github · mcp-server-kubernetes74cd11ce859d

Evidence

return JSON.stringify(masked, null, 2);

    } else if (format === "yaml") {

      // Parse YAML to JSON, mask, then convert back to YAML

      const parsed = yaml.load(output);

      const masked = maskDataValues(parsed);

      return yaml.dump(masked, {

        indent: 2,

Remediation

Replace pickle with json/msgpack or a schema-validated format (protobuf, cap'n proto). Use yaml.safe_load instead of yaml.load. Never deserialize data from an untrusted source with these APIs.

Evidence

#    - DNS service labels

# 4. TESTING: Test connectivity after applying:

#    kubectl exec -it deployment/mcp-server -- nslookup kubernetes.default

#    kubectl exec -it deployment/mcp-server -- curl -k https://kubernetes.default/api

# 5. MONITORING: Monitor NetworkPolicy denials:

#    kubectl logs -n kube-system -l app=calico-node | grep denied

Remediation

Drop the verify-disable flag. If the peer presents a private CA: - Python: pass `verify="/path/to/ca.pem"` or trust the system store - Node: `new https.Agent({ ca: fs.readFileSync("ca.pem") })` - Go: load the CA via `x509.NewCertPool().AppendCertsFromPEM(...)` and set `tls.Config.RootCAs` Self-signed certificates: import the cert into the OS trust chain rather than disabling verification per-call.

Evidence

await server.connect(transport);

      await transport.handleRequest(req, res, req.body);

    } catch (error) {

      console.error("Error handling MCP request:", error);

      if (!res.headersSent) {

        res.status(500).json({

          jsonrpc: "2.0",

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

// Session termination not needed in stateless mode

  app.delete("/mcp", authMiddleware, async (req: express.Request, res: express.Response) => {

    console.log("Received DELETE MCP request");

    res.writeHead(405).end(

      JSON.stringify({

        jsonrpc: "2.0",

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

// SSE notifications not supported in stateless mode

  app.get("/mcp", authMiddleware, async (req: express.Request, res: express.Response) => {

    console.log("Received GET MCP request");

    res.writeHead(405).end(

      JSON.stringify({

        jsonrpc: "2.0",

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Remediation

Typosquat: verify you meant the popular package. If so, correct the spelling; if you truly intended the less-common name, suppress with an inline waiver. Stale release: check whether the package has a maintained fork or successor. If no patched release exists, vendor the code or migrate to an active alternative before the unmaintained code accrues unfixed CVEs.

Evidence

#   "Version": "2012-10-17",

#   "Statement": [

#     {

#       "Effect": "Allow",

#       "Action": [

#         "eks:DescribeCluster",

#         "eks:ListClusters",

#         "sts:AssumeRole"

#       ],

#       "Resource": "*"

#     },

#     {

#       "Effect": "Allow",

Remediation

File modes: use 0600 for secrets, 0644 for read-only data, 0755 for directories. IAM: scope Action to the specific service+verb (s3:GetObject) and Resource to exact ARNs. Never use * for both.

Evidence

"custom": {

          "type": "object",

          "properties": {

            "command": {"type": "string"},

            "args": {"type": "array", "items": {"type": "string"}}

          }

        },

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"items": {

                      "type": "object",

                      "properties": {

                        "path": {"type": "string"},

                        "pathType": {"type": "string", "enum": ["Exact", "Prefix", "ImplementationSpecific"]}

                      }

                    }

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"type": "object",

                "properties": {

                  "name": {"type": "string"},

                  "url": {"type": "string", "format": "uri"},

                  "extraArgs": {"type": "array", "items": {"type": "string"}}

                },

                "required": ["name", "url"]

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"volume": {

          "type": "object",

          "properties": {

            "path": {"type": "string"},

            "volumeSpec": {"type": "object"},

            "volumeMountSpec": {"type": "object"}

          },

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

{

  "manifest_version": "0.1",

  "name": "mcp-server-kubernetes",

  "display_name": "Kubernetes MCP Server",

  "version": "3.5.1",

  "description": "MCP server for interacting with Kubernetes clusters via kubectl",

  "long_description": "MCP Server that can connect to a Kubernetes cluster and manage it.\n\nBy default, the server loads kubeconfig from `~/.kube/config`.\n\nThe server will automatically connect to your current kubectl context. Make sure you have:\n\n1. kubectl installed and in your

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

# Observability with OpenTelemetry

The Kubernetes MCP Server includes optional OpenTelemetry integration for distributed tracing, enabling comprehensive observability of tool executions, performance monitoring, and error tracking.

> **Current Release**: Distributed Tracing ✅

> **Coming Soon**: Metrics and Logs

## Table of Contents

- [Overview](#overview)

- [Quick Start](#quick-start)

- [Configuration](#configuration)

- [Deployment Examples](#deployment-examples)

- [Captured Telemetry](#captu

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

{

  "name": "mcp-server-kubernetes",

  "version": "3.5.1",

  "mcpServers": {

    "kubernetes": {

      "command": "npx",

      "args": [

        "mcp-server-kubernetes"

      ]

    }

  }

}

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

# MCP Server Kubernetes

[![CI](https://github.com/Flux159/mcp-server-kubernetes/actions/workflows/ci.yml/badge.svg)](https://github.com/yourusername/mcp-server-kubernetes/actions/workflows/ci.yml)

[![Language](https://img.shields.io/github/languages/top/Flux159/mcp-server-kubernetes)](https://github.com/yourusername/mcp-server-kubernetes)

[![Bun](https://img.shields.io/badge/runtime-bun-orange)](https://bun.sh)

[![Kubernetes](https://img.shields.io/badge/kubernetes-%23326ce5.svg?style=flat&logo

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

import { Server } from "@modelcontextprotocol/sdk/server/index.js";

import express from "express";

import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";

import { createAuthMiddleware, isAuthEnabled } from "./auth.js";

export function startSSEServer(server: Server) {

  const app = express();

  // Create auth middleware - when MCP_AUTH_TOKEN is set, requires X-MCP-AUTH header

  const authMiddleware = createAuthMiddleware();

  // Currently just copying from docs & allowin

Remediation

Apply CSRF middleware at the route or router level: - Express: `app.use(csurf())` / `csrf-csrf` package - FastAPI: `fastapi-csrf-protect` with `Depends(...)` - Flask: `CSRFProtect(app)` from `flask_wtf.csrf` Or move to bearer-token auth and set `SameSite=Strict` / `SameSite=Lax` on any session cookies. Document the choice in the project README so reviewers can confirm intent.

Evidence

import express from "express";

import { Server } from "@modelcontextprotocol/sdk/server/index.js";

import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";

import http from "http";

import { createAuthMiddleware, isAuthEnabled } from "./auth.js";

export function startStreamableHTTPServer(server: Server): http.Server {

  const app = express();

  app.use(express.json());

  // Create auth middleware - when MCP_AUTH_TOKEN is set, requires X-MCP-AUTH header

Remediation

Apply CSRF middleware at the route or router level: - Express: `app.use(csurf())` / `csrf-csrf` package - FastAPI: `fastapi-csrf-protect` with `Depends(...)` - Flask: `CSRFProtect(app)` from `flask_wtf.csrf` Or move to bearer-token auth and set `SameSite=Strict` / `SameSite=Lax` on any session cookies. Document the choice in the project README so reviewers can confirm intent.

Evidence

run: bun install

      - name: Set up Helm

        uses: azure/setup-helm@v4.3.0

      - name: Login to GitHub Container Registry

        uses: docker/login-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

run: bun run build

      - name: Setup Node.js for NPM publish

        uses: actions/setup-node@v4

        with:

          node-version: "20"

          registry-url: "https://registry.npmjs.org"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

gh release upload v${{ steps.version.outputs.current-version }} mcp-server-kubernetes.zip --clobber

      - name: Set up QEMU

        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx

        uses: docker/setup-buildx-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - uses: actions/checkout@v4

      - uses: oven-sh/setup-bun@v2

        with:

          bun-version: latest

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx

        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub

        uses: docker/login-action@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

password: ${{ secrets.DOCKER_HUB_TOKEN }}

      - name: Build and push Docker image

        uses: docker/build-push-action@v5

        with:

          context: .

          platforms: linux/amd64,linux/arm64

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

deploy:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

        with:

          fetch-depth: 0

          token: ${{ secrets.GITHUB_TOKEN }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

sed -i 's|http://localhost:8080|https://192.168.49.2:8443|g' ~/.kube/config

      - name: Update version number

        uses: reecetech/version-increment@2024.10.1

        id: version

        with:

          scheme: semver

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

fetch-depth: 0

          token: ${{ secrets.GITHUB_TOKEN }}

      - uses: oven-sh/setup-bun@v2

        with:

          bun-version: latest

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub

        uses: docker/login-action@v3

        with:

          username: ${{ secrets.DOCKER_HUB_USERNAME }}

          password: ${{ secrets.DOCKER_HUB_TOKEN }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

bun run test --reporter default --reporter junit --outputFile junit-results.xml

      - name: Test Report

        uses: dorny/test-reporter@v2

        if: always()

        with:

          name: Bun Tests # Name of the check run which will be created

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

test:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - uses: oven-sh/setup-bun@v2

        with:

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: azure/setup-helm@v4.3.0

      - name: Login to GitHub Container Registry

        uses: docker/login-action@v3

        with:

          registry: ghcr.io

          username: ${{ github.actor }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

import * as fs from "fs";

import * as os from "os";

import * as path from "path";

import * as k8s from "@kubernetes/client-node";

import { ResourceTracker, PortForwardTracker, WatchTracker } from "../types.js";

export class KubernetesManager {

  private resources: ResourceTracker[] = [];

  private portForwards: PortForwardTracker[] = [];

  private watches: WatchTracker[] = [];

  private kc: k8s.KubeConfig;

  private k8sApi: k8s.CoreV1Api;

  private k8sAppsApi: k8s.AppsV1Api;

  private k8sBatc

Remediation

Replace check-then-use with action-then-handle: Python: `try: with open(p) as f: ... except FileNotFoundError: ...` Node: `try { fs.readFileSync(p); } catch (e) { if (e.code === "ENOENT") ... }` For atomic file creation: Python: `os.open(p, os.O_RDWR | os.O_CREAT | os.O_EXCL)` Node: `fs.open(p, "wx")` — fails if file exists, no race. When you genuinely must check first, use `flock` (Python `fcntl`) or a similar per-process advisory lock to make the window uninteresting to a

Evidence

#!/usr/bin/env node

import { readFileSync, writeFileSync, existsSync } from 'fs';

import { join } from 'path';

const version = process.argv[2];

if (!version) {

  console.error('Usage: node scripts/update-version.js <version>');

  console.error('Example: node scripts/update-version.js 2.6.0');

  process.exit(1);

}

// Validate version format (basic semver check)

if (!/^\d+\.\d+\.\d+(-[\w\.-]+)?$/.test(version)) {

  console.error(`Invalid version format: ${version}`);

  console.error('Expected f

Remediation

Replace check-then-use with action-then-handle: Python: `try: with open(p) as f: ... except FileNotFoundError: ...` Node: `try { fs.readFileSync(p); } catch (e) { if (e.code === "ENOENT") ... }` For atomic file creation: Python: `os.open(p, os.O_RDWR | os.O_CREAT | os.O_EXCL)` Node: `fs.open(p, "wx")` — fails if file exists, no race. When you genuinely must check first, use `flock` (Python `fcntl`) or a similar per-process advisory lock to make the window uninteresting to a