feat(auth): Authorize user from custom SSE header

manusa · manusa · commit 2bd12f8a64f9 · 2025-05-28T12:35:54.000+02:00
PoC to show how we can propagate an Authorization Bearer token
from the MCP client up to the Kubernetes API by passing a custom
header (Kubernetes-Authorization-Bearer-Token).

A new Derived client is necessary for each request due to the incompleteness
of some of the client-go clients.
This might add some overhead for each prompt.
Ideally, the issue with the discoveryclient and others should be fixed to
allow reading the authorization header from the request context.

To use the feature, the MCP Server still needs to be started with a basic
configuration (either provided InCluster by a service account or locally by
 a .kube/config file) so that it's able to infer the server settings.
diff --git a/pkg/kubernetes/impersonate_roundtripper.go b/pkg/kubernetes/impersonate_roundtripper.go
@@ -0,0 +1,20 @@
+package kubernetes
+
+import "net/http"
+
+const (
+	AuthorizationHeader            = "Kubernetes-Authorization"
+	AuthorizationBearerTokenHeader = "Kubernetes-Authorization-Bearer-Token"
+)
+
+type impersonateRoundTripper struct {
+	delegate http.RoundTripper
+}
+
+func (irt *impersonateRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	// TODO: Solution won't work with discoveryclient which uses context.TODO() instead of the passed-in context
+	if v, ok := req.Context().Value(AuthorizationHeader).(string); ok {
+		req.Header.Set("Authorization", v)
+	}
+	return irt.delegate.RoundTrip(req)
+}
diff --git a/pkg/kubernetes/kubernetes.go b/pkg/kubernetes/kubernetes.go
@@ -1,6 +1,7 @@
 package kubernetes
 
 import (
+	"context"
 	"github.com/fsnotify/fsnotify"
 	"github.com/manusa/kubernetes-mcp-server/pkg/helm"
 	v1 "k8s.io/api/core/v1"
@@ -14,6 +15,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/restmapper"
 	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"sigs.k8s.io/yaml"
 )
 
@@ -41,6 +43,10 @@ func NewKubernetes(kubeconfig string) (*Kubernetes, error) {
 	if err := resolveKubernetesConfigurations(k8s); err != nil {
 		return nil, err
 	}
+	// TODO: Won't work because not all client-go clients use the shared context (e.g. discovery client uses context.TODO())
+	//k8s.cfg.Wrap(func(original http.RoundTripper) http.RoundTripper {
+	//	return &impersonateRoundTripper{original}
+	//})
 	var err error
 	k8s.clientSet, err = kubernetes.NewForConfig(k8s.cfg)
 	if err != nil {
@@ -115,6 +121,37 @@ func (k *Kubernetes) ToRESTMapper() (meta.RESTMapper, error) {
 	return k.deferredDiscoveryRESTMapper, nil
 }
 
+func (k *Kubernetes) Derived(ctx context.Context) *Kubernetes {
+	bearerToken, ok := ctx.Value(AuthorizationBearerTokenHeader).(string)
+	if !ok {
+		return k
+	}
+	var _ error // TODO: ignored --> should be handled eventually
+	derivedCfg := rest.CopyConfig(k.cfg)
+	derivedCfg.BearerToken = bearerToken
+	derivedCfg.BearerTokenFile = ""
+	derivedCfg.AuthProvider = nil
+	derivedCfg.Username = ""
+	derivedCfg.Password = ""
+	derivedCfg.Impersonate = rest.ImpersonationConfig{}
+	clientcmdapiConfig, _ := k.clientCmdConfig.RawConfig()
+	clientcmdapiConfig.AuthInfos = make(map[string]*clientcmdapi.AuthInfo)
+	derived := &Kubernetes{
+		Kubeconfig:      k.Kubeconfig,
+		clientCmdConfig: clientcmd.NewDefaultClientConfig(clientcmdapiConfig, nil),
+		cfg:             derivedCfg,
+	}
+	derived.clientSet, _ = kubernetes.NewForConfig(derived.cfg)
+	discoveryClient, _ := discovery.NewDiscoveryClientForConfig(derived.cfg)
+	derived.discoveryClient = memory.NewMemCacheClient(discoveryClient)
+	derived.deferredDiscoveryRESTMapper = restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(derived.discoveryClient))
+	derived.dynamicClient, _ = dynamic.NewForConfig(derived.cfg)
+	derived.scheme = runtime.NewScheme()
+	derived.parameterCodec = runtime.NewParameterCodec(derived.scheme)
+	derived.Helm = helm.NewHelm(derived)
+	return derived
+}
+
 func marshal(v any) (string, error) {
 	switch t := v.(type) {
 	case []unstructured.Unstructured:
diff --git a/pkg/mcp/events.go b/pkg/mcp/events.go
@@ -27,7 +27,7 @@ func (s *Server) eventsList(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.
 	if namespace == nil {
 		namespace = ""
 	}
-	ret, err := s.k.EventsList(ctx, namespace.(string))
+	ret, err := s.k.Derived(ctx).EventsList(ctx, namespace.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list events in all namespaces: %v", err)), nil
 	}
diff --git a/pkg/mcp/helm.go b/pkg/mcp/helm.go
@@ -64,14 +64,14 @@ func (s *Server) helmInstall(ctx context.Context, ctr mcp.CallToolRequest) (*mcp
 	if v, ok := ctr.GetArguments()["namespace"].(string); ok {
 		namespace = v
 	}
-	ret, err := s.k.Helm.Install(ctx, chart, values, name, namespace)
+	ret, err := s.k.Derived(ctx).Helm.Install(ctx, chart, values, name, namespace)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to install helm chart '%s': %w", chart, err)), nil
 	}
 	return NewTextResult(ret, err), nil
 }
 
-func (s *Server) helmList(_ context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+func (s *Server) helmList(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
 	allNamespaces := false
 	if v, ok := ctr.GetArguments()["all_namespaces"].(bool); ok {
 		allNamespaces = v
@@ -80,14 +80,14 @@ func (s *Server) helmList(_ context.Context, ctr mcp.CallToolRequest) (*mcp.Call
 	if v, ok := ctr.GetArguments()["namespace"].(string); ok {
 		namespace = v
 	}
-	ret, err := s.k.Helm.List(namespace, allNamespaces)
+	ret, err := s.k.Derived(ctx).Helm.List(namespace, allNamespaces)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list helm releases in namespace '%s': %w", namespace, err)), nil
 	}
 	return NewTextResult(ret, err), nil
 }
 
-func (s *Server) helmUninstall(_ context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+func (s *Server) helmUninstall(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
 	var name string
 	ok := false
 	if name, ok = ctr.GetArguments()["name"].(string); !ok {
@@ -97,7 +97,7 @@ func (s *Server) helmUninstall(_ context.Context, ctr mcp.CallToolRequest) (*mcp
 	if v, ok := ctr.GetArguments()["namespace"].(string); ok {
 		namespace = v
 	}
-	ret, err := s.k.Helm.Uninstall(name, namespace)
+	ret, err := s.k.Derived(ctx).Helm.Uninstall(name, namespace)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to uninstall helm chart '%s': %w", name, err)), nil
 	}
diff --git a/pkg/mcp/mcp.go b/pkg/mcp/mcp.go
@@ -1,10 +1,12 @@
 package mcp
 
 import (
+	"context"
 	"github.com/manusa/kubernetes-mcp-server/pkg/kubernetes"
 	"github.com/manusa/kubernetes-mcp-server/pkg/version"
 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/mark3labs/mcp-go/server"
+	"net/http"
 )
 
 type Configuration struct {
@@ -71,6 +73,7 @@ func (s *Server) ServeStdio() error {
 
 func (s *Server) ServeSse(baseUrl string) *server.SSEServer {
 	options := make([]server.SSEOption, 0)
+	options = append(options, server.WithSSEContextFunc(contextFunc))
 	if baseUrl != "" {
 		options = append(options, server.WithBaseURL(baseUrl))
 	}
@@ -104,3 +107,8 @@ func NewTextResult(content string, err error) *mcp.CallToolResult {
 		},
 	}
 }
+
+func contextFunc(ctx context.Context, r *http.Request) context.Context {
+	//return context.WithValue(ctx, kubernetes.AuthorizationHeader, r.Header.Get(kubernetes.AuthorizationHeader))
+	return context.WithValue(ctx, kubernetes.AuthorizationBearerTokenHeader, r.Header.Get(kubernetes.AuthorizationBearerTokenHeader))
+}
diff --git a/pkg/mcp/namespaces.go b/pkg/mcp/namespaces.go
@@ -35,15 +35,15 @@ func (s *Server) initNamespaces() []server.ServerTool {
 }
 
 func (s *Server) namespacesList(ctx context.Context, _ mcp.CallToolRequest) (*mcp.CallToolResult, error) {
-	ret, err := s.k.NamespacesList(ctx)
+	ret, err := s.k.Derived(ctx).NamespacesList(ctx)
 	if err != nil {
 		err = fmt.Errorf("failed to list namespaces: %v", err)
 	}
 	return NewTextResult(ret, err), nil
 }
 
 func (s *Server) projectsList(ctx context.Context, _ mcp.CallToolRequest) (*mcp.CallToolResult, error) {
-	ret, err := s.k.ProjectsList(ctx)
+	ret, err := s.k.Derived(ctx).ProjectsList(ctx)
 	if err != nil {
 		err = fmt.Errorf("failed to list projects: %v", err)
 	}
diff --git a/pkg/mcp/pods.go b/pkg/mcp/pods.go
@@ -110,7 +110,7 @@ func (s *Server) podsListInAllNamespaces(ctx context.Context, ctr mcp.CallToolRe
 		selector = labelSelector.(string)
 	}
 
-	ret, err := s.k.PodsListInAllNamespaces(ctx, selector)
+	ret, err := s.k.Derived(ctx).PodsListInAllNamespaces(ctx, selector)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list pods in all namespaces: %v", err)), nil
 	}
@@ -127,7 +127,7 @@ func (s *Server) podsListInNamespace(ctx context.Context, ctr mcp.CallToolReques
 	if labelSelector != nil {
 		selector = labelSelector.(string)
 	}
-	ret, err := s.k.PodsListInNamespace(ctx, ns.(string), selector)
+	ret, err := s.k.Derived(ctx).PodsListInNamespace(ctx, ns.(string), selector)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list pods in namespace %s: %v", ns, err)), nil
 	}
@@ -143,7 +143,7 @@ func (s *Server) podsGet(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.Cal
 	if name == nil {
 		return NewTextResult("", errors.New("failed to get pod, missing argument name")), nil
 	}
-	ret, err := s.k.PodsGet(ctx, ns.(string), name.(string))
+	ret, err := s.k.Derived(ctx).PodsGet(ctx, ns.(string), name.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to get pod %s in namespace %s: %v", name, ns, err)), nil
 	}
@@ -159,7 +159,7 @@ func (s *Server) podsDelete(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.
 	if name == nil {
 		return NewTextResult("", errors.New("failed to delete pod, missing argument name")), nil
 	}
-	ret, err := s.k.PodsDelete(ctx, ns.(string), name.(string))
+	ret, err := s.k.Derived(ctx).PodsDelete(ctx, ns.(string), name.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to delete pod %s in namespace %s: %v", name, ns, err)), nil
 	}
@@ -190,7 +190,7 @@ func (s *Server) podsExec(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.Ca
 	} else {
 		return NewTextResult("", errors.New("failed to exec in pod, invalid command argument")), nil
 	}
-	ret, err := s.k.PodsExec(ctx, ns.(string), name.(string), container.(string), command)
+	ret, err := s.k.Derived(ctx).PodsExec(ctx, ns.(string), name.(string), container.(string), command)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to exec in pod %s in namespace %s: %v", name, ns, err)), nil
 	} else if ret == "" {
@@ -212,7 +212,7 @@ func (s *Server) podsLog(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.Cal
 	if container == nil {
 		container = ""
 	}
-	ret, err := s.k.PodsLog(ctx, ns.(string), name.(string), container.(string))
+	ret, err := s.k.Derived(ctx).PodsLog(ctx, ns.(string), name.(string), container.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to get pod %s log in namespace %s: %v", name, ns, err)), nil
 	} else if ret == "" {
@@ -238,7 +238,7 @@ func (s *Server) podsRun(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.Cal
 	if port == nil {
 		port = float64(0)
 	}
-	ret, err := s.k.PodsRun(ctx, ns.(string), name.(string), image.(string), int32(port.(float64)))
+	ret, err := s.k.Derived(ctx).PodsRun(ctx, ns.(string), name.(string), image.(string), int32(port.(float64)))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to get pod %s log in namespace %s: %v", name, ns, err)), nil
 	}
diff --git a/pkg/mcp/resources.go b/pkg/mcp/resources.go
@@ -111,7 +111,7 @@ func (s *Server) resourcesList(ctx context.Context, ctr mcp.CallToolRequest) (*m
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list resources, %s", err)), nil
 	}
-	ret, err := s.k.ResourcesList(ctx, gvk, namespace.(string), labelSelector.(string))
+	ret, err := s.k.Derived(ctx).ResourcesList(ctx, gvk, namespace.(string), labelSelector.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list resources: %v", err)), nil
 	}
@@ -131,7 +131,7 @@ func (s *Server) resourcesGet(ctx context.Context, ctr mcp.CallToolRequest) (*mc
 	if name == nil {
 		return NewTextResult("", errors.New("failed to get resource, missing argument name")), nil
 	}
-	ret, err := s.k.ResourcesGet(ctx, gvk, namespace.(string), name.(string))
+	ret, err := s.k.Derived(ctx).ResourcesGet(ctx, gvk, namespace.(string), name.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to get resource: %v", err)), nil
 	}
@@ -143,7 +143,7 @@ func (s *Server) resourcesCreateOrUpdate(ctx context.Context, ctr mcp.CallToolRe
 	if resource == nil || resource == "" {
 		return NewTextResult("", errors.New("failed to create or update resources, missing argument resource")), nil
 	}
-	ret, err := s.k.ResourcesCreateOrUpdate(ctx, resource.(string))
+	ret, err := s.k.Derived(ctx).ResourcesCreateOrUpdate(ctx, resource.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to create or update resources: %v", err)), nil
 	}
@@ -163,7 +163,7 @@ func (s *Server) resourcesDelete(ctx context.Context, ctr mcp.CallToolRequest) (
 	if name == nil {
 		return NewTextResult("", errors.New("failed to delete resource, missing argument name")), nil
 	}
-	err = s.k.ResourcesDelete(ctx, gvk, namespace.(string), name.(string))
+	err = s.k.Derived(ctx).ResourcesDelete(ctx, gvk, namespace.(string), name.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to delete resource: %v", err)), nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ func (s Server) eventsList(ctx context.Context, ctr mcp.CallToolRequest) (mcp.`
`27`	`27`	`if namespace == nil {`
`28`	`28`	`namespace = ""`
`29`	`29`	`}`
`30`		`- ret, err := s.k.EventsList(ctx, namespace.(string))`
	`30`	`+ ret, err := s.k.Derived(ctx).EventsList(ctx, namespace.(string))`
`31`	`31`	`if err != nil {`
`32`	`32`	`return NewTextResult("", fmt.Errorf("failed to list events in all namespaces: %v", err)), nil`
`33`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,14 +64,14 @@ func (s Server) helmInstall(ctx context.Context, ctr mcp.CallToolRequest) (mcp`
`64`	`64`	`if v, ok := ctr.GetArguments()["namespace"].(string); ok {`
`65`	`65`	`namespace = v`
`66`	`66`	`}`
`67`		`- ret, err := s.k.Helm.Install(ctx, chart, values, name, namespace)`
	`67`	`+ ret, err := s.k.Derived(ctx).Helm.Install(ctx, chart, values, name, namespace)`
`68`	`68`	`if err != nil {`
`69`	`69`	`return NewTextResult("", fmt.Errorf("failed to install helm chart '%s': %w", chart, err)), nil`
`70`	`70`	`}`
`71`	`71`	`return NewTextResult(ret, err), nil`
`72`	`72`	`}`
`73`	`73`
`74`		`-func (s Server) helmList(_ context.Context, ctr mcp.CallToolRequest) (mcp.CallToolResult, error) {`
	`74`	`+func (s Server) helmList(ctx context.Context, ctr mcp.CallToolRequest) (mcp.CallToolResult, error) {`
`75`	`75`	`allNamespaces := false`
`76`	`76`	`if v, ok := ctr.GetArguments()["all_namespaces"].(bool); ok {`
`77`	`77`	`allNamespaces = v`
`@@ -80,14 +80,14 @@ func (s Server) helmList(_ context.Context, ctr mcp.CallToolRequest) (mcp.Call`
`80`	`80`	`if v, ok := ctr.GetArguments()["namespace"].(string); ok {`
`81`	`81`	`namespace = v`
`82`	`82`	`}`
`83`		`- ret, err := s.k.Helm.List(namespace, allNamespaces)`
	`83`	`+ ret, err := s.k.Derived(ctx).Helm.List(namespace, allNamespaces)`
`84`	`84`	`if err != nil {`
`85`	`85`	`return NewTextResult("", fmt.Errorf("failed to list helm releases in namespace '%s': %w", namespace, err)), nil`
`86`	`86`	`}`
`87`	`87`	`return NewTextResult(ret, err), nil`
`88`	`88`	`}`
`89`	`89`
`90`		`-func (s Server) helmUninstall(_ context.Context, ctr mcp.CallToolRequest) (mcp.CallToolResult, error) {`
	`90`	`+func (s Server) helmUninstall(ctx context.Context, ctr mcp.CallToolRequest) (mcp.CallToolResult, error) {`
`91`	`91`	`var name string`
`92`	`92`	`ok := false`
`93`	`93`	`if name, ok = ctr.GetArguments()["name"].(string); !ok {`
`@@ -97,7 +97,7 @@ func (s Server) helmUninstall(_ context.Context, ctr mcp.CallToolRequest) (mcp`
`97`	`97`	`if v, ok := ctr.GetArguments()["namespace"].(string); ok {`
`98`	`98`	`namespace = v`
`99`	`99`	`}`
`100`		`- ret, err := s.k.Helm.Uninstall(name, namespace)`
	`100`	`+ ret, err := s.k.Derived(ctx).Helm.Uninstall(name, namespace)`
`101`	`101`	`if err != nil {`
`102`	`102`	`return NewTextResult("", fmt.Errorf("failed to uninstall helm chart '%s': %w", name, err)), nil`
`103`	`103`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,15 +35,15 @@ func (s *Server) initNamespaces() []server.ServerTool {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`func (s Server) namespacesList(ctx context.Context, _ mcp.CallToolRequest) (mcp.CallToolResult, error) {`
`38`		`- ret, err := s.k.NamespacesList(ctx)`
	`38`	`+ ret, err := s.k.Derived(ctx).NamespacesList(ctx)`
`39`	`39`	`if err != nil {`
`40`	`40`	`err = fmt.Errorf("failed to list namespaces: %v", err)`
`41`	`41`	`}`
`42`	`42`	`return NewTextResult(ret, err), nil`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`func (s Server) projectsList(ctx context.Context, _ mcp.CallToolRequest) (mcp.CallToolResult, error) {`
`46`		`- ret, err := s.k.ProjectsList(ctx)`
	`46`	`+ ret, err := s.k.Derived(ctx).ProjectsList(ctx)`
`47`	`47`	`if err != nil {`
`48`	`48`	`err = fmt.Errorf("failed to list projects: %v", err)`
`49`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ func (s *Server) podsListInAllNamespaces(ctx context.Context, ctr mcp.CallToolRe`
`110`	`110`	`selector = labelSelector.(string)`
`111`	`111`	`}`
`112`	`112`
`113`		`- ret, err := s.k.PodsListInAllNamespaces(ctx, selector)`
	`113`	`+ ret, err := s.k.Derived(ctx).PodsListInAllNamespaces(ctx, selector)`
`114`	`114`	`if err != nil {`
`115`	`115`	`return NewTextResult("", fmt.Errorf("failed to list pods in all namespaces: %v", err)), nil`
`116`	`116`	`}`
`@@ -127,7 +127,7 @@ func (s *Server) podsListInNamespace(ctx context.Context, ctr mcp.CallToolReques`
`127`	`127`	`if labelSelector != nil {`
`128`	`128`	`selector = labelSelector.(string)`
`129`	`129`	`}`
`130`		`- ret, err := s.k.PodsListInNamespace(ctx, ns.(string), selector)`
	`130`	`+ ret, err := s.k.Derived(ctx).PodsListInNamespace(ctx, ns.(string), selector)`
`131`	`131`	`if err != nil {`
`132`	`132`	`return NewTextResult("", fmt.Errorf("failed to list pods in namespace %s: %v", ns, err)), nil`
`133`	`133`	`}`
`@@ -143,7 +143,7 @@ func (s Server) podsGet(ctx context.Context, ctr mcp.CallToolRequest) (mcp.Cal`
`143`	`143`	`if name == nil {`
`144`	`144`	`return NewTextResult("", errors.New("failed to get pod, missing argument name")), nil`
`145`	`145`	`}`
`146`		`- ret, err := s.k.PodsGet(ctx, ns.(string), name.(string))`
	`146`	`+ ret, err := s.k.Derived(ctx).PodsGet(ctx, ns.(string), name.(string))`
`147`	`147`	`if err != nil {`
`148`	`148`	`return NewTextResult("", fmt.Errorf("failed to get pod %s in namespace %s: %v", name, ns, err)), nil`
`149`	`149`	`}`
`@@ -159,7 +159,7 @@ func (s Server) podsDelete(ctx context.Context, ctr mcp.CallToolRequest) (mcp.`
`159`	`159`	`if name == nil {`
`160`	`160`	`return NewTextResult("", errors.New("failed to delete pod, missing argument name")), nil`
`161`	`161`	`}`
`162`		`- ret, err := s.k.PodsDelete(ctx, ns.(string), name.(string))`
	`162`	`+ ret, err := s.k.Derived(ctx).PodsDelete(ctx, ns.(string), name.(string))`
`163`	`163`	`if err != nil {`
`164`	`164`	`return NewTextResult("", fmt.Errorf("failed to delete pod %s in namespace %s: %v", name, ns, err)), nil`
`165`	`165`	`}`
`@@ -190,7 +190,7 @@ func (s Server) podsExec(ctx context.Context, ctr mcp.CallToolRequest) (mcp.Ca`
`190`	`190`	`} else {`
`191`	`191`	`return NewTextResult("", errors.New("failed to exec in pod, invalid command argument")), nil`
`192`	`192`	`}`
`193`		`- ret, err := s.k.PodsExec(ctx, ns.(string), name.(string), container.(string), command)`
	`193`	`+ ret, err := s.k.Derived(ctx).PodsExec(ctx, ns.(string), name.(string), container.(string), command)`
`194`	`194`	`if err != nil {`
`195`	`195`	`return NewTextResult("", fmt.Errorf("failed to exec in pod %s in namespace %s: %v", name, ns, err)), nil`
`196`	`196`	`} else if ret == "" {`
`@@ -212,7 +212,7 @@ func (s Server) podsLog(ctx context.Context, ctr mcp.CallToolRequest) (mcp.Cal`
`212`	`212`	`if container == nil {`
`213`	`213`	`container = ""`
`214`	`214`	`}`
`215`		`- ret, err := s.k.PodsLog(ctx, ns.(string), name.(string), container.(string))`
	`215`	`+ ret, err := s.k.Derived(ctx).PodsLog(ctx, ns.(string), name.(string), container.(string))`
`216`	`216`	`if err != nil {`
`217`	`217`	`return NewTextResult("", fmt.Errorf("failed to get pod %s log in namespace %s: %v", name, ns, err)), nil`
`218`	`218`	`} else if ret == "" {`
`@@ -238,7 +238,7 @@ func (s Server) podsRun(ctx context.Context, ctr mcp.CallToolRequest) (mcp.Cal`
`238`	`238`	`if port == nil {`
`239`	`239`	`port = float64(0)`
`240`	`240`	`}`
`241`		`- ret, err := s.k.PodsRun(ctx, ns.(string), name.(string), image.(string), int32(port.(float64)))`
	`241`	`+ ret, err := s.k.Derived(ctx).PodsRun(ctx, ns.(string), name.(string), image.(string), int32(port.(float64)))`
`242`	`242`	`if err != nil {`
`243`	`243`	`return NewTextResult("", fmt.Errorf("failed to get pod %s log in namespace %s: %v", name, ns, err)), nil`
`244`	`244`	`}`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ func (s Server) resourcesList(ctx context.Context, ctr mcp.CallToolRequest) (m`
`111`	`111`	`if err != nil {`
`112`	`112`	`return NewTextResult("", fmt.Errorf("failed to list resources, %s", err)), nil`
`113`	`113`	`}`
`114`		`- ret, err := s.k.ResourcesList(ctx, gvk, namespace.(string), labelSelector.(string))`
	`114`	`+ ret, err := s.k.Derived(ctx).ResourcesList(ctx, gvk, namespace.(string), labelSelector.(string))`
`115`	`115`	`if err != nil {`
`116`	`116`	`return NewTextResult("", fmt.Errorf("failed to list resources: %v", err)), nil`
`117`	`117`	`}`
`@@ -131,7 +131,7 @@ func (s Server) resourcesGet(ctx context.Context, ctr mcp.CallToolRequest) (mc`
`131`	`131`	`if name == nil {`
`132`	`132`	`return NewTextResult("", errors.New("failed to get resource, missing argument name")), nil`
`133`	`133`	`}`
`134`		`- ret, err := s.k.ResourcesGet(ctx, gvk, namespace.(string), name.(string))`
	`134`	`+ ret, err := s.k.Derived(ctx).ResourcesGet(ctx, gvk, namespace.(string), name.(string))`
`135`	`135`	`if err != nil {`
`136`	`136`	`return NewTextResult("", fmt.Errorf("failed to get resource: %v", err)), nil`
`137`	`137`	`}`
`@@ -143,7 +143,7 @@ func (s *Server) resourcesCreateOrUpdate(ctx context.Context, ctr mcp.CallToolRe`
`143`	`143`	`if resource == nil \|\| resource == "" {`
`144`	`144`	`return NewTextResult("", errors.New("failed to create or update resources, missing argument resource")), nil`
`145`	`145`	`}`
`146`		`- ret, err := s.k.ResourcesCreateOrUpdate(ctx, resource.(string))`
	`146`	`+ ret, err := s.k.Derived(ctx).ResourcesCreateOrUpdate(ctx, resource.(string))`
`147`	`147`	`if err != nil {`
`148`	`148`	`return NewTextResult("", fmt.Errorf("failed to create or update resources: %v", err)), nil`
`149`	`149`	`}`
`@@ -163,7 +163,7 @@ func (s *Server) resourcesDelete(ctx context.Context, ctr mcp.CallToolRequest) (`
`163`	`163`	`if name == nil {`
`164`	`164`	`return NewTextResult("", errors.New("failed to delete resource, missing argument name")), nil`
`165`	`165`	`}`
`166`		`- err = s.k.ResourcesDelete(ctx, gvk, namespace.(string), name.(string))`
	`166`	`+ err = s.k.Derived(ctx).ResourcesDelete(ctx, gvk, namespace.(string), name.(string))`
`167`	`167`	`if err != nil {`
`168`	`168`	`return NewTextResult("", fmt.Errorf("failed to delete resource: %v", err)), nil`
`169`	`169`	`}`