feat: add troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods (#38)

Author: tembleking

AGENTS.md

@@ -56,6 +56,7 @@ The handler filters tools dynamically based on `GetMyPermissions` from Sysdig Se
 | `kubernetes_list_cronjobs` | `tool_kubernetes_list_cronjobs.go` | Retrieves information from the cronjobs in the cluster. | `promql.exec` | "List all cronjobs in cluster 'prod' and namespace 'default'" |
 | `troubleshoot_kubernetes_list_top_unavailable_pods` | `tool_troubleshoot_kubernetes_list_top_unavailable_pods.go` | Shows the top N pods with the highest number of unavailable or unready replicas. | `promql.exec` | "Show the top 20 unavailable pods in cluster 'production'" |
 | `troubleshoot_kubernetes_list_top_restarted_pods` | `tool_troubleshoot_kubernetes_list_top_restarted_pods.go` | Lists the pods with the highest number of container restarts. | `promql.exec` | "Show the top 10 pods with the most container restarts in cluster 'production'" |
+| `troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods` | `tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go` | Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval. | `promql.exec` | "Show the top 20 pods with the most HTTP errors in cluster 'production'" |
 
 Every tool has a companion `_test.go` file that exercises request validation, permission metadata, and Sysdig client calls through mocks.
 Note that if you add more tools you need to also update this file to reflect that.

README.md

@@ -143,6 +143,11 @@ The server dynamically filters the available tools based on the permissions asso
   - **Required Permission**: `promql.exec`
   - **Sample Prompt**: "Show the top 10 pods with the most container restarts in cluster 'production'"
 
+- **`troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods`**
+  - **Description**: Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval, allowing filtering by cluster, namespace, workload type, and workload name.
+  - **Required Permission**: `promql.exec`
+  - **Sample Prompt**: "Show the top 20 pods with the most HTTP errors in cluster 'production'"
+
 ## Requirements
 
 - [Go](https://go.dev/doc/install) 1.25 or higher (if running without Docker).

cmd/server/main.go

@@ -102,6 +102,7 @@ func setupHandler(sysdigClient sysdig.ExtendedClientWithResponsesInterface) *mcp
 		tools.NewKubernetesListPodContainers(sysdigClient),
 		tools.NewTroubleshootKubernetesListTopUnavailablePods(sysdigClient),
 		tools.NewTroubleshootKubernetesListTopRestartedPods(sysdigClient),
+		tools.NewTroubleshootKubernetesListTop400500HttpErrorsInPods(sysdigClient),
 	)
 	return handler
 }

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods.go

@@ -0,0 +1,110 @@
+package tools
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"strings"
+	"time"
+
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig"
+)
+
+type TroubleshootKubernetesListTop400500HttpErrorsInPods struct {
+	SysdigClient sysdig.ExtendedClientWithResponsesInterface
+}
+
+func NewTroubleshootKubernetesListTop400500HttpErrorsInPods(sysdigClient sysdig.ExtendedClientWithResponsesInterface) *TroubleshootKubernetesListTop400500HttpErrorsInPods {
+	return &TroubleshootKubernetesListTop400500HttpErrorsInPods{
+		SysdigClient: sysdigClient,
+	}
+}
+
+func (t *TroubleshootKubernetesListTop400500HttpErrorsInPods) RegisterInServer(s *server.MCPServer) {
+	tool := mcp.NewTool("troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods",
+		mcp.WithDescription("Lists the pods with the highest rate of HTTP 4xx and 5xx errors over a specified time interval, allowing filtering by cluster, namespace, workload type, and workload name."),
+		mcp.WithString("interval", mcp.Description("Time interval for the query (e.g. '1h', '30m'). Default is '1h'.")),
+		mcp.WithString("cluster_name", mcp.Description("The name of the cluster to filter by.")),
+		mcp.WithString("namespace_name", mcp.Description("The name of the namespace to filter by.")),
+		mcp.WithString("workload_type", mcp.Description("The type of the workload to filter by.")),
+		mcp.WithString("workload_name", mcp.Description("The name of the workload to filter by.")),
+		mcp.WithNumber("limit",
+			mcp.Description("Maximum number of pods to return."),
+			mcp.DefaultNumber(20),
+		),
+		mcp.WithOutputSchema[map[string]any](),
+		WithRequiredPermissions(), // FIXME(fede): Add the required permissions. It should be `promql.exec` but somehow the token does not have that permission even if you are able to execute queries.
+	)
+	s.AddTool(tool, t.handle)
+}
+
+func (t *TroubleshootKubernetesListTop400500HttpErrorsInPods) handle(ctx context.Context, request mcp.CallToolRequest) (*mcp.CallToolResult, error) {
+	interval := mcp.ParseString(request, "interval", "1h")
+	clusterName := mcp.ParseString(request, "cluster_name", "")
+	namespaceName := mcp.ParseString(request, "namespace_name", "")
+	workloadType := mcp.ParseString(request, "workload_type", "")
+	workloadName := mcp.ParseString(request, "workload_name", "")
+	limit := mcp.ParseInt(request, "limit", 20)
+
+	query, err := buildTopHttpErrorsQuery(interval, limit, clusterName, namespaceName, workloadType, workloadName)
+	if err != nil {
+		return mcp.NewToolResultErrorFromErr("failed to build query", err), nil
+	}
+
+	limitQuery := sysdig.LimitQuery(limit)
+	params := &sysdig.GetQueryV1Params{
+		Query: query,
+		Limit: &limitQuery,
+	}
+
+	httpResp, err := t.SysdigClient.GetQueryV1(ctx, params)
+	if err != nil {
+		return mcp.NewToolResultErrorFromErr("failed to execute query", err), nil
+	}
+
+	if httpResp.StatusCode != 200 {
+		bodyBytes, _ := io.ReadAll(httpResp.Body)
+		return mcp.NewToolResultErrorf("failed to execute query: status code %d, body: %s", httpResp.StatusCode, string(bodyBytes)), nil
+	}
+
+	var queryResponse sysdig.QueryResponseV1
+	if err := json.NewDecoder(httpResp.Body).Decode(&queryResponse); err != nil {
+		return mcp.NewToolResultErrorFromErr("failed to decode response", err), nil
+	}
+
+	return mcp.NewToolResultJSON(queryResponse)
+}
+
+func buildTopHttpErrorsQuery(interval string, limit int, clusterName, namespaceName, workloadType, workloadName string) (string, error) {
+	duration, err := time.ParseDuration(interval)
+	if err != nil {
+		return "", fmt.Errorf("invalid interval format: %w", err)
+	}
+	seconds := duration.Seconds()
+
+	filters := []string{}
+	if clusterName != "" {
+		filters = append(filters, fmt.Sprintf("kube_cluster_name=~\"%s\"", clusterName))
+	}
+	if namespaceName != "" {
+		filters = append(filters, fmt.Sprintf("kube_namespace_name=\"%s\"", namespaceName))
+	}
+	if workloadType != "" {
+		filters = append(filters, fmt.Sprintf("kube_workload_type=\"%s\"", workloadType))
+	}
+	if workloadName != "" {
+		filters = append(filters, fmt.Sprintf("kube_workload_name=\"%s\"", workloadName))
+	}
+
+	filterStr := ""
+	if len(filters) > 0 {
+		filterStr = strings.Join(filters, ",")
+	}
+
+	// topk(20,sum(sum_over_time(sysdig_container_net_http_error_count{kube_cluster_name=~"demo-kube-gke"}[1h])) by (kube_cluster_name, kube_namespace_name, kube_workload_type, kube_workload_name, kube_pod_name)) / 3600
+	return fmt.Sprintf("topk(%d,sum(sum_over_time(sysdig_container_net_http_error_count{%s}[%s])) by (kube_cluster_name, kube_namespace_name, kube_workload_type, kube_workload_name, kube_pod_name)) / %f",
+		limit, filterStr, interval, seconds), nil
+}

internal/infra/mcp/tools/tool_troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods_test.go

@@ -0,0 +1,123 @@
+package tools_test
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net/http"
+
+	"github.com/mark3labs/mcp-go/mcp"
+	"github.com/mark3labs/mcp-go/server"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/mcp/tools"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig"
+	"github.com/sysdiglabs/sysdig-mcp-server/internal/infra/sysdig/mocks"
+	"go.uber.org/mock/gomock"
+)
+
+var _ = Describe("TroubleshootKubernetesListTop400500HttpErrorsInPods Tool", func() {
+	var (
+		tool       *tools.TroubleshootKubernetesListTop400500HttpErrorsInPods
+		mockSysdig *mocks.MockExtendedClientWithResponsesInterface
+		mcpServer  *server.MCPServer
+		ctrl       *gomock.Controller
+		ctx        context.Context
+	)
+
+	BeforeEach(func() {
+		ctrl = gomock.NewController(GinkgoT())
+		mockSysdig = mocks.NewMockExtendedClientWithResponsesInterface(ctrl)
+		tool = tools.NewTroubleshootKubernetesListTop400500HttpErrorsInPods(mockSysdig)
+		mcpServer = server.NewMCPServer("test", "test")
+		tool.RegisterInServer(mcpServer)
+		ctx = context.Background()
+	})
+
+	It("should register successfully in the server", func() {
+		Expect(mcpServer.GetTool("troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods")).NotTo(BeNil())
+	})
+
+	When("listing top http errors", func() {
+		DescribeTable("it succeeds", func(ctx context.Context, toolName string, request mcp.CallToolRequest, expectedParamsRequested sysdig.GetQueryV1Params) {
+			mockSysdig.EXPECT().GetQueryV1(gomock.Any(), &expectedParamsRequested).Return(&http.Response{
+				StatusCode: http.StatusOK,
+				Body:       io.NopCloser(bytes.NewBufferString(`{"status":"success"}`)),
+			}, nil)
+
+			serverTool := mcpServer.GetTool(toolName)
+			result, err := serverTool.Handler(ctx, request)
+			Expect(err).NotTo(HaveOccurred())
+
+			resultData, ok := result.Content[0].(mcp.TextContent)
+			Expect(ok).To(BeTrue())
+			Expect(resultData.Text).To(MatchJSON(`{"status":"success"}`))
+		},
+			Entry("default params",
+				"troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods",
+				mcp.CallToolRequest{
+					Params: mcp.CallToolParams{
+						Name:      "troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods",
+						Arguments: map[string]any{},
+					},
+				},
+				sysdig.GetQueryV1Params{
+					Query: `topk(20,sum(sum_over_time(sysdig_container_net_http_error_count{}[1h])) by (kube_cluster_name, kube_namespace_name, kube_workload_type, kube_workload_name, kube_pod_name)) / 3600.000000`,
+					Limit: asPtr(sysdig.LimitQuery(20)),
+				},
+			),
+			Entry("with custom params",
+				"troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods",
+				mcp.CallToolRequest{
+					Params: mcp.CallToolParams{
+						Name: "troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods",
+						Arguments: map[string]any{
+							"interval":       "30m",
+							"cluster_name":   "prod-cluster",
+							"namespace_name": "backend",
+							"limit":          5,
+						},
+					},
+				},
+				sysdig.GetQueryV1Params{
+					Query: `topk(5,sum(sum_over_time(sysdig_container_net_http_error_count{kube_cluster_name=~"prod-cluster",kube_namespace_name="backend"}[30m])) by (kube_cluster_name, kube_namespace_name, kube_workload_type, kube_workload_name, kube_pod_name)) / 1800.000000`,
+					Limit: asPtr(sysdig.LimitQuery(5)),
+				},
+			),
+			Entry("with all params",
+				"troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods",
+				mcp.CallToolRequest{
+					Params: mcp.CallToolParams{
+						Name: "troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods",
+						Arguments: map[string]any{
+							"interval":       "2h",
+							"cluster_name":   "dev",
+							"namespace_name": "default",
+							"workload_type":  "deployment",
+							"workload_name":  "api",
+							"limit":          10,
+						},
+					},
+				},
+				sysdig.GetQueryV1Params{
+					Query: `topk(10,sum(sum_over_time(sysdig_container_net_http_error_count{kube_cluster_name=~"dev",kube_namespace_name="default",kube_workload_type="deployment",kube_workload_name="api"}[2h])) by (kube_cluster_name, kube_namespace_name, kube_workload_type, kube_workload_name, kube_pod_name)) / 7200.000000`,
+					Limit: asPtr(sysdig.LimitQuery(10)),
+				},
+			),
+		)
+
+		It("returns error for invalid interval", func() {
+			serverTool := mcpServer.GetTool("troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods")
+			request := mcp.CallToolRequest{
+				Params: mcp.CallToolParams{
+					Name:      "troubleshoot_kubernetes_list_top_400_500_http_errors_in_pods",
+					Arguments: map[string]any{"interval": "invalid"},
+				},
+			}
+			result, err := serverTool.Handler(ctx, request)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(result.IsError).To(BeTrue())
+			Expect(result.Content[0].(mcp.TextContent).Text).To(ContainSubstring("invalid interval format"))
+		})
+	})
+})