Have a way to limit subcommands of a tool #194

@jvitor03

This is a follow-up from #183 (comment)

Context

PR #193 enables the parameter "context" to be used for stateless multi-cluster usage, which is useful in a scenario where multiple users access the same MCP server. However, with the tool kubectl_context enabled, an LLM can use the subcommand "set" instead of using the parameter "context" directly in the tools, which would make it use the stateful approach again (and possibly affect other users where the LLM chose to set a context too).

Disabling kubectl_context using the ALLOWED_TOOLS env var is also not optimal, because the tool is still useful for the LLM to list all available clusters in the KUBECONFIG, mainly when the name of the cluster is not used correctly in the prompt.

Issue

Have a way to be able to disable just the subcommand "set" of the kubectl_context tool, while retaining the "get" and "list" subcommands.

As discussed in the other issue, it would be useful to have this feature in a generic way, instead of an env var dedicated to just one tool,
e.g. ALLOWED_TOOLS="kubectl_context:get, kubectl_context:list" or an ALLOWED_SUBCOMMANDS env var.

Example

Below is a practical example based on a fork of an agent using the MCP with kubectl_context disabled vs. enabled only for get and list:


Objective: list pods of the namespace XXXX in the cluster cluster-2.example.com (cluster name was changed, but is actually bigger than this one)

Prompt: Check all pods of the namespace 'XXXX' in the cluster 'cluster-2'

Agent using the MCP without the context tool (ALLOWED_TOOLS):

I need to check all pods in the 'XXXX' namespace using the 'cluster-2' cluster context. I'll use the kubectl_get tool to list all pods in that specific namespace and context.

... (tries to use kubectl_get with context and gets an error, then proceeds to wrongly use kubectl_get without context to get all contexts)

Action: kubectl_get
Action Input: {"resourceType": "pods", "namespace": "troubleshooter", "context": "cluster-2"}

Final Answer: I attempted to check all pods in the `XXXX` namespace using the `cluster-2` cluster context, but encountered the following issues:

**❌ Context Error**: The context `cluster-2` does not exist in the current kubeconfig. The error message was:
error: context "cluster-2" does not exist

Agent using the MCP with the modified kubectl_context tool (list, get only):

I need to check all pods in the 'XXXX' namespace in the 'cluster-2' cluster. I'll use the kubectl_get tool to list all pods in that specific namespace and context.

... (tries to use kubectl_get and gets the same error as above)

thought: The context "cluster-2" doesn't exist. Let me first check what contexts are available in the cluster to see the correct context name.

Action: kubectl_context
Action Input: {"operation": "list", "showCurrent": true}

I can see the available contexts. The correct context name for the cluster-2 cluster is `cluster-2.example.com`. Now let me check all pods in the 'XXXX' namespace using this correct context.

... (successfully uses the kubectl_get tool)

Action: kubectl_get
Action Input: {"resourceType": "pods", "namespace": "XXXX", "context": "cluster-2.example.com"}

I now know the final answer

Final Answer: I successfully checked all pods in the `XXXX` namespace in the cluster-2 cluster. Here are the results:
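
One way the `tool:subcommand` syntax suggested in the issue could be parsed and enforced, as an added sketch that is not code from the project or from the issue author. `parseAllowedTools` and `isCallAllowed` are hypothetical names, and the check assumes the subcommand arrives in the `operation` argument, as in the `kubectl_context` call in the transcript.

```typescript
// Added illustration, not project code. Policy maps a tool name to "*"
// (every operation) or to the set of operations that may be called.
type Policy = Map<string, "*" | Set<string>>;

// Parses the syntax proposed in the issue, for example
// "kubectl_get, kubectl_context:get, kubectl_context:list".
function parseAllowedTools(spec: string): Policy {
  const policy: Policy = new Map();
  for (const raw of spec.split(",")) {
    const entry = raw.trim();
    if (entry === "") continue; // tolerate trailing commas
    const idx = entry.indexOf(":");
    const tool = (idx === -1 ? entry : entry.slice(0, idx)).trim();
    const op = idx === -1 ? "" : entry.slice(idx + 1).trim();
    // Reject "tool:" and ":op" instead of silently widening the policy.
    if (tool === "" || (idx !== -1 && op === "")) {
      throw new Error(`invalid allow-list entry: "${entry}"`);
    }
    const current = policy.get(tool);
    if (idx === -1) {
      policy.set(tool, "*"); // bare tool name: all operations
    } else if (current instanceof Set) {
      current.add(op);
    } else if (current === undefined) {
      policy.set(tool, new Set([op]));
    } // current === "*": already fully allowed, nothing to narrow
  }
  return policy;
}

// Deny by default. Assumes the subcommand is carried in the "operation"
// argument, as in the kubectl_context call in the transcript above.
function isCallAllowed(
  policy: Policy,
  tool: string,
  args: Record<string, unknown>,
): boolean {
  const allowed = policy.get(tool);
  if (allowed === undefined) return false; // tool not listed at all
  if (allowed === "*") return true;
  const op = args["operation"];
  // A restricted tool called without a listed operation is refused, so a
  // tool-side default operation cannot bypass the list.
  return typeof op === "string" && allowed.has(op);
}
```

With the list `kubectl_get, kubectl_context:get, kubectl_context:list`, the `list` call from the transcript passes while a `set` call on the same tool is refused before it can change shared state.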
