MCP-K8s
view release on metacpan or search on metacpan
lib/MCP/K8s.pm view on Meta::CPAN
Kubeconfig context to use. Default: the kubeconfig's C<current-context>.
=item C<MCP_K8S_TOKEN>
Bearer token for direct authentication. Bypasses kubeconfig entirely.
Useful for CI/CD pipelines or when you have a service account token.
=item C<MCP_K8S_SERVER>
Kubernetes API server URL. Used with C<MCP_K8S_TOKEN> or in-cluster auth.
Default when in-cluster: C<https://kubernetes.default.svc.cluster.local>.
=item C<MCP_K8S_NAMESPACES>
Comma-separated list of namespaces to operate on.
Default: auto-discovered from the cluster (lists all namespaces the
service account can see). Falls back to C<default> if discovery fails.
=back
=head1 AUTHENTICATION
MCP::K8s supports three authentication methods, tried in order:
=over 4
=item 1. B<Direct token> â Set C<MCP_K8S_TOKEN> (and optionally C<MCP_K8S_SERVER>)
=item 2. B<In-cluster> â Auto-detected when running as a Kubernetes pod (reads mounted service account token from C</var/run/secrets/kubernetes.io/serviceaccount/token>)
=item 3. B<Kubeconfig> â Reads C<~/.kube/config> (or C<$KUBECONFIG>), optionally filtered by C<MCP_K8S_CONTEXT>
=back
For in-cluster and direct token auth, the CA certificate at
C</var/run/secrets/kubernetes.io/serviceaccount/ca.crt> is automatically
used if present.
=head1 RBAC SETUP
Use a dedicated ServiceAccount with minimal permissions for AI access.
Example RBAC manifests are included in the C<examples/> directory:
=over 4
=item C<examples/readonly-serviceaccount.yaml> â Read-only access (recommended starting point)
=item C<examples/deployer-serviceaccount.yaml> â Read + deploy/restart capabilities
=item C<examples/full-ops-serviceaccount.yaml> â Full access except secrets
=back
RBAC is the single source of truth â if the service account shouldn't have
access, don't grant it via RBAC. MCP::K8s does B<not> implement
application-layer permission filtering.
=head1 CLAUDE DESKTOP INTEGRATION
Add this to your Claude Desktop MCP configuration
(C<~/.config/claude/claude_desktop_config.json>):
{
"mcpServers": {
"kubernetes": {
"command": "mcp-k8s",
"env": {
"MCP_K8S_CONTEXT": "my-cluster",
"MCP_K8S_NAMESPACES": "default,production"
}
}
}
}
=head1 CLAUDE CODE INTEGRATION
Add to your project's C<.mcp.json> or global MCP settings:
{
"mcpServers": {
"kubernetes": {
"command": "mcp-k8s",
"env": {
"MCP_K8S_CONTEXT": "dev-cluster"
}
}
}
}
=head1 LANGERTHA RAIDER INTEGRATION
Use L<Langertha::Raider> to build an autonomous AI agent that can
interact with your Kubernetes cluster using MCP::K8s as its tool source:
use IO::Async::Loop;
use Future::AsyncAwait;
use Net::Async::MCP;
use Langertha::Engine::Anthropic;
use Langertha::Raider;
use MCP::K8s;
my $k8s = MCP::K8s->new(
namespaces => ['default', 'production'],
);
my $loop = IO::Async::Loop->new;
my $mcp = Net::Async::MCP->new(server => $k8s->server);
$loop->add($mcp);
async sub main {
await $mcp->initialize;
my $engine = Langertha::Engine::Anthropic->new(
api_key => $ENV{ANTHROPIC_API_KEY},
model => 'claude-sonnet-4-6',
mcp_servers => [$mcp],
);
my $raider = Langertha::Raider->new(
engine => $engine,
mission => 'You are a Kubernetes operations assistant. '
( run in 1.522 second using v1.01-cache-2.11-cpan-bbb979687b5 )