
🐛 MCP error -32603: Tool execution failed: Error: self-signed certificate in certificate chain: Local Rancher K3S cluster #91


Open
marcellodesales opened this issue Apr 2, 2025 · 8 comments


@marcellodesales

marcellodesales commented Apr 2, 2025

Problem

  • I have a local deployment of k3s Cluster running
$ docker compose -f docker-compose-k8s.yaml ps
NAME         IMAGE                                                                 COMMAND                  SERVICE      CREATED      STATUS                    PORTS
kubernetes   dockerhub.docker.artifactory.company.com/rancher/k3s:v1.32.3-k3s1      "/bin/k3s server"        kubernetes   7 days ago   Up 14 minutes (healthy)   0.0.0.0:6443->6443/tcp
  • As such, I can connect to it and run local tests of Operators, etc
$ export KUBECONFIG=/Users/mdesales/dev/git.company.com/seceng-devsecops-platform/vionix-platform-aws-localstack/data/kubernetes/kubeconfig.yaml
$ kubectl get nodes
NAME           STATUS     ROLES                  AGE     VERSION
69600f095d70   Ready      control-plane,master   6d23h   v1.32.3+k3s1
ebfe1d86afd9   NotReady   control-plane,master   7d3h    v1.32.3+k3s1
  • Its config is pointing to localhost
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://127.0.0.1:6443
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED

Problem: How to use the Kubernetes MCP Server to reach this server?

  • The kubernetes instance is running in a local docker network, that is from a bridge
$ docker compose -f docker-compose-k8s.yaml config
....
networks:
  local-aws:
    name: local-aws
    external: true
  • How to run the MCP server to run in a given local docker network?
    • That is, if the MCP Server is also in the same bridge network, it can have access to the server

📓 Notes from the thread

  • The current version 0.1.0 loads the default ~/.kube/config file always and caches it in memory
    • The suggestion could be to always receive the kubeconfig file via param to avoid the local cache on server bootstrap.
@marcellodesales marcellodesales changed the title Local access to a Rancher K3S Kubernetes cluster locally deployed using docker-compose 🐛 MCP error -32603: Tool execution failed: Error: self-signed certificate in certificate chain: Local Rancher K3S cluster Apr 3, 2025
@Flux159
Owner

Flux159 commented Apr 3, 2025

When running the server, can you try using NODE_TLS_REJECT_UNAUTHORIZED="0" or try this in your kube config kubernetes-client/javascript#7

@marcellodesales
Author

🔧 Bypass TLS from @kubernetes/client

    "kubernetes": {
      "env": {
        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      },
      "command": "npx",
      "args": ["mcp-server-kubernetes"]
    }

🔴 Failed with HTTP request failed

{}
Error executing code: MCP error -32603: MCP error -32603: Tool execution failed: HttpError: HTTP request failed

@marcellodesales
Author

marcellodesales commented Apr 3, 2025

🔧 Bypass TLS from kubeconfig.yaml

  • Attempted to change the file based on the configs as well
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    insecure-skip-tls-verify: true
    server: https://127.0.0.1:6443
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
  • It has failed
{}
Error executing code: MCP error -32603: MCP error -32603: Tool execution failed: Error: self-signed certificate in certificate chain

✍ Manually verifying

  • Testing it locally also failed with the config setting...
$ kubectl get namespaces
error: specifying a root certificates file with the insecure flag is not allowed
  • Then, removing the certificate-data made it work locally
$ kubectl get namespaces
NAME              STATUS   AGE
default           Active   7d15h
kube-node-lease   Active   7d15h
kube-public       Active   7d15h
kube-system       Active   7d15h

❓ Questions

  • Does Claude map the file-system to /projects and create a copy of the files?
    • Somehow the docker volume mapping works, but it doesn't see any changes to the file (Seems like it)
    • I will further confirm, but I'm running out of free messages
  • Based on the error above, and it is different from the host execution in the terminal, I suspect that the file-system volume mount is not seeing the changes to the file when it's executed again.

This is my claude_desktop_config.json currently...

{
  "mcpServers": {
    "filesystem": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "--mount", "type=bind,src=/Users/mdesales/dev,dst=/projects/dev",
        "mcp/filesystem",
        "/projects"
      ]
    },
    "kubernetes": {
      "command": "npx",
      "args": ["mcp-server-kubernetes"]
    }
  }
}
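
An added example (not code from mcp-server-kubernetes or from anyone in this thread): a small Node.js check for the two TLS bypasses tried above, the `NODE_TLS_REJECT_UNAUTHORIZED` entry in the MCP client config and `insecure-skip-tls-verify` in a kubeconfig, including the CA-plus-insecure combination that kubectl rejected. The function names, the constructed sample inputs, and the line-based kubeconfig scan (it assumes the kubectl-style layout shown in this thread and is not a full YAML parser) are assumptions.

```javascript
'use strict';

// Constructed sample: the MCP client config from the thread with the bypass applied.
const SAMPLE_MCP_CONFIG = {
  mcpServers: {
    filesystem: { command: 'docker', args: ['run', '-i', '--rm', 'mcp/filesystem', '/projects'] },
    kubernetes: {
      env: { NODE_TLS_REJECT_UNAUTHORIZED: '0' },
      command: 'npx',
      args: ['mcp-server-kubernetes'],
    },
  },
};

// Constructed sample kubeconfig; placeholders stand in for real base64 data.
const SAMPLE_KUBECONFIG = `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: PLACEHOLDER_CA
    insecure-skip-tls-verify: true
    server: https://127.0.0.1:6443
  name: default
- cluster:
    certificate-authority-data: PLACEHOLDER_CA
    server: https://k8s.example.internal:6443
  name: pinned
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
`;

// Flag MCP servers launched with certificate validation switched off.
// The variable applies to every TLS connection the Node process makes,
// not only to the Kubernetes API call.
function auditMcpConfig(config) {
  const findings = [];
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const value = server.env && server.env.NODE_TLS_REJECT_UNAUTHORIZED;
    if (value !== undefined && String(value) === '0') {
      findings.push({
        where: `mcpServers.${name}.env`,
        id: 'node-tls-verification-disabled',
        detail: 'remove it and trust the cluster CA instead (for example via NODE_EXTRA_CA_CERTS)',
      });
    }
  }
  return findings;
}

// Minimal scan of the "clusters:" list: one object per "- " entry,
// holding every "key: value" pair found inside that entry.
function parseClusters(text) {
  const clusters = [];
  let section = null;
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    if (/^\s*(#.*)?$/.test(raw)) continue;            // blank line or comment
    const top = /^([A-Za-z][\w-]*):/.exec(raw);       // top-level key at column 0
    if (top) { section = top[1]; current = null; continue; }
    if (section !== 'clusters') continue;
    if (/^\s*-\s/.test(raw)) { current = {}; clusters.push(current); }
    const kv = /^\s*(?:-\s+)?([\w-]+):\s*(.*)$/.exec(raw);
    if (kv && current) current[kv[1]] = kv[2].trim().replace(/^["']|["']$/g, '');
  }
  return clusters;
}

// Flag clusters that skip verification, and the CA + insecure combination
// that kubectl refuses ("specifying a root certificates file with the
// insecure flag is not allowed").
function auditKubeconfig(text) {
  const findings = [];
  for (const c of parseClusters(text)) {
    if ((c['insecure-skip-tls-verify'] || '').toLowerCase() !== 'true') continue;
    const where = `clusters[${c.name || '?'}]`;
    findings.push({
      where,
      id: 'tls-verify-skipped',
      detail: `${c.server || 'server'} is accepted without certificate validation`,
    });
    if (c['certificate-authority-data'] || c['certificate-authority']) {
      findings.push({
        where,
        id: 'ca-and-insecure-conflict',
        detail: 'a CA is already configured; drop insecure-skip-tls-verify and keep the CA',
      });
    }
  }
  return findings;
}

for (const f of [...auditMcpConfig(SAMPLE_MCP_CONFIG), ...auditKubeconfig(SAMPLE_KUBECONFIG)]) {
  console.log(`${f.id} at ${f.where}: ${f.detail}`);
}
```
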

@Flux159
Owner

Flux159 commented Apr 4, 2025

Based on the error above, and it is different from the host execution in the terminal, I suspect that the file-system volume mount is not seeing the changes to the file when it's executed again.

Making sure I understand this correctly - did you restart Claude desktop after the file changes? (or at least make sure that the npx mcp-server-kubernetes process was restarted by removing / adding it back into your claude_desktop_config.json)?

The kubernetes MCP server loads your kube config once and then caches it - https://github.com/Flux159/mcp-server-kubernetes/blob/main/src/utils/kubernetes-manager.ts#L15 and it's initialized here: https://github.com/Flux159/mcp-server-kubernetes/blob/main/src/index.ts#L71

@marcellodesales
Author

@Flux159 hummm That might be the reason... The cache... I only update it and restart Claude but without removing and adding it back.. Maybe that might be the reason... I will make sure to follow the steps and report back...

@marcellodesales
Author

marcellodesales commented Apr 4, 2025

@Flux159 here are the observations...

  • Given the code that loads the default, does it mean that it always caches from ~/kube/config???
  • That means, it has been attempting to load the cluster from docker-desktop that I have installed?
  • When I use prompts instructing it to load a different KUBECONFIG through the environment variable, it can't get it reflected?
    • Maybe I have to symlink the default host config file to point to the default?
$ export KUBECONFIG=


We found a Keybase service (keybase.service) but it's not running.
You might try starting it: keybase launchd start keybase.service

~/dev/github.com/marcellodesales/model-context-protocol-servers/src/github on  feature/github/support-enterprise-github-server-urls! 📅 04-03-2025 ⌚20:06:29
$ kubectl get nodes
Unable to connect to the server: tls: failed to verify certificate: x509: certificate signed by unknown authority

I think I can now understand the confusion of why that is the case based on the default code... Here's what I have attempted before figuring out that the actual server being hit is from the ~/.kube/config

Rancher cluster running remotely

  • The connection uses a self-signed cert by Rancher
  • No complaints about self-signed cert
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://console.rancher.az.company.com/k8s/clusters/c-m-zstxchb8
  name: az-eastus-security-openai-prod
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://az-eastus-security-openai-prod-api.rancher.az.company.com
  name: az-eastus-security-openai-prod-fqdn
contexts:
- context:
    cluster: az-eastus-security-openai-prod
    user: az-eastus-security-openai-prod
  name: az-eastus-security-openai-prod
- context:
    cluster: az-eastus-security-openai-prod-fqdn
    user: az-eastus-security-openai-prod
  name: az-eastus-security-openai-prod-fqdn
current-context: az-eastus-security-openai-prod
kind: Config
preferences: {}
users:
- name: az-eastus-security-openai-prod
  user:
    token: REDACTED
  • List namespaces works by just using export KUBECONFIG=path/to/kubeconfig.yaml and then get namespaces
$ kubectl get namespaces
NAME                                       STATUS   AGE
azure-chatgpt-az-eastus-prdt-ppd-dev       Active   641d
azure-chatgpt-az-eastus-prdt-prd-prd       Active   641d
azure-chatgpt-az-eastus-prdt-prd-prd-com   Active   713d
azure-chatgpt-az-eastus-prdt-prd-stg       Active   641d
cattle-dashboards                          Active   2y4d
cattle-fleet-system                        Active   2y4d
cattle-gatekeeper-system                   Active   2y4d
cattle-impersonation-system                Active   2y4d
cattle-logging-system                      Active   2y4d
cattle-monitoring-system                   Active   2y4d
cattle-neuvector-system                    Active   2y4d
cattle-system                              Active   2y4d
cattle-ui-plugin-system                    Active   189d
cert-manager                               Active   722d
contour-external                           Active   717d
contour-internal                           Active   717d
default                                    Active   2y4d
direktiv-az-eastus-prdt-prd-prd            Active   718d
direktiv-services-direktiv                 Active   718d
external-dns                               Active   2y4d
external-dns-public                        Active   612d
ghasapp-az-eastus-pltf-prd-prd             Active   478d
ghasm-az-eastus-pltf-ppd-dev               Active   548d
infoblox-external-dns                      Active   2y3d
istio-system                               Active   2y
knative-eventing                           Active   715d
knative-serving                            Active   715d
kube-node-lease                            Active   2y4d
kube-public                                Active   2y4d
kube-system                                Active   2y4d
local                                      Active   2y4d
nginx                                      Active   699d
oauth2-proxy-gpt-com-prd                   Active   713d
oauth2-proxy-gpt-prd                       Active   681d
oauth2-proxy-gpt-stg                       Active   681d
postgres                                   Active   719d
vault-infra                                Active   2y4d
velero                                     Active   2y4d

🧠 From Claude

  • I have the filesystem mcp server running in docker
    • It has the mappings to the /projects path
  • I use the following prompt to select the file:
using KUBECONFIG=/projects/Downloads/az-eastus-security-openai-prod.yaml list the namespaces

Then, it attempts to find but fails:

I'll list the namespaces in your Kubernetes cluster using the provided KUBECONFIG file.


View result from list_namespaces from kubernetes (local)



{}
Error executing code: MCP error -32603: MCP error -32603: Tool execution failed: Error: self-signed certificate in certificate chain

Even though it is trying to connect, it still fails with the same error... The fact that it's caching the default kubernetes file in the home directory may explain that the output is usually the same...

@marcellodesales
Author

@Flux159 I think the theory is correct... The library does load KUBECONFIG from ~/.kube/config... I have replaced it with the one from the server above...

But for both Rancher Enterprise and Rancher K3S clusters, I'm seeing the same problem... Maybe it's time to throw in npx --node-options="--inspect" on bootstrap... Here's the current logs...

🔴 Logs with the bug ending with {"code":-32601,"message":"Method not found"}}

  • I have deleted the previous logs, and ran it again and collected fresh bootstrap of the server with the cluster in a remote location.
  • It does load on the server, but it fails for some reason I can't grasp yet... Maybe with a remote debugger..
2025-04-04T03:17:16.991Z [kubernetes] [info] Initializing server...
2025-04-04T03:17:17.038Z [kubernetes] [info] Server started and connected successfully
2025-04-04T03:17:17.039Z [kubernetes] [info] Message from client: {"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"claude-ai","version":"0.1.0"}},"jsonrpc":"2.0","id":0}
(node:71536) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead.
(Use `node --trace-deprecation ...` to show where the warning was created)
2025-04-04T03:17:24.901Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":0,"result":{"protocolVersion":"2024-11-05","capabilities":{"resources":{},"tools":{}},"serverInfo":{"name":"kubernetes","version":"0.1.0"}}}
2025-04-04T03:17:24.901Z [kubernetes] [info] Message from client: {"method":"notifications/initialized","jsonrpc":"2.0"}
2025-04-04T03:17:24.903Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":1}
2025-04-04T03:17:24.904Z [kubernetes] [info] Message from client: {"method":"tools/list","params":{},"jsonrpc":"2.0","id":2}
2025-04-04T03:17:24.904Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":1,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:17:24.904Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":2,"result":{"tools":[{"name":"cleanup","description":"Cleanup all managed resources","inputSchema":{"type":"object","properties":{}}},{"name":"create_deployment","description":"Create a new Kubernetes deployment","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"template":{"type":"string","enum":["ubuntu","nginx","busybox","alpine","custom"]},"replicas":{"type":"number","default":1},"ports":{"type":"array","items":{"type":"number"},"optional":true},"customConfig":{"type":"object","optional":true,"properties":{"image":{"type":"string"},"command":{"type":"array","items":{"type":"string"}},"args":{"type":"array","items":{"type":"string"}},"ports":{"type":"array","items":{"type":"object","properties":{"containerPort":{"type":"number"},"name":{"type":"string"},"protocol":{"type":"string"}}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"type":"string"}},"requests":{"type":"object","additionalProperties":{"type":"string"}}}},"env":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object"}}}},"volumeMounts":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"mountPath":{"type":"string"},"readOnly":{"type":"boolean"}}}}}}},"required":["name","namespace","template"]}},{"name":"create_namespace","description":"Create a new Kubernetes namespace","inputSchema":{"type":"object","properties":{"name":{"type":"string"}},"required":["name"]}},{"name":"create_pod","description":"Create a new Kubernetes 
pod","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"template":{"type":"string","enum":["ubuntu","nginx","busybox","alpine","custom"]},"command":{"type":"array","items":{"type":"string"},"optional":true},"customConfig":{"type":"object","optional":true,"properties":{"image":{"type":"string"},"command":{"type":"array","items":{"type":"string"}},"args":{"type":"array","items":{"type":"string"}},"ports":{"type":"array","items":{"type":"object","properties":{"containerPort":{"type":"number"},"name":{"type":"string"},"protocol":{"type":"string"}}}},"resources":{"type":"object","properties":{"limits":{"type":"object","additionalProperties":{"type":"string"}},"requests":{"type":"object","additionalProperties":{"type":"string"}}}},"env":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"value":{"type":"string"},"valueFrom":{"type":"object"}}}},"volumeMounts":{"type":"array","items":{"type":"object","properties":{"name":{"type":"string"},"mountPath":{"type":"string"},"readOnly":{"type":"boolean"}}}}}}},"required":["name","namespace","template"]}},{"name":"create_cronjob","description":"Create a new Kubernetes CronJob","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"schedule":{"type":"string"},"image":{"type":"string"},"command":{"type":"array","items":{"type":"string"},"optional":true},"suspend":{"type":"boolean","optional":true}},"required":["name","namespace","schedule","image"]}},{"name":"delete_pod","description":"Delete a Kubernetes pod","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"ignoreNotFound":{"type":"boolean","default":false}},"required":["name","namespace"]}},{"name":"delete_deployment","description":"Delete a Kubernetes 
deployment","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"ignoreNotFound":{"type":"boolean","default":false}},"required":["name","namespace"]}},{"name":"delete_namespace","description":"Delete a Kubernetes namespace","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"ignoreNotFound":{"type":"boolean","default":false}},"required":["name"]}},{"name":"describe_cronjob","description":"Get detailed information about a Kubernetes CronJob including recent job history","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string","default":"default"}},"required":["name","namespace"]}},{"name":"describe_pod","description":"Describe a Kubernetes pod (read details like status, containers, etc.)","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}},"required":["name","namespace"]}},{"name":"describe_deployment","description":"Get details about a Kubernetes deployment","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}},"required":["name","namespace"]}},{"name":"explain_resource","description":"Get documentation for a Kubernetes resource or field","inputSchema":{"type":"object","properties":{"resource":{"type":"string","description":"Resource name or field path (e.g. 'pods' or 'pods.spec.containers')"},"apiVersion":{"type":"string","description":"API version to use (e.g. 'apps/v1')"},"recursive":{"type":"boolean","description":"Print the fields of fields recursively","default":false},"output":{"type":"string","description":"Output format (plaintext or plaintext-openapiv2)","enum":["plaintext","plaintext-openapiv2"],"default":"plaintext"}},"required":["resource"]}},{"name":"get_events","description":"Get Kubernetes events from the cluster","inputSchema":{"type":"object","properties":{"namespace":{"type":"string","description":"Namespace to get events from. 
If not specified, gets events from all namespaces"},"fieldSelector":{"type":"string","description":"Field selector to filter events"}},"required":[]}},{"name":"get_job_logs","description":"Get logs from Pods created by a specific Job","inputSchema":{"type":"object","properties":{"name":{"type":"string","description":"Name of the Job to get logs from"},"namespace":{"type":"string","default":"default"},"tail":{"type":"number","description":"Number of lines to return from the end of the logs","optional":true},"timestamps":{"type":"boolean","description":"Include timestamps in the logs","optional":true}},"required":["name","namespace"]}},{"name":"get_logs","description":"Get logs from pods, deployments, jobs, or resources matching a label selector","inputSchema":{"type":"object","properties":{"resourceType":{"type":"string","enum":["pod","deployment","job"],"description":"Type of resource to get logs from"},"name":{"type":"string","description":"Name of the resource"},"namespace":{"type":"string","description":"Namespace of the resource","default":"default"},"labelSelector":{"type":"string","description":"Label selector to filter resources","optional":true},"container":{"type":"string","description":"Container name (required when pod has multiple containers)","optional":true},"tail":{"type":"number","description":"Number of lines to show from end of logs","optional":true},"since":{"type":"number","description":"Get logs since relative time in seconds","optional":true},"timestamps":{"type":"boolean","description":"Include timestamps in logs","default":false}},"required":["resourceType"]}},{"name":"install_helm_chart","description":"Install a Helm chart","inputSchema":{"type":"object","properties":{"name":{"type":"string","description":"Release name"},"chart":{"type":"string","description":"Chart name"},"repo":{"type":"string","description":"Chart repository URL"},"namespace":{"type":"string","description":"Kubernetes 
namespace"},"values":{"type":"object","description":"Chart values","additionalProperties":true}},"required":["name","chart","repo","namespace"]}},{"name":"list_api_resources","description":"List the API resources available in the cluster","inputSchema":{"type":"object","properties":{"apiGroup":{"type":"string","description":"API group to filter by"},"namespaced":{"type":"boolean","description":"If true, only show namespaced resources"},"verbs":{"type":"array","items":{"type":"string"},"description":"List of verbs to filter by"},"output":{"type":"string","description":"Output format (wide, name, or no-headers)","enum":["wide","name","no-headers"],"default":"wide"}}}},{"name":"list_cronjobs","description":"List CronJobs in a namespace","inputSchema":{"type":"object","properties":{"namespace":{"type":"string","default":"default"}},"required":["namespace"]}},{"name":"list_deployments","description":"List deployments in a namespace","inputSchema":{"type":"object","properties":{"namespace":{"type":"string","default":"default"}},"required":["namespace"]}},{"name":"list_jobs","description":"List Jobs in a namespace, optionally filtered by a CronJob parent","inputSchema":{"type":"object","properties":{"namespace":{"type":"string","default":"default"},"cronJobName":{"type":"string","description":"Optional: Filter jobs created by a specific CronJob","optional":true}},"required":["namespace"]}},{"name":"list_namespaces","description":"List all namespaces","inputSchema":{"type":"object","properties":{}}},{"name":"list_nodes","description":"List all nodes in the cluster","inputSchema":{"type":"object","properties":{}}},{"name":"list_pods","description":"List pods in a namespace","inputSchema":{"type":"object","properties":{"namespace":{"type":"string","default":"default"}},"required":["namespace"]}},{"name":"list_services","description":"List services in a 
namespace","inputSchema":{"type":"object","properties":{"namespace":{"type":"string","default":"default"}},"required":["namespace"]}},{"name":"uninstall_helm_chart","description":"Uninstall a Helm release","inputSchema":{"type":"object","properties":{"name":{"type":"string","description":"Release name"},"namespace":{"type":"string","description":"Kubernetes namespace"}},"required":["name","namespace"]}},{"name":"upgrade_helm_chart","description":"Upgrade a Helm release","inputSchema":{"type":"object","properties":{"name":{"type":"string","description":"Release name"},"chart":{"type":"string","description":"Chart name"},"repo":{"type":"string","description":"Chart repository URL"},"namespace":{"type":"string","description":"Kubernetes namespace"},"values":{"type":"object","description":"Chart values","additionalProperties":true}},"required":["name","chart","repo","namespace"]}},{"name":"port_forward","description":"Forward a local port to a port on a Kubernetes resource","inputSchema":{"type":"object","properties":{"resourceType":{"type":"string"},"resourceName":{"type":"string"},"localPort":{"type":"number"},"targetPort":{"type":"number"},"namespace":{"type":"string"}},"required":["resourceType","resourceName","localPort","targetPort"]}},{"name":"stop_port_forward","description":"Stop a port-forward process","inputSchema":{"type":"object","properties":{"id":{"type":"string"}},"required":["id"]}},{"name":"scale_deployment","description":"Scale a Kubernetes deployment","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"},"replicas":{"type":"number"}},"required":["name","namespace","replicas"]}},{"name":"delete_cronjob","description":"Delete a Kubernetes CronJob","inputSchema":{"type":"object","properties":{"name":{"type":"string"},"namespace":{"type":"string"}},"required":["name","namespace"]}}]}}
2025-04-04T03:17:24.915Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":3}
2025-04-04T03:17:24.915Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":3,"error":{"code":-32601,"message":"Method not found"}}
2025-04-04T03:17:29.905Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":4}
2025-04-04T03:17:29.906Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":4,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:17:29.911Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":5}
2025-04-04T03:17:29.912Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":5,"error":{"code":-32601,"message":"Method not found"}}
2025-04-04T03:17:34.910Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":6}
2025-04-04T03:17:34.911Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":6,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:17:34.916Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":7}
2025-04-04T03:17:34.916Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":7,"error":{"code":-32601,"message":"Method not found"}}
2025-04-04T03:17:38.702Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":8}
2025-04-04T03:17:38.703Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":8,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:17:38.736Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":9}
2025-04-04T03:17:38.740Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":9,"error":{"code":-32601,"message":"Method not found"}}
2025-04-04T03:17:43.705Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":10}
2025-04-04T03:17:43.705Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":10,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:17:43.709Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":11}
2025-04-04T03:17:43.710Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":11,"error":{"code":-32601,"message":"Method not found"}}
2025-04-04T03:17:44.214Z [kubernetes] [info] Message from client: {"method":"tools/call","params":{"name":"list_namespaces","arguments":{}},"jsonrpc":"2.0","id":12}
2025-04-04T03:17:45.835Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":12,"result":{"content":[{"type":"text","text":"{\n  \"namespaces\": [\n    {\n      \"name\": \"azure-chatgpt-az-eastus-prdt-ppd-dev\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-07-02T02:06:11.000Z\"\n    },\n    {\n      \"name\": \"azure-chatgpt-az-eastus-prdt-prd-prd\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-07-02T02:06:36.000Z\"\n    },\n    {\n      \"name\": \"azure-chatgpt-az-eastus-prdt-prd-prd-com\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-21T21:52:40.000Z\"\n    },\n    {\n      \"name\": \"azure-chatgpt-az-eastus-prdt-prd-stg\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-07-02T02:06:47.000Z\"\n    },\n    {\n      \"name\": \"cattle-dashboards\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T22:02:56.000Z\"\n    },\n    {\n      \"name\": \"cattle-fleet-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T21:41:07.000Z\"\n    },\n    {\n      \"name\": \"cattle-gatekeeper-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T22:01:43.000Z\"\n    },\n    {\n      \"name\": \"cattle-impersonation-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T21:40:36.000Z\"\n    },\n    {\n      \"name\": \"cattle-logging-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T22:01:50.000Z\"\n    },\n    {\n      \"name\": \"cattle-monitoring-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T22:01:47.000Z\"\n    },\n    {\n      \"name\": \"cattle-neuvector-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T22:15:24.000Z\"\n    },\n    {\n      \"name\": \"cattle-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T21:38:46.000Z\"\n    },\n    {\n      \"name\": \"cattle-ui-plugin-system\",\n      \"status\": \"Active\",\n 
     \"createdAt\": \"2024-09-26T15:31:03.000Z\"\n    },\n    {\n      \"name\": \"cert-manager\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-12T21:22:47.000Z\"\n    },\n    {\n      \"name\": \"contour-external\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-17T23:23:41.000Z\"\n    },\n    {\n      \"name\": \"contour-internal\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-17T23:23:41.000Z\"\n    },\n    {\n      \"name\": \"default\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T21:38:42.000Z\"\n    },\n    {\n      \"name\": \"direktiv-az-eastus-prdt-prd-prd\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-16T21:36:49.000Z\"\n    },\n    {\n      \"name\": \"direktiv-services-direktiv\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-17T01:21:37.000Z\"\n    },\n    {\n      \"name\": \"external-dns\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T22:01:41.000Z\"\n    },\n    {\n      \"name\": \"external-dns-public\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-07-31T16:48:58.000Z\"\n    },\n    {\n      \"name\": \"ghasapp-az-eastus-pltf-prd-prd\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-12-12T15:01:49.000Z\"\n    },\n    {\n      \"name\": \"ghasm-az-eastus-pltf-ppd-dev\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-10-03T20:05:48.000Z\"\n    },\n    {\n      \"name\": \"infoblox-external-dns\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-01T20:46:02.000Z\"\n    },\n    {\n      \"name\": \"istio-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-04T19:51:31.000Z\"\n    },\n    {\n      \"name\": \"knative-eventing\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-19T18:39:27.000Z\"\n    },\n    {\n      \"name\": \"knative-serving\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-19T22:04:47.000Z\"\n    },\n 
   {\n      \"name\": \"kube-node-lease\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T21:38:41.000Z\"\n    },\n    {\n      \"name\": \"kube-public\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T21:38:41.000Z\"\n    },\n    {\n      \"name\": \"kube-system\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T21:38:41.000Z\"\n    },\n    {\n      \"name\": \"local\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T21:40:41.000Z\"\n    },\n    {\n      \"name\": \"nginx\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-05-05T04:55:35.000Z\"\n    },\n    {\n      \"name\": \"oauth2-proxy-gpt-com-prd\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-21T20:41:38.000Z\"\n    },\n    {\n      \"name\": \"oauth2-proxy-gpt-prd\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-05-23T23:37:32.000Z\"\n    },\n    {\n      \"name\": \"oauth2-proxy-gpt-stg\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-05-23T21:09:26.000Z\"\n    },\n    {\n      \"name\": \"postgres\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-04-16T00:41:59.000Z\"\n    },\n    {\n      \"name\": \"vault-infra\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T22:01:36.000Z\"\n    },\n    {\n      \"name\": \"velero\",\n      \"status\": \"Active\",\n      \"createdAt\": \"2023-03-31T22:16:24.000Z\"\n    }\n  ]\n}"}]}}
2025-04-04T03:17:48.705Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":13}
2025-04-04T03:17:48.707Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":13,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:17:48.716Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":14}
2025-04-04T03:17:48.717Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":14,"error":{"code":-32601,"message":"Method not found"}}
2025-04-04T03:17:53.705Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":15}
2025-04-04T03:17:53.706Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":15,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:17:53.709Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":16}
2025-04-04T03:17:53.709Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":16,"error":{"code":-32601,"message":"Method not found"}}
2025-04-04T03:17:58.706Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":17}
2025-04-04T03:17:58.707Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":17,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:17:58.716Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":18}
2025-04-04T03:17:58.717Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":18,"error":{"code":-32601,"message":"Method not found"}}
2025-04-04T03:18:03.705Z [kubernetes] [info] Message from client: {"method":"resources/list","params":{},"jsonrpc":"2.0","id":19}
2025-04-04T03:18:03.706Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":19,"result":{"resources":[{"uri":"k8s://default/pods","name":"Kubernetes Pods","mimeType":"application/json","description":"List of pods in the default namespace"},{"uri":"k8s://default/deployments","name":"Kubernetes Deployments","mimeType":"application/json","description":"List of deployments in the default namespace"},{"uri":"k8s://default/services","name":"Kubernetes Services","mimeType":"application/json","description":"List of services in the default namespace"},{"uri":"k8s://namespaces","name":"Kubernetes Namespaces","mimeType":"application/json","description":"List of all namespaces"},{"uri":"k8s://nodes","name":"Kubernetes Nodes","mimeType":"application/json","description":"List of all nodes in the cluster"}]}}
2025-04-04T03:18:03.716Z [kubernetes] [info] Message from client: {"method":"prompts/list","params":{},"jsonrpc":"2.0","id":20}
2025-04-04T03:18:03.716Z [kubernetes] [info] Message from server: {"jsonrpc":"2.0","id":20,"error":{"code":-32601,"message":"Method not found"}}

@Flux159
Owner

Flux159 commented Apr 4, 2025

I can guarantee that using "KUBECONFIG=/projects/Downloads/az-eastus-security-openai-prod.yaml list the namespaces" will not work: there's no tool call that allows an LLM to change the kubeconfig, and the underlying client library doesn't support it. Specifically, this project uses the official kubernetes-client/javascript library, and it has a known issue around caching credentials. See more here.

While we do use the kubectl CLI directly for certain things like explain and api-resources, those are exceptions since those functions are not available via the client SDK.


To try to resolve your issue though - can you try using insecure-skip-tls-verify: true in the default kubeconfig at ~/.kube/config and remove the certificate-data so that kubectl get namespaces works in a default shell as you expect - no custom env vars or kubeconfig locations? Then reboot Claude Desktop with the mcp-server-kubernetes config to test it out.
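
An added example (not from the thread and not mcp-server-kubernetes code): because the workaround above edits the default kubeconfig, a check like this can confirm that TLS verification is disabled only for the loopback k3s endpoint and not for any remote cluster. It assumes input in the JSON shape printed by `kubectl config view -o json`; the function names, finding labels and sample cluster entries are constructed for illustration.

```javascript
// Added example: audit a kubeconfig in the JSON shape printed by
// `kubectl config view -o json` for clusters that disable TLS verification.
const LOOPBACK = new Set(["127.0.0.1", "localhost", "::1"]);

function isLoopback(server) {
  try {
    // URL.hostname keeps the brackets around IPv6 literals; strip them.
    return LOOPBACK.has(new URL(server).hostname.replace(/^\[|\]$/g, ""));
  } catch {
    return false; // unparsable server URL: treat it as remote
  }
}

function auditKubeconfig(config) {
  const findings = [];
  for (const entry of config.clusters ?? []) {
    const c = entry.cluster ?? {};
    if (c["insecure-skip-tls-verify"] !== true) continue;
    // kubectl rejects an entry that sets both a CA and the skip flag,
    // which is why the CA data has to be removed for the workaround.
    if (c["certificate-authority"] || c["certificate-authority-data"]) {
      findings.push({ cluster: entry.name, level: "error", issue: "ca-and-skip-both-set" });
    }
    const local = isLoopback(c.server);
    findings.push({
      cluster: entry.name,
      level: local ? "warn" : "high",
      issue: local ? "tls-verify-disabled-loopback" : "tls-verify-disabled-remote",
    });
  }
  return findings;
}

// Constructed sample input (not taken from the issue).
const SAMPLE = {
  clusters: [
    { name: "local-k3s", cluster: { server: "https://127.0.0.1:6443", "insecure-skip-tls-verify": true } },
    { name: "remote", cluster: { server: "https://k8s.example.com:6443",
        "certificate-authority-data": "DATA+OMITTED", "insecure-skip-tls-verify": true } },
    { name: "verified", cluster: { server: "https://10.0.0.5:6443", "certificate-authority-data": "DATA+OMITTED" } },
  ],
};

console.log(auditKubeconfig(SAMPLE));
```

A `high` finding means the skip flag reached a non-loopback API server, where the client can no longer tell the real server from an interposed one.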
