# Getting Started
Quick start guide for Kyverno MCP
The Kyverno MCP Server is a Model Context Protocol (MCP) server that provides Kyverno policy management capabilities through a standardized interface. This server enables AI assistants to interact with Kyverno policies in Kubernetes clusters, making policy management more accessible and automated.
Whether you’re looking to proactively assess the security posture of your clusters before implementing Kyverno, or you need to monitor and analyze policy violations in existing Kyverno deployments, the MCP server provides the tools and guidance necessary for comprehensive policy management across your Kubernetes infrastructure.
Model Context Protocol (MCP) is a standardized protocol that allows AI assistants to interact with external tools and services. The Kyverno MCP Server implements this protocol to expose Kyverno’s policy management capabilities to AI-powered tools like Claude Desktop, Amazon Q, Cursor, and other MCP-compatible clients.
## Installation
### Install with Homebrew
```bash
brew tap nirmata/tap
brew install kyverno-mcp
```
### Download Pre-built Binaries
Download the appropriate binary for your platform from the [Nirmata downloads page](https://downloads.nirmata.io/kyverno-mcp/downloads/).
### Run with Docker
```bash
# Build the image from a checkout of the repository
docker build -t kyverno-mcp:latest .
# Run with the kubeconfig mounted read-only; everything after the image name
# is handed to kyverno-mcp as its arguments
docker run --rm -i \
  -v "$HOME/.kube/config:/kube/config:ro" \
  kyverno-mcp:latest -- \
  --kubeconfig /kube/config
```
For detailed installation instructions, see the [Installation Guide](./installation/).
## Getting Started
### Basic Usage
Start the server using your default kubeconfig:
```bash
./kyverno-mcp
```
Or specify a custom kubeconfig:
```bash
./kyverno-mcp --kubeconfig=/path/to/kubeconfig
```
### Configure Your MCP Client
Add the Kyverno MCP server to your MCP client configuration:
```json
{
  "mcpServers": {
    "kyverno": {
      "command": "/path/to/kyverno-mcp",
      "args": [
        "--kubeconfig=/path/to/your/kubeconfig"
      ]
    }
  }
}
```
For a complete getting started tutorial, see the [Getting Started Guide](./getting-started/).
### Network Access (HTTP/HTTPS)
For remote access or browser-based clients, expose the server over HTTP(S):
```bash
# HTTPS (recommended for production)
./kyverno-mcp \
  --http-addr :8443 \
  --tls-cert /path/to/cert.pem \
  --tls-key /path/to/key.pem
# HTTP (local testing only)
./kyverno-mcp --http-addr :8080
```
⚠️ **Security Note**: Never expose the server over plain HTTP in production. Always use HTTPS with valid TLS certificates or place the server behind an HTTPS-terminating proxy. Keep in mind that the server acts with whatever access the supplied kubeconfig grants, and none of the flags shown on this page authenticate clients: unless options from the Configuration Guide or your proxy add authentication, anyone who can reach the listener can read cluster resources, switch contexts and run policy scans with those credentials. Bind to a loopback or private address, restrict reachability with a firewall or network policy, and use a kubeconfig scoped to the least privilege the tools need (read access to the resources being scanned and to PolicyReport/ClusterPolicyReport objects).
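For local testing of the HTTPS mode you need a certificate and key pair to pass to `--tls-cert`/`--tls-key`. The script below is an added example, not part of the Kyverno MCP project: it mints a self-signed certificate with `openssl` (version 1.1.1 or newer, for `-addext`), checks that the certificate and key actually belong together before the server is started, and shows the launch command. It assumes `--http-addr` accepts a `host:port` such as `127.0.0.1:8443` (the page itself only shows `:8443`); binding to loopback is the point, so that the test listener is not reachable from other hosts. A self-signed certificate is for local testing only; production listeners should use a CA-issued certificate or sit behind an HTTPS-terminating proxy, as the Security Note says.

```shell
#!/usr/bin/env bash
# Added example, not part of the Kyverno MCP project: mint a self-signed
# certificate for LOCAL TESTING of --tls-cert/--tls-key and verify the pair
# before handing it to the server.
set -eu

# make_test_cert DIR HOST: writes DIR/cert.pem and DIR/key.pem (key mode 0600).
make_test_cert() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  # RSA-2048, 30-day validity. subjectAltName is set because current clients
  # (browsers, Go's crypto/tls) ignore the CN and match on SAN only.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host,IP:127.0.0.1" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  chmod 600 "$dir/key.pem"
}

# cert_matches_key CERT KEY: succeeds only if both carry the same public key.
# Catches the classic mistake of pairing a renewed certificate with the old key,
# which the server would otherwise reject at startup or, worse, at first handshake.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# cert_dns_sans CERT: prints the DNS names the certificate is valid for,
# one per line, so you can confirm they match the address clients will use.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | tr -d ' '
}

# Usage (not executed here): mint, verify, then start the HTTPS listener on
# loopback only. The host:port form of --http-addr is an assumption.
#   make_test_cert ./tls localhost
#   cert_matches_key ./tls/cert.pem ./tls/key.pem && cert_dns_sans ./tls/cert.pem
#   ./kyverno-mcp --http-addr 127.0.0.1:8443 --tls-cert ./tls/cert.pem --tls-key ./tls/key.pem
```

Clients connecting to a self-signed listener must be told to trust `cert.pem` explicitly (for example `curl --cacert ./tls/cert.pem https://localhost:8443/`); never disable certificate verification on the client instead, since that also defeats the check that the Security Note relies on.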
## Available Tools
The Kyverno MCP Server provides the following tools:
### Context Management
- **`list_contexts`**: List all available Kubernetes contexts in the supplied kubeconfig
- **`switch_context`**: Switch to a different Kubernetes context. Any context present in the kubeconfig is reachable through this tool, so give the server a kubeconfig that contains only the clusters the assistant is meant to touch
### Policy Operations
- **`apply_policies`**: Scan cluster resources against Kyverno policies from curated sets, Git repos, or local files
  - Supports policy sets: `pod-security`, `rbac-best-practices`, `kubernetes-best-practices`, `all`
  - Enables proactive security assessment: policies are evaluated by the `kyverno` CLI rather than by an in-cluster admission controller, so Kyverno does not need to be installed in the cluster
  - Sources policies from Git repositories or local filesystem paths for custom policy testing
  - Produces immediate, non-persistent violation reports using `kyverno apply`: nothing is written to the cluster, no PolicyReport objects are created, and the results exist only in the tool's response
### Monitoring & Compliance
- **`show_violations`**: Read and display policy violations from PolicyReport and ClusterPolicyReport custom resources
  - Shows both namespaced (`PolicyReport`) and cluster-wide (`ClusterPolicyReport`) violations with severity levels and timestamps
  - Provides detailed violation analysis including affected resources and policy details
  - Requires Kyverno to be installed with policies deployed, since the reports it reads are produced by Kyverno itself
  - Offers Kyverno installation guidance when Kyverno is not yet deployed
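To make concrete what `show_violations` reads, here is an added example that is not the project's code and does not claim to be how the MCP server is implemented. It flattens the `results` of `PolicyReport` and `ClusterPolicyReport` objects (the `wgpolicyk8s.io/v1alpha2` report schema Kyverno produces) into a severity-sorted violation list and answers the kind of question shown in the use cases below, such as the high-severity violations in the `production` namespace. The report JSON embedded as `SAMPLE_REPORTS` is constructed for this example; on a real cluster the same shape comes from `kubectl get policyreports,clusterpolicyreports -A -o json`.

```python
"""Summarize Kyverno PolicyReport / ClusterPolicyReport violations.

Added example, not part of the Kyverno MCP project. It reads the same data the
show_violations tool reads: the `results` list of wgpolicyk8s.io/v1alpha2
PolicyReport (namespaced) and ClusterPolicyReport (cluster-wide) objects, in
the JSON that `kubectl get policyreports,clusterpolicyreports -A -o json`
returns. SAMPLE_REPORTS is constructed for this example.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Kyverno severity values, most severe first; unknown/missing values sort last.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

SAMPLE_REPORTS = json.dumps({
    "kind": "List",
    "items": [
        {"apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
         "metadata": {"name": "polr-ns-production", "namespace": "production"},
         "summary": {"pass": 1, "fail": 2, "warn": 0, "error": 0, "skip": 0},
         "results": [
             {"policy": "disallow-privileged-containers", "rule": "privileged-containers",
              "result": "fail", "severity": "high", "message": "Privileged mode is disallowed.",
              "resources": [{"apiVersion": "v1", "kind": "Pod", "namespace": "production",
                             "name": "web-7f9c"}],
              "timestamp": {"seconds": 1718000000}},
             {"policy": "require-run-as-nonroot", "rule": "run-as-non-root",
              "result": "fail", "severity": "medium", "message": "Running as root is not allowed.",
              "resources": [{"apiVersion": "v1", "kind": "Pod", "namespace": "production",
                             "name": "batch-1"}],
              "timestamp": {"seconds": 1718000300}},
             {"policy": "require-labels", "rule": "check-team-label",
              "result": "pass", "severity": "low", "message": "validation rule passed",
              "resources": [{"apiVersion": "v1", "kind": "Pod", "namespace": "production",
                             "name": "web-7f9c"}]},
         ]},
        {"apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "ClusterPolicyReport",
         "metadata": {"name": "cpolr"},
         "results": [
             {"policy": "restrict-clusterrole-wildcards", "rule": "no-wildcards",
              "result": "fail", "severity": "high",
              "message": "Wildcard verbs or resources are not allowed in ClusterRoles.",
              "resources": [{"apiVersion": "rbac.authorization.k8s.io/v1",
                             "kind": "ClusterRole", "name": "ops-admin"}],
              "timestamp": {"seconds": 1718000600}},
         ]},
    ],
})


def load_violations(raw_json):
    """Flatten every failed result into one row per affected resource."""
    doc = json.loads(raw_json)
    reports = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    rows = []
    for report in reports:
        scope = "cluster" if report.get("kind") == "ClusterPolicyReport" else "namespaced"
        report_ns = report.get("metadata", {}).get("namespace", "")
        for res in report.get("results", []):
            if res.get("result") != "fail":  # pass/warn/skip/error are not violations
                continue
            secs = res.get("timestamp", {}).get("seconds")
            when = datetime.fromtimestamp(secs, tz=timezone.utc).isoformat() if secs else ""
            for obj in res.get("resources") or [{}]:  # one result may list several objects
                rows.append({
                    "scope": scope,
                    # Cluster-scoped objects (ClusterRole, Node, ...) carry no namespace.
                    "namespace": obj.get("namespace") or report_ns,
                    "kind": obj.get("kind", ""), "name": obj.get("name", ""),
                    "policy": res.get("policy", ""), "rule": res.get("rule", ""),
                    "severity": (res.get("severity") or "info").lower(),
                    "message": res.get("message", ""), "timestamp": when,
                })
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["severity"], 99), r["namespace"], r["policy"]))
    return rows


def filter_violations(rows, namespace=None, min_severity=None):
    """Keep rows in `namespace` (if given) that are at least `min_severity` severe."""
    out = []
    for r in rows:
        if namespace is not None and r["namespace"] != namespace:
            continue
        if min_severity and SEVERITY_ORDER.get(r["severity"], 99) > SEVERITY_ORDER[min_severity]:
            continue
        out.append(r)
    return out


def severity_counts(rows):
    """Count violations per severity, e.g. {'high': 2, 'medium': 1}."""
    return dict(Counter(r["severity"] for r in rows))


def format_table(rows):
    """Render rows as aligned text, the way an assistant would present them."""
    lines = [f"{'SEVERITY':9} {'NAMESPACE':12} {'KIND':12} {'NAME':12} POLICY/RULE"]
    for r in rows:
        ns = r["namespace"] or "(cluster)"
        lines.append(f"{r['severity']:9} {ns:12} {r['kind']:12} {r['name']:12} "
                     f"{r['policy']}/{r['rule']}")
    return "\n".join(lines)


if __name__ == "__main__":
    all_rows = load_violations(SAMPLE_REPORTS)
    print(format_table(all_rows))
    print("\nhigh or worse in production:")
    print(format_table(filter_violations(all_rows, namespace="production", min_severity="high")))
    print("\ncounts:", severity_counts(all_rows))
```

Only `result: fail` entries count as violations; `warn` results come from policies in audit mode with `validationFailureAction` set to warn and are worth reporting separately rather than silently folding into the fail count, and `error` entries usually mean the policy could not be evaluated at all (for example a broken context lookup), which is an operational problem rather than a compliance finding.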
### Documentation
- **`help`**: Access built-in Kyverno documentation
  - Topics: `installation`, `troubleshooting`
For detailed tool documentation, see the [Available Tools Reference](./available-tools/).
## Command Line Reference
| Flag | Description | Default |
|------|-------------|---------|
| `--kubeconfig` | Path to kubeconfig file | `$KUBECONFIG` or `~/.kube/config` |
| `--http-addr` | HTTP(S) server bind address | None (stdio mode) |
| `--tls-cert` | TLS certificate file path | None |
| `--tls-key` | TLS private key file path | None |
For complete configuration options, see the [Configuration Guide](./configuration/).
## Use Cases
### Proactive Security Assessment
Scan clusters for policy violations without installing Kyverno:
**Scenario**: *As a DevOps engineer, I want to scan my Kubernetes clusters for policy violations and assess their security posture without needing to install Kyverno or deploy policies to the cluster.*
- Scan existing cluster resources against curated policy sets
- Get immediate, non-persistent violation reports
- Receive guidance on Kyverno installation and policy deployment
- Establish baseline security requirements across multiple environments
```text
Apply pod security policies to my cluster and show me what violations occur
```
### Continuous Compliance Monitoring
Monitor ongoing compliance in clusters with deployed Kyverno policies:
**Scenario**: *As a security engineer, I want to monitor compliance across my Kubernetes clusters that already have Kyverno installed and policies deployed, and get detailed reports on policy violations from PolicyReport resources.*
```text
Show me all high-severity violations in the production namespace
```
### Multi-Environment Policy Management
Manage policies consistently across development, staging, and production:
```text
Compare policy violations between staging and production clusters
```
### Multi-Cluster Policy Testing
Test security policies across multiple clusters with AI assistance:
```text
Apply rbac-best-practices to all my clusters and show me the compliance status
```
Ready to get started? Check out our guides:
- [Getting Started Guide](./getting-started/): quick start guide for Kyverno MCP
- Use Cases: real-world scenarios and user stories for Kyverno MCP
- [Installation Guide](./installation/): detailed installation instructions for Kyverno MCP
- [Available Tools Reference](./available-tools/): complete reference for all Kyverno MCP tools
- [Configuration Guide](./configuration/): configuration options for Kyverno MCP
- Troubleshooting: common issues and solutions for Kyverno MCP
Visit our GitHub repository for source code and development information.