refactor(kubernetes)!: consolidate AccessControlClientset into Kubernetes struct

The AccessControlClientset was an unnecessary layer of indirection
between the KubernetesClient interface and the Kubernetes implementation.
This change merges the AccessControlClientset directly into the Kubernetes
struct, simplifying the architecture and reducing complexity.

- Merge KubernetesClientSet interface into KubernetesClient
- Move all AccessControlClientset methods to Kubernetes struct
- Delete accesscontrol.go and accesscontrol_client_set.go
- Rename NewAccessControlClientset to NewKubernetes
- Update all callers to use Kubernetes directly

BREAKING CHANGE: AccessControlClientset() method removed from KubernetesClient
interface. Callers should use the KubernetesClient methods directly.

Signed-off-by: Marc Nuri <[email protected]>

Author: manusa

pkg/api/kubernetes.go

@@ -43,7 +43,10 @@ type NodesTopOptions struct {
 	Name string
 }
 
-type KubernetesClientSet interface {
+// KubernetesClient defines the interface for Kubernetes operations that tool and prompt handlers need.
+// This interface abstracts the concrete Kubernetes implementation to allow controlled access to the underlying resource APIs,
+// better decoupling, and testability.
+type KubernetesClient interface {
 	genericclioptions.RESTClientGetter
 	kubernetes.Interface
 	// NamespaceOrDefault returns the provided namespace or the default configured namespace if empty
@@ -53,18 +56,8 @@ type KubernetesClientSet interface {
 	DiscoveryClient() discovery.CachedDiscoveryInterface
 	DynamicClient() dynamic.Interface
 	MetricsV1beta1Client() *metricsv1beta1.MetricsV1beta1Client
-}
-
-// KubernetesClient defines the interface for Kubernetes operations that tool and prompt handlers need.
-// This interface abstracts the concrete Kubernetes implementation to allow for better decoupling
-// and testability. The pkg/kubernetes.Kubernetes type implements this interface.
-//
-// For toolsets that need direct access to the Kubernetes clientset (e.g., for DynamicClient),
-// they can type-assert to ClientsetProvider.
-type KubernetesClient interface {
-	// AccessControlClientset provides access to the underlying Kubernetes clientset with access control enforced
-	AccessControlClientset() KubernetesClientSet
 
+	// TODO: To be removed in next iteration
 	// --- Resource Operations ---
 
 	// ResourcesList lists resources of the specified GroupVersionKind

pkg/kubernetes/accesscontrol.go

@@ -34,7 +34,7 @@ func IsInCluster(cfg api.ClusterProvider) bool {
 // ConfigurationContextsDefault returns the current context name
 // TODO: Should be moved to the Provider level ?
 func (k *Kubernetes) ConfigurationContextsDefault() (string, error) {
-	cfg, err := k.AccessControlClientset().ToRawKubeConfigLoader().RawConfig()
+	cfg, err := k.ToRawKubeConfigLoader().RawConfig()
 	if err != nil {
 		return "", err
 	}
@@ -44,7 +44,7 @@ func (k *Kubernetes) ConfigurationContextsDefault() (string, error) {
 // ConfigurationContextsList returns the list of available context names
 // TODO: Should be moved to the Provider level ?
 func (k *Kubernetes) ConfigurationContextsList() (map[string]string, error) {
-	cfg, err := k.AccessControlClientset().ToRawKubeConfigLoader().RawConfig()
+	cfg, err := k.ToRawKubeConfigLoader().RawConfig()
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +67,7 @@ func (k *Kubernetes) ConfigurationContextsList() (map[string]string, error) {
 func (k *Kubernetes) ConfigurationView(minify bool) (runtime.Object, error) {
 	var cfg clientcmdapi.Config
 	var err error
-	if cfg, err = k.AccessControlClientset().ToRawKubeConfigLoader().RawConfig(); err != nil {
+	if cfg, err = k.ToRawKubeConfigLoader().RawConfig(); err != nil {
 		return nil, err
 	}
 	if minify {

pkg/kubernetes/accesscontrol_client_set.go

@@ -1,10 +1,22 @@
 package kubernetes
 
 import (
+	"fmt"
+	"net/http"
+
 	"github.com/containers/kubernetes-mcp-server/pkg/api"
+	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/discovery/cached/memory"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/client-go/tools/clientcmd"
+	metricsv1beta1 "k8s.io/metrics/pkg/client/clientset/versioned/typed/metrics/v1beta1"
 )
 
 type HeaderKey string
@@ -21,14 +33,107 @@ type CloseWatchKubeConfig func() error
 var Scheme = scheme.Scheme
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 
+// Kubernetes is a limited Kubernetes Client delegating interface to the standard kubernetes.Clientset
+// Only a limited set of functions are implemented with a single point of access to the kubernetes API where
+// apiVersion and kinds are checked for allowed access
 type Kubernetes struct {
-	accessControlClientSet *AccessControlClientset
+	kubernetes.Interface
+	config          api.BaseConfig
+	clientCmdConfig clientcmd.ClientConfig
+	restConfig      *rest.Config
+	restMapper      meta.ResettableRESTMapper
+	discoveryClient discovery.CachedDiscoveryInterface
+	dynamicClient   dynamic.Interface
+	metricsV1beta1  *metricsv1beta1.MetricsV1beta1Client
 }
 
 var _ api.KubernetesClient = (*Kubernetes)(nil)
 
-// AccessControlClientset returns the access-controlled clientset
-// This ensures that any denied resources configured in the system are properly enforced
-func (k *Kubernetes) AccessControlClientset() api.KubernetesClientSet {
-	return k.accessControlClientSet
+func NewKubernetes(config api.BaseConfig, clientCmdConfig clientcmd.ClientConfig, restConfig *rest.Config) (*Kubernetes, error) {
+	k := &Kubernetes{
+		config:          config,
+		clientCmdConfig: clientCmdConfig,
+		restConfig:      rest.CopyConfig(restConfig),
+	}
+	if k.restConfig.UserAgent == "" {
+		k.restConfig.UserAgent = rest.DefaultKubernetesUserAgent()
+	}
+	k.restConfig.Wrap(func(original http.RoundTripper) http.RoundTripper {
+		return &AccessControlRoundTripper{
+			delegate:                original,
+			deniedResourcesProvider: config,
+			restMapper:              k.restMapper,
+		}
+	})
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(k.restConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create discovery client: %v", err)
+	}
+	k.discoveryClient = memory.NewMemCacheClient(discoveryClient)
+	k.restMapper = restmapper.NewDeferredDiscoveryRESTMapper(k.discoveryClient)
+	k.Interface, err = kubernetes.NewForConfig(k.restConfig)
+	if err != nil {
+		return nil, err
+	}
+	k.dynamicClient, err = dynamic.NewForConfig(k.restConfig)
+	if err != nil {
+		return nil, err
+	}
+	k.metricsV1beta1, err = metricsv1beta1.NewForConfig(k.restConfig)
+	if err != nil {
+		return nil, err
+	}
+	return k, nil
+}
+
+func (k *Kubernetes) RESTConfig() *rest.Config {
+	return k.restConfig
+}
+
+func (k *Kubernetes) RESTMapper() meta.ResettableRESTMapper {
+	return k.restMapper
+}
+
+func (k *Kubernetes) DiscoveryClient() discovery.CachedDiscoveryInterface {
+	return k.discoveryClient
+}
+
+func (k *Kubernetes) DynamicClient() dynamic.Interface {
+	return k.dynamicClient
+}
+
+func (k *Kubernetes) MetricsV1beta1Client() *metricsv1beta1.MetricsV1beta1Client {
+	return k.metricsV1beta1
+}
+
+func (k *Kubernetes) configuredNamespace() string {
+	if ns, _, nsErr := k.ToRawKubeConfigLoader().Namespace(); nsErr == nil {
+		return ns
+	}
+	return ""
+}
+
+func (k *Kubernetes) NamespaceOrDefault(namespace string) string {
+	if namespace == "" {
+		return k.configuredNamespace()
+	}
+	return namespace
+}
+
+func (k *Kubernetes) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	return k.DiscoveryClient(), nil
+}
+
+func (k *Kubernetes) ToRESTMapper() (meta.RESTMapper, error) {
+	return k.RESTMapper(), nil
+}
+
+// ToRESTConfig returns the rest.Config object (genericclioptions.RESTClientGetter)
+func (k *Kubernetes) ToRESTConfig() (*rest.Config, error) {
+	return k.RESTConfig(), nil
+}
+
+// ToRawKubeConfigLoader returns the clientcmd.ClientConfig object (genericclioptions.RESTClientGetter)
+func (k *Kubernetes) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	return k.clientCmdConfig
 }