feat(auth): Authorize user from custom SSE header

manusa · manusa · commit 40074b8a6416 · 2025-05-28T12:31:39.000+02:00
PoC to show how we can propagate an Authorization Bearer token
from the MCP client up to the Kubernetes API by passing a custom
header (Kubernetes-Authorization-Bearer-Token).

A new Derived client is necessary for each request due to the incompleteness
of some of the client-go clients.
This might add some overhead for each prompt.
Ideally, the issue with the discoveryclient and others should be fixed to
allow reading the authorization header from the request context.
diff --git a/pkg/kubernetes/impersonate_roundtripper.go b/pkg/kubernetes/impersonate_roundtripper.go
@@ -0,0 +1,20 @@
+package kubernetes
+
+import "net/http"
+
+const (
+	AuthorizationHeader            = "Kubernetes-Authorization"
+	AuthorizationBearerTokenHeader = "Kubernetes-Authorization-Bearer-Token"
+)
+
+type impersonateRoundTripper struct {
+	delegate http.RoundTripper
+}
+
+func (irt *impersonateRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	// TODO: Solution won't work with discoveryclient which uses context.TODO() instead of the passed-in context
+	if v, ok := req.Context().Value(AuthorizationHeader).(string); ok {
+		req.Header.Set("Authorization", v)
+	}
+	return irt.delegate.RoundTrip(req)
+}
diff --git a/pkg/kubernetes/kubernetes.go b/pkg/kubernetes/kubernetes.go
@@ -1,6 +1,7 @@
 package kubernetes
 
 import (
+	"context"
 	"github.com/fsnotify/fsnotify"
 	"github.com/manusa/kubernetes-mcp-server/pkg/helm"
 	v1 "k8s.io/api/core/v1"
@@ -14,6 +15,7 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/restmapper"
 	"k8s.io/client-go/tools/clientcmd"
+	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 	"sigs.k8s.io/yaml"
 )
 
@@ -41,6 +43,10 @@ func NewKubernetes(kubeconfig string) (*Kubernetes, error) {
 	if err := resolveKubernetesConfigurations(k8s); err != nil {
 		return nil, err
 	}
+	// TODO: Won't work because not all client-go clients use the shared context (e.g. discovery client uses context.TODO())
+	//k8s.cfg.Wrap(func(original http.RoundTripper) http.RoundTripper {
+	//	return &impersonateRoundTripper{original}
+	//})
 	var err error
 	k8s.clientSet, err = kubernetes.NewForConfig(k8s.cfg)
 	if err != nil {
@@ -115,6 +121,37 @@ func (k *Kubernetes) ToRESTMapper() (meta.RESTMapper, error) {
 	return k.deferredDiscoveryRESTMapper, nil
 }
 
+func (k *Kubernetes) Derived(ctx context.Context) *Kubernetes {
+	bearerToken, ok := ctx.Value(AuthorizationBearerTokenHeader).(string)
+	if !ok {
+		return k
+	}
+	var _ error // TODO: ignored --> should be handled eventually
+	derivedCfg := rest.CopyConfig(k.cfg)
+	derivedCfg.BearerToken = bearerToken
+	derivedCfg.BearerTokenFile = ""
+	derivedCfg.AuthProvider = nil
+	derivedCfg.Username = ""
+	derivedCfg.Password = ""
+	derivedCfg.Impersonate = rest.ImpersonationConfig{}
+	clientcmdapiConfig, _ := k.clientCmdConfig.RawConfig()
+	clientcmdapiConfig.AuthInfos = make(map[string]*clientcmdapi.AuthInfo)
+	derived := &Kubernetes{
+		Kubeconfig:      k.Kubeconfig,
+		clientCmdConfig: clientcmd.NewDefaultClientConfig(clientcmdapiConfig, nil),
+		cfg:             derivedCfg,
+	}
+	derived.clientSet, _ = kubernetes.NewForConfig(derived.cfg)
+	discoveryClient, _ := discovery.NewDiscoveryClientForConfig(derived.cfg)
+	derived.discoveryClient = memory.NewMemCacheClient(discoveryClient)
+	derived.deferredDiscoveryRESTMapper = restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(derived.discoveryClient))
+	derived.dynamicClient, _ = dynamic.NewForConfig(derived.cfg)
+	derived.scheme = runtime.NewScheme()
+	derived.parameterCodec = runtime.NewParameterCodec(derived.scheme)
+	derived.Helm = helm.NewHelm(derived)
+	return derived
+}
+
 func marshal(v any) (string, error) {
 	switch t := v.(type) {
 	case []unstructured.Unstructured:
diff --git a/pkg/mcp/events.go b/pkg/mcp/events.go
@@ -27,7 +27,7 @@ func (s *Server) eventsList(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.
 	if namespace == nil {
 		namespace = ""
 	}
-	ret, err := s.k.EventsList(ctx, namespace.(string))
+	ret, err := s.k.Derived(ctx).EventsList(ctx, namespace.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list events in all namespaces: %v", err)), nil
 	}
diff --git a/pkg/mcp/helm.go b/pkg/mcp/helm.go
@@ -64,14 +64,14 @@ func (s *Server) helmInstall(ctx context.Context, ctr mcp.CallToolRequest) (*mcp
 	if v, ok := ctr.GetArguments()["namespace"].(string); ok {
 		namespace = v
 	}
-	ret, err := s.k.Helm.Install(ctx, chart, values, name, namespace)
+	ret, err := s.k.Derived(ctx).Helm.Install(ctx, chart, values, name, namespace)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to install helm chart '%s': %w", chart, err)), nil
 	}
 	return NewTextResult(ret, err), nil
 }
 
-func (s *Server) helmList(_ context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+func (s *Server) helmList(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
 	allNamespaces := false
 	if v, ok := ctr.GetArguments()["all_namespaces"].(bool); ok {
 		allNamespaces = v
@@ -80,14 +80,14 @@ func (s *Server) helmList(_ context.Context, ctr mcp.CallToolRequest) (*mcp.Call
 	if v, ok := ctr.GetArguments()["namespace"].(string); ok {
 		namespace = v
 	}
-	ret, err := s.k.Helm.List(namespace, allNamespaces)
+	ret, err := s.k.Derived(ctx).Helm.List(namespace, allNamespaces)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list helm releases in namespace '%s': %w", namespace, err)), nil
 	}
 	return NewTextResult(ret, err), nil
 }
 
-func (s *Server) helmUninstall(_ context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+func (s *Server) helmUninstall(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.CallToolResult, error) {
 	var name string
 	ok := false
 	if name, ok = ctr.GetArguments()["name"].(string); !ok {
@@ -97,7 +97,7 @@ func (s *Server) helmUninstall(_ context.Context, ctr mcp.CallToolRequest) (*mcp
 	if v, ok := ctr.GetArguments()["namespace"].(string); ok {
 		namespace = v
 	}
-	ret, err := s.k.Helm.Uninstall(name, namespace)
+	ret, err := s.k.Derived(ctx).Helm.Uninstall(name, namespace)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to uninstall helm chart '%s': %w", name, err)), nil
 	}
diff --git a/pkg/mcp/mcp.go b/pkg/mcp/mcp.go
@@ -1,10 +1,12 @@
 package mcp
 
 import (
+	"context"
 	"github.com/manusa/kubernetes-mcp-server/pkg/kubernetes"
 	"github.com/manusa/kubernetes-mcp-server/pkg/version"
 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/mark3labs/mcp-go/server"
+	"net/http"
 )
 
 type Configuration struct {
@@ -71,6 +73,7 @@ func (s *Server) ServeStdio() error {
 
 func (s *Server) ServeSse(baseUrl string) *server.SSEServer {
 	options := make([]server.SSEOption, 0)
+	options = append(options, server.WithSSEContextFunc(contextFunc))
 	if baseUrl != "" {
 		options = append(options, server.WithBaseURL(baseUrl))
 	}
@@ -104,3 +107,8 @@ func NewTextResult(content string, err error) *mcp.CallToolResult {
 		},
 	}
 }
+
+func contextFunc(ctx context.Context, r *http.Request) context.Context {
+	//return context.WithValue(ctx, kubernetes.AuthorizationHeader, r.Header.Get(kubernetes.AuthorizationHeader))
+	return context.WithValue(ctx, kubernetes.AuthorizationBearerTokenHeader, r.Header.Get(kubernetes.AuthorizationBearerTokenHeader))
+}
diff --git a/pkg/mcp/namespaces.go b/pkg/mcp/namespaces.go
@@ -35,15 +35,15 @@ func (s *Server) initNamespaces() []server.ServerTool {
 }
 
 func (s *Server) namespacesList(ctx context.Context, _ mcp.CallToolRequest) (*mcp.CallToolResult, error) {
-	ret, err := s.k.NamespacesList(ctx)
+	ret, err := s.k.Derived(ctx).NamespacesList(ctx)
 	if err != nil {
 		err = fmt.Errorf("failed to list namespaces: %v", err)
 	}
 	return NewTextResult(ret, err), nil
 }
 
 func (s *Server) projectsList(ctx context.Context, _ mcp.CallToolRequest) (*mcp.CallToolResult, error) {
-	ret, err := s.k.ProjectsList(ctx)
+	ret, err := s.k.Derived(ctx).ProjectsList(ctx)
 	if err != nil {
 		err = fmt.Errorf("failed to list projects: %v", err)
 	}
diff --git a/pkg/mcp/pods.go b/pkg/mcp/pods.go
@@ -110,7 +110,7 @@ func (s *Server) podsListInAllNamespaces(ctx context.Context, ctr mcp.CallToolRe
 		selector = labelSelector.(string)
 	}
 
-	ret, err := s.k.PodsListInAllNamespaces(ctx, selector)
+	ret, err := s.k.Derived(ctx).PodsListInAllNamespaces(ctx, selector)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list pods in all namespaces: %v", err)), nil
 	}
@@ -127,7 +127,7 @@ func (s *Server) podsListInNamespace(ctx context.Context, ctr mcp.CallToolReques
 	if labelSelector != nil {
 		selector = labelSelector.(string)
 	}
-	ret, err := s.k.PodsListInNamespace(ctx, ns.(string), selector)
+	ret, err := s.k.Derived(ctx).PodsListInNamespace(ctx, ns.(string), selector)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list pods in namespace %s: %v", ns, err)), nil
 	}
@@ -143,7 +143,7 @@ func (s *Server) podsGet(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.Cal
 	if name == nil {
 		return NewTextResult("", errors.New("failed to get pod, missing argument name")), nil
 	}
-	ret, err := s.k.PodsGet(ctx, ns.(string), name.(string))
+	ret, err := s.k.Derived(ctx).PodsGet(ctx, ns.(string), name.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to get pod %s in namespace %s: %v", name, ns, err)), nil
 	}
@@ -159,7 +159,7 @@ func (s *Server) podsDelete(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.
 	if name == nil {
 		return NewTextResult("", errors.New("failed to delete pod, missing argument name")), nil
 	}
-	ret, err := s.k.PodsDelete(ctx, ns.(string), name.(string))
+	ret, err := s.k.Derived(ctx).PodsDelete(ctx, ns.(string), name.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to delete pod %s in namespace %s: %v", name, ns, err)), nil
 	}
@@ -190,7 +190,7 @@ func (s *Server) podsExec(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.Ca
 	} else {
 		return NewTextResult("", errors.New("failed to exec in pod, invalid command argument")), nil
 	}
-	ret, err := s.k.PodsExec(ctx, ns.(string), name.(string), container.(string), command)
+	ret, err := s.k.Derived(ctx).PodsExec(ctx, ns.(string), name.(string), container.(string), command)
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to exec in pod %s in namespace %s: %v", name, ns, err)), nil
 	} else if ret == "" {
@@ -212,7 +212,7 @@ func (s *Server) podsLog(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.Cal
 	if container == nil {
 		container = ""
 	}
-	ret, err := s.k.PodsLog(ctx, ns.(string), name.(string), container.(string))
+	ret, err := s.k.Derived(ctx).PodsLog(ctx, ns.(string), name.(string), container.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to get pod %s log in namespace %s: %v", name, ns, err)), nil
 	} else if ret == "" {
@@ -238,7 +238,7 @@ func (s *Server) podsRun(ctx context.Context, ctr mcp.CallToolRequest) (*mcp.Cal
 	if port == nil {
 		port = float64(0)
 	}
-	ret, err := s.k.PodsRun(ctx, ns.(string), name.(string), image.(string), int32(port.(float64)))
+	ret, err := s.k.Derived(ctx).PodsRun(ctx, ns.(string), name.(string), image.(string), int32(port.(float64)))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to get pod %s log in namespace %s: %v", name, ns, err)), nil
 	}
diff --git a/pkg/mcp/resources.go b/pkg/mcp/resources.go
@@ -111,7 +111,7 @@ func (s *Server) resourcesList(ctx context.Context, ctr mcp.CallToolRequest) (*m
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list resources, %s", err)), nil
 	}
-	ret, err := s.k.ResourcesList(ctx, gvk, namespace.(string), labelSelector.(string))
+	ret, err := s.k.Derived(ctx).ResourcesList(ctx, gvk, namespace.(string), labelSelector.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to list resources: %v", err)), nil
 	}
@@ -131,7 +131,7 @@ func (s *Server) resourcesGet(ctx context.Context, ctr mcp.CallToolRequest) (*mc
 	if name == nil {
 		return NewTextResult("", errors.New("failed to get resource, missing argument name")), nil
 	}
-	ret, err := s.k.ResourcesGet(ctx, gvk, namespace.(string), name.(string))
+	ret, err := s.k.Derived(ctx).ResourcesGet(ctx, gvk, namespace.(string), name.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to get resource: %v", err)), nil
 	}
@@ -143,7 +143,7 @@ func (s *Server) resourcesCreateOrUpdate(ctx context.Context, ctr mcp.CallToolRe
 	if resource == nil || resource == "" {
 		return NewTextResult("", errors.New("failed to create or update resources, missing argument resource")), nil
 	}
-	ret, err := s.k.ResourcesCreateOrUpdate(ctx, resource.(string))
+	ret, err := s.k.Derived(ctx).ResourcesCreateOrUpdate(ctx, resource.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to create or update resources: %v", err)), nil
 	}
@@ -163,7 +163,7 @@ func (s *Server) resourcesDelete(ctx context.Context, ctr mcp.CallToolRequest) (
 	if name == nil {
 		return NewTextResult("", errors.New("failed to delete resource, missing argument name")), nil
 	}
-	err = s.k.ResourcesDelete(ctx, gvk, namespace.(string), name.(string))
+	err = s.k.Derived(ctx).ResourcesDelete(ctx, gvk, namespace.(string), name.(string))
 	if err != nil {
 		return NewTextResult("", fmt.Errorf("failed to delete resource: %v", err)), nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ func (s Server) eventsList(ctx context.Context, ctr mcp.CallToolRequest) (mcp.`
`27`	`27`	`if namespace == nil {`
`28`	`28`	`namespace = ""`
`29`	`29`	`}`
`30`		`- ret, err := s.k.EventsList(ctx, namespace.(string))`
	`30`	`+ ret, err := s.k.Derived(ctx).EventsList(ctx, namespace.(string))`
`31`	`31`	`if err != nil {`
`32`	`32`	`return NewTextResult("", fmt.Errorf("failed to list events in all namespaces: %v", err)), nil`
`33`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,14 +64,14 @@ func (s Server) helmInstall(ctx context.Context, ctr mcp.CallToolRequest) (mcp`
`64`	`64`	`if v, ok := ctr.GetArguments()["namespace"].(string); ok {`
`65`	`65`	`namespace = v`
`66`	`66`	`}`
`67`		`- ret, err := s.k.Helm.Install(ctx, chart, values, name, namespace)`
	`67`	`+ ret, err := s.k.Derived(ctx).Helm.Install(ctx, chart, values, name, namespace)`
`68`	`68`	`if err != nil {`
`69`	`69`	`return NewTextResult("", fmt.Errorf("failed to install helm chart '%s': %w", chart, err)), nil`
`70`	`70`	`}`
`71`	`71`	`return NewTextResult(ret, err), nil`
`72`	`72`	`}`
`73`	`73`
`74`		`-func (s Server) helmList(_ context.Context, ctr mcp.CallToolRequest) (mcp.CallToolResult, error) {`
	`74`	`+func (s Server) helmList(ctx context.Context, ctr mcp.CallToolRequest) (mcp.CallToolResult, error) {`
`75`	`75`	`allNamespaces := false`
`76`	`76`	`if v, ok := ctr.GetArguments()["all_namespaces"].(bool); ok {`
`77`	`77`	`allNamespaces = v`
`@@ -80,14 +80,14 @@ func (s Server) helmList(_ context.Context, ctr mcp.CallToolRequest) (mcp.Call`
`80`	`80`	`if v, ok := ctr.GetArguments()["namespace"].(string); ok {`
`81`	`81`	`namespace = v`
`82`	`82`	`}`
`83`		`- ret, err := s.k.Helm.List(namespace, allNamespaces)`
	`83`	`+ ret, err := s.k.Derived(ctx).Helm.List(namespace, allNamespaces)`
`84`	`84`	`if err != nil {`
`85`	`85`	`return NewTextResult("", fmt.Errorf("failed to list helm releases in namespace '%s': %w", namespace, err)), nil`
`86`	`86`	`}`
`87`	`87`	`return NewTextResult(ret, err), nil`
`88`	`88`	`}`
`89`	`89`
`90`		`-func (s Server) helmUninstall(_ context.Context, ctr mcp.CallToolRequest) (mcp.CallToolResult, error) {`
	`90`	`+func (s Server) helmUninstall(ctx context.Context, ctr mcp.CallToolRequest) (mcp.CallToolResult, error) {`
`91`	`91`	`var name string`
`92`	`92`	`ok := false`
`93`	`93`	`if name, ok = ctr.GetArguments()["name"].(string); !ok {`
`@@ -97,7 +97,7 @@ func (s Server) helmUninstall(_ context.Context, ctr mcp.CallToolRequest) (mcp`
`97`	`97`	`if v, ok := ctr.GetArguments()["namespace"].(string); ok {`
`98`	`98`	`namespace = v`
`99`	`99`	`}`
`100`		`- ret, err := s.k.Helm.Uninstall(name, namespace)`
	`100`	`+ ret, err := s.k.Derived(ctx).Helm.Uninstall(name, namespace)`
`101`	`101`	`if err != nil {`
`102`	`102`	`return NewTextResult("", fmt.Errorf("failed to uninstall helm chart '%s': %w", name, err)), nil`
`103`	`103`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,15 +35,15 @@ func (s *Server) initNamespaces() []server.ServerTool {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`func (s Server) namespacesList(ctx context.Context, _ mcp.CallToolRequest) (mcp.CallToolResult, error) {`
`38`		`- ret, err := s.k.NamespacesList(ctx)`
	`38`	`+ ret, err := s.k.Derived(ctx).NamespacesList(ctx)`
`39`	`39`	`if err != nil {`
`40`	`40`	`err = fmt.Errorf("failed to list namespaces: %v", err)`
`41`	`41`	`}`
`42`	`42`	`return NewTextResult(ret, err), nil`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`func (s Server) projectsList(ctx context.Context, _ mcp.CallToolRequest) (mcp.CallToolResult, error) {`
`46`		`- ret, err := s.k.ProjectsList(ctx)`
	`46`	`+ ret, err := s.k.Derived(ctx).ProjectsList(ctx)`
`47`	`47`	`if err != nil {`
`48`	`48`	`err = fmt.Errorf("failed to list projects: %v", err)`
`49`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ func (s *Server) podsListInAllNamespaces(ctx context.Context, ctr mcp.CallToolRe`
`110`	`110`	`selector = labelSelector.(string)`
`111`	`111`	`}`
`112`	`112`
`113`		`- ret, err := s.k.PodsListInAllNamespaces(ctx, selector)`
	`113`	`+ ret, err := s.k.Derived(ctx).PodsListInAllNamespaces(ctx, selector)`
`114`	`114`	`if err != nil {`
`115`	`115`	`return NewTextResult("", fmt.Errorf("failed to list pods in all namespaces: %v", err)), nil`
`116`	`116`	`}`
`@@ -127,7 +127,7 @@ func (s *Server) podsListInNamespace(ctx context.Context, ctr mcp.CallToolReques`
`127`	`127`	`if labelSelector != nil {`
`128`	`128`	`selector = labelSelector.(string)`
`129`	`129`	`}`
`130`		`- ret, err := s.k.PodsListInNamespace(ctx, ns.(string), selector)`
	`130`	`+ ret, err := s.k.Derived(ctx).PodsListInNamespace(ctx, ns.(string), selector)`
`131`	`131`	`if err != nil {`
`132`	`132`	`return NewTextResult("", fmt.Errorf("failed to list pods in namespace %s: %v", ns, err)), nil`
`133`	`133`	`}`
`@@ -143,7 +143,7 @@ func (s Server) podsGet(ctx context.Context, ctr mcp.CallToolRequest) (mcp.Cal`
`143`	`143`	`if name == nil {`
`144`	`144`	`return NewTextResult("", errors.New("failed to get pod, missing argument name")), nil`
`145`	`145`	`}`
`146`		`- ret, err := s.k.PodsGet(ctx, ns.(string), name.(string))`
	`146`	`+ ret, err := s.k.Derived(ctx).PodsGet(ctx, ns.(string), name.(string))`
`147`	`147`	`if err != nil {`
`148`	`148`	`return NewTextResult("", fmt.Errorf("failed to get pod %s in namespace %s: %v", name, ns, err)), nil`
`149`	`149`	`}`
`@@ -159,7 +159,7 @@ func (s Server) podsDelete(ctx context.Context, ctr mcp.CallToolRequest) (mcp.`
`159`	`159`	`if name == nil {`
`160`	`160`	`return NewTextResult("", errors.New("failed to delete pod, missing argument name")), nil`
`161`	`161`	`}`
`162`		`- ret, err := s.k.PodsDelete(ctx, ns.(string), name.(string))`
	`162`	`+ ret, err := s.k.Derived(ctx).PodsDelete(ctx, ns.(string), name.(string))`
`163`	`163`	`if err != nil {`
`164`	`164`	`return NewTextResult("", fmt.Errorf("failed to delete pod %s in namespace %s: %v", name, ns, err)), nil`
`165`	`165`	`}`
`@@ -190,7 +190,7 @@ func (s Server) podsExec(ctx context.Context, ctr mcp.CallToolRequest) (mcp.Ca`
`190`	`190`	`} else {`
`191`	`191`	`return NewTextResult("", errors.New("failed to exec in pod, invalid command argument")), nil`
`192`	`192`	`}`
`193`		`- ret, err := s.k.PodsExec(ctx, ns.(string), name.(string), container.(string), command)`
	`193`	`+ ret, err := s.k.Derived(ctx).PodsExec(ctx, ns.(string), name.(string), container.(string), command)`
`194`	`194`	`if err != nil {`
`195`	`195`	`return NewTextResult("", fmt.Errorf("failed to exec in pod %s in namespace %s: %v", name, ns, err)), nil`
`196`	`196`	`} else if ret == "" {`
`@@ -212,7 +212,7 @@ func (s Server) podsLog(ctx context.Context, ctr mcp.CallToolRequest) (mcp.Cal`
`212`	`212`	`if container == nil {`
`213`	`213`	`container = ""`
`214`	`214`	`}`
`215`		`- ret, err := s.k.PodsLog(ctx, ns.(string), name.(string), container.(string))`
	`215`	`+ ret, err := s.k.Derived(ctx).PodsLog(ctx, ns.(string), name.(string), container.(string))`
`216`	`216`	`if err != nil {`
`217`	`217`	`return NewTextResult("", fmt.Errorf("failed to get pod %s log in namespace %s: %v", name, ns, err)), nil`
`218`	`218`	`} else if ret == "" {`
`@@ -238,7 +238,7 @@ func (s Server) podsRun(ctx context.Context, ctr mcp.CallToolRequest) (mcp.Cal`
`238`	`238`	`if port == nil {`
`239`	`239`	`port = float64(0)`
`240`	`240`	`}`
`241`		`- ret, err := s.k.PodsRun(ctx, ns.(string), name.(string), image.(string), int32(port.(float64)))`
	`241`	`+ ret, err := s.k.Derived(ctx).PodsRun(ctx, ns.(string), name.(string), image.(string), int32(port.(float64)))`
`242`	`242`	`if err != nil {`
`243`	`243`	`return NewTextResult("", fmt.Errorf("failed to get pod %s log in namespace %s: %v", name, ns, err)), nil`
`244`	`244`	`}`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ func (s Server) resourcesList(ctx context.Context, ctr mcp.CallToolRequest) (m`
`111`	`111`	`if err != nil {`
`112`	`112`	`return NewTextResult("", fmt.Errorf("failed to list resources, %s", err)), nil`
`113`	`113`	`}`
`114`		`- ret, err := s.k.ResourcesList(ctx, gvk, namespace.(string), labelSelector.(string))`
	`114`	`+ ret, err := s.k.Derived(ctx).ResourcesList(ctx, gvk, namespace.(string), labelSelector.(string))`
`115`	`115`	`if err != nil {`
`116`	`116`	`return NewTextResult("", fmt.Errorf("failed to list resources: %v", err)), nil`
`117`	`117`	`}`
`@@ -131,7 +131,7 @@ func (s Server) resourcesGet(ctx context.Context, ctr mcp.CallToolRequest) (mc`
`131`	`131`	`if name == nil {`
`132`	`132`	`return NewTextResult("", errors.New("failed to get resource, missing argument name")), nil`
`133`	`133`	`}`
`134`		`- ret, err := s.k.ResourcesGet(ctx, gvk, namespace.(string), name.(string))`
	`134`	`+ ret, err := s.k.Derived(ctx).ResourcesGet(ctx, gvk, namespace.(string), name.(string))`
`135`	`135`	`if err != nil {`
`136`	`136`	`return NewTextResult("", fmt.Errorf("failed to get resource: %v", err)), nil`
`137`	`137`	`}`
`@@ -143,7 +143,7 @@ func (s *Server) resourcesCreateOrUpdate(ctx context.Context, ctr mcp.CallToolRe`
`143`	`143`	`if resource == nil \|\| resource == "" {`
`144`	`144`	`return NewTextResult("", errors.New("failed to create or update resources, missing argument resource")), nil`
`145`	`145`	`}`
`146`		`- ret, err := s.k.ResourcesCreateOrUpdate(ctx, resource.(string))`
	`146`	`+ ret, err := s.k.Derived(ctx).ResourcesCreateOrUpdate(ctx, resource.(string))`
`147`	`147`	`if err != nil {`
`148`	`148`	`return NewTextResult("", fmt.Errorf("failed to create or update resources: %v", err)), nil`
`149`	`149`	`}`
`@@ -163,7 +163,7 @@ func (s *Server) resourcesDelete(ctx context.Context, ctr mcp.CallToolRequest) (`
`163`	`163`	`if name == nil {`
`164`	`164`	`return NewTextResult("", errors.New("failed to delete resource, missing argument name")), nil`
`165`	`165`	`}`
`166`		`- err = s.k.ResourcesDelete(ctx, gvk, namespace.(string), name.(string))`
	`166`	`+ err = s.k.Derived(ctx).ResourcesDelete(ctx, gvk, namespace.(string), name.(string))`
`167`	`167`	`if err != nil {`
`168`	`168`	`return NewTextResult("", fmt.Errorf("failed to delete resource: %v", err)), nil`
`169`	`169`	`}`