# -- Enable OpenShift-specific features.
openshift: false
# -- Number of pod replicas (the ReplicaSet count). More information: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
replicaCount: 1
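# NOTE(review): "latest" is a mutable tag. With pullPolicy IfNotPresent a node
# that already holds a cached "latest" keeps running it, so replicas on
# different nodes can run different builds and a rollout is not reproducible.
# For anything beyond a trial install, set version to a fixed release tag or a
# sha digest.
# -- This sets the container image. More information can be found here: https://kubernetes.io/docs/concepts/containers/images/
image:
  registry: quay.io
  repository: containers/kubernetes_mcp_server
  # -- This sets the tag or sha digest for the image.
  version: latest
  # -- This sets the pull policy for images.
  pullPolicy: IfNotPresent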
# -- Secrets used to pull the image from a private registry. More information: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# Overrides the chart name.
nameOverride: ""
# NOTE(review): presumably overrides the full release name used to prefix
# generated resources ("<release-fullname>-...") - confirm against the templates.
fullnameOverride: ""
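# The ServiceAccount is the identity the MCP server runs as; the bindings in the
# rbac section attach to it by default, so its permissions are the permissions
# of the server.
# -- This section builds out the service account. More information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.
  # -- If not set and create is true, a name is generated using the fullname template
  name: ""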
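# NOTE(review): every rule granted here is bound to the release's
# ServiceAccount, so it is presumably usable by any client that can reach the
# MCP server. Grant the narrowest verbs and resources that work, and prefer the
# namespace-scoped extraRoles / extraRoleBindings over cluster-wide bindings.
# Of the built-in roles named below, "edit" and "admin" include access to
# Secrets; "view" does not.
# -- RBAC configuration for the MCP server.
# -- Use these lists to add custom RBAC resources without modifying templates.
# -- This is useful for downstream forks that need provider-specific permissions.
# -- Note: Resource names are limited to 63 characters (Kubernetes DNS naming spec).
# -- When using long names, they will be automatically truncated.
rbac:
  # -- Specifies whether RBAC resources should be created.
  # -- When set to false, no RBAC resources will be created regardless of the
  # -- contents of extraClusterRoles, extraClusterRoleBindings, extraRoles, and extraRoleBindings.
  create: true

  # -- Extra ClusterRoles to create. Each entry creates a ClusterRole named
  # -- "<release-fullname>-<name>" with the specified rules.
  extraClusterRoles: []
  # - name: my-provider
  #   rules:
  #     - apiGroups: [""]
  #       resources: ["pods"]
  #       verbs: ["get", "list"]

  # -- Extra ClusterRoleBindings to create. Each entry creates a ClusterRoleBinding
  # -- that binds to the release's ServiceAccount by default.
  # -- Use roleRef.external: true to reference existing cluster roles (e.g., "view", "edit", "admin")
  # -- without prefixing the release fullname.
  extraClusterRoleBindings: []
  # - name: my-provider
  #   roleRef:
  #     name: my-provider  # References "<release-fullname>-my-provider" ClusterRole
  # - name: use-view-role
  #   roleRef:
  #     name: view
  #     external: true  # References the existing "view" ClusterRole directly

  # -- Extra Roles to create (namespace-scoped). Each entry creates a Role named
  # -- "<release-fullname>-<name>" in the specified namespace.
  extraRoles: []
  # - name: my-provider
  #   namespace: some-namespace
  #   rules:
  #     - apiGroups: [""]
  #       resources: ["services"]
  #       verbs: ["get"]

  # -- Extra RoleBindings to create. Each entry creates a RoleBinding
  # -- that binds to the release's ServiceAccount by default.
  # -- Use roleRef.external: true to reference existing roles without prefixing the release fullname.
  extraRoleBindings: []
  # - name: my-provider
  #   namespace: some-namespace
  #   roleRef:
  #     name: my-provider  # References "<release-fullname>-my-provider" Role
  # - name: use-existing-role
  #   namespace: some-namespace
  #   roleRef:
  #     name: some-existing-role
  #     external: true  # References the existing "some-existing-role" Role directly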
# -- Kubernetes annotations to set on the Pod.
# -- For more information see: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
# -- Kubernetes labels to set on the Pod.
# -- For more information see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
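# NOTE(review): the default* contexts are used only "when one is not provided",
# so setting podSecurityContext or securityContext presumably replaces the
# hardening below rather than merging with it - confirm in the templates and
# repeat these fields in any override.
# -- Default Security Context for the Pod when one is not provided
defaultPodSecurityContext:
  seccompProfile:
    type: RuntimeDefault
# -- Define the Security Context for the Pod
podSecurityContext: {}

# The container default disables privilege escalation, drops every Linux
# capability and refuses to start as UID 0.
# NOTE(review): readOnlyRootFilesystem is not set here; consider adding it via
# securityContext if the server does not need a writable root filesystem.
# -- Default Security Context for the Container when one is not provided
defaultSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
# -- Define the Security Context for the Container
securityContext: {}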
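# -- This is for setting up a service. More information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
service:
  # ClusterIP keeps the Service reachable only from inside the cluster; external
  # exposure is controlled separately by the ingress section.
  # -- This sets the service type. More information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
  type: ClusterIP
  # -- This sets the ports. More information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
  port: 8080
  # -- This sets the target port on the pod. Defaults to "http" (the container port name).
  # -- Target port for the service. Useful when deploying with a proxy sidecar or exposing a different port. Set this to the sidecar's port to route traffic through the proxy before reaching the main container.
  targetPort: http
  # -- Annotations to add to the service
  annotations: {}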
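# NOTE(review): ingress is enabled by default, so a plain install publishes the
# MCP endpoint outside the cluster, while the server's own tls.enabled defaults
# to false. "termination: edge" looks like OpenShift Route edge termination
# (TLS ends at the router and the hop to the pod is plaintext) - confirm in the
# templates. Make sure authentication is configured in front of the server
# before exposing it, or set enabled to false where external access is not
# needed.
# -- This block is for setting up the ingress. More information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
  enabled: true
  className: ""
  annotations: {}
  host: ""
  path: /
  pathType: ImplementationSpecific
  termination: edge
  # hosts and tls are left without a value, which YAML reads as null.
  hosts:
  tls:
    # secretName: ""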
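# Requests equal limits for both CPU and memory, so the container gets a fixed
# allocation and cannot grow beyond it.
# -- Resource requests and limits for the container.
resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

# Both probes issue an HTTP GET for /healthz on the container port named "http".
# -- Liveness and readiness probes for the container.
livenessProbe:
  httpGet:
    path: /healthz
    port: http
readinessProbe:
  httpGet:
    path: /healthz
    port: http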
# -- Additional volumes on the output Deployment definition.
extraVolumes: []
# - name: foo
#   secret:
#     secretName: mysecret
#     optional: false

# -- Additional volumeMounts on the output Deployment definition.
extraVolumeMounts: []
# - name: foo
#   mountPath: "/etc/foo"
#   readOnly: true

# NOTE(review): each entry is a complete container spec, so the chart's
# defaultSecurityContext presumably does not apply to it - give every init
# container its own securityContext. The example image uses the mutable
# "latest" tag; pin a fixed tag or digest in real use.
# -- Init containers to run before the main container starts. Each container is defined as a complete container spec. Supports tpl for templating.
initContainers: []
# - name: init-config
#   image: busybox:latest
#   command: ["sh", "-c", "echo 'Preparing config...' && cp /defaults/* /config/"]
#   volumeMounts:
#     - name: config-volume
#       mountPath: /config
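# NOTE(review): TLS is off by default, so until this is enabled traffic between
# the Service (or ingress) and the pod is presumably plain HTTP. Enabling it
# requires secretName to point at an existing kubernetes.io/tls Secret.
# -- TLS configuration for the MCP server.
# -- When enabled, the server will serve HTTPS and health probes will use the HTTPS scheme.
# -- This is the recommended way to enable TLS instead of using extraArgs.
tls:
  # -- Enable TLS for the MCP server
  enabled: false
  # -- Name of the Kubernetes Secret containing TLS certificate and key.
  # -- The secret should be of type kubernetes.io/tls with tls.crt and tls.key.
  secretName: ""
  # -- Path where the TLS secret will be mounted inside the container
  mountPath: /etc/tls
  # -- Name of the certificate file within the secret (default: tls.crt)
  certFile: tls.crt
  # -- Name of the key file within the secret (default: tls.key)
  keyFile: tls.key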
# -- Extra arguments to pass to the kubernetes-mcp-server command line.
# -- Useful for passing additional configuration options. It can also be configured using ConfigMap.
# -- Note: For TLS configuration, use the tls section above instead of extraArgs.
extraArgs: []

# NOTE(review): sidecars are complete container specs, so the chart's
# defaultSecurityContext presumably does not cover them - set a securityContext
# on each one. The example image uses the mutable "latest" tag; pin a fixed tag
# or digest in real use.
# -- Additional containers to add to the pod (sidecars).
# -- Each container is defined as a complete container spec.
extraContainers: []
# - name: sidecar-example
#   image: quay.io/prometheus/busybox:latest
#   command: ["sh", "-c", "while true; do echo 'Sidecar running'; sleep 30; done"]
#   resources:
#     requests:
#       cpu: 10m
#       memory: 32Mi
#     limits:
#       cpu: 50m
#       memory: 64Mi

# Pod scheduling constraints; all empty by default.
nodeSelector: {}
tolerations: []
affinity: {}

# Path to the configuration file inside the container
configFilePath: /etc/kubernetes-mcp-server/config.toml
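# NOTE(review): the nesting below is reconstructed from a flattened listing;
# prometheusRule is assumed to sit under metrics next to serviceMonitor, and
# additionalRules under prometheusRule - confirm against the chart templates.
# -- Metrics and monitoring configuration
metrics:
  # -- ServiceMonitor configuration for Prometheus Operator monitoring
  serviceMonitor:
    # -- Enable ServiceMonitor for Prometheus scraping
    enabled: false
    # -- Additional labels for the ServiceMonitor (useful for prometheus-operator serviceMonitorSelector)
    labels: {}
    # -- Annotations for the ServiceMonitor
    annotations: {}
    # -- Scrape interval (e.g., "30s", "1m")
    interval: ""
    # -- Scrape timeout (e.g., "10s")
    scrapeTimeout: ""
    # When the server's tls section is enabled, the scrape presumably needs
    # scheme "https" and a matching tlsConfig.
    # -- Scheme to use for scraping (http or https)
    scheme: ""
    # -- TLS configuration for scraping
    tlsConfig: {}
    # -- Relabeling rules for metrics
    relabelings: []
    # -- Metric relabeling rules
    metricRelabelings: []

  # -- PrometheusRule configuration for recording rules
  # Recording rules aggregate high-cardinality metrics for efficient querying
  # and Telemeter compatibility
  prometheusRule:
    # -- Enable PrometheusRule for recording rules
    enabled: false
    # -- Additional labels for the PrometheusRule
    labels: {}
    # -- Annotations for the PrometheusRule
    annotations: {}
    # -- Default recording rules configuration
    defaultRules:
      # -- Enable default recording rules that aggregate MCP metrics
      # These rules create aggregates at two levels:
      #
      # Cluster-level (for Telemeter):
      #   - cluster:k8s_mcp_tool_calls:sum - Total tool calls across all tools
      #   - cluster:k8s_mcp_tool_errors:sum - Total tool errors across all tools
      #   - cluster:k8s_mcp_http_requests:sum - Total HTTP requests
      #
      # Namespace-level (for multi-tenant RBAC, grouped by namespace label):
      #   - namespace:k8s_mcp_tool_calls:sum - Tool calls by namespace
      #   - namespace:k8s_mcp_tool_errors:sum - Tool errors by namespace
      #   - namespace:k8s_mcp_http_requests:sum - HTTP requests by namespace
      enabled: true
    # -- Additional custom recording rules (appended to default rules if enabled)
    # Example:
    # additionalRules:
    #   - name: custom-mcp-rules
    #     rules:
    #       - record: my_custom_metric
    #         expr: sum(some_metric)
    additionalRules: []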
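# MCP Server configuration options. See https://github.com/containers/kubernetes-mcp-server/blob/main/pkg/config/config.go for details.
config:
  # The value is a template expression, quoted so YAML keeps it as a string;
  # presumably the chart renders it so the server listens on service.port.
  port: "{{ .Values.service.port }}"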