Merge pull request #64 from matzew/sync-downstream

openshift-merge-bot[bot] · web-flow · commit 3720f23de0e1 · 2025-10-29T10:09:32.000Z
NO-JIRA: Sync downstream with the latest changes in upstream
diff --git a/internal/test/mcp.go b/internal/test/mcp.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/mark3labs/mcp-go/client"
+	"github.com/mark3labs/mcp-go/client/transport"
 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/context"
@@ -17,12 +18,12 @@ type McpClient struct {
 	*client.Client
 }
 
-func NewMcpClient(t *testing.T, mcpHttpServer http.Handler) *McpClient {
+func NewMcpClient(t *testing.T, mcpHttpServer http.Handler, options ...transport.StreamableHTTPCOption) *McpClient {
 	require.NotNil(t, mcpHttpServer, "McpHttpServer must be provided")
 	var err error
 	ret := &McpClient{ctx: t.Context()}
 	ret.testServer = httptest.NewServer(mcpHttpServer)
-	ret.Client, err = client.NewStreamableHttpClient(ret.testServer.URL + "/mcp")
+	ret.Client, err = client.NewStreamableHttpClient(ret.testServer.URL+"/mcp", options...)
 	require.NoError(t, err, "Expected no error creating MCP client")
 	err = ret.Start(t.Context())
 	require.NoError(t, err, "Expected no error starting MCP client")
diff --git a/pkg/kubernetes/accesscontrol_clientset.go b/pkg/kubernetes/accesscontrol_clientset.go
@@ -55,6 +55,22 @@ func (a *AccessControlClientset) NodesLogs(ctx context.Context, name string) (*r
 		AbsPath(url...), nil
 }
 
+func (a *AccessControlClientset) NodesStatsSummary(ctx context.Context, name string) (*rest.Request, error) {
+	gvk := &schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Node"}
+	if !isAllowed(a.staticConfig, gvk) {
+		return nil, isNotAllowedError(gvk)
+	}
+
+	if _, err := a.delegate.CoreV1().Nodes().Get(ctx, name, metav1.GetOptions{}); err != nil {
+		return nil, fmt.Errorf("failed to get node %s: %w", name, err)
+	}
+
+	url := []string{"api", "v1", "nodes", name, "proxy", "stats", "summary"}
+	return a.delegate.CoreV1().RESTClient().
+		Get().
+		AbsPath(url...), nil
+}
+
 func (a *AccessControlClientset) Pods(namespace string) (corev1.PodInterface, error) {
 	gvk := &schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"}
 	if !isAllowed(a.staticConfig, gvk) {
diff --git a/pkg/kubernetes/nodes.go b/pkg/kubernetes/nodes.go
@@ -36,3 +36,25 @@ func (k *Kubernetes) NodesLog(ctx context.Context, name string, query string, ta
 
 	return string(rawData), nil
 }
+
+func (k *Kubernetes) NodesStatsSummary(ctx context.Context, name string) (string, error) {
+	// Use the node proxy API to access stats summary from the kubelet
+	// This endpoint provides CPU, memory, filesystem, and network statistics
+
+	req, err := k.AccessControlClientset().NodesStatsSummary(ctx, name)
+	if err != nil {
+		return "", err
+	}
+
+	result := req.Do(ctx)
+	if result.Error() != nil {
+		return "", fmt.Errorf("failed to get node stats summary: %w", result.Error())
+	}
+
+	rawData, err := result.Raw()
+	if err != nil {
+		return "", fmt.Errorf("failed to read node stats summary response: %w", err)
+	}
+
+	return string(rawData), nil
+}
diff --git a/pkg/mcp/common_test.go b/pkg/mcp/common_test.go
@@ -443,9 +443,9 @@ func (s *BaseMcpSuite) TearDownTest() {
 	}
 }
 
-func (s *BaseMcpSuite) InitMcpClient() {
+func (s *BaseMcpSuite) InitMcpClient(options ...transport.StreamableHTTPCOption) {
 	var err error
 	s.mcpServer, err = NewServer(Configuration{StaticConfig: s.Cfg})
 	s.Require().NoError(err, "Expected no error creating MCP server")
-	s.McpClient = test.NewMcpClient(s.T(), s.mcpServer.ServeHTTP(nil))
+	s.McpClient = test.NewMcpClient(s.T(), s.mcpServer.ServeHTTP(nil), options...)
 }
diff --git a/pkg/mcp/mcp_test.go b/pkg/mcp/mcp_test.go
@@ -10,8 +10,9 @@ import (
 	"time"
 
 	"github.com/containers/kubernetes-mcp-server/internal/test"
-	"github.com/mark3labs/mcp-go/client"
+	"github.com/mark3labs/mcp-go/client/transport"
 	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/stretchr/testify/suite"
 )
 
 func TestWatchKubeConfig(t *testing.T) {
@@ -48,16 +49,19 @@ func TestWatchKubeConfig(t *testing.T) {
 	})
 }
 
-func TestSseHeaders(t *testing.T) {
-	mockServer := test.NewMockServer()
-	defer mockServer.Close()
-	before := func(c *mcpContext) {
-		c.withKubeConfig(mockServer.Config())
-		c.clientOptions = append(c.clientOptions, client.WithHeaders(map[string]string{"kubernetes-authorization": "Bearer a-token-from-mcp-client"}))
-	}
-	pathHeaders := make(map[string]http.Header, 0)
-	mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		pathHeaders[req.URL.Path] = req.Header.Clone()
+type McpHeadersSuite struct {
+	BaseMcpSuite
+	mockServer  *test.MockServer
+	pathHeaders map[string]http.Header
+}
+
+func (s *McpHeadersSuite) SetupTest() {
+	s.BaseMcpSuite.SetupTest()
+	s.mockServer = test.NewMockServer()
+	s.Cfg.KubeConfig = s.mockServer.KubeconfigFile(s.T())
+	s.pathHeaders = make(map[string]http.Header)
+	s.mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		s.pathHeaders[req.URL.Path] = req.Header.Clone()
 		// Request Performed by DiscoveryClient to Kube API (Get API Groups legacy -core-)
 		if req.URL.Path == "/api" {
 			w.Header().Set("Content-Type", "application/json")
@@ -90,38 +94,42 @@ func TestSseHeaders(t *testing.T) {
 		}
 		w.WriteHeader(404)
 	}))
-	testCaseWithContext(t, &mcpContext{before: before}, func(c *mcpContext) {
-		_, _ = c.callTool("pods_list", map[string]interface{}{})
-		t.Run("DiscoveryClient propagates headers to Kube API", func(t *testing.T) {
-			if len(pathHeaders) == 0 {
-				t.Fatalf("No requests were made to Kube API")
-			}
-			if pathHeaders["/api"] == nil || pathHeaders["/api"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
-				t.Fatalf("Overridden header Authorization not found in request to /api")
-			}
-			if pathHeaders["/apis"] == nil || pathHeaders["/apis"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
-				t.Fatalf("Overridden header Authorization not found in request to /apis")
-			}
-			if pathHeaders["/api/v1"] == nil || pathHeaders["/api/v1"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
-				t.Fatalf("Overridden header Authorization not found in request to /api/v1")
-			}
+}
+
+func (s *McpHeadersSuite) TearDownTest() {
+	s.BaseMcpSuite.TearDownTest()
+	if s.mockServer != nil {
+		s.mockServer.Close()
+	}
+}
+
+func (s *McpHeadersSuite) TestAuthorizationHeaderPropagation() {
+	cases := []string{"kubernetes-authorization", "Authorization"}
+	for _, header := range cases {
+		s.InitMcpClient(transport.WithHTTPHeaders(map[string]string{header: "Bearer a-token-from-mcp-client"}))
+		_, _ = s.CallTool("pods_list", map[string]interface{}{})
+		s.Require().Greater(len(s.pathHeaders), 0, "No requests were made to Kube API")
+		s.Run("DiscoveryClient propagates "+header+" header to Kube API", func() {
+			s.Require().NotNil(s.pathHeaders["/api"], "No requests were made to /api")
+			s.Equal("Bearer a-token-from-mcp-client", s.pathHeaders["/api"].Get("Authorization"), "Overridden header Authorization not found in request to /api")
+			s.Require().NotNil(s.pathHeaders["/apis"], "No requests were made to /apis")
+			s.Equal("Bearer a-token-from-mcp-client", s.pathHeaders["/apis"].Get("Authorization"), "Overridden header Authorization not found in request to /apis")
+			s.Require().NotNil(s.pathHeaders["/api/v1"], "No requests were made to /api/v1")
+			s.Equal("Bearer a-token-from-mcp-client", s.pathHeaders["/api/v1"].Get("Authorization"), "Overridden header Authorization not found in request to /api/v1")
 		})
-		t.Run("DynamicClient propagates headers to Kube API", func(t *testing.T) {
-			if len(pathHeaders) == 0 {
-				t.Fatalf("No requests were made to Kube API")
-			}
-			if pathHeaders["/api/v1/namespaces/default/pods"] == nil || pathHeaders["/api/v1/namespaces/default/pods"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
-				t.Fatalf("Overridden header Authorization not found in request to /api/v1/namespaces/default/pods")
-			}
+		s.Run("DynamicClient propagates "+header+" header to Kube API", func() {
+			s.Require().NotNil(s.pathHeaders["/api/v1/namespaces/default/pods"], "No requests were made to /api/v1/namespaces/default/pods")
+			s.Equal("Bearer a-token-from-mcp-client", s.pathHeaders["/api/v1/namespaces/default/pods"].Get("Authorization"), "Overridden header Authorization not found in request to /api/v1/namespaces/default/pods")
 		})
-		_, _ = c.callTool("pods_delete", map[string]interface{}{"name": "a-pod-to-delete"})
-		t.Run("kubernetes.Interface propagates headers to Kube API", func(t *testing.T) {
-			if len(pathHeaders) == 0 {
-				t.Fatalf("No requests were made to Kube API")
-			}
-			if pathHeaders["/api/v1/namespaces/default/pods/a-pod-to-delete"] == nil || pathHeaders["/api/v1/namespaces/default/pods/a-pod-to-delete"].Get("Authorization") != "Bearer a-token-from-mcp-client" {
-				t.Fatalf("Overridden header Authorization not found in request to /api/v1/namespaces/default/pods/a-pod-to-delete")
-			}
+		_, _ = s.CallTool("pods_delete", map[string]interface{}{"name": "a-pod-to-delete"})
+		s.Run("kubernetes.Interface propagates "+header+" header to Kube API", func() {
+			s.Require().NotNil(s.pathHeaders["/api/v1/namespaces/default/pods/a-pod-to-delete"], "No requests were made to /api/v1/namespaces/default/pods/a-pod-to-delete")
+			s.Equal("Bearer a-token-from-mcp-client", s.pathHeaders["/api/v1/namespaces/default/pods/a-pod-to-delete"].Get("Authorization"), "Overridden header Authorization not found in request to /api/v1/namespaces/default/pods/a-pod-to-delete")
 		})
-	})
+
+	}
+}
+
+func TestMcpHeaders(t *testing.T) {
+	suite.Run(t, new(McpHeadersSuite))
 }
diff --git a/pkg/mcp/nodes_test.go b/pkg/mcp/nodes_test.go
@@ -222,6 +222,115 @@ func (s *NodesSuite) TestNodesLogDenied() {
 	})
 }
 
+func (s *NodesSuite) TestNodesStatsSummary() {
+	s.mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		// Get Node response
+		if req.URL.Path == "/api/v1/nodes/existing-node" {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(`{
+				"apiVersion": "v1",
+				"kind": "Node",
+				"metadata": {
+					"name": "existing-node"
+				}
+			}`))
+			return
+		}
+		// Get Stats Summary response
+		if req.URL.Path == "/api/v1/nodes/existing-node/proxy/stats/summary" {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(`{
+				"node": {
+					"nodeName": "existing-node",
+					"cpu": {
+						"time": "2025-10-27T00:00:00Z",
+						"usageNanoCores": 1000000000,
+						"usageCoreNanoSeconds": 5000000000
+					},
+					"memory": {
+						"time": "2025-10-27T00:00:00Z",
+						"availableBytes": 8000000000,
+						"usageBytes": 4000000000,
+						"workingSetBytes": 3500000000
+					}
+				},
+				"pods": []
+			}`))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+	s.InitMcpClient()
+	s.Run("nodes_stats_summary(name=nil)", func() {
+		toolResult, err := s.CallTool("nodes_stats_summary", map[string]interface{}{})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes missing name", func() {
+			expectedMessage := "failed to get node stats summary, missing argument name"
+			s.Equalf(expectedMessage, toolResult.Content[0].(mcp.TextContent).Text,
+				"expected descriptive error '%s', got %v", expectedMessage, toolResult.Content[0].(mcp.TextContent).Text)
+		})
+	})
+	s.Run("nodes_stats_summary(name=inexistent-node)", func() {
+		toolResult, err := s.CallTool("nodes_stats_summary", map[string]interface{}{
+			"name": "inexistent-node",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes missing node", func() {
+			expectedMessage := "failed to get node stats summary for inexistent-node: failed to get node inexistent-node: the server could not find the requested resource (get nodes inexistent-node)"
+			s.Equalf(expectedMessage, toolResult.Content[0].(mcp.TextContent).Text,
+				"expected descriptive error '%s', got %v", expectedMessage, toolResult.Content[0].(mcp.TextContent).Text)
+		})
+	})
+	s.Run("nodes_stats_summary(name=existing-node)", func() {
+		toolResult, err := s.CallTool("nodes_stats_summary", map[string]interface{}{
+			"name": "existing-node",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("no error", func() {
+			s.Falsef(toolResult.IsError, "call tool should succeed")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("returns stats summary", func() {
+			content := toolResult.Content[0].(mcp.TextContent).Text
+			s.Containsf(content, "existing-node", "expected stats to contain node name, got %v", content)
+			s.Containsf(content, "usageNanoCores", "expected stats to contain CPU metrics, got %v", content)
+			s.Containsf(content, "usageBytes", "expected stats to contain memory metrics, got %v", content)
+		})
+	})
+}
+
+func (s *NodesSuite) TestNodesStatsSummaryDenied() {
+	s.Require().NoError(toml.Unmarshal([]byte(`
+		denied_resources = [ { version = "v1", kind = "Node" } ]
+	`), s.Cfg), "Expected to parse denied resources config")
+	s.InitMcpClient()
+	s.Run("nodes_stats_summary (denied)", func() {
+		toolResult, err := s.CallTool("nodes_stats_summary", map[string]interface{}{
+			"name": "does-not-matter",
+		})
+		s.Require().NotNil(toolResult, "toolResult should not be nil")
+		s.Run("has error", func() {
+			s.Truef(toolResult.IsError, "call tool should fail")
+			s.Nilf(err, "call tool should not return error object")
+		})
+		s.Run("describes denial", func() {
+			expectedMessage := "failed to get node stats summary for does-not-matter: resource not allowed: /v1, Kind=Node"
+			s.Equalf(expectedMessage, toolResult.Content[0].(mcp.TextContent).Text,
+				"expected descriptive error '%s', got %v", expectedMessage, toolResult.Content[0].(mcp.TextContent).Text)
+		})
+	})
+}
+
 func TestNodes(t *testing.T) {
 	suite.Run(t, new(NodesSuite))
 }
diff --git a/pkg/mcp/testdata/toolsets-core-tools.json b/pkg/mcp/testdata/toolsets-core-tools.json
@@ -67,6 +67,29 @@
     },
     "name": "nodes_log"
   },
+  {
+    "annotations": {
+      "title": "Node: Stats Summary",
+      "readOnlyHint": true,
+      "destructiveHint": false,
+      "idempotentHint": false,
+      "openWorldHint": true
+    },
+    "description": "Get detailed resource usage statistics from a Kubernetes node via the kubelet's Summary API. Provides comprehensive metrics including CPU, memory, filesystem, and network usage at the node, pod, and container levels. On systems with cgroup v2 and kernel 4.20+, also includes PSI (Pressure Stall Information) metrics that show resource pressure for CPU, memory, and I/O. See https://kubernetes.io/docs/reference/instrumentation/understand-psi-metrics/ for details on PSI metrics",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "description": "Name of the node to get stats from",
+          "type": "string"
+        }
+      },
+      "required": [
+        "name"
+      ]
+    },
+    "name": "nodes_stats_summary"
+  },
   {
     "annotations": {
       "title": "Pods: Delete",
diff --git a/pkg/mcp/testdata/toolsets-full-tools-multicluster-enum.json b/pkg/mcp/testdata/toolsets-full-tools-multicluster-enum.json
@@ -237,6 +237,37 @@
     },
     "name": "nodes_log"
   },
+  {
+    "annotations": {
+      "title": "Node: Stats Summary",
+      "readOnlyHint": true,
+      "destructiveHint": false,
+      "idempotentHint": false,
+      "openWorldHint": true
+    },
+    "description": "Get detailed resource usage statistics from a Kubernetes node via the kubelet's Summary API. Provides comprehensive metrics including CPU, memory, filesystem, and network usage at the node, pod, and container levels. On systems with cgroup v2 and kernel 4.20+, also includes PSI (Pressure Stall Information) metrics that show resource pressure for CPU, memory, and I/O. See https://kubernetes.io/docs/reference/instrumentation/understand-psi-metrics/ for details on PSI metrics",
+    "inputSchema": {
+      "type": "object",
+      "properties": {
+        "context": {
+          "description": "Optional parameter selecting which context to run the tool in. Defaults to fake-context if not set",
+          "enum": [
+            "extra-cluster",
+            "fake-context"
+          ],
+          "type": "string"
+        },
+        "name": {
+          "description": "Name of the node to get stats from",
+          "type": "string"
+        }
+      },
+      "required": [
+        "name"
+      ]
+    },
+    "name": "nodes_stats_summary"
+  },
   {
     "annotations": {
       "title": "Pods: Delete",
diff --git a/pkg/mcp/testdata/toolsets-full-tools-multicluster.json b/pkg/mcp/testdata/toolsets-full-tools-multicluster.json
diff --git a/pkg/mcp/testdata/toolsets-full-tools-openshift.json b/pkg/mcp/testdata/toolsets-full-tools-openshift.json
diff --git a/pkg/mcp/testdata/toolsets-full-tools.json b/pkg/mcp/testdata/toolsets-full-tools.json
diff --git a/pkg/toolsets/core/nodes.go b/pkg/toolsets/core/nodes.go

Original file line number	Diff line number	Diff line change
`@@ -443,9 +443,9 @@ func (s *BaseMcpSuite) TearDownTest() {`
`443`	`443`	`}`
`444`	`444`	`}`
`445`	`445`
`446`		`-func (s *BaseMcpSuite) InitMcpClient() {`
	`446`	`+func (s *BaseMcpSuite) InitMcpClient(options ...transport.StreamableHTTPCOption) {`
`447`	`447`	`var err error`
`448`	`448`	`s.mcpServer, err = NewServer(Configuration{StaticConfig: s.Cfg})`
`449`	`449`	`s.Require().NoError(err, "Expected no error creating MCP server")`
`450`		`- s.McpClient = test.NewMcpClient(s.T(), s.mcpServer.ServeHTTP(nil))`
	`450`	`+ s.McpClient = test.NewMcpClient(s.T(), s.mcpServer.ServeHTTP(nil), options...)`
`451`	`451`	`}`