metadata.annotations:
+                    issues.append("No annotations - consider adding metadata")
+
+                if issues:
+                    findings.append({
+                        "name": secret.metadata.name,
+                        "namespace": secret.metadata.namespace,
+                        "type": secret.type,
+                        "issues": issues
+                    })
+
+            return {
+                "success": True,
+                "totalSecrets": len(secrets.items),
+                "secretsWithIssues": len(findings),
+                "findings": findings[:50]
+            }
+        except Exception as e:
+            logger.error(f"Error checking secrets security: {e}")
+            return {"success": False, "error": str(e)}
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Get Pod Security Policies (Deprecated) / Pod Security Standards",
+            readOnlyHint=True,
+        ),
+    )
+    def get_pod_security_info(namespace: Optional[str] = None) -> Dict[str, Any]:
+        """Get Pod Security Standards information for namespaces."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            v1 = client.CoreV1Api()
+
+            if namespace:
+                namespaces = [v1.read_namespace(namespace)]
+            else:
+                namespaces = v1.list_namespace().items
+
+            result = []
+            for ns in namespaces:
+                labels = ns.metadata.labels or {}
+                pss_info = {
+                    "namespace": ns.metadata.name,
+                    "enforce": labels.get("pod-security.kubernetes.io/enforce"),
+                    "enforceVersion": labels.get("pod-security.kubernetes.io/enforce-version"),
+                    "audit": labels.get("pod-security.kubernetes.io/audit"),
+                    "auditVersion": labels.get("pod-security.kubernetes.io/audit-version"),
+                    "warn": labels.get("pod-security.kubernetes.io/warn"),
+                    "warnVersion": labels.get("pod-security.kubernetes.io/warn-version")
+                }
+                if any(v for k, v in pss_info.items() if k != "namespace"):
+                    result.append(pss_info)
+
+            return {
+                "success": True,
+                "note": "Pod Security Policies are deprecated. Using Pod Security Standards (PSS) labels.",
+                "namespacesWithPSS": result
+            }
+        except Exception as e:
+            logger.error(f"Error getting pod security info: {e}")
+            return {"success": False, "error": str(e)}

kubectl_mcp_tool/tools/storage.py

@@ -0,0 +1,133 @@
+import logging
+from typing import Any, Dict, Optional
+
+from mcp.types import ToolAnnotations
+
+logger = logging.getLogger("mcp-server")
+
+
+def register_storage_tools(server, non_destructive: bool):
+    """Register storage-related tools."""
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Get Persistent Volumes",
+            readOnlyHint=True,
+        ),
+    )
+    def get_persistent_volumes(name: Optional[str] = None) -> Dict[str, Any]:
+        """Get Persistent Volumes in the cluster."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            v1 = client.CoreV1Api()
+
+            if name:
+                pv = v1.read_persistent_volume(name)
+                pvs = [pv]
+            else:
+                pvs = v1.list_persistent_volume().items
+
+            def get_pv_source(spec):
+                sources = ['nfs', 'hostPath', 'gcePersistentDisk', 'awsElasticBlockStore',
+                          'azureDisk', 'azureFile', 'csi', 'local', 'fc', 'iscsi']
+                for source in sources:
+                    source_attr = getattr(spec, source.replace('P', '_p').replace('D', '_d'), None)
+                    if source_attr:
+                        return {"type": source, "details": str(source_attr)[:100]}
+                return {"type": "unknown"}
+
+            return {
+                "success": True,
+                "persistentVolumes": [
+                    {
+                        "name": pv.metadata.name,
+                        "capacity": pv.spec.capacity.get("storage") if pv.spec.capacity else None,
+                        "accessModes": pv.spec.access_modes,
+                        "reclaimPolicy": pv.spec.persistent_volume_reclaim_policy,
+                        "status": pv.status.phase,
+                        "storageClass": pv.spec.storage_class_name,
+                        "claimRef": {
+                            "name": pv.spec.claim_ref.name,
+                            "namespace": pv.spec.claim_ref.namespace
+                        } if pv.spec.claim_ref else None,
+                        "source": get_pv_source(pv.spec)
+                    }
+                    for pv in pvs
+                ]
+            }
+        except Exception as e:
+            logger.error(f"Error getting PVs: {e}")
+            return {"success": False, "error": str(e)}
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Get Persistent Volume Claims",
+            readOnlyHint=True,
+        ),
+    )
+    def get_pvcs(namespace: Optional[str] = None) -> Dict[str, Any]:
+        """Get Persistent Volume Claims in a namespace or cluster-wide."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            v1 = client.CoreV1Api()
+
+            if namespace:
+                pvcs = v1.list_namespaced_persistent_volume_claim(namespace)
+            else:
+                pvcs = v1.list_persistent_volume_claim_for_all_namespaces()
+
+            return {
+                "success": True,
+                "pvcs": [
+                    {
+                        "name": pvc.metadata.name,
+                        "namespace": pvc.metadata.namespace,
+                        "status": pvc.status.phase,
+                        "capacity": pvc.status.capacity.get("storage") if pvc.status.capacity else None,
+                        "accessModes": pvc.spec.access_modes,
+                        "storageClass": pvc.spec.storage_class_name,
+                        "volumeName": pvc.spec.volume_name
+                    }
+                    for pvc in pvcs.items
+                ]
+            }
+        except Exception as e:
+            logger.error(f"Error getting PVCs: {e}")
+            return {"success": False, "error": str(e)}
+
+    @server.tool(
+        annotations=ToolAnnotations(
+            title="Get Storage Classes",
+            readOnlyHint=True,
+        ),
+    )
+    def get_storage_classes() -> Dict[str, Any]:
+        """Get Storage Classes in the cluster."""
+        try:
+            from kubernetes import client, config
+            config.load_kube_config()
+            storage = client.StorageV1Api()
+
+            scs = storage.list_storage_class()
+
+            return {
+                "success": True,
+                "storageClasses": [
+                    {
+                        "name": sc.metadata.name,
+                        "provisioner": sc.provisioner,
+                        "reclaimPolicy": sc.reclaim_policy,
+                        "volumeBindingMode": sc.volume_binding_mode,
+                        "allowVolumeExpansion": sc.allow_volume_expansion,
+                        "default": sc.metadata.annotations.get(
+                            "storageclass.kubernetes.io/is-default-class"
+                        ) == "true" if sc.metadata.annotations else False
+                    }
+                    for sc in scs.items
+                ]
+            }
+        except Exception as e:
+            logger.error(f"Error getting Storage Classes: {e}")
+            return {"success": False, "error": str(e)}

kubectl_mcp_tool/utils/__init__.py

@@ -0,0 +1,17 @@
+from .helpers import (
+    mask_secrets,
+    check_dependencies,
+    check_tool_availability,
+    check_kubectl_availability,
+    check_helm_availability,
+    get_logger,
+)
+
+__all__ = [
+    "mask_secrets",
+    "check_dependencies",
+    "check_tool_availability",
+    "check_kubectl_availability",
+    "check_helm_availability",
+    "get_logger",
+]

kubectl_mcp_tool/utils/helpers.py

@@ -0,0 +1,80 @@
+import logging
+import os
+import re
+import subprocess
+import shutil
+import sys
+from typing import List
+
+_log_file = os.environ.get("MCP_LOG_FILE")
+_log_level = logging.DEBUG if os.environ.get("MCP_DEBUG", "").lower() in ("1", "true") else logging.INFO
+
+_handlers: List[logging.Handler] = []
+if _log_file:
+    try:
+        os.makedirs(os.path.dirname(_log_file), exist_ok=True)
+        _handlers.append(logging.FileHandler(_log_file))
+    except (OSError, ValueError):
+        _handlers.append(logging.StreamHandler(sys.stderr))
+else:
+    _handlers.append(logging.StreamHandler(sys.stderr))
+
+logging.basicConfig(
+    level=_log_level,
+    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+    handlers=_handlers
+)
+
+for handler in logging.root.handlers[:]:
+    if isinstance(handler, logging.StreamHandler) and handler.stream == sys.stdout:
+        logging.root.removeHandler(handler)
+
+logger = logging.getLogger("mcp-server")
+
+
+def get_logger(name: str = "mcp-server") -> logging.Logger:
+    return logging.getLogger(name)
+
+
+def mask_secrets(text: str) -> str:
+    masked = re.sub(r'(data:\s*\n)(\s+\w+:\s*)([A-Za-z0-9+/=]{20,})', r'\1\2[MASKED]', text)
+    masked = re.sub(r'(password|secret|token|key|credential)(["\s:=]+)([^\s"\n]+)', r'\1\2[MASKED]', masked, flags=re.IGNORECASE)
+    return masked
+
+
+def check_tool_availability(tool: str) -> bool:
+    try:
+        if shutil.which(tool) is None:
+            return False
+        if tool == "kubectl":
+            subprocess.check_output(
+                [tool, "version", "--client", "--output=json"],
+                stderr=subprocess.PIPE,
+                timeout=2
+            )
+        elif tool == "helm":
+            subprocess.check_output(
+                [tool, "version", "--short"],
+                stderr=subprocess.PIPE,
+                timeout=2
+            )
+        return True
+    except (subprocess.SubprocessError, subprocess.TimeoutExpired, FileNotFoundError):
+        return False
+
+
+def check_kubectl_availability() -> bool:
+    return check_tool_availability("kubectl")
+
+
+def check_helm_availability() -> bool:
+    return check_tool_availability("helm")
+
+
+def check_dependencies() -> bool:
+    all_available = True
+    for tool in ["kubectl", "helm"]:
+        if not check_tool_availability(tool):
+            logger.warning(f"{tool} not found in PATH. Operations requiring {tool} will not work.")
+            all_available = False
+    return all_available

tests/__init__.py

@@ -0,0 +1,9 @@
+"""
+Test suite for kubectl-mcp-server.
+
+This package contains comprehensive tests for:
+- MCP Tools (80+ Kubernetes operations)
+- MCP Resources (kubeconfig, namespace, cluster, manifests)
+- MCP Prompts (troubleshoot, deploy, security, cost, DR)
+- Server initialization and configuration
+"""