poly-k8s-mcp

The server explicitly requires and uses Deno's `--allow-run` permission to execute `kubectl`, `helm`, and `kustomize` CLI tools directly. This means the security boundary is the user's local Kubernetes configuration (`~/.kube/config`) and credentials. An MCP client (e.g., AI assistant) could perform any action the user's configured `kubectl` can. There are no additional authentication or authorization layers provided by the server itself beyond the underlying CLI tools. The `kubectl_apply` tool writes manifest content to `/tmp/kubectl-manifest.yaml` before applying it, which is a common pattern but could pose risks if the server runs in a compromised environment or with over-privileged access. The `kustomize_create` tool writes `kustomization.yaml` files based on input, allowing arbitrary Kustomize configuration to be created. The project's `PROVEN-INTEGRATION.md` indicates future plans for formal verification of resource lifecycles, RBAC, and manifest validation (`SafeSchema`), but these are not currently implemented, meaning input validation against Kubernetes schemas is not enforced by the server itself.