Introduce toml configuration file with a set of deny list #133
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ardaguclu
commented
Jun 19, 2025
pkg/config/conf.toml
Outdated
| # A list of denied Kubernetes resources in Group/Version/Kind format. | ||
| # If a resource is in this list, your MCP server should deny all operations | ||
| # on that resource type across all namespaces. | ||
| [[denied_resources]] |
There was a problem hiding this comment.
Would this format make sense to you?.
There was a problem hiding this comment.
Let's move this discussion to #132
ardaguclu
commented
Jun 19, 2025
pkg/config/conf.toml
Outdated
| kind = "Secret" | ||
|
|
||
| [[denied_resources]] | ||
| group = "rbac.authorization.k8s.io" |
There was a problem hiding this comment.
We allow group based prohibitions.
ardaguclu
force-pushed
the
static-conf-file
branch
from
713cdec to
601f882
Compare
ardaguclu
commented
Jun 19, 2025
ardaguclu
commented
Jun 19, 2025
manusa
reviewed
Jun 19, 2025
Comment on lines
+130
to
+143
| if c.staticConfig == nil { | ||
| c.staticConfig = &config.StaticConfig{ | ||
| DeniedResources: []config.GroupVersionKind{ | ||
| { | ||
| Version: "v1", | ||
| Kind: "Secret", | ||
| }, | ||
| { | ||
| Group: "rbac.authorization.k8s.io", | ||
| Version: "v1", | ||
| }, | ||
| }, | ||
| } | ||
| } |
There was a problem hiding this comment.
Additionally, this PR adds predefined set of resources to not allow any operations in MCP Server.
I wouldn't set any opinionated defaults (at least for the default upstream full profile)
Maybe we want to discuss if we want to provide an upstream safe profile or maybe even a mode of operation that users could activate and added the opinionated denied resources.
Everything else looks good :)
ardaguclu
force-pushed
the
static-conf-file
branch
from
601f882 to
685558e
Compare
ardaguclu
force-pushed
the
static-conf-file
branch
from
685558e to
24de5d3
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #131
Introduces PoC for #132
This PR introduces a new static configuration file in toml format that defaults to
conf.tomlbut can be modified via flagconfig.Additionally, this PR adds predefined set of resources to not allow any operations in MCP Server.
This PR is supposed to fix #132 and #131