
kube-compare-mcp

Verified Safe

by sakhoury

Overview

Enables AI assistants to compare Kubernetes cluster configurations against reference templates, including Red Hat Telco Reference Design Specifications (RDS), to detect configuration drift.

Installation

Run Command
docker run -p 8080:8080 quay.io/sakhoury/kube-compare-mcp:latest --transport=http --port=8080 --log-format=json --log-level=debug

Environment Variables

  • DOCKER_CONFIG
  • KUBE_COMPARE_MCP_MAX_FILE_SIZE
  • KUBE_COMPARE_MCP_IMAGE_PULL_TIMEOUT
  • KUBE_COMPARE_MCP_HTTP_VALIDATION_TIMEOUT
  • KUBE_COMPARE_MCP_OCI_VALIDATION_TIMEOUT
  • KUBECONFIG

Security Notes

The server implements strong security measures. It explicitly blocks exec-based authentication and auth provider plugins in provided kubeconfigs to prevent arbitrary code execution, enforces size limits on kubeconfig inputs, and sanitizes error messages to prevent leakage of sensitive information. Container image extraction includes path traversal prevention and file size limits. The Kubernetes deployment follows good security practices: `runAsNonRoot`, `seccompProfile: RuntimeDefault`, `allowPrivilegeEscalation: false`, and `drop: ALL` capabilities. However, the `ClusterRole` grants broad read-only access (`apiGroups: ['*'], resources: ['*'], verbs: ['get', 'list', 'watch']`) to the cluster. This is a functional requirement for a configuration comparison tool, but it means the server has visibility into all cluster resources. The `readOnlyRootFilesystem: false` setting is necessary because of temporary file operations and container image extraction.

Stats

Interest Score: 0
Security Score: 8
Cost Class: Medium
Avg Tokens: 50000
Stars: 0
Forks: 0
Last Update: 2026-01-19

Tags

Kubernetes, Configuration, Comparison, AI Assistant, MCP