Configuration
Configuration options for Kyverno MCP
Configuration Overview
Kyverno MCP can be configured through command-line flags and MCP client configuration files. This guide covers all configuration options and best practices.
Command Line Options
Basic Options
Flag | Description | Default | Example
---|---|---|---
`--kubeconfig` | Path to kubeconfig file | `$KUBECONFIG` or `~/.kube/config` | `--kubeconfig=/path/to/config`
`--help` | Show help message | - | `--help`
`--version` | Show version information | - | `--version`
Network Options
Flag | Description | Default | Example
---|---|---|---
`--http-addr` | HTTP(S) server bind address | None (stdio mode) | `--http-addr=:8443`
`--tls-cert` | TLS certificate file path | None | `--tls-cert=/path/to/cert.pem`
`--tls-key` | TLS private key file path | None | `--tls-key=/path/to/key.pem`
MCP Client Configuration
Claude Desktop
Location:
- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
- Linux: `~/.config/Claude/claude_desktop_config.json`
Basic configuration:
```json
{
  "mcpServers": {
    "kyverno": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/config"
      ]
    }
  }
}
```
Advanced configuration with multiple clusters:
```json
{
  "mcpServers": {
    "kyverno-prod": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/prod-config"
      ]
    },
    "kyverno-staging": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/staging-config"
      ]
    }
  }
}
```
Other MCP Clients
For other MCP-compatible clients, use similar configuration patterns:
```json
{
  "servers": [
    {
      "name": "kyverno",
      "transport": "stdio",
      "command": {
        "path": "/path/to/kyverno-mcp",
        "args": ["--kubeconfig=/path/to/kubeconfig"]
      }
    }
  ]
}
```
Network Mode Configuration
HTTPS Configuration (Production)
For production deployments, always use HTTPS:
- Generate TLS certificates:

```bash
# Using OpenSSL
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Using certbot for Let's Encrypt
certbot certonly --standalone -d kyverno-mcp.example.com
```

- Start the server:

```bash
kyverno-mcp \
  --http-addr :8443 \
  --tls-cert /path/to/cert.pem \
  --tls-key /path/to/key.pem
```

- Configure your MCP client to connect via HTTPS:

```json
{
  "mcpServers": {
    "kyverno": {
      "url": "https://kyverno-mcp.example.com:8443"
    }
  }
}
```
HTTP Configuration (Development Only)
⚠️ Warning: Never use plain HTTP in production!
For local development:
```bash
kyverno-mcp --http-addr :8080
```
Environment Variables
Kyverno MCP respects standard Kubernetes environment variables:
Variable | Description | Example
---|---|---
`KUBECONFIG` | Default kubeconfig path | `/home/user/.kube/config`
`KUBERNETES_MASTER` | API server URL | `https://k8s.example.com:6443`
Security Configuration
Kubeconfig Security
- Use separate kubeconfig files for different environments:

```bash
# Production
kyverno-mcp --kubeconfig=$HOME/.kube/prod-config

# Staging
kyverno-mcp --kubeconfig=$HOME/.kube/staging-config
```

- Limit permissions in kubeconfig:

```yaml
users:
  - name: kyverno-mcp
    user:
      token: <service-account-token>
```

- Use service accounts instead of user credentials:

```bash
kubectl create sa kyverno-mcp -n kyverno
kubectl create clusterrolebinding kyverno-mcp --clusterrole=cluster-admin --serviceaccount=kyverno:kyverno-mcp
```
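A least-privilege alternative to binding the service account to `cluster-admin`, added here as an example and not part of the Kyverno MCP project: it grants `kyverno-mcp` read-only access to Kyverno policies and policy reports. The API groups (`kyverno.io`, `wgpolicyk8s.io`) are the real ones; the assumption that the server only needs to read policies and reports is mine, so widen the verbs only for the tools you actually enable.

```yaml
# Added example: least-privilege RBAC for the kyverno-mcp service account.
# Assumption: the MCP server only reads policies and reports; add verbs
# (create/update/patch/delete) only for the tools you actually enable.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kyverno-mcp
  namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno-mcp-readonly
rules:
  # Kyverno policies and policy exceptions
  - apiGroups: ["kyverno.io"]
    resources: ["clusterpolicies", "policies", "policyexceptions"]
    verbs: ["get", "list", "watch"]
  # Policy reports produced by Kyverno
  - apiGroups: ["wgpolicyk8s.io"]
    resources: ["policyreports", "clusterpolicyreports"]
    verbs: ["get", "list", "watch"]
  # Namespaces, so reports can be enumerated per namespace
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno-mcp-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno-mcp-readonly
subjects:
  - kind: ServiceAccount
    name: kyverno-mcp
    namespace: kyverno
```

After `kubectl apply -f`, mint a short-lived token with `kubectl create token kyverno-mcp -n kyverno` for the `token:` field of the kubeconfig above. Confirm the scope with `kubectl auth can-i delete clusterpolicies --as=system:serviceaccount:kyverno:kyverno-mcp`, which should answer `no`.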
Network Security
- Always use TLS in production
- Implement network policies to restrict access
- Use a reverse proxy (nginx, HAProxy) for additional security layers
Example nginx configuration:

```nginx
server {
    listen 443 ssl;
    server_name kyverno-mcp.example.com;

    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
Performance Tuning
Connection Pooling
For high-traffic scenarios, configure connection pooling:
```bash
# Connection handling is managed internally by the Go runtime,
# but it can be tuned via these environment variables
export GOGC=100        # Garbage collection target percentage
export GOMAXPROCS=4    # Maximum number of CPUs
```
Resource Limits
When running in containers, set appropriate resource limits:
```yaml
resources:
  requests:
    memory: "64Mi"
    cpu: "250m"
  limits:
    memory: "128Mi"
    cpu: "500m"
```
Logging and Debugging
Enable Debug Logging
```bash
kyverno-mcp --log-level=debug
```
Log Formats
- Text (default): human-readable logs
- JSON: structured logs for parsing

```bash
kyverno-mcp --log-format=json
```
Configuration Best Practices
- Separate Configurations: Use different configurations for different environments
- Version Control: Store configurations in version control (excluding secrets)
- Secret Management: Use proper secret management tools for sensitive data
- Regular Updates: Keep configurations up to date with security patches
- Monitoring: Configure logging and monitoring for production deployments
Next Steps
- Learn about Troubleshooting