diff --git a/pkg/http/authorization.go b/pkg/http/authorization.go
index 2b3152b8..fd173818 100644
--- a/pkg/http/authorization.go
+++ b/pkg/http/authorization.go
@@ -102,7 +102,7 @@ func AuthorizationMiddleware(requireOAuth bool, serverURL string, oidcProvider *
 // 2. b. If this is not the only token in the headers, the token in here is used
 // only for authentication and authorization. Therefore, we need to send TokenReview request
 // with the other token in the headers (TODO: still need to validate aud and exp of this token separately).
- _, _, err = mcpServer.VerifyTokenAPIServer(r.Context(), token, audience)
+ /*_, _, err = mcpServer.VerifyTokenAPIServer(r.Context(), token, audience)
 if err != nil {
 klog.V(1).Infof("Authentication failed - API Server token validation error: %s %s from %s, error: %v",
 r.Method, r.URL.Path, r.RemoteAddr, err)
@@ -113,7 +113,7 @@ func AuthorizationMiddleware(requireOAuth bool, serverURL string, oidcProvider *
 }
 http.Error(w, "Unauthorized: Invalid token", http.StatusUnauthorized)
 return
- }
+ }*/
 next.ServeHTTP(w, r)
 })
diff --git a/pkg/kubernetes/kubernetes.go b/pkg/kubernetes/kubernetes.go
index db0ac542..56522320 100644
--- a/pkg/kubernetes/kubernetes.go
+++ b/pkg/kubernetes/kubernetes.go
@@ -2,7 +2,6 @@ package kubernetes
 import (
 "context"
- "errors"
 "strings"
 "k8s.io/apimachinery/pkg/runtime"
@@ -146,9 +145,6 @@ func (m *Manager) ToRESTMapper() (meta.RESTMapper, error) {
 func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 authorization, ok := ctx.Value(OAuthAuthorizationHeader).(string)
 if !ok || !strings.HasPrefix(authorization, "Bearer ") {
- if m.staticConfig.RequireOAuth {
- return nil, errors.New("oauth token required")
- }
 return &Kubernetes{manager: m}, nil
 }
 klog.V(5).Infof("%s header found (Bearer), using provided bearer token", OAuthAuthorizationHeader)
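Review bot: Commenting out the `mcpServer.VerifyTokenAPIServer` call and its `if err != nil` rejection (the block comment opens here and closes at `}*/` in the next hunk) lets this branch of `AuthorizationMiddleware` reach `next.ServeHTTP(w, r)` with no TokenReview, while the comment above it still records that `aud` and `exp` of the token are not validated separately. The later hunks move in the same fail-open direction: `Derived` in `pkg/kubernetes/kubernetes.go` loses every `m.staticConfig.RequireOAuth` guard, so a missing Bearer header or a client-construction error now returns `&Kubernetes{manager: m}` without logging the error, and `contextFunc` in `pkg/mcp/mcp.go` stops copying the standard Authorization header into the context. Taken together, a request could presumably be served with the manager's own configuration rather than the caller's token; the bodies of these functions extend outside the hunks, so earlier checks cannot be confirmed from here. I would keep the live line `_, _, err = mcpServer.VerifyTokenAPIServer(r.Context(), token, audience)` and the `RequireOAuth` early returns, and if the check must be skippable, make that an explicit, logged configuration choice instead of a block comment.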
@@ -172,10 +168,6 @@ func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 }
 clientCmdApiConfig, err := m.clientCmdConfig.RawConfig()
 if err != nil {
- if m.staticConfig.RequireOAuth {
- klog.Errorf("failed to get kubeconfig: %v", err)
- return nil, errors.New("failed to get kubeconfig")
- }
 return &Kubernetes{manager: m}, nil
 }
 clientCmdApiConfig.AuthInfos = make(map[string]*clientcmdapi.AuthInfo)
@@ -186,10 +178,6 @@ func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 }}
 derived.manager.accessControlClientSet, err = NewAccessControlClientset(derived.manager.cfg, derived.manager.staticConfig)
 if err != nil {
- if m.staticConfig.RequireOAuth {
- klog.Errorf("failed to get kubeconfig: %v", err)
- return nil, errors.New("failed to get kubeconfig")
- }
 return &Kubernetes{manager: m}, nil
 }
 derived.manager.discoveryClient = memory.NewMemCacheClient(derived.manager.accessControlClientSet.DiscoveryClient())
@@ -199,10 +187,6 @@ func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 )
 derived.manager.dynamicClient, err = dynamic.NewForConfig(derived.manager.cfg)
 if err != nil {
- if m.staticConfig.RequireOAuth {
- klog.Errorf("failed to initialize dynamic client: %v", err)
- return nil, errors.New("failed to initialize dynamic client")
- }
 return &Kubernetes{manager: m}, nil
 }
 return derived, nil
diff --git a/pkg/mcp/mcp.go b/pkg/mcp/mcp.go
index 5a4f1d51..31f389bf 100644
--- a/pkg/mcp/mcp.go
+++ b/pkg/mcp/mcp.go
@@ -4,10 +4,11 @@ import (
 "bytes"
 "context"
 "fmt"
- "k8s.io/klog/v2"
 "net/http"
 "slices"
+ "k8s.io/klog/v2"
+
 "github.com/mark3labs/mcp-go/mcp"
 "github.com/mark3labs/mcp-go/server"
 authenticationapiv1 "k8s.io/api/authentication/v1"
@@ -170,12 +171,6 @@ func NewTextResult(content string, err error) *mcp.CallToolResult { } func contextFunc(ctx context.Context, r *http.Request) context.Context { - // Get the standard Authorization header (OAuth compliant) - authHeader := r.Header.Get(string(internalk8s.OAuthAuthorizationHeader)) - if authHeader != "" { - return context.WithValue(ctx, internalk8s.OAuthAuthorizationHeader, authHeader) - } - // Fallback to custom header for backward compatibility customAuthHeader := r.Header.Get(string(internalk8s.CustomAuthorizationHeader)) if customAuthHeader != "" {