4.2.1 部署python版本的mcp¶
项目地址:https://pypi.org/project/mcp-kubernetes-server
该项目已经纳入pip的仓库了,可以直接使用pip install安装,非常方便。 该mcp提供了非常多的工具
1、命令行工具
| Tool | Description | Parameters |
|---|---|---|
| kubectl | Run any kubectl command and return the output | command (string) |
| helm | Run any helm command and return the output | command (string) |
2、只读的工具
| Tool | Description | Parameters |
|---|---|---|
| k8s_get | Fetch any Kubernetes object (or list) as JSON string | resource (string), name (string), namespace (string) |
| k8s_describe | Show detailed information about a specific resource or group of resources | resource_type (string), name (string, optional), namespace (string, optional), selector (string, optional), all_namespaces (boolean, optional) |
| k8s_logs | Print the logs for a container in a pod | pod_name (string), container (string, optional), namespace (string, optional), tail (integer, optional), previous (boolean, optional), since (string, optional), timestamps (boolean, optional), follow (boolean, optional) |
| k8s_events | List events in the cluster | namespace (string, optional), all_namespaces (boolean, optional), field_selector (string, optional), resource_type (string, optional), resource_name (string, optional), sort_by (string, optional), watch (boolean, optional) |
| k8s_apis | List all available APIs in the Kubernetes cluster | none |
| k8s_crds | List all Custom Resource Definitions (CRDs) in the Kubernetes cluster | none |
| k8s_top_nodes | Display resource usage (CPU/memory) of nodes | sort_by (string, optional) |
| k8s_top_pods | Display resource usage (CPU/memory) of pods | namespace (string, optional), all_namespaces (boolean, optional), sort_by (string, optional), selector (string, optional) |
| k8s_rollout_status | Get the status of a rollout for a deployment, daemonset, or statefulset | resource_type (string), name (string), namespace (string, optional) |
| k8s_rollout_history | Get the rollout history for a deployment, daemonset, or statefulset | resource_type (string), name (string), namespace (string, optional), revision (string, optional) |
| k8s_auth_can_i | Check whether an action is allowed | verb (string), resource (string), subresource (string, optional), namespace (string, optional), name (string, optional) |
| k8s_auth_whoami | Show the subject that you are currently authenticated as | none |
3、可写的工具
| Tool | Description | Parameters |
|---|---|---|
| k8s_create | Create a Kubernetes resource from YAML/JSON content | yaml_content (string), namespace (string, optional) |
| k8s_apply | Apply a configuration to a resource by filename or stdin | yaml_content (string), namespace (string, optional) |
| k8s_expose | Expose a resource as a new Kubernetes service | resource_type (string), name (string), port (integer), target_port (integer, optional), namespace (string, optional), protocol (string, optional), service_name (string, optional), labels (object, optional), selector (string, optional), type (string, optional) |
| k8s_run | Create and run a particular image in a pod | name (string), image (string), namespace (string, optional), command (array, optional), env (object, optional), labels (object, optional), restart (string, optional) |
| k8s_set_resources | Set resource limits and requests for containers | resource_type (string), resource_name (string), namespace (string, optional), containers (array, optional), limits (object, optional), requests (object, optional) |
| k8s_set_image | Set the image for a container | resource_type (string), resource_name (string), container (string), image (string), namespace (string, optional) |
| k8s_set_env | Set environment variables for a container | resource_type (string), resource_name (string), container (string), env_dict (object), namespace (string, optional) |
| k8s_rollout_undo | Undo a rollout for a deployment, daemonset, or statefulset | resource_type (string), name (string), namespace (string, optional), to_revision (string, optional) |
| k8s_rollout_restart | Restart a rollout for a deployment, daemonset, or statefulset | resource_type (string), name (string), namespace (string, optional) |
| k8s_rollout_pause | Pause a rollout for a deployment, daemonset, or statefulset | resource_type (string), name (string), namespace (string, optional) |
| k8s_rollout_resume | Resume a rollout for a deployment, daemonset, or statefulset | resource_type (string), name (string), namespace (string, optional) |
| k8s_scale | Scale a resource | resource_type (string), name (string), replicas (integer), namespace (string, optional) |
| k8s_autoscale | Autoscale a deployment, replica set, stateful set, or replication controller | resource_type (string), name (string), min (integer), max (integer), namespace (string, optional), cpu_percent (integer, optional) |
| k8s_cordon | Mark a node as unschedulable | node_name (string) |
| k8s_uncordon | Mark a node as schedulable | node_name (string) |
| k8s_drain | Drain a node in preparation for maintenance | node_name (string), force (boolean, optional), ignore_daemonsets (boolean, optional), delete_local_data (boolean, optional), timeout (integer, optional) |
| k8s_taint | Update the taints on one or more nodes | node_name (string), key (string), value (string, optional), effect (string) |
| k8s_untaint | Remove the taints from a node | node_name (string), key (string), effect (string, optional) |
| k8s_exec_command | Execute a command in a container | pod_name (string), command (string), container (string, optional), namespace (string, optional), stdin (boolean, optional), tty (boolean, optional), timeout (integer, optional) |
| k8s_port_forward | Forward one or more local ports to a pod | resource_type (string), name (string), ports (array), namespace (string, optional), address (string, optional) |
| k8s_cp | Copy files and directories to and from containers | src_path (string), dst_path (string), container (string, optional), namespace (string, optional) |
| k8s_patch | Update fields of a resource | resource_type (string), name (string), patch (object), namespace (string, optional) |
| k8s_label | Update the labels on a resource | resource_type (string), name (string), labels (object), namespace (string, optional), overwrite (boolean, optional) |
| k8s_annotate | Update the annotations on a resource | resource_type (string), name (string), annotations (object), namespace (string, optional), overwrite (boolean, optional) |
4、删除工具
| Tool | Description | Parameters |
|---|---|---|
| k8s_delete | Delete resources by name, label selector, or all resources in a namespace | resource_type (string), name (string, optional), namespace (string, optional), label_selector (string, optional), all_namespaces (boolean, optional), force (boolean, optional), grace_period (integer, optional) |
注意:
- 该MCP需要python版本不低于3.11
- 将该MCP部署在k8s集群的某个节点上,它需要访问到kubeconfig,并且该节点上可以执行kubectl、heml命令
4.2.1.1 安装helm¶
适配k8s1.32版本的helm版本:3.17、3.18、3.19
这里我安装3.18
1、下载二进制包
wget https://get.helm.sh/helm-v3.18.2-linux-amd64.tar.gz
2、解压并做软链
tar zxf helm-v3.18.2-linux-amd64.tar.gz -C /opt/
mv /opt/linux-amd64/ /opt/helm
ln -s /opt/helm/helm /bin/
3、添加仓库,这样会把该仓库添加到本地
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add stable http://mirror.azure.cn/kubernetes/charts/
4、更新仓库列表到本地
helm repo update
5、安装应用(比如nginx)
##先搜一下
helm search repo nginx
#这个nginx-test就是release名字,同时也是service和deployment/statefulset以及pod前缀,当然你也可以不去定义release name,让Helm帮忙定义,那么命令就要改为helm install bitnami/nginx --generate-name
helm install nginx-test bitnami/nginx
6、安装完后,查看用helm安装过的chart
helm list -A #-A会列出所有namespace里的release,不加-A只列default namespace里的release
7、卸载
helm uninstall nginx-test
更多操作,参考 https://app.yinxiang.com/fx/7d2ee259-5a8a-4b3a-8268-c371ff334f22
4.2.1.2 安装mcp¶
我系统为Rocky9.4,可以使用yum安装python3.12:
yum install -y python3.12 python3.12-pip
用pip安装mcp
python3.12 -m pip install mcp-kubernetes-server -i https://mirrors.aliyun.com/pypi/simple/
启动mcp服务
nohup mcp-kubernetes-server --transport sse --host
4.2.2 部署go版本的mcp(python或go二选一)¶
项目地址: https://github.com/containers/kubernetes-mcp-server.git
该MCP项目并非官方提供,是一个开源项目,相比较python版本的mcp,其提供的工具不算多,后面大家可以基于该开源项目做定制化开发更多工具。
以下操作大家可以在k8s那台机器上操作,这样就比较方便将docker镜像导入为k8s的镜像,否则还需要远程传输到k8s节点上。
1、克隆代码
git clone https://github.com/containers/kubernetes-mcp-server.git
cd kubernetes-mcp-server
2、编译镜像
docker build --build-arg HTTP_PROXY="http://t.lishiming.net:15888" --build-arg HTTPS_PROXY="http://new.lishiming.net:15888" -t kubernetes-mcp-server:latest
说明:由于该镜像编译过程中需要下载很多资源,但好多因为网络原因无法直接下载到,所以需要设置代理
3、将镜像导入为k8s镜像
# 导出镜像docker save kubernetes-mcp-server:latest -o k8s-mcp.tar# 加载进 containerdctr -n k8s.io images import /tmp/k8s-mcp.tar# 检查是否导入成功ctr -n k8s.io images ls | grep kubernetes-mcp
4、编写将mcp部署到k8s的yaml文件
文件名:k8s-mcp.yaml
apiVersion: v1
kind: Namespace
metadata:
name: mcp-tools
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8s-mcp-server-sa
namespace: mcp-tools
---
# 授予最小权限原则 (Principle of Least Privilege)
# 我们只授予读取、描述和日志查看权限,避免任何破坏性操作
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole # 使用 ClusterRole 以便跨命名空间查询
metadata:
name: k8s-mcp-server-role
rules:
- apiGroups: [""]
resources: ["pods", "nodes", "services", "namespaces", "events"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources: ["deployments", "replicasets", "daemonsets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-mcp-server-rolebinding
subjects:
- kind: ServiceAccount
name: k8s-mcp-server-sa
namespace: mcp-tools
roleRef:
kind: ClusterRole
name: k8s-mcp-server-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubernetes-mcp-server
namespace: mcp-tools
labels:
app: kubernetes-mcp-server
spec:
replicas: 1
selector:
matchLabels:
app: kubernetes-mcp-server
template:
metadata:
labels:
app: kubernetes-mcp-server
spec:
serviceAccountName: k8s-mcp-server-sa
containers:
- name: server
# 使用自己编译的镜像
image: kubernetes-mcp-server:latest
imagePullPolicy: IfNotPresent
# 该镜像默认使用集群内配置,无需额外参数
# 如果需要指定 kubeconfig,可以添加 args 和 volume
# args: ["--kubeconfig", "/etc/kubeconfig/config"]
# volumeMounts:
# - name: kubeconfig
# mountPath: /etc/kubeconfig
# readOnly: true
# volumes:
# - name: kubeconfig
# secret:
# secretName: kubeconfig-secret
---
apiVersion: v1
kind: Service
metadata:
name: kubernetes-mcp-server
namespace: mcp-tools
spec:
selector:
app: kubernetes-mcp-server
type: NodePort
ports:
- name: http
port: 8080 # Pod 内部端口
targetPort: 8080
nodePort: 30080
5、应用该yaml文件
kubectl apply -f k8s-mcp.yaml
4.3 在Dify中配置k8s的MCP¶
菜单栏点击“工具”,再点击“MCP”,然后添加MCP服务
4.3.1 基于python版本¶
1、服务端点URL:http://hostip:8080/sse (这里hostip是部署mcp工具的机器ip)
2、名称、服务器标识:k8s-mcp
3、认证,无需认证
4.3.2 基于go版本¶
1、服务端点URL:http://<host>:30080/sse(这里host地址就是你k8s节点的IP地址)
2、名称、服务器标识:k8s-mcp
3、认证,这需要获取前面创建的ServiceAccount用户的Token
先进入mcp的pod里
POD_NAME=$(kubectl get pods -n mcp-tools -l app=kubernetes-mcp-server -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it $POD_NAME -n mcp-tools -- sh
进到pod里,再查看token
cat /var/run/secrets/kubernetes.io/serviceaccount/token
注意请求值的格式: Bearer Token
点击“添加并授权”
4.4 在Dify里创建Agents应用¶
说明:以下操作基于python版本的mcp,go版本操作基本一样
提示词
你现在作为一个 Kubernetes 智能助手,背后连接了一个 “MCP K8s Server” 工具集,可执行对 Kubernetes 集群的各种操作(包括查询状态、执行命令、创建/更新/删除资源等)。
当用户以自然语言提出需求时,请按照以下流程操作:
1. 理解用户的意图:判断用户希望做什么(比如查看某个 Pod 日志、扩容 Deployment、标记节点为不可调度、删除某个 Service 等)。
2. 选择合适的工具:根据意图,从 MCP K8s Server 的工具集里选择一个最合适的工具。例如:
- 若仅仅读取某个资源信息,使用 `k8s_get` 或 `k8s_describe`。
- 若需要查看日志,使用 `k8s_logs`。
- 若需要执行任意 kubectl 命令,则使用 `kubectl` 工具。
- 若需要创建/修改资源,则使用 `k8s_create`、`k8s_apply`、`k8s_patch`。
- 若需要删除资源,使用 `k8s_delete`。
- 若需要节点操作(如 cordon/uncordon/drain),使用 `k8s_cordon`、`k8s_uncordon`、`k8s_drain` 等。
3. 构造调用参数:按照该工具所需的参数结构构造 JSON 或类似格式(如 `resource_type`、`name`、`namespace`、`selector`、`image`、`pods`、`containers` 等字段)。确保必要字段填写正确。
4. 错误防范:如果用户的意图不明确、参数不完整或可能造成破坏(如在生产环境删除全部 pods),请先提出澄清或者风险提示,而不是直接执行。
注意事项
1. 在生成调用语句时,务必严格遵循工具参数结构,以便 MCP K8s Server 能正确执行。
2. 如果用户的需求涉及k8s_delete,需要先给出删除提示,详细说明此操作会删除什么资源,一定要提示该操作是有风险的,请确认。
3. 如果用户希望直接用 `kubectl` 或 `helm` 命令,也可以,但请说明为何选这种通用命令工具,而不是专门接口。
4. 如果用户询问状态、事件、资源指标等,只进行“读取”工具,不执行写入。
5. 在解释里,可以加入 “操作后如何检查结果” 的建议,例如:执行完 `k8s_scale` 后,可用 `k8s_get` 或 `k8s_top_pods` 查看变化。
添加MCP工具
测试:
示例1:
查看我k8s里都有哪些namespace
示例2:
列出所有pod
示例3:
部署一个nginx实例
实例4:
查看nginx pod状态以及日志