Skip to content

fix: add async lock to list_namespaces cache#52

Merged
geored merged 1 commit into
mainfrom
fix/namespace-cache-lock
Jun 22, 2026
Merged

fix: add async lock to list_namespaces cache#52
geored merged 1 commit into
mainfrom
fix/namespace-cache-lock

Conversation

@geored

@geored geored commented Jun 21, 2026

Copy link
Copy Markdown
Member

Problem

list_namespaces() accesses the shared _namespace_cache dict without any lock. Concurrent MCP tool calls during cache expiry cause duplicate K8s API calls and potential inconsistent cache state (TOCTOU race).

Fix

Added _namespace_cache_lock = asyncio.Lock() with double-checked locking:

  • Fast path: read cache without lock (no contention for cache hits)
  • Slow path: acquire lock, re-check cache, then fetch from K8s API

Testing

Verified with MCP Inspector: list_namespaces returns correct namespace list.

Closes #44

The shared _namespace_cache dict is accessed without a lock. When multiple
MCP tool calls invoke list_namespaces() concurrently and the cache expires,
duplicate K8s API calls are made and the cache can be written inconsistently.

Added double-checked locking with asyncio.Lock(): fast path reads without
lock, slow path (cache miss) acquires lock and re-checks before fetching.

Closes #44
@geored geored merged commit 5683a46 into main Jun 22, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

BUG: list_namespaces() has no async lock on shared cache — race condition

2 participants