Getting Started
Quick start guide for Kyverno MCP
The Kyverno MCP Server is a Model Context Protocol (MCP) server that provides Kyverno policy management capabilities through a standardized interface. This server enables AI assistants to interact with Kyverno policies in Kubernetes clusters, making policy management more accessible and automated.
Whether you’re looking to proactively assess the security posture of your clusters before implementing Kyverno, or you need to monitor and analyze policy violations in existing Kyverno deployments, the MCP server provides the tools and guidance necessary for comprehensive policy management across your Kubernetes infrastructure.
Model Context Protocol (MCP) is a standardized protocol that allows AI assistants to interact with external tools and services. The Kyverno MCP Server implements this protocol to expose Kyverno’s policy management capabilities to AI-powered tools like Claude Desktop, Amazon Q, Cursor, and other MCP-compatible clients.
brew tap nirmata/tap
brew install kyverno-mcp
Download the appropriate binary for your platform from the Nirmata downloads page.
# Build the image
docker build -t kyverno-mcp:latest .
# Run with mounted kubeconfig
docker run --rm -i \
  -v $HOME/.kube/config:/kube/config:ro \
  kyverno-mcp:latest -- \
  --kubeconfig /kube/config
For detailed installation instructions, see the Installation Guide.
Start the server using your default kubeconfig:
./kyverno-mcp
Or specify a custom kubeconfig:
./kyverno-mcp --kubeconfig=/path/to/kubeconfig
Add the Kyverno MCP server to your MCP client configuration:
{
  "mcpServers": {
    "kyverno": {
      "command": "/path/to/kyverno-mcp",
      "args": [
        "--kubeconfig=/path/to/your/kubeconfig"
      ]
    }
  }
}
For a complete getting started tutorial, see the Getting Started Guide.
For remote access or browser-based clients, expose the server over HTTP(S):
# HTTPS (recommended for production)
./kyverno-mcp \
  --http-addr :8443 \
  --tls-cert /path/to/cert.pem \
  --tls-key /path/to/key.pem
# HTTP (local testing only)
./kyverno-mcp --http-addr :8080
⚠️ Security Note: Never expose the server over plain HTTP in production. Always use HTTPS with valid TLS certificates or place the server behind an HTTPS-terminating proxy. See our Security Best Practices for more information.
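The security note above can be checked mechanically before a launch command ships. The following is an added example, not code from the Kyverno MCP project: a Python check that classifies a `kyverno-mcp` command line using only the flags documented on this page. It assumes a bind address with no host (such as `:8080`) listens on all interfaces; the function names are hypothetical.

```python
import ipaddress

# Flags taken from this page's flag table; each one takes a value.
VALUE_FLAGS = {"--kubeconfig", "--http-addr", "--tls-cert", "--tls-key"}

def parse_flags(argv):
    """Collect known flags, accepting both '--flag value' and '--flag=value'."""
    flags, i = {}, 0
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        if name in VALUE_FLAGS:
            if not sep:  # value is the next token
                i += 1
                value = argv[i] if i < len(argv) else ""
            flags[name] = value
        i += 1
    return flags

def is_loopback(addr):
    """True only when the bind host is localhost or a loopback IP literal."""
    host = addr.rpartition(":")[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (':8080') or unverifiable name: assume exposed

def audit(argv):
    """Return (transport, findings) for one kyverno-mcp command line."""
    f = parse_flags(argv)
    addr, cert, key = f.get("--http-addr"), f.get("--tls-cert"), f.get("--tls-key")
    if not addr:
        unused = ["TLS flags given without --http-addr"] if cert or key else []
        return "stdio", unused
    if bool(cert) != bool(key):
        return "invalid", ["HTTPS needs both --tls-cert and --tls-key"]
    if cert and key:
        return "https", []
    if is_loopback(addr):
        return "http", []
    return "http", [f"plain HTTP on {addr} is reachable beyond loopback"]

if __name__ == "__main__":
    # Constructed command lines mirroring the ones on this page.
    for cmd in ("./kyverno-mcp --http-addr :8080",
                "./kyverno-mcp --http-addr 127.0.0.1:8080",
                "./kyverno-mcp --http-addr :8443 --tls-cert c.pem --tls-key k.pem"):
        print(cmd, "->", audit(cmd.split()))
```

A non-empty findings list is a reason to stop a deployment; a server behind an HTTPS-terminating proxy is the case where a loopback-only `http` result is expected.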
The Kyverno MCP Server provides the following tools:
list_contexts: List all available Kubernetes contexts
switch_context: Switch to a different Kubernetes context
apply_policies: Scan cluster resources against Kyverno policies from curated sets, Git repos, or local files
  pod-security, rbac-best-practices, kubernetes-best-practices, all
  kyverno apply
show_violations: Read and display policy violations from PolicyReport and ClusterPolicyReport custom resources
help: Access built-in Kyverno documentation
  installation, troubleshooting
For detailed tool documentation, see the Available Tools Reference.
Flag | Description | Default |
---|---|---|
--kubeconfig | Path to kubeconfig file | $KUBECONFIG or ~/.kube/config |
--http-addr | HTTP(S) server bind address | None (stdio mode) |
--tls-cert | TLS certificate file path | None |
--tls-key | TLS private key file path | None |
For complete configuration options, see the Configuration Guide.
Scan clusters for policy violations without installing Kyverno:
Scenario: As a DevOps engineer, I want to scan my Kubernetes clusters for policy violations and assess their security posture without needing to install Kyverno or deploy policies to the cluster.
Apply pod security policies to my cluster and show me what violations occur
Monitor ongoing compliance in clusters with deployed Kyverno policies:
Scenario: As a security engineer, I want to monitor compliance across my Kubernetes clusters that already have Kyverno installed and policies deployed, and get detailed reports on policy violations from PolicyReport resources.
Show me all high-severity violations in the production namespace
Manage policies consistently across development, staging, and production:
Compare policy violations between staging and production clusters
Test security policies across multiple clusters with AI assistance:
Apply rbac-best-practices to all my clusters and show me the compliance status
Ready to get started? Check out our guides:
Visit our GitHub repository for source code and development information.