Configuration

Configuration options for Kyverno MCP

Configuration Overview

Kyverno MCP can be configured through command-line flags and MCP client configuration files. This guide covers all configuration options and best practices.

Command Line Options

Basic Options

  • --kubeconfig: Path to kubeconfig file. Default: $KUBECONFIG or ~/.kube/config. Example: --kubeconfig=/path/to/config
  • --help: Show help message. Example: --help
  • --version: Show version information. Example: --version

Network Options

  • --http-addr: HTTP(S) server bind address; omit it to run in stdio mode. ":8443" listens on every interface, "127.0.0.1:8443" on loopback only (use the latter behind a reverse proxy). Default: none (stdio mode). Example: --http-addr=:8443
  • --tls-cert: TLS certificate file path (PEM). Required together with --tls-key whenever --http-addr is used outside local development. Default: none. Example: --tls-cert=/path/to/cert.pem
  • --tls-key: TLS private key file path (PEM); keep the file mode 0600. Default: none. Example: --tls-key=/path/to/key.pem

MCP Client Configuration

Claude Desktop

Location:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

Basic configuration (use absolute paths: the client passes args to the binary as written, without shell expansion, so ~ and $HOME are not resolved):

{
  "mcpServers": {
    "kyverno": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/config"
      ]
    }
  }
}

Advanced configuration with multiple clusters:

{
  "mcpServers": {
    "kyverno-prod": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/prod-config"
      ]
    },
    "kyverno-staging": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/staging-config"
      ]
    }
  }
}

Other MCP Clients

For other MCP-compatible clients, use similar configuration patterns. The schema below is illustrative; check your client's documentation for its exact keys:

{
  "servers": [
    {
      "name": "kyverno",
      "transport": "stdio",
      "command": {
        "path": "/path/to/kyverno-mcp",
        "args": ["--kubeconfig=/path/to/kubeconfig"]
      }
    }
  ]
}

Network Mode Configuration

HTTPS Configuration (Production)

For production deployments, always use HTTPS:

  1. Generate TLS certificates. A self-signed certificate is fine for testing, but clients must be told to trust cert.pem and its subjectAltName must match the host name they connect to; without -subj and -addext OpenSSL prompts interactively and emits a certificate with no SAN, which modern clients reject:
# Using OpenSSL (self-signed, testing only)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes \
  -subj "/CN=kyverno-mcp.example.com" -addext "subjectAltName=DNS:kyverno-mcp.example.com"
chmod 600 key.pem

# Using certbot for Let's Encrypt (port 80 on this host must be reachable and the DNS name must point at it;
# the result lands in /etc/letsencrypt/live/kyverno-mcp.example.com/{fullchain,privkey}.pem)
certbot certonly --standalone -d kyverno-mcp.example.com
  2. Start the server:
kyverno-mcp \
  --http-addr :8443 \
  --tls-cert /path/to/cert.pem \
  --tls-key /path/to/key.pem
  3. Configure your MCP client to connect via HTTPS (the exact key differs between clients; this is the mcpServers form):
{
  "mcpServers": {
    "kyverno": {
      "url": "https://kyverno-mcp.example.com:8443"
    }
  }
}

HTTP Configuration (Development Only)

⚠️ Warning: Never use plain HTTP in production!

For local development, bind to the loopback interface so the unencrypted port is not reachable from the network (":8080" on its own listens on every interface):

kyverno-mcp --http-addr 127.0.0.1:8080
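The client configuration and the network-mode flags above are easy to get subtly wrong: a command that is not an absolute path, a kubeconfig readable by other users, a --http-addr without --tls-cert/--tls-key, a bind address on every interface, or a client url that starts with http://. The linter below is an added example, not part of Kyverno MCP or of this page's own material. It assumes the mcpServers layout shown for Claude Desktop, and it builds its own throw-away config and a placeholder kubeconfig in a temporary directory so it runs offline; the finding texts, the /bin/sh stand-in command and the placeholder files are all constructed for the example.

```python
"""Lint an MCP client configuration for Kyverno MCP before shipping it.

Added example, not Kyverno MCP's own code. Assumes the Claude Desktop
"mcpServers" layout; adapt lint_config for other clients' schemas.
"""
import json
import os
import stat
import tempfile
from pathlib import Path


def _flag_value(args, flag):
    """Value of --flag=value or '--flag value' in an args list, or None if absent."""
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def lint_server(name, server):
    """Return a list of findings (strings) for one mcpServers entry."""
    findings = []
    if "url" in server:  # remote server: only the scheme is checkable from here
        if server["url"].startswith("http://"):
            findings.append(f"{name}: url uses plain HTTP; use https:// outside local development")
        return findings

    cmd = server.get("command", "")
    if not os.path.isabs(cmd):
        findings.append(f"{name}: command {cmd!r} is not an absolute path; the client's PATH is not under your control")
    elif not os.access(cmd, os.X_OK):
        findings.append(f"{name}: command {cmd!r} does not exist or is not executable")

    args = server.get("args", [])
    kc = _flag_value(args, "--kubeconfig")
    if kc is None:
        findings.append(f"{name}: no --kubeconfig; the server will fall back to $KUBECONFIG or ~/.kube/config")
    elif "$" in kc or kc.startswith("~"):
        findings.append(f"{name}: kubeconfig {kc!r} uses $VAR or ~, which is passed literally without a shell; use an absolute path")
    elif not os.path.isfile(kc):
        findings.append(f"{name}: kubeconfig {kc!r} not found")
    else:
        mode = stat.S_IMODE(os.stat(kc).st_mode)
        if mode & 0o077:  # any group or other bit set
            findings.append(f"{name}: kubeconfig {kc!r} mode {mode:04o} is group/world accessible; chmod 600")

    addr = _flag_value(args, "--http-addr")
    if addr is not None:
        if not (_flag_value(args, "--tls-cert") and _flag_value(args, "--tls-key")):
            findings.append(f"{name}: --http-addr {addr} without --tls-cert/--tls-key serves plain HTTP")
        host = addr.rsplit(":", 1)[0]
        if host in ("", "0.0.0.0", "::", "[::]"):
            findings.append(f"{name}: --http-addr {addr} binds every interface; bind 127.0.0.1 when behind a reverse proxy")
    return findings


def lint_config(path):
    """Lint every server in a Claude Desktop style config file."""
    with open(path) as fh:
        cfg = json.load(fh)
    findings = []
    for name, server in cfg.get("mcpServers", {}).items():
        findings.extend(lint_server(name, server))
    return findings


def demo():
    """Constructed config in a temp dir: deliberately flawed so every check fires at least once."""
    tmp = Path(tempfile.mkdtemp())
    kc = tmp / "prod-config"
    kc.write_text("apiVersion: v1\nkind: Config\n")  # placeholder, not a real kubeconfig
    kc.chmod(0o644)  # deliberately too open
    cfg = {"mcpServers": {
        "kyverno-prod": {"command": "kyverno-mcp", "args": [f"--kubeconfig={kc}"]},
        # /bin/sh stands in for an existing executable so only the flag checks fire
        "kyverno-dev": {"command": "/bin/sh", "args": ["--kubeconfig", str(kc), "--http-addr=:8080"]},
        "kyverno-remote": {"url": "http://kyverno-mcp.example.com:8080"},
    }}
    path = tmp / "claude_desktop_config.json"
    path.write_text(json.dumps(cfg, indent=2))
    return lint_config(str(path))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against your real file with lint_config("/path/to/claude_desktop_config.json"); an empty list is the goal before the config goes anywhere near a production kubeconfig.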

Environment Variables

Kyverno MCP respects standard Kubernetes environment variables:

  • KUBECONFIG: Default kubeconfig path, used when --kubeconfig is not given. Example: /home/user/.kube/config
  • KUBERNETES_MASTER: API server URL. Example: https://k8s.example.com:6443

Security Configuration

Kubeconfig Security

  1. Use separate kubeconfig files for different environments:
# Production
kyverno-mcp --kubeconfig=$HOME/.kube/prod-config

# Staging
kyverno-mcp --kubeconfig=$HOME/.kube/staging-config
  2. Limit permissions in kubeconfig. The file should carry only a token for a service account bound to the permissions the server needs, not a personal admin credential, and it should be mode 0600:
users:
- name: kyverno-mcp
  user:
    token: <service-account-token>
  3. Use service accounts instead of user credentials, and bind the account to a role scoped to what the server actually needs rather than cluster-admin: cluster-admin hands the MCP server, and whatever client or model drives it, full control of the cluster. The resource list below is an example giving read access to Kyverno policies and policy reports; widen it only to what the tools you enable need. The token is short-lived (kubectl 1.24+), so rotate it rather than minting a long-lived one:
kubectl create sa kyverno-mcp -n kyverno
kubectl create clusterrole kyverno-mcp-reader --verb=get,list,watch --resource=clusterpolicies.kyverno.io,policies.kyverno.io,policyreports.wgpolicyk8s.io,clusterpolicyreports.wgpolicyk8s.io
kubectl create clusterrolebinding kyverno-mcp --clusterrole=kyverno-mcp-reader --serviceaccount=kyverno:kyverno-mcp
kubectl create token kyverno-mcp -n kyverno --duration=1h
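The three steps above fit together as one small script: emit the RBAC objects, check that nothing in them is broader than read access, and write a kubeconfig that holds only the service-account token and is never readable by anyone else. The code below is an added example, not Kyverno MCP's own; it writes kubectl-applyable JSON (kubectl reads JSON as well as YAML) so it needs nothing outside the standard library. The API groups it grants (kyverno.io for policies, wgpolicyk8s.io for policy reports), the role name kyverno-mcp-reader, the context name and the placeholder CA and token files are all assumptions of the example.

```python
"""Least-privilege RBAC and a 0600 kubeconfig for Kyverno MCP.

Added example, not Kyverno MCP's own code. Emits JSON for `kubectl apply -f`.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

READ_ONLY = ["get", "list", "watch"]

# Assumption: the tools only read Kyverno policies (kyverno.io) and policy reports
# (wgpolicyk8s.io). Widen this only to what the tools you enable actually need.
RULES = [
    {"apiGroups": ["kyverno.io"],
     "resources": ["clusterpolicies", "policies"], "verbs": READ_ONLY},
    {"apiGroups": ["wgpolicyk8s.io"],
     "resources": ["policyreports", "clusterpolicyreports"], "verbs": READ_ONLY},
]


def rbac_manifests(namespace="kyverno", sa="kyverno-mcp", role="kyverno-mcp-reader"):
    """ServiceAccount, ClusterRole and ClusterRoleBinding as one List for kubectl apply -f."""
    rbac = "rbac.authorization.k8s.io"
    return {"apiVersion": "v1", "kind": "List", "items": [
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": sa, "namespace": namespace}},
        {"apiVersion": f"{rbac}/v1", "kind": "ClusterRole",
         "metadata": {"name": role}, "rules": RULES},
        {"apiVersion": f"{rbac}/v1", "kind": "ClusterRoleBinding",
         "metadata": {"name": role},
         "roleRef": {"apiGroup": rbac, "kind": "ClusterRole", "name": role},
         "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": namespace}]},
    ]}


def least_privilege(manifests):
    """False if any binding points at cluster-admin or any rule grants more than read verbs."""
    for item in manifests["items"]:
        if item["kind"].endswith("Binding") and item["roleRef"]["name"] == "cluster-admin":
            return False
        for rule in item.get("rules", []):
            if set(rule["verbs"]) - set(READ_ONLY):  # write or wildcard verbs present
                return False
    return True


def write_kubeconfig(path, server, ca_path, token_file, context="kyverno-prod", user="kyverno-mcp"):
    """Write a kubeconfig whose only credential is the SA token, mode 0600 from creation.

    The token is read from a file (e.g. `kubectl create token kyverno-mcp -n kyverno
    --duration=1h > token`) rather than taken as an argument, so it stays out of
    shell history and `ps`. Returns the resulting file mode.
    """
    token = Path(token_file).read_text().strip()
    cfg = {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": context,
                      "cluster": {"server": server, "certificate-authority": str(ca_path)}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context, "context": {"cluster": context, "user": user}}],
        "current-context": context,
    }
    # O_CREAT with 0o600 leaves no window in which the file is group/world readable
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh, indent=2)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed inputs in a temp dir: placeholder CA and token files, not real credentials."""
    tmp = Path(tempfile.mkdtemp())
    ca = tmp / "ca.crt"
    ca.write_text("placeholder, not a real certificate\n")
    tok = tmp / "token"
    tok.write_text("constructed-placeholder-token\n")
    (tmp / "rbac.json").write_text(json.dumps(rbac_manifests(), indent=2))
    kc = tmp / "prod-config"
    mode = write_kubeconfig(kc, "https://k8s.example.com:6443", ca, tok)
    return str(kc), mode


if __name__ == "__main__":
    path, mode = demo()
    print(f"wrote {path} with mode {mode:04o}; rbac.json is alongside it")
```

Apply rbac.json with kubectl apply -f, mint the token into a file, then point --kubeconfig at the generated file; the same least_privilege check can run in CI over any RBAC you hand-write later, so a cluster-admin binding never slips back in.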

Network Security

  1. Always use TLS in production
  2. Implement network policies so that only the clients (or the proxy) that need the server's port can reach it
  3. Use a reverse proxy (nginx, HAProxy) for additional security layers: TLS termination, client authentication, rate limiting and access logs

Example nginx configuration. It terminates TLS and forwards to a kyverno-mcp started with --http-addr 127.0.0.1:8080, so the plain-HTTP listener is reachable only through the proxy:

server {
    listen 443 ssl;
    server_name kyverno-mcp.example.com;

    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # kyverno-mcp must listen on 127.0.0.1:8080 only; 0.0.0.0:8080 would let clients bypass the proxy
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # MCP over HTTP streams responses (SSE): do not buffer them or cut long-lived streams short
        proxy_buffering off;
        proxy_read_timeout 1h;
    }
}

Performance Tuning

Runtime Tuning

Connection pooling to the API server is handled internally and has no flag of its own. What can be tuned from outside is the Go runtime, through the standard environment variables every Go binary reads:

# Go runtime environment variables (no kyverno-mcp flags needed)
export GOGC=100       # garbage collection target percentage (default 100; higher trades memory for less GC CPU)
export GOMAXPROCS=4   # maximum number of OS threads running Go code (default: number of CPUs the host reports)

Resource Limits

When running in containers, set appropriate resource limits. With a CPU limit below the node's CPU count, also set GOMAXPROCS to match it (for the limits below, GOMAXPROCS=1), because older Go runtimes size it from the host's CPU count rather than the cgroup limit:

resources:
  requests:
    memory: "64Mi"
    cpu: "250m"
  limits:
    memory: "128Mi"
    cpu: "500m"

Logging and Debugging

Enable Debug Logging

kyverno-mcp --log-level=debug

Debug output is verbose and meant for troubleshooting; keep the default level in production.

Log Formats

  • Text (default): Human-readable logs
  • JSON: Structured logs for parsing, the right choice when shipping logs to a SIEM or log pipeline

kyverno-mcp --log-format=json

Configuration Best Practices

  1. Separate Configurations: Use different configurations for different environments
  2. Version Control: Store configurations in version control (excluding secrets)
  3. Secret Management: Use proper secret management tools for sensitive data
  4. Regular Updates: Keep configurations up to date with security patches
  5. Monitoring: Configure logging and monitoring for production deployments

Next Steps