mcp-server-kubernetes

The server uses `child_process.execFileSync` and `spawn` to run external `kubectl` and `helm` commands, which inherently carries risk. However, significant mitigation measures are in place: 1. The `exec_in_pod` tool explicitly accepts commands as an array of strings to prevent shell injection, strictly avoiding direct shell interpretation. 2. Other `kubectl` tools construct arguments programmatically, reducing the risk of injection. 3. Secrets masking (`MASK_SECRETS`) is implemented for `kubectl get secrets` output, though it does not cover all sensitive data exposure in logs. 4. Non-destructive (`ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS`) and read-only (`ALLOW_ONLY_READONLY_TOOLS`) modes are available via environment variables for granular access control. 5. The Helm chart templates include robust security configurations like Pod Security Contexts, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, customizable RBAC, and NetworkPolicies with default deny, requiring explicit egress rules. 6. For HTTP transports, `ENABLE_UNSAFE_SSE_TRANSPORT` is deprecated in favor of `ENABLE_UNSAFE_STREAMABLE_HTTP_TRANSPORT`, which includes DNS rebinding protection and supports `MCP_AUTH_TOKEN` for header-based authentication. SSE is explicitly flagged as 'unsafe'. These measures demonstrate a strong focus on security best practices for a tool that directly interacts with a Kubernetes cluster.