feat(contrib): add Kyverno MCP server integration#1442
optimus-fulcria wants to merge 2 commits into kagent-dev:main from
Conversation
Add deployment manifests and agent configuration for the Kyverno MCP Server, which exposes Kyverno policy management operations to AI agents. 8 tools: list/get/explain policies, compliance reports, violation checks, policy generation, and compliance summaries. Enables natural-language Kubernetes policy management through kagent. Kyverno is a CNCF Graduated policy engine - this integration makes it accessible to both newbies and experienced users via AI agents.

Source: https://github.com/Fulcria-Labs/kyverno-mcp-server

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR adds a new community-contributed integration for the Kyverno MCP Server to the contrib/tools directory. Kyverno is a CNCF Graduated policy engine for Kubernetes, and this integration enables AI agents to interact with Kyverno policies through 8 MCP tools (list, get, explain policies, compliance reports, violation checks, policy generation, and compliance summaries). The structure follows the existing pattern established by the k8sgpt MCP server contribution.
Changes:
- Adds Kubernetes deployment manifests (ServiceAccount, ClusterRole, ClusterRoleBinding, Service, Deployment) for the Kyverno MCP server with read-only RBAC scoped to Kyverno CRDs
- Adds RemoteMCPServer and Agent YAML resources to register the MCP server and create a pre-configured Kyverno policy expert agent in kagent
- Adds a README with installation instructions, usage examples, and troubleshooting guidance
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| contrib/tools/kyverno-mcp-server/deploy-kyverno-mcp-server.yaml | K8s deployment manifests with RBAC, Service, and Deployment for the MCP server |
| contrib/tools/kyverno-mcp-server/kyverno-remote-mcpserver.yaml | RemoteMCPServer registration for kagent |
| contrib/tools/kyverno-mcp-server/kyverno-agent.yaml | Pre-configured kagent Agent with Kyverno policy expertise system prompt and all 8 tools |
| contrib/tools/kyverno-mcp-server/README.md | Installation guide, capabilities table, usage examples, and troubleshooting |
| name: kyverno-mcp-server | ||
| namespace: kagent | ||
| spec: | ||
| url: "http://kyverno-mcp-server:8089/sse" |
The protocol field is not set, so it defaults to STREAMABLE_HTTP (see go/api/v1alpha2/remotemcpserver_types.go:41). However, the URL uses the /sse endpoint, which indicates this server uses the SSE transport protocol. Without explicitly setting protocol: SSE, the kagent reconciler will create a StreamableClientTransport instead of an SSEClientTransport (see go/internal/controller/reconciler/reconciler.go:814-825), which will likely cause the connection to fail.
Add protocol: SSE to the spec.
| url: "http://kyverno-mcp-server:8089/sse" | |
| url: "http://kyverno-mcp-server:8089/sse" | |
| protocol: SSE |
| spec: | ||
| serviceAccountName: kyverno-mcp-server | ||
| containers: | ||
| - name: kyverno-mcp-server |
The image kyverno-mcp-server:latest is a local-only image name with no registry prefix, and imagePullPolicy: IfNotPresent means Kubernetes will never pull it from a registry. This only works if the user manually builds and pre-loads the image (e.g., via kind load). While this is documented in the README, it significantly limits usability. In contrast, the k8sgpt integration uses a published image (ghcr.io/k8sgpt-ai/k8sgpt:v0.4.24). Consider referencing a published container image from the kyverno-mcp-server repository if one is available, or add a comment in the YAML indicating this image must be built locally.
| - name: kyverno-mcp-server | |
| - name: kyverno-mcp-server | |
| # NOTE: This image name assumes you have built and loaded the image locally | |
| # (e.g., via `kind load docker-image kyverno-mcp-server:latest`) or pushed it | |
| # to a registry accessible to the cluster. |
| path: /sse | ||
| port: 8089 | ||
| initialDelaySeconds: 5 | ||
| periodSeconds: 10 | ||
| livenessProbe: | ||
| httpGet: | ||
| path: /sse |
Using the /sse endpoint for liveness and readiness probes is problematic. SSE endpoints are designed to establish long-lived streaming connections, and may not return a simple HTTP 200 response suitable for health checks. This could lead to probe timeouts or unexpected behavior. Consider using a dedicated health endpoint (e.g., /health or /) if the MCP server provides one, or at minimum verify that the /sse endpoint returns a timely HTTP 200 when probed with a GET request.
| path: /sse | |
| port: 8089 | |
| initialDelaySeconds: 5 | |
| periodSeconds: 10 | |
| livenessProbe: | |
| httpGet: | |
| path: /sse | |
| path: / | |
| port: 8089 | |
| initialDelaySeconds: 5 | |
| periodSeconds: 10 | |
| livenessProbe: | |
| httpGet: | |
| path: / |
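The probe comment above, and the follow-up commit that moved the probes to tcpSocket, both turn on one property of an SSE endpoint: it answers 200 immediately but never finishes its body, so an httpGet probe that drains the response sits until timeoutSeconds expires and fails. The script below is an added example, not code from this PR, kagent, or the kyverno-mcp-server project. It runs a stand-in server (assumed behaviour, not the real MCP server) with a streaming /sse path and a hypothetical /health path, then runs three probe styles against it with a wall-clock deadline like kubelet's.

```python
"""Simulate kubelet-style probes against an SSE endpoint vs. a health endpoint.

Added example; not code from kagent or kyverno-mcp-server. The server here is
a stand-in for the MCP server's listener. The /health path is an assumption:
the real server may or may not expose one.
"""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SSE_PATH = "/sse"
HEALTH_PATH = "/health"  # hypothetical; chosen for this example


class StandInHandler(BaseHTTPRequestHandler):
    """/sse streams keep-alives and never closes; /health answers 200 and closes."""

    def do_GET(self):
        if self.path == SSE_PATH:
            self.send_response(200)
            self.send_header("Content-Type", "text/event-stream")
            self.send_header("Cache-Control", "no-cache")
            self.end_headers()
            try:
                while True:  # long-lived stream: body never completes
                    self.wfile.write(b": keepalive\n\n")
                    time.sleep(0.1)
            except (BrokenPipeError, ConnectionResetError):
                return  # client gave up; exit the handler thread
        elif self.path == HEALTH_PATH:
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Bind the stand-in server to an ephemeral port; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def http_get_probe(port, path, timeout_seconds=1.0):
    """Mimic an httpGet probe: pass only if a 2xx/3xx status *and* the whole
    body arrive before the deadline. kubelet reads the body after the status
    line, so a stream that never ends is a failure, not a success."""
    deadline = time.monotonic() + timeout_seconds
    request = (f"GET {path} HTTP/1.1\r\nHost: 127.0.0.1:{port}\r\n"
               "Connection: close\r\n\r\n").encode()
    received = b""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout_seconds) as sock:
            sock.sendall(request)
            while True:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return False  # deadline hit before the body ended
                sock.settimeout(remaining)
                chunk = sock.recv(4096)
                if not chunk:
                    break  # server closed the connection: body complete
                received += chunk
    except OSError:  # refused, reset, or socket.timeout (an OSError subclass)
        return False
    parts = received.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return False
    return 200 <= int(parts[1]) < 400


def tcp_socket_probe(port, timeout_seconds=1.0):
    """Mimic a tcpSocket probe: success only means the port accepts a
    connection. It says nothing about whether the MCP server can serve tools."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout_seconds):
            return True
    except OSError:
        return False


def run_probes(timeout_seconds=1.0):
    """Run all three probe styles once and return {probe name: passed}."""
    server, port = start_server()
    try:
        return {
            "httpGet /sse": http_get_probe(port, SSE_PATH, timeout_seconds),
            "httpGet /health": http_get_probe(port, HEALTH_PATH, timeout_seconds),
            "tcpSocket": tcp_socket_probe(port, timeout_seconds),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, ok in run_probes().items():
        print(f"{name:16s} -> {'pass' if ok else 'FAIL (deadline)'}")
```

The httpGet /sse probe fails after the deadline even though the server is perfectly healthy, which is the hanging-probe behaviour the comment warns about; tcpSocket passes, but it also passes for any process that merely holds the port open, so a dedicated health path, where the server offers one, remains the stronger signal.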
- Switch probes from /sse (SSE long-lived connection) to tcpSocket to avoid hanging probe connections
- Use ghcr.io/kagent-dev/kyverno-mcp-server:latest with comment showing how to use a local image instead
- Set protocol: SSE explicitly in RemoteMCPServer spec

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Why Kyverno?
Kyverno is one of the most popular CNCF projects for Kubernetes policy management, but it has a learning curve. An AI agent that can explain policies, check compliance, and generate templates makes it much more accessible.
Files
- deploy-kyverno-mcp-server.yaml - K8s deployment with RBAC (read-only access to Kyverno CRDs)
- kyverno-remote-mcpserver.yaml - kagent RemoteMCPServer registration
- kyverno-agent.yaml - Pre-configured kagent Agent with policy expertise
- README.md - Installation and usage guide

Test plan
Generated with Claude Code