{"id":"reza-gholizade-k8s-mcp-server","name":"k8s-mcp-server","homepage":null,"repo_url":"https://github.com/reza-gholizade/k8s-mcp-server","category":"infrastructure","subcategories":[],"tags":["kubernetes","mcp","ai-agents","observability","helm","devtools","go","cloud-infrastructure"],"what_it_does":"Provides an MCP (Model Context Protocol) server exposing Kubernetes cluster interactions (discovery/listing/details/describe, logs, node/pod metrics, events, and resource create/update/delete), with optional Helm-related tooling and a read-only mode. Can run over stdio, SSE, or streamable-http transports.","use_cases":["Agent-assisted Kubernetes operations (read-only browsing, investigation, resource discovery)","Automating Kubernetes workflows such as creating/updating/deleting resources from YAML/JSON manifests","Observability via pod/node metrics and pod logs retrieved by an agent","Integrating Kubernetes tooling into an MCP-compatible assistant or web app"],"not_for":["Highly sensitive production clusters without tight network/RBAC controls (it can modify resources)","Environments requiring strict, fine-grained authorization per tool-call beyond Kubernetes RBAC","Use as a public unauthenticated endpoint on the internet (no external auth described)"],"best_when":"You have an MCP-capable agent and want a standardized, tool-based interface to Kubernetes (especially for listing/inspecting and read-only exploration, optionally with controlled write access).","avoid_when":"When you cannot enforce strong Kubernetes RBAC, network isolation, and (if applicable) transport-level access controls for the MCP server endpoint.","alternatives":["k8s API directly via client libraries (kubectl/client-go)","kubectl/Helm CLIs orchestrated by an agent","Other MCP Kubernetes tools (if available)","Workflow automation tools (e.g., Argo CD, GitOps pipelines) for write operations"],"af_score":56.5,"security_score":46.8,"reliability_score":31.2,"package_type":"mcp_server","discovery_source":["github"],"priority":"high","status":"evaluated","version_evaluated":null,"last_evaluated":"2026-03-30T13:41:24.348611+00:00","interface":{"has_rest_api":false,"has_graphql":false,"has_grpc":false,"has_mcp_server":true,"mcp_server_url":"http://localhost:8080/mcp (streamable-http) / http://localhost:8080/ for MCP JSON-RPC calls (per README examples)","has_sdk":false,"sdk_languages":[],"openapi_spec_url":null,"webhooks":false},"auth":{"methods":["KUBECONFIG_DATA (kubeconfig content via env)","KUBERNETES_SERVER + KUBERNETES_TOKEN (bearer token) with optional CA/TLS settings","In-cluster service account token from /var/run/secrets/kubernetes.io/serviceaccount/token","Kubeconfig file via KUBECONFIG or default ~/.kube/config"],"oauth":false,"scopes":false,"notes":"Authentication to Kubernetes is done via kubeconfig/token/service account. The README does not describe any separate auth for protecting access to the MCP server itself."},"pricing":{"model":null,"free_tier_exists":false,"free_tier_limits":null,"paid_tiers":[],"requires_credit_card":false,"estimated_workload_costs":null,"notes":"A hosted deployment is mentioned on a third-party site, but no pricing details are provided in the README excerpt."},"requirements":{"requires_signup":false,"requires_credit_card":false,"domain_verification":false,"data_residency":[],"compliance":[],"min_contract":null},"agent_readiness":{"af_score":56.5,"security_score":46.8,"reliability_score":31.2,"mcp_server_quality":85.0,"documentation_accuracy":70.0,"error_message_quality":0.0,"error_message_notes":null,"auth_complexity":75.0,"rate_limit_clarity":5.0,"tls_enforcement":25.0,"auth_strength":55.0,"scope_granularity":40.0,"dependency_hygiene":40.0,"secret_handling":70.0,"security_notes":"Runs as non-root in Docker containers per README. It supports Kubernetes auth via kubeconfig content, bearer token, or in-cluster service account, and offers --read-only plus tool category disabling to reduce risk. However, TLS/enforcement for the MCP HTTP/SSE endpoints is not clearly documented, and there is no described authentication/authorization protecting access to the MCP server itself; access control relies primarily on Kubernetes RBAC and how you expose the service.","uptime_documented":0.0,"version_stability":55.0,"breaking_changes_history":40.0,"error_recovery":30.0,"idempotency_support":"false","idempotency_notes":null,"pagination_style":"none","retry_guidance_documented":false,"known_agent_gotchas":["Write-capable tools exist (resource create/update/delete and Helm install/upgrade/uninstall/rollback) unless mitigated via --read-only or tool disabling flags.","When using --no-k8s and --no-helm together, the server will exit with an error (must enable at least one tool category).","Authentication is to Kubernetes only; agents must ensure the MCP server endpoint is not exposed without appropriate access controls."]}}