PyPI - kubectl-mcp-server - Versions diffs - 1.12.0__py3-none-any.whl - Mend

kubectl-mcp-server 1.12.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

kubectl_mcp_server-1.12.0.dist-info/METADATA +711 -0
kubectl_mcp_server-1.12.0.dist-info/RECORD +45 -0
kubectl_mcp_server-1.12.0.dist-info/WHEEL +5 -0
kubectl_mcp_server-1.12.0.dist-info/entry_points.txt +3 -0
kubectl_mcp_server-1.12.0.dist-info/licenses/LICENSE +21 -0
kubectl_mcp_server-1.12.0.dist-info/top_level.txt +2 -0
kubectl_mcp_tool/__init__.py +21 -0
kubectl_mcp_tool/__main__.py +46 -0
kubectl_mcp_tool/auth/__init__.py +13 -0
kubectl_mcp_tool/auth/config.py +71 -0
kubectl_mcp_tool/auth/scopes.py +148 -0
kubectl_mcp_tool/auth/verifier.py +82 -0
kubectl_mcp_tool/cli/__init__.py +9 -0
kubectl_mcp_tool/cli/__main__.py +10 -0
kubectl_mcp_tool/cli/cli.py +111 -0
kubectl_mcp_tool/diagnostics.py +355 -0
kubectl_mcp_tool/k8s_config.py +289 -0
kubectl_mcp_tool/mcp_server.py +530 -0
kubectl_mcp_tool/prompts/__init__.py +5 -0
kubectl_mcp_tool/prompts/prompts.py +823 -0
kubectl_mcp_tool/resources/__init__.py +5 -0
kubectl_mcp_tool/resources/resources.py +305 -0
kubectl_mcp_tool/tools/__init__.py +28 -0
kubectl_mcp_tool/tools/browser.py +371 -0
kubectl_mcp_tool/tools/cluster.py +315 -0
kubectl_mcp_tool/tools/core.py +421 -0
kubectl_mcp_tool/tools/cost.py +680 -0
kubectl_mcp_tool/tools/deployments.py +381 -0
kubectl_mcp_tool/tools/diagnostics.py +174 -0
kubectl_mcp_tool/tools/helm.py +1561 -0
kubectl_mcp_tool/tools/networking.py +296 -0
kubectl_mcp_tool/tools/operations.py +501 -0
kubectl_mcp_tool/tools/pods.py +582 -0
kubectl_mcp_tool/tools/security.py +333 -0
kubectl_mcp_tool/tools/storage.py +133 -0
kubectl_mcp_tool/utils/__init__.py +17 -0
kubectl_mcp_tool/utils/helpers.py +80 -0
tests/__init__.py +9 -0
tests/conftest.py +379 -0
tests/test_auth.py +256 -0
tests/test_browser.py +349 -0
tests/test_prompts.py +536 -0
tests/test_resources.py +343 -0
tests/test_server.py +384 -0
tests/test_tools.py +659 -0

kubectl_mcp_server-1.12.0.dist-info/RECORD ADDED Viewed

@@ -0,0 +1,45 @@
+kubectl_mcp_server-1.12.0.dist-info/licenses/LICENSE,sha256=nH9Z0W0WNH2oQ4cPrBAU8ldDcHfeI6NUbkSGiazYWgQ,1070
+kubectl_mcp_tool/__init__.py,sha256=Z_IyVF0iPum8NzMC_5yXS1P_1vwrW9yQUalEfCEjjzs,580
+kubectl_mcp_tool/__main__.py,sha256=CE6cTD6PA71Ap0i5_gE17Pb9FcedOJmtGRNzZ5-TFSc,1490
+kubectl_mcp_tool/diagnostics.py,sha256=uwolSoHadRkB-J8PAsabbexfj6sTNCIIRRrABBRXoTU,11776
+kubectl_mcp_tool/k8s_config.py,sha256=StM6Bb1SAVbFgNg5wKRmb_9aQ1wxEHtriCTIjvEFc5U,7853
+kubectl_mcp_tool/mcp_server.py,sha256=OUrW04BRVpmsr1-8NDTjC1vaJ0VQCbjkcXkavy9lzVs,20927
+kubectl_mcp_tool/auth/__init__.py,sha256=ot8ivZZkDtV8Rg0y1UYruwobKCPyxX1svqh35wWxKvY,347
+kubectl_mcp_tool/auth/config.py,sha256=wi3wuJNMyDqMeluDHL0MaJyedIFv5CFVxiUaEVaTvzk,2267
+kubectl_mcp_tool/auth/scopes.py,sha256=KPmuGO0SrTkjzlElWFOV29ie9apTdMklOCkiA-965lI,6147
+kubectl_mcp_tool/auth/verifier.py,sha256=ChZM-UsZJgZc3LjSfw8VfSydkKqKBZ1s8es71LlB_A0,2431
+kubectl_mcp_tool/cli/__init__.py,sha256=qGL_jH_5iv4cZsRvAbqAeKUN-ETh1K98_uJAPfgLvSU,147
+kubectl_mcp_tool/cli/__main__.py,sha256=OxhHqW8YsTd565acTDlZknljPAw6FN9JW7pNtgWIcFE,196
+kubectl_mcp_tool/cli/cli.py,sha256=f82U3B2I93lQUVJGKL33dPhxQ-5GBNjaJ26PwPj4O0Y,3769
+kubectl_mcp_tool/prompts/__init__.py,sha256=BacBNfoVxow6aci8Zzcfam3m1oM7yYzM0IRT1L3uCOQ,77
+kubectl_mcp_tool/prompts/prompts.py,sha256=ZfmTCio8NqOYYxF8VVo9f6VWGCS34J8tvmBfhNblr58,22942
+kubectl_mcp_tool/resources/__init__.py,sha256=ERkn0ErlaGi9-dybv4wrAaT8WretvNp6K002h7Agjno,83
+kubectl_mcp_tool/resources/resources.py,sha256=kvK4OM3Ox5cFvWDqJBTXOfBgnRYdoqdvvjsdCg0PJfY,12713
+kubectl_mcp_tool/tools/__init__.py,sha256=mlvnz6P99jKwj6S8NJuX9UyaOLU1ARa5-CCkcc-3ju0,958
+kubectl_mcp_tool/tools/browser.py,sha256=PDT7Uj7CCBQI9CFAaMSM_3i6v3NXIAf-mwd1y7iESa8,15193
+kubectl_mcp_tool/tools/cluster.py,sha256=qQh6bET3-KQ8nkB2GnB8A7gohbJLrx6_K11TPYR6AII,11956
+kubectl_mcp_tool/tools/core.py,sha256=zL0bGCxPGocH34ueZlSsBVsNp_tUL0C2gqyjlJljMXY,15009
+kubectl_mcp_tool/tools/cost.py,sha256=OMiNopWvi5TTY-HX-3JSekelgReTEn88wAFddhui--M,27065
+kubectl_mcp_tool/tools/deployments.py,sha256=TX1QHa22QU7rK7KG2-p5FB5KyWasZGfu-SK2CA08gWI,14990
+kubectl_mcp_tool/tools/diagnostics.py,sha256=_xVcbmT3smQvOMwrZ0hlJ0FpgPbB4bdQgLkNcDJ8Vj4,6695
+kubectl_mcp_tool/tools/helm.py,sha256=VgpiGPNbq4gQ4NQwefaRQPKGI7woN4QTHxtoz0_cNW8,57094
+kubectl_mcp_tool/tools/networking.py,sha256=4_30hyQM-9t-X-yJWBrsdA9nPONZk3F6kyw3Y5-JKrA,11977
+kubectl_mcp_tool/tools/operations.py,sha256=egYhlmqVZygddCkDJ2GDr89EjApps_PssWraOVfRmwQ,18800
+kubectl_mcp_tool/tools/pods.py,sha256=7Ezk9khxoKsJYw8xEyBMjFdpLXmisGGrnKVVJ3rbhLE,23801
+kubectl_mcp_tool/tools/security.py,sha256=Tu5SFPoeSgXkoc7WEpnnmdrMDJaB5znDoIVyyAy1Rho,12550
+kubectl_mcp_tool/tools/storage.py,sha256=lXWp7131P39eTAsaMFrrJbWPuOGfDolVbD6npTBy1eQ,5124
+kubectl_mcp_tool/utils/__init__.py,sha256=CHBCpaXwt994DlqyRFkkRky2TK8OmmDl0Gyc28369gI,348
+kubectl_mcp_tool/utils/helpers.py,sha256=W--wiVSKKqmjpxxdLT0J6rmhOQcp1OFk9jLrtQUVpGw,2444
+tests/__init__.py,sha256=qZPXYXv3whkkWhi61Ngzj09GHnIFlVSZrajE0XRk55o,290
+tests/conftest.py,sha256=6054YlpuGleV3Wg8BnVj4lnKWhGk-Eqc9JYTXxOmsXs,10782
+tests/test_auth.py,sha256=PoESfWiN92wSGUdVwLL3Z1AP6C1zUsVmgTI7Q8ZdlxM,11074
+tests/test_browser.py,sha256=Oav6N4ivr_DW9038bVl31eAACt6vQORTr0uRgfeLs9A,14074
+tests/test_prompts.py,sha256=3TcJUvSNxhTqfySW6DCrW9MwiMDumciLQRjjbucwqlA,17803
+tests/test_resources.py,sha256=Z0Ex8WdRz-B3VZa1s0eAaDDGbhy7dRdqy1uFVOe2Qbo,12689
+tests/test_server.py,sha256=lLvgbqutnivSgQMNrki0O48whBQt0UXjdwT047nf0nw,14415
+tests/test_tools.py,sha256=MYJn8YlZIg2boX0OGTXyONRuA3M7vYZEATkwSVsya0c,30241
+kubectl_mcp_server-1.12.0.dist-info/METADATA,sha256=Czr2PxQzTXEnV2Lc0d4d-wezu5rDBkSj_Fry1pajS_Q,23715
+kubectl_mcp_server-1.12.0.dist-info/WHEEL,sha256=qELbo2s1Yzl39ZmrAibXA2jjPLUYfnVhUNTlyF1rq0Y,92
+kubectl_mcp_server-1.12.0.dist-info/entry_points.txt,sha256=zeOxQGaNC4r58deEmqsLCU5hfMjF0VqFUt9P5wWsKEM,109
+kubectl_mcp_server-1.12.0.dist-info/top_level.txt,sha256=o5IpfOGG-lqU8rVWJeK9aYC0r4f6qEX09QiBhZlYbkQ,23
+kubectl_mcp_server-1.12.0.dist-info/RECORD,,

kubectl_mcp_server-1.12.0.dist-info/WHEEL ADDED Viewed

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.10.1)
+Root-Is-Purelib: true
+Tag: py3-none-any

kubectl_mcp_server-1.12.0.dist-info/entry_points.txt ADDED Viewed

@@ -0,0 +1,3 @@
+[console_scripts]
+kubectl-mcp = kubectl_mcp_tool.__main__:main
+kubectl-mcp-serve = kubectl_mcp_tool.cli:main

kubectl_mcp_server-1.12.0.dist-info/licenses/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2024 Rohit Ghumare
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

kubectl_mcp_server-1.12.0.dist-info/top_level.txt ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ kubectl_mcp_tool
2	+ tests

kubectl_mcp_tool/__init__.py ADDED Viewed

@@ -0,0 +1,21 @@
+"""
+Kubectl MCP Tool - A Model Context Protocol server for Kubernetes.
+This package provides an MCP server that enables AI assistants to interact
+with Kubernetes clusters through natural language commands.
+For more information, see: https://github.com/rohitg00/kubectl-mcp-server
+"""
+__version__ = "1.12.0"
+from .mcp_server import MCPServer
+from .diagnostics import run_diagnostics, check_kubectl_installation, check_cluster_connection
+__all__ = [
+    "__version__",
+    "MCPServer",
+    "run_diagnostics",
+    "check_kubectl_installation",
+    "check_cluster_connection",
+]

kubectl_mcp_tool/__main__.py ADDED Viewed

@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+"""Main entry point for the kubectl MCP tool."""
+import asyncio
+import argparse
+import logging
+import sys
+import platform
+if platform.system() == "Windows":
+    asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())
+from .mcp_server import MCPServer
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+    handlers=[logging.StreamHandler(sys.stderr)]
+)
+logger = logging.getLogger("mcp-server")
+def main():
+    """Run the kubectl MCP server."""
+    parser = argparse.ArgumentParser(description="Kubectl MCP Server")
+    parser.add_argument("--transport", choices=["stdio", "sse", "http", "streamable-http"], default="stdio")
+    parser.add_argument("--port", type=int, default=8000)
+    parser.add_argument("--host", type=str, default="0.0.0.0")
+    parser.add_argument("--non-destructive", action="store_true", help="Block destructive operations")
+    args = parser.parse_args()
+    server = MCPServer(name="kubernetes", non_destructive=args.non_destructive)
+    try:
+        if args.transport == "stdio":
+            asyncio.run(server.serve_stdio())
+        elif args.transport == "sse":
+            asyncio.run(server.serve_sse(host=args.host, port=args.port))
+        elif args.transport in ("http", "streamable-http"):
+            asyncio.run(server.serve_http(host=args.host, port=args.port))
+    except KeyboardInterrupt:
+        pass
+if __name__ == "__main__":
+    main()

kubectl_mcp_tool/auth/__init__.py ADDED Viewed

@@ -0,0 +1,13 @@
+"""MCP Authorization module implementing RFC 9728 OAuth 2.0 Protected Resource Metadata."""
+from .config import AuthConfig, get_auth_config
+from .scopes import MCPScopes, TOOL_SCOPES
+from .verifier import create_auth_verifier
+__all__ = [
+    "AuthConfig",
+    "get_auth_config",
+    "MCPScopes",
+    "TOOL_SCOPES",
+    "create_auth_verifier",
+]

kubectl_mcp_tool/auth/config.py ADDED Viewed

@@ -0,0 +1,71 @@
+"""Authentication configuration loaded from environment variables."""
+import os
+import logging
+from dataclasses import dataclass, field
+from typing import List, Optional
+logger = logging.getLogger("mcp-server.auth")
+@dataclass
+class AuthConfig:
+    """Authentication configuration."""
+    enabled: bool = False
+    issuer_url: Optional[str] = None
+    jwks_uri: Optional[str] = None
+    audience: str = "kubectl-mcp-server"
+    required_scopes: List[str] = field(default_factory=lambda: ["mcp:tools"])
+    resource_url: Optional[str] = None
+    def validate(self) -> bool:
+        """Validate configuration."""
+        if not self.enabled:
+            return True
+        if not self.issuer_url:
+            logger.error("MCP_AUTH_ISSUER is required when authentication is enabled")
+            return False
+        return True
+    @property
+    def effective_jwks_uri(self) -> Optional[str]:
+        """Get JWKS URI, deriving from issuer if not explicitly set."""
+        if self.jwks_uri:
+            return self.jwks_uri
+        if self.issuer_url:
+            # Standard OIDC discovery path
+            issuer = self.issuer_url.rstrip("/")
+            return f"{issuer}/.well-known/jwks.json"
+        return None
+def get_auth_config() -> AuthConfig:
+    """Load authentication configuration from environment variables."""
+    enabled = os.environ.get("MCP_AUTH_ENABLED", "").lower() in ("1", "true", "yes")
+    config = AuthConfig(
+        enabled=enabled,
+        issuer_url=os.environ.get("MCP_AUTH_ISSUER"),
+        jwks_uri=os.environ.get("MCP_AUTH_JWKS_URI"),
+        audience=os.environ.get("MCP_AUTH_AUDIENCE", "kubectl-mcp-server"),
+        required_scopes=_parse_scopes(os.environ.get("MCP_AUTH_REQUIRED_SCOPES", "mcp:tools")),
+        resource_url=os.environ.get("MCP_AUTH_RESOURCE_URL"),
+    )
+    if enabled:
+        logger.info(f"Authentication enabled with issuer: {config.issuer_url}")
+        logger.info(f"Required scopes: {config.required_scopes}")
+    else:
+        logger.debug("Authentication disabled")
+    return config
+def _parse_scopes(scopes_str: str) -> List[str]:
+    """Parse comma-separated scopes string."""
+    if not scopes_str:
+        return []
+    return [s.strip() for s in scopes_str.split(",") if s.strip()]

kubectl_mcp_tool/auth/scopes.py ADDED Viewed

@@ -0,0 +1,148 @@
+"""MCP OAuth 2.0 scope definitions for fine-grained access control."""
+from enum import Enum
+from typing import Dict, List, Set
+class MCPScopes(str, Enum):
+    """MCP OAuth 2.0 scopes."""
+    # Base scopes
+    READ = "mcp:read"
+    WRITE = "mcp:write"
+    ADMIN = "mcp:admin"
+    TOOLS = "mcp:tools"
+    # Category-specific scopes
+    HELM = "mcp:helm"
+    DIAGNOSTICS = "mcp:diagnostics"
+    NETWORKING = "mcp:networking"
+    STORAGE = "mcp:storage"
+    SECURITY = "mcp:security"
+    COST = "mcp:cost"
+    @classmethod
+    def all_scopes(cls) -> List[str]:
+        """Return all available scopes."""
+        return [scope.value for scope in cls]
+    @classmethod
+    def read_scopes(cls) -> List[str]:
+        """Return scopes for read-only access."""
+        return [cls.READ.value, cls.DIAGNOSTICS.value]
+    @classmethod
+    def write_scopes(cls) -> List[str]:
+        """Return scopes for write access."""
+        return [cls.READ.value, cls.WRITE.value]
+    @classmethod
+    def admin_scopes(cls) -> List[str]:
+        """Return scopes for admin access."""
+        return cls.all_scopes()
+# Map tool names to required scopes
+# Tools not in this map require the default scope (mcp:tools)
+TOOL_SCOPES: Dict[str, Set[str]] = {
+    # Read-only tools - require mcp:read
+    "get_pods": {MCPScopes.READ.value},
+    "get_pod_details": {MCPScopes.READ.value},
+    "list_namespaces": {MCPScopes.READ.value},
+    "get_deployments": {MCPScopes.READ.value},
+    "get_services": {MCPScopes.READ.value},
+    "get_nodes": {MCPScopes.READ.value},
+    "get_events": {MCPScopes.READ.value},
+    "get_configmaps": {MCPScopes.READ.value},
+    "describe_resource": {MCPScopes.READ.value},
+    "get_cluster_info": {MCPScopes.READ.value},
+    "get_api_resources": {MCPScopes.READ.value},
+    "get_api_versions": {MCPScopes.READ.value},
+    "get_resource_usage": {MCPScopes.READ.value},
+    "get_pod_logs": {MCPScopes.READ.value},
+    # Write tools - require mcp:write
+    "create_namespace": {MCPScopes.WRITE.value},
+    "delete_namespace": {MCPScopes.WRITE.value, MCPScopes.ADMIN.value},
+    "scale_deployment": {MCPScopes.WRITE.value},
+    "restart_deployment": {MCPScopes.WRITE.value},
+    "delete_pod": {MCPScopes.WRITE.value},
+    "apply_manifest": {MCPScopes.WRITE.value},
+    "delete_resource": {MCPScopes.WRITE.value},
+    "patch_resource": {MCPScopes.WRITE.value},
+    "create_configmap": {MCPScopes.WRITE.value},
+    "update_configmap": {MCPScopes.WRITE.value},
+    "delete_configmap": {MCPScopes.WRITE.value},
+    "create_secret": {MCPScopes.WRITE.value, MCPScopes.ADMIN.value},
+    "delete_secret": {MCPScopes.WRITE.value, MCPScopes.ADMIN.value},
+    # Admin tools - require mcp:admin
+    "get_rbac_roles": {MCPScopes.ADMIN.value, MCPScopes.SECURITY.value},
+    "get_cluster_roles": {MCPScopes.ADMIN.value, MCPScopes.SECURITY.value},
+    "audit_rbac_permissions": {MCPScopes.ADMIN.value, MCPScopes.SECURITY.value},
+    "analyze_pod_security": {MCPScopes.ADMIN.value, MCPScopes.SECURITY.value},
+    "check_secrets_security": {MCPScopes.ADMIN.value, MCPScopes.SECURITY.value},
+    "get_pod_security_info": {MCPScopes.ADMIN.value, MCPScopes.SECURITY.value},
+    "cordon_node": {MCPScopes.ADMIN.value},
+    "uncordon_node": {MCPScopes.ADMIN.value},
+    "drain_node": {MCPScopes.ADMIN.value},
+    "taint_node": {MCPScopes.ADMIN.value},
+    # Helm tools - require mcp:helm
+    "helm_list_releases": {MCPScopes.HELM.value, MCPScopes.READ.value},
+    "helm_get_values": {MCPScopes.HELM.value, MCPScopes.READ.value},
+    "helm_get_manifest": {MCPScopes.HELM.value, MCPScopes.READ.value},
+    "helm_install": {MCPScopes.HELM.value, MCPScopes.WRITE.value},
+    "helm_upgrade": {MCPScopes.HELM.value, MCPScopes.WRITE.value},
+    "helm_uninstall": {MCPScopes.HELM.value, MCPScopes.WRITE.value},
+    "helm_rollback": {MCPScopes.HELM.value, MCPScopes.WRITE.value},
+    "helm_repo_add": {MCPScopes.HELM.value, MCPScopes.WRITE.value},
+    "helm_repo_list": {MCPScopes.HELM.value, MCPScopes.READ.value},
+    "helm_search": {MCPScopes.HELM.value, MCPScopes.READ.value},
+    # Diagnostic tools - require mcp:diagnostics
+    "run_pod_diagnostics": {MCPScopes.DIAGNOSTICS.value},
+    "check_pod_health": {MCPScopes.DIAGNOSTICS.value},
+    "analyze_crashloopbackoff": {MCPScopes.DIAGNOSTICS.value},
+    "diagnose_pending_pods": {MCPScopes.DIAGNOSTICS.value},
+    "check_resource_quotas": {MCPScopes.DIAGNOSTICS.value},
+    "analyze_network_policies": {MCPScopes.DIAGNOSTICS.value, MCPScopes.NETWORKING.value},
+    "get_cluster_health": {MCPScopes.DIAGNOSTICS.value},
+    # Networking tools - require mcp:networking
+    "get_network_policies": {MCPScopes.NETWORKING.value, MCPScopes.READ.value},
+    "get_ingresses": {MCPScopes.NETWORKING.value, MCPScopes.READ.value},
+    "test_service_connectivity": {MCPScopes.NETWORKING.value, MCPScopes.DIAGNOSTICS.value},
+    # Storage tools - require mcp:storage
+    "get_persistent_volumes": {MCPScopes.STORAGE.value, MCPScopes.READ.value},
+    "get_persistent_volume_claims": {MCPScopes.STORAGE.value, MCPScopes.READ.value},
+    "get_storage_classes": {MCPScopes.STORAGE.value, MCPScopes.READ.value},
+    "analyze_storage_usage": {MCPScopes.STORAGE.value, MCPScopes.DIAGNOSTICS.value},
+    # Cost tools - require mcp:cost
+    "estimate_workload_cost": {MCPScopes.COST.value},
+    "get_resource_recommendations": {MCPScopes.COST.value, MCPScopes.DIAGNOSTICS.value},
+    "analyze_resource_efficiency": {MCPScopes.COST.value, MCPScopes.DIAGNOSTICS.value},
+}
+def get_required_scopes(tool_name: str) -> Set[str]:
+    """Get required scopes for a tool."""
+    return TOOL_SCOPES.get(tool_name, {MCPScopes.TOOLS.value})
+def has_required_scopes(token_scopes: Set[str], tool_name: str) -> bool:
+    """Check if token has required scopes for a tool."""
+    required = get_required_scopes(tool_name)
+    # mcp:tools grants access to all tools
+    if MCPScopes.TOOLS.value in token_scopes:
+        return True
+    # mcp:admin grants access to all tools
+    if MCPScopes.ADMIN.value in token_scopes:
+        return True
+    # Check if token has at least one of the required scopes
+    return bool(token_scopes & required)

kubectl_mcp_tool/auth/verifier.py ADDED Viewed

@@ -0,0 +1,82 @@
+"""JWT token verification via JWKS endpoints from OIDC-compliant identity providers."""
+import logging
+from typing import Optional, Any
+from .config import AuthConfig
+logger = logging.getLogger("mcp-server.auth")
+def create_auth_verifier(config: AuthConfig) -> Optional[Any]:
+    """
+    Create an authentication verifier based on configuration.
+    Returns a FastMCP-compatible auth verifier or None if auth is disabled.
+    """
+    if not config.enabled:
+        logger.debug("Authentication disabled, no verifier created")
+        return None
+    if not config.validate():
+        raise ValueError("Invalid authentication configuration")
+    try:
+        from fastmcp.server.auth import JWTVerifier
+    except ImportError:
+        logger.warning(
+            "FastMCP auth module not available. "
+            "Authentication requires fastmcp>=3.0.0 with auth support."
+        )
+        return None
+    jwks_uri = config.effective_jwks_uri
+    if not jwks_uri:
+        raise ValueError("JWKS URI could not be determined from configuration")
+    logger.info(f"Creating JWT verifier with JWKS URI: {jwks_uri}")
+    logger.info(f"Expected audience: {config.audience}")
+    logger.info(f"Expected issuer: {config.issuer_url}")
+    verifier = JWTVerifier(
+        jwks_uri=jwks_uri,
+        issuer=config.issuer_url,
+        audience=config.audience,
+    )
+    return verifier
+def create_auth_settings(config: AuthConfig) -> Optional[Any]:
+    """
+    Create RFC 9728 Protected Resource Metadata settings.
+    This enables the /.well-known/oauth-protected-resource endpoint
+    that MCP clients use to discover authorization requirements.
+    """
+    if not config.enabled:
+        return None
+    if not config.resource_url:
+        logger.debug("No resource URL configured, skipping RFC 9728 metadata")
+        return None
+    try:
+        from pydantic import AnyHttpUrl
+        from mcp.server.auth.settings import AuthSettings
+    except ImportError:
+        logger.warning(
+            "MCP auth settings not available. "
+            "RFC 9728 metadata requires mcp>=1.8.0."
+        )
+        return None
+    logger.info(f"Creating RFC 9728 auth settings for resource: {config.resource_url}")
+    settings = AuthSettings(
+        issuer_url=AnyHttpUrl(config.issuer_url),
+        resource_server_url=AnyHttpUrl(config.resource_url),
+        required_scopes=config.required_scopes,
+    )
+    return settings

kubectl_mcp_tool/cli/__init__.py ADDED Viewed

@@ -0,0 +1,9 @@
+"""
+CLI package for kubectl-mcp-tool.
+Provides command-line interface for managing the MCP server.
+"""
+from .cli import main
+__all__ = ["main"]

kubectl_mcp_tool/cli/__main__.py ADDED Viewed

@@ -0,0 +1,10 @@
+#!/usr/bin/env python3
+"""
+Main entry point for the kubectl-mcp-tool CLI.
+Allows running as: python -m kubectl_mcp_tool.cli
+"""
+from .cli import main
+if __name__ == "__main__":
+    exit(main())

kubectl_mcp_tool/cli/cli.py ADDED Viewed

@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+"""CLI module for kubectl-mcp-tool."""
+import sys
+import os
+import logging
+import asyncio
+import argparse
+import traceback
+from ..mcp_server import MCPServer
+log_file = os.environ.get("MCP_LOG_FILE")
+log_level = logging.DEBUG if os.environ.get("MCP_DEBUG", "").lower() in ("1", "true") else logging.INFO
+handlers = []
+if log_file:
+    os.makedirs(os.path.dirname(log_file), exist_ok=True)
+    handlers.append(logging.FileHandler(log_file))
+handlers.append(logging.StreamHandler(sys.stderr))
+logging.basicConfig(
+    level=log_level,
+    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+    handlers=handlers
+)
+logger = logging.getLogger("kubectl-mcp-cli")
+async def serve_stdio():
+    """Serve the MCP server over stdio transport."""
+    server = MCPServer("kubernetes")
+    await server.serve_stdio()
+async def serve_sse(host: str, port: int):
+    """Serve the MCP server over SSE transport."""
+    server = MCPServer("kubernetes")
+    await server.serve_sse(host=host, port=port)
+async def serve_http(host: str, port: int):
+    """Serve the MCP server over HTTP transport."""
+    server = MCPServer("kubernetes")
+    await server.serve_http(host=host, port=port)
+def main():
+    """Main entry point for the CLI."""
+    parser = argparse.ArgumentParser(
+        description="kubectl-mcp-tool - MCP server for Kubernetes",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  kubectl-mcp serve                          # stdio transport (Claude Desktop/Cursor)
+  kubectl-mcp serve --transport sse          # SSE transport
+  kubectl-mcp serve --transport http         # HTTP transport
+  kubectl-mcp diagnostics                    # Run cluster diagnostics
+        """
+    )
+    subparsers = parser.add_subparsers(dest="command", help="Command to run")
+    serve_parser = subparsers.add_parser("serve", help="Start the MCP server")
+    serve_parser.add_argument(
+        "--transport",
+        choices=["stdio", "sse", "http", "streamable-http"],
+        default="stdio",
+        help="Transport to use (default: stdio)"
+    )
+    serve_parser.add_argument("--host", type=str, default="0.0.0.0", help="Host for SSE/HTTP (default: 0.0.0.0)")
+    serve_parser.add_argument("--port", type=int, default=8000, help="Port for SSE/HTTP (default: 8000)")
+    serve_parser.add_argument("--debug", action="store_true", help="Enable debug logging")
+    subparsers.add_parser("version", help="Show version")
+    subparsers.add_parser("diagnostics", help="Run cluster diagnostics")
+    args = parser.parse_args()
+    if hasattr(args, 'debug') and args.debug:
+        logging.getLogger().setLevel(logging.DEBUG)
+        os.environ["MCP_DEBUG"] = "1"
+    try:
+        if args.command == "serve":
+            if args.transport == "stdio":
+                asyncio.run(serve_stdio())
+            elif args.transport == "sse":
+                asyncio.run(serve_sse(args.host, args.port))
+            elif args.transport in ("http", "streamable-http"):
+                asyncio.run(serve_http(args.host, args.port))
+        elif args.command == "version":
+            from .. import __version__
+            print(f"kubectl-mcp-tool version {__version__}")
+        elif args.command == "diagnostics":
+            from ..diagnostics import run_diagnostics
+            import json
+            results = run_diagnostics()
+            print(json.dumps(results, indent=2))
+        else:
+            parser.print_help()
+    except KeyboardInterrupt:
+        pass
+    except Exception as e:
+        logger.error(f"Error: {e}")
+        if hasattr(args, 'debug') and args.debug:
+            logger.error(traceback.format_exc())
+        return 1
+    return 0
+if __name__ == "__main__":
+    sys.exit(main())