Add nodes_debug_exec tool in pkg/ocp package

Author: harche

README.md

@@ -199,11 +199,12 @@ The following sets of tools are available (all on by default):
 
 <!-- AVAILABLE-TOOLSETS-START -->
 
-| Toolset | Description                                                                         |
-|---------|-------------------------------------------------------------------------------------|
-| config  | View and manage the current local Kubernetes configuration (kubeconfig)             |
-| core    | Most common tools for Kubernetes management (Pods, Generic Resources, Events, etc.) |
-| helm    | Tools for managing Helm charts and releases                                         |
+| Toolset        | Description                                                                         |
+|----------------|-------------------------------------------------------------------------------------|
+| config         | View and manage the current local Kubernetes configuration (kubeconfig)             |
+| core           | Most common tools for Kubernetes management (Pods, Generic Resources, Events, etc.) |
+| helm           | Tools for managing Helm charts and releases                                         |
+| openshift-core | Core OpenShift-specific tools (Node debugging, etc.)                                |
 
 <!-- AVAILABLE-TOOLSETS-END -->
 
@@ -322,6 +323,19 @@ In case multi-cluster support is enabled (default) and you have access to multip
 
 </details>
 
+<details>
+
+<summary>openshift-core</summary>
+
+- **nodes_debug_exec** - Run commands on an OpenShift node using a privileged debug pod with comprehensive troubleshooting utilities. The debug pod uses the UBI9 toolbox image which includes: systemd tools (systemctl, journalctl), networking tools (ss, ip, ping, traceroute, nmap), process tools (ps, top, lsof, strace), file system tools (find, tar, rsync), and debugging tools (gdb). The host filesystem is mounted at /host, allowing commands to chroot /host if needed to access node-level resources. Output is truncated to the most recent 100 lines, so prefer filters like grep when expecting large logs.
+  - `command` (`array`) **(required)** - Command to execute on the node. All standard debugging utilities from the UBI9 toolbox are available. The host filesystem is mounted at /host - use 'chroot /host <command>' to access node-level resources, or run commands directly in the toolbox environment. Provide each argument as a separate array item (e.g. ['chroot', '/host', 'systemctl', 'status', 'kubelet'] or ['journalctl', '-u', 'kubelet', '--since', '1 hour ago']).
+  - `image` (`string`) - Container image to use for the debug pod (optional). Defaults to registry.access.redhat.com/ubi9/toolbox:latest which provides comprehensive debugging and troubleshooting utilities.
+  - `namespace` (`string`) - Namespace to create the temporary debug pod in (optional, defaults to the current namespace or 'default').
+  - `node` (`string`) **(required)** - Name of the node to debug (e.g. worker-0).
+  - `timeout_seconds` (`integer`) - Maximum time to wait for the command to complete before timing out (optional, defaults to 60 seconds).
+
+</details>
+
 
 <!-- AVAILABLE-TOOLSETS-TOOLS-END -->
 

internal/tools/update-readme/main.go

@@ -15,6 +15,7 @@ import (
 	_ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/config"
 	_ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/core"
 	_ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/helm"
+	_ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/openshift"
 )
 
 type OpenShift struct{}

pkg/config/config.go

@@ -66,7 +66,7 @@ type StaticConfig struct {
 func Default() *StaticConfig {
 	return &StaticConfig{
 		ListOutput: "table",
-		Toolsets:   []string{"core", "config", "helm"},
+		Toolsets:   []string{"core", "config", "helm", "openshift-core"},
 	}
 }
 

pkg/config/config_test.go

@@ -152,8 +152,8 @@ func (s *ConfigSuite) TestReadConfigValidPreservesDefaultsForMissingFields() {
 		s.Equalf("table", config.ListOutput, "Expected ListOutput to be table, got %s", config.ListOutput)
 	})
 	s.Run("toolsets defaulted correctly", func() {
-		s.Require().Lenf(config.Toolsets, 3, "Expected 3 toolsets, got %d", len(config.Toolsets))
-		for _, toolset := range []string{"core", "config", "helm"} {
+		s.Require().Lenf(config.Toolsets, 4, "Expected 4 toolsets, got %d", len(config.Toolsets))
+		for _, toolset := range []string{"core", "config", "helm", "openshift-core"} {
 			s.Containsf(config.Toolsets, toolset, "Expected toolsets to contain %s", toolset)
 		}
 	})

pkg/kubernetes-mcp-server/cmd/root_test.go

@@ -137,15 +137,15 @@ func TestToolsets(t *testing.T) {
 		rootCmd := NewMCPServer(ioStreams)
 		rootCmd.SetArgs([]string{"--help"})
 		o, err := captureOutput(rootCmd.Execute) // --help doesn't use logger/klog, cobra prints directly to stdout
-		if !strings.Contains(o, "Comma-separated list of MCP toolsets to use (available toolsets: config, core, helm).") {
+		if !strings.Contains(o, "Comma-separated list of MCP toolsets to use (available toolsets: config, core, helm, openshift-core).") {
 			t.Fatalf("Expected all available toolsets, got %s %v", o, err)
 		}
 	})
 	t.Run("default", func(t *testing.T) {
 		ioStreams, out := testStream()
 		rootCmd := NewMCPServer(ioStreams)
 		rootCmd.SetArgs([]string{"--version", "--port=1337", "--log-level=1"})
-		if err := rootCmd.Execute(); !strings.Contains(out.String(), "- Toolsets: core, config, helm") {
+		if err := rootCmd.Execute(); !strings.Contains(out.String(), "- Toolsets: core, config, helm, openshift-core") {
 			t.Fatalf("Expected toolsets 'full', got %s %v", out, err)
 		}
 	})

pkg/mcp/nodes_test.go

@@ -0,0 +1,265 @@
+package mcp
+
+import (
+	"encoding/json"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/mark3labs/mcp-go/mcp"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+
+	"github.com/containers/kubernetes-mcp-server/internal/test"
+)
+
+func TestNodesDebugExecTool(t *testing.T) {
+	testCase(t, func(c *mcpContext) {
+		mockServer := test.NewMockServer()
+		defer mockServer.Close()
+		c.withKubeConfig(mockServer.Config())
+
+		var (
+			createdPod   v1.Pod
+			deleteCalled bool
+		)
+		const namespace = "debug"
+		const logOutput = "filesystem repaired"
+
+		scheme := runtime.NewScheme()
+		_ = v1.AddToScheme(scheme)
+		codec := serializer.NewCodecFactory(scheme).UniversalDeserializer()
+
+		mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			switch {
+			case req.URL.Path == "/api":
+				w.Header().Set("Content-Type", "application/json")
+				_, _ = w.Write([]byte(`{"kind":"APIVersions","versions":["v1"],"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0"}]}`))
+			case req.URL.Path == "/apis":
+				w.Header().Set("Content-Type", "application/json")
+				_, _ = w.Write([]byte(`{"kind":"APIGroupList","apiVersion":"v1","groups":[]}`))
+			case req.URL.Path == "/api/v1":
+				w.Header().Set("Content-Type", "application/json")
+				_, _ = w.Write([]byte(`{"kind":"APIResourceList","apiVersion":"v1","resources":[{"name":"pods","singularName":"","namespaced":true,"kind":"Pod","verbs":["get","list","watch","create","update","patch","delete"]}]}`))
+			case req.Method == http.MethodPatch && strings.HasPrefix(req.URL.Path, "/api/v1/namespaces/"+namespace+"/pods/"):
+				// Handle server-side apply (PATCH with fieldManager query param)
+				body, err := io.ReadAll(req.Body)
+				if err != nil {
+					t.Fatalf("failed to read apply body: %v", err)
+				}
+				created := &v1.Pod{}
+				if _, _, err = codec.Decode(body, nil, created); err != nil {
+					t.Fatalf("failed to decode apply body: %v", err)
+				}
+				createdPod = *created
+				// Keep the name from the request URL if it was provided
+				pathParts := strings.Split(req.URL.Path, "/")
+				if len(pathParts) > 0 {
+					createdPod.Name = pathParts[len(pathParts)-1]
+				}
+				createdPod.Namespace = namespace
+				w.Header().Set("Content-Type", "application/json")
+				_ = json.NewEncoder(w).Encode(&createdPod)
+			case req.Method == http.MethodPost && req.URL.Path == "/api/v1/namespaces/"+namespace+"/pods":
+				body, err := io.ReadAll(req.Body)
+				if err != nil {
+					t.Fatalf("failed to read create body: %v", err)
+				}
+				created := &v1.Pod{}
+				if _, _, err = codec.Decode(body, nil, created); err != nil {
+					t.Fatalf("failed to decode create body: %v", err)
+				}
+				createdPod = *created
+				createdPod.ObjectMeta = metav1.ObjectMeta{
+					Namespace: namespace,
+					Name:      createdPod.GenerateName + "abc",
+				}
+				w.Header().Set("Content-Type", "application/json")
+				_ = json.NewEncoder(w).Encode(&createdPod)
+			case req.Method == http.MethodGet && createdPod.Name != "" && req.URL.Path == "/api/v1/namespaces/"+namespace+"/pods/"+createdPod.Name:
+				podStatus := createdPod.DeepCopy()
+				podStatus.Status = v1.PodStatus{
+					Phase: v1.PodSucceeded,
+					ContainerStatuses: []v1.ContainerStatus{{
+						Name: "debug",
+						State: v1.ContainerState{Terminated: &v1.ContainerStateTerminated{
+							ExitCode: 0,
+						}},
+					}},
+				}
+				w.Header().Set("Content-Type", "application/json")
+				_ = json.NewEncoder(w).Encode(podStatus)
+			case req.Method == http.MethodDelete && createdPod.Name != "" && req.URL.Path == "/api/v1/namespaces/"+namespace+"/pods/"+createdPod.Name:
+				deleteCalled = true
+				w.Header().Set("Content-Type", "application/json")
+				_ = json.NewEncoder(w).Encode(&metav1.Status{Status: "Success"})
+			case req.Method == http.MethodGet && createdPod.Name != "" && req.URL.Path == "/api/v1/namespaces/"+namespace+"/pods/"+createdPod.Name+"/log":
+				w.Header().Set("Content-Type", "text/plain")
+				_, _ = w.Write([]byte(logOutput))
+			}
+		}))
+
+		toolResult, err := c.callTool("nodes_debug_exec", map[string]any{
+			"node":      "worker-0",
+			"namespace": namespace,
+			"command":   []any{"uname", "-a"},
+		})
+
+		t.Run("call succeeds", func(t *testing.T) {
+			if err != nil {
+				t.Fatalf("call tool failed: %v", err)
+			}
+			if toolResult.IsError {
+				t.Fatalf("tool returned error: %v", toolResult.Content)
+			}
+			if len(toolResult.Content) == 0 {
+				t.Fatalf("expected output content")
+			}
+			text := toolResult.Content[0].(mcp.TextContent).Text
+			if text != logOutput {
+				t.Fatalf("unexpected tool output %q", text)
+			}
+		})
+
+		t.Run("debug pod shaped correctly", func(t *testing.T) {
+			if createdPod.Spec.Containers == nil || len(createdPod.Spec.Containers) != 1 {
+				t.Fatalf("expected single container in debug pod")
+			}
+			container := createdPod.Spec.Containers[0]
+			expectedCommand := []string{"uname", "-a"}
+			if !equalStringSlices(container.Command, expectedCommand) {
+				t.Fatalf("unexpected debug command: %v", container.Command)
+			}
+			if container.SecurityContext == nil || container.SecurityContext.Privileged == nil || !*container.SecurityContext.Privileged {
+				t.Fatalf("expected privileged container")
+			}
+			if len(createdPod.Spec.Volumes) == 0 || createdPod.Spec.Volumes[0].HostPath == nil {
+				t.Fatalf("expected hostPath volume on debug pod")
+			}
+			if !deleteCalled {
+				t.Fatalf("expected debug pod to be deleted")
+			}
+		})
+	})
+}
+
+func equalStringSlices(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func TestNodesDebugExecToolNonZeroExit(t *testing.T) {
+	testCase(t, func(c *mcpContext) {
+		mockServer := test.NewMockServer()
+		defer mockServer.Close()
+		c.withKubeConfig(mockServer.Config())
+
+		const namespace = "default"
+		const errorMessage = "failed"
+
+		scheme := runtime.NewScheme()
+		_ = v1.AddToScheme(scheme)
+		codec := serializer.NewCodecFactory(scheme).UniversalDeserializer()
+
+		mockServer.Handle(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			switch {
+			case req.URL.Path == "/api":
+				w.Header().Set("Content-Type", "application/json")
+				_, _ = w.Write([]byte(`{"kind":"APIVersions","versions":["v1"],"serverAddressByClientCIDRs":[{"clientCIDR":"0.0.0.0/0"}]}`))
+			case req.URL.Path == "/apis":
+				w.Header().Set("Content-Type", "application/json")
+				_, _ = w.Write([]byte(`{"kind":"APIGroupList","apiVersion":"v1","groups":[]}`))
+			case req.URL.Path == "/api/v1":
+				w.Header().Set("Content-Type", "application/json")
+				_, _ = w.Write([]byte(`{"kind":"APIResourceList","apiVersion":"v1","resources":[{"name":"pods","singularName":"","namespaced":true,"kind":"Pod","verbs":["get","list","watch","create","update","patch","delete"]}]}`))
+			case req.Method == http.MethodPatch && strings.HasPrefix(req.URL.Path, "/api/v1/namespaces/"+namespace+"/pods/"):
+				// Handle server-side apply (PATCH with fieldManager query param)
+				body, err := io.ReadAll(req.Body)
+				if err != nil {
+					t.Fatalf("failed to read apply body: %v", err)
+				}
+				pod := &v1.Pod{}
+				if _, _, err = codec.Decode(body, nil, pod); err != nil {
+					t.Fatalf("failed to decode apply body: %v", err)
+				}
+				// Keep the name from the request URL if it was provided
+				pathParts := strings.Split(req.URL.Path, "/")
+				if len(pathParts) > 0 {
+					pod.Name = pathParts[len(pathParts)-1]
+				}
+				pod.Namespace = namespace
+				w.Header().Set("Content-Type", "application/json")
+				_ = json.NewEncoder(w).Encode(pod)
+			case req.Method == http.MethodPost && req.URL.Path == "/api/v1/namespaces/"+namespace+"/pods":
+				body, err := io.ReadAll(req.Body)
+				if err != nil {
+					t.Fatalf("failed to read create body: %v", err)
+				}
+				pod := &v1.Pod{}
+				if _, _, err = codec.Decode(body, nil, pod); err != nil {
+					t.Fatalf("failed to decode create body: %v", err)
+				}
+				pod.ObjectMeta = metav1.ObjectMeta{Name: pod.GenerateName + "xyz", Namespace: namespace}
+				w.Header().Set("Content-Type", "application/json")
+				_ = json.NewEncoder(w).Encode(pod)
+			case strings.HasPrefix(req.URL.Path, "/api/v1/namespaces/"+namespace+"/pods/") && strings.HasSuffix(req.URL.Path, "/log"):
+				w.Header().Set("Content-Type", "text/plain")
+				_, _ = w.Write([]byte(errorMessage))
+			case req.Method == http.MethodGet && strings.HasPrefix(req.URL.Path, "/api/v1/namespaces/"+namespace+"/pods/"):
+				pathParts := strings.Split(req.URL.Path, "/")
+				podName := pathParts[len(pathParts)-1]
+				pod := &v1.Pod{
+					TypeMeta: metav1.TypeMeta{
+						APIVersion: "v1",
+						Kind:       "Pod",
+					},
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      podName,
+						Namespace: namespace,
+					},
+				}
+				pod.Status = v1.PodStatus{
+					Phase: v1.PodSucceeded,
+					ContainerStatuses: []v1.ContainerStatus{{
+						Name: "debug",
+						State: v1.ContainerState{Terminated: &v1.ContainerStateTerminated{
+							ExitCode: 2,
+							Reason:   "Error",
+						}},
+					}},
+				}
+				w.Header().Set("Content-Type", "application/json")
+				_ = json.NewEncoder(w).Encode(pod)
+			}
+		}))
+
+		toolResult, err := c.callTool("nodes_debug_exec", map[string]any{
+			"node":    "infra-1",
+			"command": []any{"journalctl"},
+		})
+
+		if err != nil {
+			t.Fatalf("call tool failed: %v", err)
+		}
+		if !toolResult.IsError {
+			t.Fatalf("expected tool to return error")
+		}
+		text := toolResult.Content[0].(mcp.TextContent).Text
+		if !strings.Contains(text, "command exited with code 2") {
+			t.Fatalf("expected exit code message, got %q", text)
+		}
+		if !strings.Contains(text, "Error") {
+			t.Fatalf("expected error reason included, got %q", text)
+		}
+	})
+}

pkg/mcp/openshift_modules.go

@@ -0,0 +1,3 @@
+package mcp
+
+import _ "github.com/containers/kubernetes-mcp-server/pkg/toolsets/openshift"