
Security: apecloud/mcp-k8s


docs/security.md

Security Configuration

K8s MCP Server includes several safety features and security configurations to ensure safe operation when interacting with Kubernetes clusters.

Security Modes

K8s MCP Server supports two security modes:

  • Strict Mode (default): All commands are validated against security rules
  • Permissive Mode: Security validation is skipped, allowing all commands to execute

Setting Security Mode

To run in permissive mode (allow all commands):

{
  "mcpServers": {
    "k8s-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-v",
        "/Users/YOUR_USER_NAME/.kube:/home/appuser/.kube:ro",
        "-e",
        "K8S_MCP_SECURITY_MODE=permissive",
        "ghcr.io/alexei-led/k8s-mcp-server:latest"
      ]
    }
  }
}

Security Features

  • Isolation: When running in Docker, the server operates in an isolated container environment
  • Read-only access: All credentials and configuration files are mounted as read-only
  • Non-root execution: All processes run as a non-root user inside the container
  • Command validation: Potentially dangerous commands require explicit resource names
  • Context separation: Automatic context and namespace injection for commands

Customizing Security Rules

Security rules can be customized using a YAML configuration file. This allows for more flexibility than the built-in rules.

  1. Create a Security Configuration File: Create a YAML file with your custom rules (e.g., security_config.yaml):

    # Security configuration for k8s-mcp-server
    
    # Potentially dangerous command patterns (prefix-based)
    dangerous_commands:
      kubectl:
        - "kubectl delete"
        - "kubectl drain"
        # Add your custom dangerous commands here
    
    # Safe pattern overrides (prefix-based)
    safe_patterns:
      kubectl:
        - "kubectl delete pod"
        - "kubectl delete deployment"
        # Add your custom safe patterns here
    
    # Advanced regex pattern rules
    regex_rules:
      kubectl:
        - pattern: "kubectl\\s+delete\\s+(-[A-Za-z]+\\s+)*--all\\b"
          description: "Deleting all resources of a type"
          error_message: "Deleting all resources is restricted. Specify individual resources to delete."
        # Add your custom regex rules here

  2. Mount the Configuration File in Docker:

    {
      "mcpServers": {
        "k8s-mcp-server": {
          "command": "docker",
          "args": [
            "run",
            "-i",
            "--rm",
            "-v",
            "/Users/YOUR_USER_NAME/.kube:/home/appuser/.kube:ro",
            "-v",
            "/path/to/security_config.yaml:/app/security_config.yaml:ro",
            "-e",
            "K8S_MCP_SECURITY_CONFIG=/app/security_config.yaml",
            "ghcr.io/alexei-led/k8s-mcp-server:latest"
          ]
        }
      }
    }

Configuration Structure

The security configuration YAML file has three main sections:

  1. dangerous_commands: Dictionary of command prefixes that are considered dangerous for each tool
  2. safe_patterns: Dictionary of command prefixes that override dangerous commands (exceptions)
  3. regex_rules: Advanced regex patterns for more complex validation rules

Each regex rule should include:

  • pattern: Regular expression pattern to match against commands
  • description: Description of what the rule checks for
  • error_message: Custom error message to display when the rule is violated

Examples

Example 1: Restricting Namespace Operations

regex_rules:
  kubectl:
    - pattern: "kubectl\\s+.*\\s+--namespace=kube-system\\b"
      description: "Operations in kube-system namespace"
      error_message: "Operations in kube-system namespace are restricted."

Example 2: Allowing Additional Safe Patterns

safe_patterns:
  kubectl:
    - "kubectl delete pod"
    - "kubectl delete job"
    - "kubectl delete cronjob"

Example 3: Restricting Dangerous File System Access

regex_rules:
  kubectl:
    - pattern: "kubectl\\s+exec\\s+.*\\s+-[^-]*c\\s+.*(rm|mv|cp|curl|wget|chmod)\\b"
      description: "Dangerous file operations in exec"
      error_message: "File system operations within kubectl exec are restricted."
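To see how the three sections interact before shipping a custom rule file, here is a small validator added as an example (it is not the project's own validation code). It builds a rule set from the examples above (the `--all` regex and the kube-system regex, plus the prefix lists); the evaluation order (regex rules first, then dangerous prefixes with safe-pattern exceptions) and the whitespace normalisation are assumptions of this example, and `check_examples` runs a few constructed commands through it.

```python
import re

# Constructed rule set mirroring this page's YAML examples (regex values are the YAML strings after unescaping).
RULES = {
    "dangerous_commands": {"kubectl": ["kubectl delete", "kubectl drain"]},
    "safe_patterns": {"kubectl": ["kubectl delete pod", "kubectl delete deployment"]},
    "regex_rules": {
        "kubectl": [
            {"pattern": r"kubectl\s+delete\s+(-[A-Za-z]+\s+)*--all\b",
             "description": "Deleting all resources of a type",
             "error_message": "Deleting all resources is restricted. Specify individual resources to delete."},
            {"pattern": r"kubectl\s+.*\s+--namespace=kube-system\b",
             "description": "Operations in kube-system namespace",
             "error_message": "Operations in kube-system namespace are restricted."},
        ]
    },
}


def validate_command(tool: str, command: str, rules: dict = RULES) -> tuple[bool, str]:
    """Return (allowed, reason). Evaluation order is an assumption of this example:
    regex rules first (a safe pattern cannot override them), then dangerous
    prefixes, which a matching safe prefix turns back into an allow."""
    cmd = " ".join(command.split())  # collapse whitespace so prefixes compare cleanly
    for rule in rules["regex_rules"].get(tool, []):
        if re.search(rule["pattern"], cmd):
            return False, rule["error_message"]
    for dangerous in rules["dangerous_commands"].get(tool, []):
        if cmd.startswith(dangerous):
            # Prefix semantics cut both ways: "kubectl delete pod" also matches
            # "kubectl delete podsecuritypolicy ...", so keep safe patterns narrow.
            if any(cmd.startswith(safe) for safe in rules["safe_patterns"].get(tool, [])):
                return True, ""
            return False, f"Command matches restricted prefix '{dangerous}'"
    return True, ""


def check_examples() -> dict[str, bool]:
    """Run constructed commands through the rules and report which are allowed."""
    samples = [
        "kubectl get pods -n default",
        "kubectl delete pod nginx",
        "kubectl drain node-1",
        "kubectl delete --all",
        "kubectl get pods --namespace=kube-system",
        # Allowed under these example rules: the safe prefix wins, and the --all regex
        # only fires when nothing but short flags sits between "delete" and "--all".
        "kubectl delete pods --all",
    ]
    return {c: validate_command("kubectl", c)[0] for c in samples}
```

The last sample shows why rule files deserve a test run: if bulk deletion of pods should be blocked, the `--all` regex needs to tolerate a resource type between `delete` and `--all`.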
