This example demonstrates deploying the kubernetes-mcp-server using the MCP Lifecycle Operator.
- Kubernetes cluster
- MCP Lifecycle Operator installed (
make install) - Controller running (
make run)
Deploy the kubernetes-mcp-server with default configuration:
kubectl apply -f mcpserver.yamlThis creates:
- Deployment running the MCP server
- Service exposing port 8080
Check status:
kubectl get mcpserver kubernetes-mcp-serverDeploy with custom TOML configuration:
kubectl apply -f mcpserver-with-config.yamlThis example shows how to:
- Create a ConfigMap with
config.toml - Mount the ConfigMap via
spec.config.storagearray - Specify the mount path and ConfigMap details
- Pass the config path via
spec.config.arguments
The ConfigMap is mounted as a read-only volume (readOnly defaults to true).
The kubernetes-mcp-server needs RBAC permissions to access Kubernetes resources like pods, namespaces, and events.
Deploy with a ServiceAccount and proper RBAC:
kubectl apply -f mcpserver-with-rbac.yamlThis creates:
- ServiceAccount (
mcp-viewer) - Identity for the MCP server pods - ClusterRoleBinding - Binds the ServiceAccount to the built-in
viewClusterRole - ConfigMap - Optional configuration
- MCPServer - References the ServiceAccount via
serviceAccountName
The kubernetes-mcp-server provides tools that interact with the Kubernetes API:
namespaces_list- List all namespacesevents_list- List cluster eventspods_list- List pods across namespacesresources_get- Get specific resources- And many more read-only operations
Without proper RBAC, these tools will fail with permission errors.
The view ClusterRole provides read-only access to most resources:
- Pods, Services, ConfigMaps, Secrets (metadata only)
- Deployments, ReplicaSets, StatefulSets
- Events, Namespaces
- And more
This is perfect for read-only MCP server operations.
For tighter control, create a custom ClusterRole with specific permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: mcp-custom-viewer
rules:
- apiGroups: [""]
resources: ["pods", "namespaces", "events"]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]Then create a ClusterRoleBinding and update the MCPServer to use your ServiceAccount:
spec:
runtime:
security:
serviceAccountName: my-custom-saPort-forward to the service:
kubectl port-forward svc/kubernetes-mcp-server 8080:8080Test the health endpoint:
curl http://localhost:8080/healthzVerify the ServiceAccount is being used:
kubectl get pod -l mcp-server=kubernetes-mcp-server -o jsonpath='{.items[0].spec.serviceAccountName}'
# Should output: mcp-viewer# Basic deployment
kubectl delete -f mcpserver.yaml
# With ConfigMap
kubectl delete -f mcpserver-with-config.yaml
# With RBAC (also deletes ServiceAccount and ClusterRoleBinding)
kubectl delete -f mcpserver-with-rbac.yaml