Kube Audit MCP

kube-audit-mcp is an MCP server that provides AI agents with the ability to query Kubernetes audit logs and supports multiple log providers such as Alibaba Cloud, AWS, and Google Cloud.

Monitoring Security #Kubernetes #Audit Logs #MCP Service #Cloud Native .Go

rating : 2.5 points

downloads : 4.7K

update time : 2025-09-18

Open Site

What is kube-audit-mcp?

kube-audit-mcp is an MCP server that integrates Kubernetes audit log query capabilities into AI assistants and chatbots. Through this service, AI assistants can help you monitor and analyze various operational activities in Kubernetes clusters, such as resource creation, deletion, and updates.

How to use kube-audit-mcp?

After installing the server, configure your cloud service provider credentials and then enable it in the supported MCP client. The AI assistant can then help you query and analyze Kubernetes audit logs.

Use cases

Scenarios that require the analysis of Kubernetes cluster operation records, such as security audits, troubleshooting, compliance checks, activity monitoring, and anomaly detection.

Main Features

Multi-cloud Support

Supports the log services of multiple cloud service providers, such as Alibaba Cloud SLS, AWS CloudWatch, and Google Cloud Logging.

Audit Log Query

Provides flexible query capabilities, allowing you to filter logs by conditions such as time range, namespace, resource type, and operation type.

AI Assistant Integration

Seamlessly integrates with mainstream AI assistants such as Claude, Gemini, and VS Code Copilot.

Multi-cluster Management

Supports the configuration and management of multiple Kubernetes clusters, facilitating query switching between different environments.

Advantages

Enables secure queries through log services without direct access to the Kubernetes API server

Provides a natural language interface, making it easy for non-technical personnel to use

Supports multiple cloud platforms, adapting to different infrastructure environments

Offers real-time query capabilities, quickly obtaining the latest audit information

Limitations

Requires the configuration of corresponding cloud service provider credentials and permissions

Query performance is limited by the performance of the underlying log service

Currently mainly supports mainstream cloud providers; additional configuration is required for self-built Kubernetes

How to Use

Download and Install

Download the latest version from the GitHub Releases page or use the Docker image.

Configure Credentials

Create a configuration file and set your cloud service provider access credentials.

Configure the MCP Client

Add the kube-audit-mcp server configuration to the AI assistant client you are using.

Start Using

Directly ask questions related to Kubernetes audits in the AI assistant conversation.

Usage Examples

Security Audit

Check for unauthorized resource operations

Troubleshooting

Track resource change history to locate the cause of problems

Compliance Check

Verify compliance with internal security policies and compliance requirements

Frequently Asked Questions

What permissions do I need to use this service?

Does it support self-built Kubernetes clusters?

How is the query performance?

Will the data be sent to third parties?

Related Resources

GitHub Repository

The project's source code and latest version releases

MCP Protocol Documentation

The official documentation of the Model Context Protocol

Kubernetes Audit Documentation

The official Kubernetes audit log documentation

Installation Guide

Detailed installation and configuration guide

🚀 kube-audit-mcp

kube-audit-mcp is a Model Context Protocol (MCP) server that empowers AI agents, assistants, and chatbots to query Kubernetes Audit Logs.

🚀 Quick Start

kube-audit-mcp offers AI agents the ability to query Kubernetes Audit Logs. To get started, follow the installation and configuration steps below.

✨ Features

Enable AI agents to query Kubernetes Audit Logs.
Support multiple MCP clients, such as Claude Code, Claude Desktop, Gemini CLI, VS Code, and kubectl-ai.
Provide multiple transport options and support different log providers.

📦 Installation

First, download and install the latest release from the releases page.
- You can also install via docker:
```
docker pull quay.io/mozillazg/kube-audit-mcp:latest
```
Then, configure the provider of Kubernetes Audit Logs. See Configurations for details.

💻 Usage Examples

MCP Clients

Theoretically, any MCP client should work with kube-audit-mcp.

Standard config works in most of the clients:

{
  "mcpServers": {
    "kube-audit": {
      "type": "stdio",
      "command": "kube-audit-mcp",
      "args": [
        "mcp"
      ]
    }
  }
}

Run with docker

You can also run kube-audit-mcp via docker, use the following config:

{
  "mcpServers": {
    "kube-audit": {
      "type": "stdio",
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-v",
        "/etc/kube-audit-mcp/config.yaml:/etc/kube-audit-mcp/config.yaml:ro",
        "quay.io/mozillazg/kube-audit-mcp:latest",
        "mcp",
        "--config",
        "/etc/kube-audit-mcp/config.yaml"
      ],
      "env": {
        "ALIBABA_CLOUD_ACCESS_KEY_ID": "needed_if_you_use_alibaba_sls_provider",
        "ALIBABA_CLOUD_ACCESS_KEY_SECRET": "needed_if_you_use_alibaba_sls_provider",
        "AWS_ACCESS_KEY_ID": "needed_if_you_use_aws_cloudwatch_logs_provider",
        "AWS_SECRET_ACCESS_KEY": "needed_if_you_use_aws_cloudwatch_logs_provider",
        "GOOGLE_APPLICATION_CREDENTIALS": "needed_if_you_use_gcp_cloud_logging_provider"
      }
    }
  }
}

Claude Code

Use the Claude Code CLI to add the kube-audit-mcp:

claude mcp add kube-audit kube-audit-mcp mcp

Claude Desktop

Follow the MCP install guide, use the standard config above.

Gemini CLI

Follow the MCP install guide, use the standard config above.

VS Code

Follow the MCP install guide, use the standard config above. You can also install the kube-audit-mcp MCP server using the VS Code CLI:

# For VS Code
code --add-mcp '''{"name":"kube-audit","command":"kube-audit-mcp","args":["mcp"]}'''

After installation, the kube-audit-mcp MCP server will be available for use with your GitHub Copilot agent in VS Code.

kubectl-ai

Follow the MCP install [guide](https://github.com/GoogleCloudPlatform/kubectl-ai/blob/main/pkg/mcp/README.md#local-stdio-based-server-configuration), use the config like below:

servers:
  # Local MCP server (stdio-based)
  - name: kube-audit
    command: kube-audit-mcp
    args:
      - mcp

Transport Options

STDIO Transport (Default)

The default transport mode uses standard input/output for communication. This is the standard MCP transport used by most clients like Claude Desktop.

# Run with default stdio transport
kube-audit-mcp mcp

# Or explicitly specify stdio
kube-audit-mcp mcp --transport stdio

📚 Documentation

Configurations

kube-audit-mcp requires a configuration file to specify the provider of Kubernetes Audit Logs. The configuration file is typically located at ~/.config/kube-audit-mcp/config.yaml or specified via the --config flag.

Sample Config

You can get a sample config via the following command:

kube-audit-mcp sample-config

Here is a sample configuration file

default_cluster: prod              # The default cluster to use
clusters:                          # List of clusters
  - name: prod                     # Name of the cluster
    provider:                      # Provider configuration, see below for details
      name: aws-cloudwatch-logs    # Use CloudWatch Logs as the provider
      aws_cloudwatch_logs:
        log_group_name: /aws/eks/test/cluster  # Replace with your CloudWatch Logs log group name
  - name: dev                     # Name of the cluster
    provider:
      name: alibaba-sls            # Use Alibaba Cloud Log Service as the provider
      alibaba_sls:
        endpoint: cn-hangzhou.log.aliyuncs.com  # Replace with your Log Service endpoint
        project: k8s-log-cxxx                   # Replace with your Log Service project
        logstore: audit-cxxx                    # Replace with your Log Service logstore
  - name: test
    provider:
      name: gcp-cloud-logging      # Use Google Cloud Logging as the provider
      gcp_cloud_logging:
        project_id: test-233xxx # Replace with your Project ID
        cluster_name: test-cluster  # Replace with your GKE cluster name (optional)

Or save the sample configuration to the default config file location:

kube-audit-mcp sample-config --save

Provider

Alibaba Cloud Log Service

Prerequisites:

Install and configure the Alibaba Cloud CLI with credentials
Ensure your Alibaba Cloud user or role has the necessary permissions to read from the specified Log Service project and logstore. The following policy can be used to grant the necessary permissions:

RAM permissions

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:GetLogStoreLogs"
      ],
      "Resource": "*"
    }
  ]
}

Config:

name: alibaba-sls
alibaba_sls:
  endpoint: cn-hangzhou.log.aliyuncs.com  # Replace with your Log Service endpoint
  logstore: ${log_store}                  # Replace with your Log Service logstore
  project: ${project_name}                # Replace with your Log Service project

AWS CloudWatch Logs

Prerequisites:

Install and configure the AWS CLI with credentials
Ensure your AWS IAM user or role has the necessary permissions to read from the specified CloudWatch Logs log group. The following policy can be used to grant the necessary permissions:

IAM permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:StartQuery",
        "logs:GetQueryResults"
      ],
      "Resource": "*"
    }
  ]
}

Config:

name: aws-cloudwatch-logs
aws_cloudwatch_logs:
  log_group_name: /aws/eks/${cluster_name}/cluster # Replace with your CloudWatch Logs log group name

Google Cloud Logging

Prerequisites:

Install and configure the Google Cloud CLI with Application Default Credentials
Ensure your Google Cloud IAM user or service account has the necessary permissions to read from the specified Cloud Logging log bucket. The following role can be used to grant the necessary permissions: roles/logging.viewer.

Config:

name: gcp-cloud-logging
gcp_cloud_logging:
  project_id: ${project_id}         # Replace with your Project ID
  cluster_name: ${cluster_name}     # Replace with your GKE cluster name (optional)

Available Tools

This MCP server exposes the following tools to the AI agent:

`query_audit_log`

Queries the Kubernetes audit logs from the configured provider. This is the primary tool for investigating activity in your clusters.

Parameters:

cluster_name (string, optional): The name of the cluster to query. You can see available clusters with the list_clusters tool. Defaults to the configured default_cluster.
start_time (string, optional): The start time for the query. Can be in ISO 8601 format (2024-01-01T10:00:00) or relative time (7d, 1h, 30m). Defaults to 7d.
end_time (string, optional): The end time for the query. If omitted, defaults to the current time.
limit (number, optional): The maximum number of log entries to return. Defaults to 10, with a maximum of 20.
namespace (string, optional): Filter logs by a specific namespace. Supports suffix wildcards (e.g., kube-*).
resource_types (array of strings, optional): Filter by one or more Kubernetes resource types (e.g., pods, deployments). Supports short names (e.g., po, deploy). Use list_common_resource_types to discover available types.
resource_name (string, optional): Filter by a specific resource name. Supports suffix wildcards.
verbs (array of strings, optional): Filter by one or more action verbs (e.g., create, delete, update).
user (string, optional): Filter by the user who performed the action. Supports suffix wildcards.

`list_clusters`

Lists all clusters that are configured in the config.yaml file. This is useful for discovering which clusters you can target for queries.

Parameters: None

`list_common_resource_types`

Returns a list of common Kubernetes resource types, grouped by category (e.g., "Core Resources", "Apps Resources"). This helps in finding the correct value for the resource_types parameter in the query_audit_log tool.

Parameters: None