Configuration

Configuration options for Kyverno MCP

Configuration Overview

Kyverno MCP can be configured through command-line flags and MCP client configuration files. This guide covers all configuration options and best practices.

Command Line Options

Basic Options

Flag	Description	Default	Example
`--kubeconfig`	Path to kubeconfig file	`$KUBECONFIG` or `~/.kube/config`	`--kubeconfig=/path/to/config`
`--help`	Show help message	-	`--help`
`--version`	Show version information	-	`--version`

Network Options

Flag	Description	Default	Example
`--http-addr`	HTTP(S) server bind address	None (stdio mode)	`--http-addr=:8443`
`--tls-cert`	TLS certificate file path	None	`--tls-cert=/path/to/cert.pem`
`--tls-key`	TLS private key file path	None	`--tls-key=/path/to/key.pem`

MCP Client Configuration

Claude Desktop

Location:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

Basic configuration:

{
  "mcpServers": {
    "kyverno": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/config"
      ]
    }
  }
}

Advanced configuration with multiple clusters:

{
  "mcpServers": {
    "kyverno-prod": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/prod-config"
      ]
    },
    "kyverno-staging": {
      "command": "/usr/local/bin/kyverno-mcp",
      "args": [
        "--kubeconfig=/Users/username/.kube/staging-config"
      ]
    }
  }
}

Other MCP Clients

For other MCP-compatible clients, use similar configuration patterns:

{
  "servers": [
    {
      "name": "kyverno",
      "transport": "stdio",
      "command": {
        "path": "/path/to/kyverno-mcp",
        "args": ["--kubeconfig=/path/to/kubeconfig"]
      }
    }
  ]
}

Network Mode Configuration

HTTPS Configuration (Production)

For production deployments, always use HTTPS:

Generate TLS certificates:

# Using OpenSSL
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Using certbot for Let's Encrypt
certbot certonly --standalone -d kyverno-mcp.example.com

Start the server:

kyverno-mcp \
  --http-addr :8443 \
  --tls-cert /path/to/cert.pem \
  --tls-key /path/to/key.pem

Configure your MCP client to connect via HTTPS:

{
  "mcpServers": {
    "kyverno": {
      "url": "https://kyverno-mcp.example.com:8443"
    }
  }
}

HTTP Configuration (Development Only)

⚠️ Warning: Never use plain HTTP in production!

For local development:

kyverno-mcp --http-addr :8080

Environment Variables

Kyverno MCP respects standard Kubernetes environment variables:

Variable	Description	Example
`KUBECONFIG`	Default kubeconfig path	`/home/user/.kube/config`
`KUBERNETES_MASTER`	API server URL	`https://k8s.example.com:6443`

Security Configuration

Kubeconfig Security

Use separate kubeconfig files for different environments:

# Production
kyverno-mcp --kubeconfig=$HOME/.kube/prod-config

# Staging
kyverno-mcp --kubeconfig=$HOME/.kube/staging-config

Limit permissions in kubeconfig:

users:
- name: kyverno-mcp
  user:
    token: <service-account-token>

Use service accounts instead of user credentials:

kubectl create sa kyverno-mcp -n kyverno
kubectl create clusterrolebinding kyverno-mcp --clusterrole=cluster-admin --serviceaccount=kyverno:kyverno-mcp

Network Security

Always use TLS in production
Implement network policies to restrict access
Use a reverse proxy (nginx, HAProxy) for additional security layers

Example nginx configuration:

server {
    listen 443 ssl;
    server_name kyverno-mcp.example.com;
    
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Performance Tuning

Connection Pooling

For high-traffic scenarios, configure connection pooling:

// This is handled internally, but you can tune via environment variables
export GOGC=100  # Garbage collection target percentage
export GOMAXPROCS=4  # Maximum number of CPUs

Resource Limits

When running in containers, set appropriate resource limits:

resources:
  requests:
    memory: "64Mi"
    cpu: "250m"
  limits:
    memory: "128Mi"
    cpu: "500m"

Logging and Debugging

Enable Debug Logging

kyverno-mcp --log-level=debug

Log Formats

Text (default): Human-readable logs
JSON: Structured logs for parsing

kyverno-mcp --log-format=json

Configuration Best Practices

Separate Configurations: Use different configurations for different environments
Version Control: Store configurations in version control (excluding secrets)
Secret Management: Use proper secret management tools for sensitive data
Regular Updates: Keep configurations up to date with security patches
Monitoring: Configure logging and monitoring for production deployments

Next Steps

Learn about Troubleshooting