Troubleshooting - cturner8/kube-mcp GitHub Wiki
This page covers common issues and their solutions when running kube-mcp.
Check the pod logs for errors:
kubectl logs -l app.kubernetes.io/name=kube-mcpCommon causes:
| Error | Cause | Solution |
|---|---|---|
OIDC issuer URL is required |
Missing OIDC configuration | Set mcp.oidc.issuerUrl in your values.yaml |
OIDC client ID is required |
Missing client ID | Set mcp.oidc.clientId in your values.yaml |
Base URL is required |
Missing base URL | Set mcp.baseUrl in your values.yaml |
cannot specify both allowed and disallowed tools |
Conflicting tool config | Use either mcp.tools.allowed OR mcp.tools.disallowed, not both |
Check readiness probe failures:
kubectl describe pod -l app.kubernetes.io/name=kube-mcpThe server exposes a /health endpoint. If probes are failing, verify the container port matches your service configuration.
Verify OIDC discovery is accessible:
curl https://<your-oidc-issuer>/.well-known/openid-configurationCheck the Protected Resource Metadata endpoint:
curl https://<your-mcp-url>/.well-known/oauth-protected-resourceCommon causes:
| Symptom | Cause | Solution |
|---|---|---|
| "token signature is invalid" | Wrong signing method | Verify mcp.oidc.signingMethod matches your provider (RS256 or HS256) |
| "token is expired" | Expired JWT | Obtain a fresh token from your OIDC provider |
| "audience claim mismatch" | Wrong client ID | Ensure mcp.oidc.clientId matches the aud claim in your token |
| "issuer claim mismatch" | Wrong issuer URL | Ensure mcp.oidc.issuerUrl exactly matches the iss claim |
If your MCP client isn't prompting for authentication:
- Verify the client supports OAuth/OIDC authentication
- Check the client supports HTTP transport
- Ensure the server URL is correct and accessible from your machine
Example: pods is forbidden: User "system:serviceaccount:..." cannot list resource "pods"
This indicates Kubernetes RBAC is blocking access. Verify the ServiceAccount permissions:
# Check what the ServiceAccount can access
kubectl auth can-i list pods --as=system:serviceaccount:<namespace>:kube-mcp
# View the ClusterRole rules
kubectl get clusterrole kube-mcp -o yamlSolutions:
- Add the missing resource to
rbac.rulesin your values.yaml - Ensure the resource's API group is included (e.g.,
appsfor Deployments)
See RBAC for detailed configuration.
Secrets and ConfigMaps are intentionally excluded from default RBAC. To enable:
- Add secrets/configmaps to
rbac.rules - Remove them from
mcp.tools.disallowed(they're disabled by default)
Possible causes:
-
Tool is disallowed - Check
mcp.tools.disalloweddoesn't include the tool -
Allowlist in use - If using
mcp.tools.allowed, the tool must be explicitly listed - Client caching - Restart your MCP client to refresh the tool list
Possible causes:
- No resources exist - Verify resources exist in the specified namespace
- RBAC restrictions - The ServiceAccount may lack permission (check logs)
- Namespace not specified - Some tools require a namespace argument
Check ingress is configured:
kubectl get ingress -l app.kubernetes.io/name=kube-mcpFor testing without ingress, use port-forwarding:
kubectl port-forward svc/kube-mcp 9000:9000Then configure your MCP client to use http://localhost:9000.
If accessing kube-mcp from a browser and seeing CORS errors:
mcp:
allowedOrigins: "https://your-app.example.com"Multiple origins can be specified as comma-separated values.
Increase log verbosity to diagnose issues:
mcp:
logging:
level: "debug"Then view logs:
kubectl logs -l app.kubernetes.io/name=kube-mcp -fTo debug authentication issues, decode your JWT token at jwt.io and verify:
-
issmatchesmcp.oidc.issuerUrl -
audmatchesmcp.oidc.clientId -
expis in the future - Required scopes are present in
scopeorscpclaim
- GitHub Issues: cturner8/kube-mcp/issues
- Known Limitations: Limitations