Kubernetes MCP Server
Community MCP server for Kubernetes cluster management via kubectl and Helm, with read-only and non-destructive mode support
Server Info
- Package: mcp-server-kubernetes
- Registry: npm
- Repository: Flux159/mcp-server-kubernetes
- Maintainer: Community
- Category: Cloud & Infrastructure
- Tags: containers, devops, k8s
- Last Scanned: 7 Apr 2026
Findings
7 issues
Authentication & Identity
MEDIUM: HTTP/SSE transport supports per-request credentials
Supports three transports: stdio (default), SSE (via ENABLE_UNSAFE_SSE_TRANSPORT), and StreamableHTTP (via ENABLE_UNSAFE_STREAMABLE_HTTP_TRANSPORT). The 'UNSAFE' prefix on HTTP transports acknowledges they lack authentication. Kubeconfig loaded from KUBECONFIG_YAML env var, KUBECONFIG path, or ~/.kube/config. No MCP OAuth.
Implement the MCP OAuth spec so users authenticate directly without platform mediation.
Tool Schema Quality
HIGH: Required fields missing on 4 write operations
Write tools without required field declarations: cleanup, kubectl_apply, kubectl_delete, kubectl_create.
Add required arrays to all write/delete tool schemas.
MEDIUM: Only 5 of 23 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
CRITICAL: Dangerous execution surface: kubectl_generic
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
CRITICAL: Dangerous execution surface: exec_in_pod
Tool allows raw code/query execution which could be exploited via prompt injection.
Use parameterized queries or validated command sets.
Permission Granularity
MEDIUM: 1 tool combines read and write operations
Strong permission model with three filtering modes: ALLOW_ONLY_READONLY_TOOLS (8 read tools only), ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS (excludes delete, uninstall, cleanup, generic, node management), and ALLOWED_TOOLS (explicit whitelist). Destructive tools are explicitly categorized in the destructiveTools array. kubectl_generic is correctly classified as destructive. Annotations properly mark destructiveHint on write/admin tools.
Split into separate read and write tools.
Maintenance & Trust
LOW: Community-maintained by Flux159
No official vendor backing.
Seek vendor verification.
Tools
23 total

| Name | Description | Risk |
|---|---|---|
| cleanup | Clean up tracked Kubernetes resources | admin |
| kubectl_get | Get or list Kubernetes resources by resource type, name, and optionally namespace | read |
| kubectl_describe | Describe a Kubernetes resource in detail | read |
| kubectl_apply | Apply a Kubernetes YAML manifest from a string or file | write |
| kubectl_delete | Delete Kubernetes resources by resource type, name, labels, or from a manifest file | admin |
| kubectl_create | Create Kubernetes resources from a YAML manifest | write |
| kubectl_logs | Get logs from a Kubernetes resource | read |
| kubectl_scale | Scale a Kubernetes resource to a specified number of replicas | write |
| kubectl_patch | Patch a Kubernetes resource | write |
| kubectl_rollout | Manage rollouts for Kubernetes deployments, daemonsets, and statefulsets | write |
| kubectl_context | List, get, or set kubectl contexts | read |
| kubectl_reconnect | Reconnect to the Kubernetes cluster by reloading kubeconfig | read |
| explain_resource | Explain a Kubernetes resource type and its fields | read |
| install_helm_chart | Install a Helm chart with support for both standard and template-based installation | write |
| upgrade_helm_chart | Upgrade an existing Helm chart release | write |
| uninstall_helm_chart | Uninstall a Helm chart release | admin |
| node_management | Manage Kubernetes nodes (cordon, drain, uncordon) | admin |
| port_forward | Start port forwarding to a Kubernetes resource | read |
| stop_port_forward | Stop an active port forward session | read |
| exec_in_pod | Execute a command in a Kubernetes pod or container and return the output. Command must be an array of strings where the first element is the executable and remaining elements are arguments. This executes directly without shell interpretation for security. | admin |
| list_api_resources | List available API resources in the Kubernetes cluster | read |
| kubectl_generic | Execute any kubectl command with the provided arguments and flags | admin |
| ping | Ping the MCP server to check connectivity | read |